Copilot is a coprocessor-based kernel integrity monitor for commodity systems. Copilot is designed to detect malicious modifications to a host's kernel and has correctly detected the presence of 12 real-world rootkits, each within 30 seconds of their installation with less than a 1% penalty to the host's performance. Copilot requires no modifications to the…
We hypothesize that a form of kernel-resident access-control-based integrity protection can gain widespread acceptance in Commercial Off-The-Shelf (COTS) environments provided that it couples some useful protection with a high degree of compatibility with existing software,…
The ability of intruders to hide their presence in compromised systems has surpassed the ability of the current generation of integrity monitors to detect them. Once in control of a system, intruders modify the state of constantly-changing dynamic kernel data structures to hide their processes and elevate their privileges. Current monitoring tools are…
We present the Forensic Analysis ToolKit (FATKit), a modular, extensible framework that increases the practical applicability of volatile memory forensic analysis by freeing human analysts from the prohibitively-tedious aspects of low-level data extraction. FATKit allows analysts to focus on higher-level tasks by providing novel methods for automatically…
LOMAC is a security enhancement for Linux kernels. LOMAC demonstrates that it is possible to apply Mandatory Access Control techniques to standard Linux kernels already deployed in the field, and to do so in a manner that is simple, compatible, and largely invisible to the traditional Linux user. The LOMAC Loadable Kernel Module protects the integrity of…
When systems are under constant attack, there is no time to restore those infected with malware to health manually—repair of infected systems must be fully automated and must occur within milliseconds. After detecting kernel-modifying rootkit infections using Virtual Machine Introspection, the VICI Agent applies a collection of novel repair techniques to…