There will be an all-hands meeting on Friday, November 6 at 11:00 in the Apollo room, Nichols Hall. Refreshments will be provided at the 11:00 meeting.
There will also be a tutorial at 2:00 in the Apollo room, for those who wish a more in-depth discussion of the topic.
Speaker: Julian Grizzard
Title: Increasing Platform Assurance with the Linux Kernel Integrity Measurer
Abstract: If a computer system is vulnerable to attack, then an attacker could break in, install a rootkit, and own the system along with any sensitive data input into the system. One way to counter such attacks is to measure the system integrity. That is, we can inspect the system state to determine if it is running only the software that we expect and nothing else. In particular, our goal is to inspect the system state at runtime. As a step toward this goal, we have developed the Linux Kernel Integrity Measurer (LKIM) as a tool that can measure the dynamic state of a running Linux kernel. This measurement can then be sent to an appraiser to verify that the kernel has not been compromised (e.g., there are no kernel-level rootkits installed).
This talk will discuss LKIM and will be broken into two parts. In the morning, we will provide an introduction to dynamic measurement, LKIM, and a discussion of research challenges. Following the morning talk we will dive into the details of how LKIM works in the afternoon. We are actively building a community around dynamic measurement and as such will be releasing LKIM as open source so that other researchers can more easily conduct measurement experiments.
Bio: Julian Grizzard is a researcher in the Applied Information Sciences Department at The Johns Hopkins University Applied Physics Laboratory. He received his Ph.D. and M.S. in Electrical and Computer Engineering at the Georgia Institute of Technology in 2006 and 2004, respectively. He received his B.S. in Electrical and Computer Engineering at Clemson University in 2002. Julian has been researching rootkit-related problems for many years, including a talk on rootkit recovery at DEFCON 13. He can be contacted by email at: julian.grizzard@jhuapl.edu.
I enjoyed this one. It was good to hear someone’s fresh take on measurement/attestation/appraisal. I still cringe when attestation is hand-waved.
Garrin and Wes observed that LKIM has a lot of similarities to garbage collectors: tracing the heap for shape and such. We discussed some shortcomings of their type structure analyzer, but posited that the requisite sorts of programming practices (storing a cast pointer in a non-pointer field) were unlikely to make it into many projects.
The CoW solution to atomicity seems to work well according to Julian’s numbers. The issue made me think that this seems to be a fancy heap-invariant checker that delegates a certain class of run-time checks out to a GC-like independent analyzer. Presumably the sorts of things LKIM checks for could be checked by Linux itself as run-time checks (in situ checks would be placed to avoid the coherency issues).
Good stuff.
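To make the measure-then-appraise split from the abstract concrete, and the "tracing the heap for shape" comparison from the comment above, here is an added example in C. It is not LKIM's code and not from the talk: the driver_t layout, the two-function "text section" (real_open, real_read), the FNV-1a digest and the list walk are all constructed for illustration. A measurer walks a linked object graph from its root, records the shape and where every function pointer points, and folds that into a digest; a separate appraiser holds a baseline from a known-good state and decides whether a fresh measurement is acceptable. The integer private_data field shows the type-analyzer limitation the comment mentions: a pointer cast into a non-pointer field is simply not followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*fn_t)(void);

/* Constructed stand-in for a kernel subsystem: a linked list of driver
 * objects whose ops fields are function pointers. Hypothetical layout,
 * not LKIM's or the kernel's. */
typedef struct driver {
    const char *name;
    fn_t open;
    fn_t read;
    uintptr_t private_data;   /* integer field: a pointer cast into it is invisible to a type-driven walk */
    struct driver *next;
} driver_t;

/* Functions standing in for the kernel text section (the expected code). */
static int real_open(void) { return 1; }
static int real_read(void) { return 2; }
/* Stands in for code outside the expected set. */
static int unexpected_read(void) { return 99; }

static const fn_t known_code[] = { real_open, real_read };
#define N_KNOWN (sizeof known_code / sizeof known_code[0])

/* Map a function pointer to its index in the expected code set, or -1. */
static int code_index(fn_t p) {
    for (size_t i = 0; i < N_KNOWN; i++)
        if (known_code[i] == p) return (int)i;
    return -1;
}

/* FNV-1a; a deployed measurer would use a cryptographic hash such as SHA-256. */
static uint64_t fnv1a(uint64_t h, const void *buf, size_t n) {
    const unsigned char *b = buf;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

typedef struct {
    uint64_t digest;      /* hash of the structure's shape and pointer targets */
    int nodes;            /* objects reached by the walk */
    int unknown_targets;  /* function pointers not aimed at expected code */
} measurement_t;

#define MAX_NODES 64

/* Measurer: trace the object graph from its root, like a tracing garbage
 * collector, and fold what is found into a digest. Bounded and cycle-safe,
 * so a corrupted list cannot make the walk run forever. */
measurement_t measure(const driver_t *head) {
    measurement_t m = { 0xcbf29ce484222325ULL, 0, 0 };
    const driver_t *seen[MAX_NODES];
    for (const driver_t *d = head; d != NULL && m.nodes < MAX_NODES; d = d->next) {
        for (int i = 0; i < m.nodes; i++)
            if (seen[i] == d) return m;        /* cycle: stop; nodes already counted */
        seen[m.nodes++] = d;
        int oi = code_index(d->open), ri = code_index(d->read);
        if (oi < 0) m.unknown_targets++;
        if (ri < 0) m.unknown_targets++;
        m.digest = fnv1a(m.digest, d->name, strlen(d->name));
        m.digest = fnv1a(m.digest, &oi, sizeof oi);
        m.digest = fnv1a(m.digest, &ri, sizeof ri);
        /* private_data is deliberately not followed: its declared type is
         * not a pointer, which is the analyzer limitation discussed above. */
    }
    return m;
}

/* Appraiser: the consumer of a measurement. It holds a baseline taken from a
 * known-good state and decides whether the current measurement is acceptable. */
int appraise(const measurement_t *baseline, const measurement_t *now) {
    return now->unknown_targets == 0
        && now->nodes == baseline->nodes
        && now->digest == baseline->digest;
}

/* Scenario: baseline a good list, confirm a repeat measurement still appraises,
 * then redirect one ops pointer (constructed tampering) and confirm the
 * appraiser rejects it. Returns 1 when the change is detected. */
int demo_detects_redirected_pointer(void) {
    driver_t tty = { "tty", real_open, real_read, 0, NULL };
    driver_t net = { "net", real_open, real_read, 0, &tty };
    measurement_t base = measure(&net);
    measurement_t again = measure(&net);
    if (!appraise(&base, &again)) return -1;   /* measurement must be repeatable */
    tty.read = unexpected_read;
    measurement_t after = measure(&net);
    int detected = !appraise(&base, &after);
    tty.read = real_read;
    return detected;
}

int main(void) {
    printf("redirected pointer detected: %d\n", demo_detects_redirected_pointer());
    return 0;
}
```

Two caveats a practitioner would want. First, this walk reads live structures, so it can observe a list in the middle of an update; that coherency problem is exactly what the copy-on-write snapshot mentioned above addresses, by measuring a frozen image instead. Second, the appraiser's baseline is only as trustworthy as the state it was taken from, and the measurement's transport to the appraiser (and the TPM-style attestation of it) is a separate subsystem that this example does not model.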
Are you implying that Julian hand-waved attestation?
If so, LKIM’s job is measurement, not attestation. There’s an additional subsystem that consumes measurement results and generates attestations that is outside LKIM’s (and JHUAPL’s) task.
If not, well, I guess everything I said is still true…