CyLab

Distinguished seminar: Towards snooper-based system integrity monitors and memory defenses with Brent ByungHoon Kang

April 23, 2018

12:00 p.m. - 1:00 p.m. ET

DEC, CIC Building

Abstract

Advanced malware binaries have shown great sophistication in compromising the system kernel and persisting their attacks against the host system without being detected. To counter this severe threat, our team has been working on a series of kernel defense methods based on snooping kernel activities with no performance hit on the host system.

In this talk, I will introduce our first prototype, called Vigilare, a kernel integrity monitor that is architected to snoop the bus traffic of the host system from separate, independent hardware. This snoop-based monitoring in Vigilare overcomes the limitations of the snapshot-based approaches employed in previous kernel integrity monitoring solutions. Because they inspect snapshots taken periodically, snapshot-based monitoring solutions cannot detect transient attacks that occur in between snapshots. We implemented a prototype of the Vigilare system by adding a Snooper connection module that snoops the bus traffic of the host system. Our evaluation showed that the Vigilare system detected all of the transient attacks with no performance degradation, whereas the snapshot-based monitor could not catch all of the attacks and induced considerable performance degradation in the benchmark test.
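To make the snapshot-versus-snoop argument concrete, here is a small simulation added for this page (not code from the Vigilare project): a constructed write trace against a protected kernel region, a snapshot monitor that diffs memory against a trusted image every N cycles, and a snoop monitor that sees every write. The transient hook at cycles 12-18 falls between 10-cycle snapshots and is missed; shortening the interval catches it, which is the performance trade-off the talk refers to.

```python
"""Toy model: snapshot-based vs. snoop-based kernel integrity monitoring."""

# Constructed trusted image of a protected, supposedly immutable region
# (think of it as a few system call table entries): address -> value.
TRUSTED_IMAGE = {0x1000: 0xAA, 0x1008: 0xBB, 0x1010: 0xCC}

# Constructed bus write trace: (cycle, address, value).
TRACE = [
    (3, 0x2000, 0x01),    # benign write outside the protected region
    (12, 0x1008, 0xEE),   # transient hook installed
    (18, 0x1008, 0xBB),   # attacker restores the original value
    (35, 0x1010, 0xFF),   # persistent modification, never restored
]


def memory_at(trace, cycle):
    """Reconstruct the protected region after all writes up to `cycle`."""
    mem = dict(TRUSTED_IMAGE)
    for c, addr, val in sorted(trace):
        if c <= cycle and addr in mem:
            mem[addr] = val
    return mem


def snapshot_monitor(trace, interval, last_cycle):
    """Compare a periodic snapshot to the trusted image.

    Returns the snapshot cycles at which a deviation was observed.
    """
    return [t for t in range(0, last_cycle + 1, interval)
            if memory_at(trace, t) != TRUSTED_IMAGE]


def snoop_monitor(trace):
    """Inspect every write on the bus as it happens.

    Returns the cycles of writes that change a protected address away
    from its trusted value (the hook at 12 and the overwrite at 35).
    """
    return [c for c, addr, val in sorted(trace)
            if addr in TRUSTED_IMAGE and val != TRUSTED_IMAGE[addr]]


if __name__ == "__main__":
    print("snapshot, interval 10:", snapshot_monitor(TRACE, 10, 40))
    print("snapshot, interval 5: ", snapshot_monitor(TRACE, 5, 40))
    print("snoop:                ", snoop_monitor(TRACE))
```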

In the second half of the talk, I will describe KI-Mon, our next effort, which protects dynamic kernel regions. I will present the challenges in tracking mutable data objects and how we addressed them by creating an advanced snooper module that filters white-listed values and provides on-demand verification of related data structures, so that the semantic invariants of dynamic data structures can be enforced. KI-Mon also provides an API software platform with which one can implement one's own monitoring rules for checking the integrity of dynamic data objects.

Finally, I will present our recent efforts on harnessing the snooper hardware to create system hardening methods against sophisticated memory exploits. I will conclude by introducing possible collaboration research topics in the related area of burgeoning trusted software isolation approaches such as Intel SGX and ARM TrustZone.

Bio

Brent ByungHoon Kang received his Ph.D. in Computer Science from the University of California at Berkeley, his M.S. from the University of Maryland at College Park, and his B.S. from Seoul National University. He is currently an associate professor at KAIST and serves as Chief Professor of the Graduate School of Information Security at the School of Computing. He has also been with George Mason University as an associate professor in the Volgenau School of Engineering. His academic services include Program Committee membership for IEEE Security and Privacy, ACM CCS, and USENIX Security, and Tutorial co-chair for ACM CCS.

His research interests include designing Trusted Computing Environments (TCE) and securing the host system based on the TCE (e.g., system integrity monitors, HW-based trusted execution environments, memory address translation integrity, Code-Reuse-Attack (CRA) defenses, heap memory defenses, malware analysis, and dialects computing).
