Signature-based detection of kernel data structure modification

摘要

A method and apparatus for signature-based detection of kernel data structure modification are disclosed. In the method and apparatus a signature is generated for a kernel data structure, whereby the kernel data structure is capable of being modified based at least in part on access to the kernel data structure. The signature is also updated as a result of access to the kernel data structure due at least in part to one or more identified instructions being executed. The signature is used to determine whether the kernel data structure is accessed by one or more other instructions.

主权项

1. A computer-implemented method for detecting changes to kernel data structures, comprising:
generating a signature for a kernel data structure, the kernel data structure pertaining to a kernel of an operating system of a virtual computer system instantiated on one or more computer systems, the kernel data structure comprising one or more bits modifiable due at least in part to access to the kernel data structure, the signature based at least in part on the kernel data structure; receiving a request for the access to the kernel data structure using one or more instructions; accessing the kernel data structure, the accessing including:
modifying the kernel data structure to produce a modified kernel data structure based at least in part on the one or more instructions;updating the signature to produce an updated signature based at least in part on the updated kernel data structure; andstoring the updated signature; and identifying, based at least in part on the updated signature, further access to the kernel data structure due at least in part to execution of one or more other instructions different from the one or more instructions.