Abstract:
Integrity measurement architecture (IMA) is an important component of trusted computing. However, existing IMA schemes possess a number of practical limitations when applied in embedded systems. In this paper, we propose dynamic integrity measurement architecture at kernel-level (DIMAK), an effective and efficient runtime integrity measurement architecture for embedded Linux systems. DIMAK supports just-in-time integrity measurement for code texts and static data in both kernel and user space, as well as dynamic linking information maintained by position independent executables (PIE). Exploiting the process, memory and page management mechanism of Linux kernel, DIMAK is capable of measuring the to-be-measured contents at physical-page-level, hence avoids potential time-of-check to time-of-use (TOCTTOU) vulnerability that has been discovered in existing techniques. On top of that, by proposing a predictive integrity baseline generation technique for the relocation and dynamic linking information of ELF files, the proposed architecture achieves better completeness than the state-of-the-art schemes in case of responding to threats like hooking-based control flow hijacking and dynamically loaded malware. Also, with a novel trusted software hot-fix protocol, the proposed architecture becomes the first IMA scheme capable of correctly distinguishing on-the-fly software patching behaviors from malicious code loading. Given different types of contents to be measured, DIMAK generates the corresponding integrity baselines at a variety of timings, e.g., during off-line phase, system booting, process loading or dynamic code loading, thus ensures correctness of the architecture’s integrity measurement for all possible scenarios. Experiments on real commercial embedded devices have also shown that performance overhead caused by DIMAK is sufficiently acceptable for embedded devices.