
Detecting compromised kernel hooks with support of hardware debugging features

  • Wenchang Shi*
  • , Hongwei Zhou
  • , Jinhui Yuan
  • , Bin Liang
  • *Corresponding author for this work
  • School of Information
  • Renmin University of China
  • Information Engineering University

Research output: Contribution to journal › Article › peer-review

Abstract

Although a few good schemes exist to protect the kernel hooks of operating systems, attackers can still circumvent these defenses by supplying spurious context information. To address this challenge, this paper proposes a framework, called HookIMA, that detects compromised kernel hooks with the help of hardware debugging features. The key contribution of the work is that context information is captured from the hardware rather than from relatively vulnerable kernel data. A proof-of-concept prototype of HookIMA has been built on commodity hardware. The prototype handles 3,082 dynamic control-flow transfers and their associated hooks in kernel space. Experiments show that HookIMA is capable of detecting kernel hooks compromised by kernel rootkits. Performance evaluation with UnixBench indicates that the runtime overhead introduced by HookIMA is about 21.5%.

Original language: English
Pages (from-to): 78-90
Number of pages: 13
Journal: China Communications
Volume: 9
Issue number: 10
State: Published - Oct 2012
Externally published: Yes

Keywords

  • Control flow
  • Hardware
  • Integrity
  • Kernel hook
  • Operating system
