Autoscopy Jr.
J. Reeves, A. Ramaswamy, M. Locasto, S. Bratus and S.W. Smith
Objectives
- Secure resource-constrained devices living within power grid networks.
- Avoid using resource-intensive tools such as hypervisors, and instead use existing pieces of the OS kernel to monitor itself.
- "Protect Ring 0 from Ring 0"
- Provide a layer of security while also adhering to the grid's strict timing and availability constraints.
Key Science Methods & Advances
- Kprobes: Built-in Linux tracing framework that gives us a snapshot of the OS kernel when the probe is reached.
- ioctl Memory Access: Observe kernel memory directly rather than via mmap.
- Trusted Location Lists: Model of normal control flow constructed during the learning phase and verified during the detection phase.
- Improved Indirect Call Heuristics: Simple rules that let us make quick decisions and avoid using complicated disassembly techniques.
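The learning and detection phases above, as an added userspace simulation (not the Autoscopy Jr. code): a kprobe handler on a function reached through a function pointer would record the caller's return address; the learning phase collects those into a trusted-location list per probed function, and the detection phase flags callers not on the list. The addresses, the kernel text range, and the "caller outside kernel text" shortcut are constructed assumptions for illustration.

```python
from collections import defaultdict

# Assumed kernel text range (constructed for this simulation).
KERNEL_TEXT = (0xffffffff81000000, 0xffffffff81a00000)

# Constructed learning-phase probe hits: (probed function, return address of its caller),
# the values a kprobe handler on that function would read from the stack.
LEARNING_TRACE = [
    (0xffffffff813b0000, 0xffffffff812a1000),  # probed function called from call site A
    (0xffffffff813b0000, 0xffffffff812a1040),  # same function, a second legitimate call site
    (0xffffffff81410000, 0xffffffff812b2000),
]

# Constructed detection-phase hits, including a caller outside the kernel text,
# the pattern a hook that forwards to the original function would produce.
DETECTION_TRACE = [
    (0xffffffff813b0000, 0xffffffff812a1000),  # learned -> trusted
    (0xffffffff813b0000, 0xffffffff81999000),  # in kernel text, but never learned
    (0xffffffff81410000, 0xffffffffa0001000),  # caller outside kernel text
    (0xffffffff81420000, 0xffffffff812c3000),  # function never hit during learning
]


def learn(trace):
    """Learning phase: one set of trusted caller addresses per probed function."""
    trusted = defaultdict(set)
    for func, ret in trace:
        trusted[func].add(ret)
    return dict(trusted)


def check(trusted, func, ret):
    """Detection phase: classify one probe hit as 'trusted' or give the reason it is not."""
    if ret in trusted.get(func, ()):
        return "trusted"
    lo, hi = KERNEL_TEXT
    if not (lo <= ret < hi):  # assumed quick rule: caller must live in kernel text
        return "untrusted: caller outside kernel text"
    if func not in trusted:
        return "untrusted: function not seen in learning phase"
    return "untrusted: caller not in trusted list"


def detect(trusted, trace):
    """Run the check over a detection-phase trace and return only the alerts."""
    alerts = []
    for func, ret in trace:
        verdict = check(trusted, func, ret)
        if verdict != "trusted":
            alerts.append((hex(func), hex(ret), verdict))
    return alerts


if __name__ == "__main__":
    for row in detect(learn(LEARNING_TRACE), DETECTION_TRACE):
        print(*row)
```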
Results & Impacts
- We found that we could protect against control-flow altering rootkits while remaining within the grid's timing constraints.
- We transferred the Autoscopy Jr. technology to Schweitzer Engineering Laboratories, who incorporated it into their product lines.