Efficient Monitoring of Untrusted Kernel-Mode Execution

Recent malware instances execute completely in the kernel as drivers; they do not contain any user-level malicious processes. This design evades the system call monitoring used by many software security solutions, including malware analyzers and host-based intrusion detectors that track only user-level processes. To trace the behavior of kernel malware instances, we design and implement a hypervisor-based system called Gateway that monitors kernel APIs invoked by drivers. Gateway creates a hardened, non-bypassable monitoring interface by isolating drivers in an address space separate from the kernel. To overcome the performance degradation introduced by switches between these separate address spaces, our design rewrites binary kernel and driver code at runtime and generates new code on demand to optimize the address space transition speed. Our experimental measurements show performance overheads of 10% or better, with many overheads less than 1%. Our security evaluation shows that Gateway is able to monitor all kernel APIs invoked by malicious drivers across its non-bypassable interface.