Runtime integrity framework based on trusted computing

I present in this dissertation, a technique to measure the integrity of an operating system, so that the user can verify that all critical software components, including the operating system kernel, is running in a known valid state. The technique solves a key problem of providing continuous runtime verification of kernel memory-space. The measurement is integrated with a trustworthy verification chain from the firmware, host machine, hypervisor, guest machine to applications, based on existing techniques from Trust Computing and guest security mechanisms. This is accomplished by checking the guest kernel against a known reference, to provide instant feedback on changes in its integrity. A Trusted Platform Module (TPM) is used to provide a complete integrity measurement chain from the hardware to the host and guest system. A working implementation of the entire framework has been achieved for a 64bit Linux host and guest system, using QEMU and KVM as two different virtualization techniques. The implementation has been verified to correctly detect integrity changes in the guest, while maintaining a minimal performance overhead. The technique is generally portable to other operating systems. It is implemented as an integrity measurement framework for the Linux kernel, which can be extended to utilize additional measurement capabilities of the guest operating system, forming a more in-depth measurement. Prototypes for such extensions are implemented using two existing Linux security modules. An example of trusted authentication and host-based intrusion detection has been used as proof-of-concept application scenarios for the integrity measurement framework. Benchmarking on the system shows that the integrity measurement has minimal impact on the guest machine performance, with only slight overhead during the guest machine boot time. Correctness and security strength of the framework were verified using functional and penetration testing.