Rule-Based Integrity Checking of Interrupt Descriptor Tables in Cloud Environments

An interrupt descriptor table (IDT) is used by the processor to transfer the execution of a program to special software routines that handle interrupts, which might be raised during the normal course of operation by hardware or to signal exceptional conditions, such as a hardware failure. Attackers frequently modify the pointers in the IDT in order to execute malicious code. In this paper we present IDTchecker, which provides a comprehensive rulebased approach to check the integrity of the IDT and the corresponding interrupt handling code, based on a particular scenario commonly found in cloud environments. In this scenario, multiple virtual machines (VMs) run the same version of an OS kernel, which implies that IDT related code should also be identical across the pool of VMs. IDTchecker uses this scenario to compare the IDTs and the corresponding interrupt handlers across the VMs for any inconsistencies, based on a pre-defined set of rules. We thoroughly evaluate the effectiveness and runtime performance of IDTchecker and find that it can detect any change in the IDT or interrupt handling code without having any significant impact on a guest VMs’ system resources. Moreover, IDTchecker itself has a very small memory footprint (i.e. 10-15MB).