Monitoring integrity using limited local memory

Yuki Kinebuchi, Shakeel Butt, Vinod Ganapathy, Liviu Iftode, Tatsuo Nakajima

Research output: Contribution to journalArticlepeer-review

13 Citations (Scopus)


System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state-of-the-art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastructure is part of the trusted computing base. However, modern virtual machine monitors are complex entities, with large code bases that are difficult to verify. In this paper, we present a new machine architecture called limited local memory (LLM), which we use to set up an alternative tamper-proof execution environment for system integrity monitors. This architecture builds upon recent trends in multicore chip design to equip each processing core with access to a small, private memory area. We show that the features of the LLM architecture, combined with a novel secure paging mechanism, suffice to bootstrap a tamper-proof execution environment without support for hardware virtualization. We demonstrate the utility of this architecture by building a rootkit detector that leverages the key features of LLM. This rootkit detector can safely inspect a target operating system without itself becoming the victim of infection.

Original languageEnglish
Article number6523151
Pages (from-to)1230-1242
Number of pages13
JournalIEEE Transactions on Information Forensics and Security
Issue number7
Publication statusPublished - 2013


  • Local memory
  • multicore
  • system integrity

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'Monitoring integrity using limited local memory'. Together they form a unique fingerprint.

Cite this