CPC G06F 21/577 (2013.01) [G06F 21/554 (2013.01); G06F 21/575 (2013.01); G06F 2221/033 (2013.01)] | 3 Claims
1. A method comprising:
verifying trust in a plurality of state information including a kernel code and a module code to load onto a computing system;
loading, by at least one processor of the computing system, the kernel code and the module code to a memory,
wherein the memory is accessible by a device separate from the at least one processor,
verifying and loading a measurement module into the memory;
wherein the state information corresponds to a plurality of symbols;
measuring, by the measurement module, after the measurement module is loaded and before loading a plurality of other modules, the state information corresponding to each of the symbols to generate a set of respective initial measurements; and
providing the set of initial measurements associated with the respective symbols to the device for integrity monitoring;
monitoring, by the device, respective state information in the memory corresponding to each of the symbols by:
measuring, by the device, the state information corresponding to each of the symbols to determine a second set of measurements;
comparing, by the device, the second set of the measurements with the initial measurements;
determining, by the device, that there is a violation based on the comparison; and
performing, by the device, a security action based on the determination of the violation,
loading, by the measurement module, a hook into a function for loading the other modules, wherein each of the other modules corresponds to other symbols;
measuring, by the measurement module, respective baseline measurements associated with each of the other symbols; and
sending the respective baseline measurements to the device, wherein the device monitors the respective memory corresponding to each of the symbols and other symbols for violations.
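The following Python simulation is an added illustration of the scheme the claim describes; it is not code from the patent or its assignee. It assumes a flat byte buffer standing in for memory shared by the processor and a separate monitoring device, symbols modelled as (offset, length) pairs, SHA-256 digests as the "measurements", and a hook on a simulated module loader that measures each newly loaded module's symbol and sends that baseline to the device. The trust verification of the kernel and module code before loading (the claim's first step) is assumed to have succeeded and is not modelled. All names, symbol contents and sizes are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed simulation of the claimed scheme: a "memory" shared between the
# processor side (measurement module) and a separate monitoring device.
# Symbol names, sizes and contents are invented for illustration.

Symbol = Tuple[int, int]  # (offset, length) of a symbol's bytes in memory


class SharedMemory:
    """Flat byte buffer standing in for RAM that both CPU and device can read."""

    def __init__(self, size: int) -> None:
        self.buf = bytearray(size)
        self.symbols: Dict[str, Symbol] = {}
        self._next = 0

    def load(self, name: str, code: bytes) -> None:
        """Place 'code' at the next free offset and record it as a symbol."""
        off = self._next
        self.buf[off:off + len(code)] = code
        self.symbols[name] = (off, len(code))
        self._next = off + len(code)

    def read(self, sym: Symbol) -> bytes:
        off, ln = sym
        return bytes(self.buf[off:off + ln])


def measure(mem: SharedMemory, names: List[str]) -> Dict[str, str]:
    """Hash the bytes behind each symbol. Used by the measurement module for the
    initial/baseline measurements and by the device for the second set."""
    return {n: hashlib.sha256(mem.read(mem.symbols[n])).hexdigest() for n in names}


class MonitoringDevice:
    """The separate device: keeps baselines and re-measures memory on demand."""

    def __init__(self, mem: SharedMemory, on_violation: Callable[[str], None]) -> None:
        self.mem = mem
        self.baselines: Dict[str, str] = {}
        self.on_violation = on_violation

    def receive_baselines(self, m: Dict[str, str]) -> None:
        self.baselines.update(m)

    def monitor(self) -> List[str]:
        """Second measurement, comparison, and a security action per mismatch."""
        second = measure(self.mem, list(self.baselines))
        violations = [n for n, h in self.baselines.items() if second[n] != h]
        for n in violations:
            self.on_violation(n)  # security action: here, report the symbol
        return violations


class MeasurementModule:
    """Loaded after the kernel and first module, before any other modules."""

    def __init__(self, mem: SharedMemory, device: MonitoringDevice) -> None:
        self.mem = mem
        self.device = device

    def initial_measurements(self) -> Dict[str, str]:
        """Measure every symbol present so far and hand the set to the device."""
        m = measure(self.mem, list(self.mem.symbols))
        self.device.receive_baselines(m)
        return m

    def hooked_load_module(self, name: str, code: bytes) -> Dict[str, str]:
        """Hook on the module-loading function: once the module is in memory,
        measure its symbol and send that baseline to the device."""
        self.mem.load(name, code)
        baseline = measure(self.mem, [name])
        self.device.receive_baselines(baseline)
        return baseline


def run_scenario() -> Tuple[List[str], List[str]]:
    """Boot, measure, load another module through the hook, then tamper."""
    alerts: List[str] = []
    mem = SharedMemory(256)
    mem.load("kernel_text", b"\x55\x48\x89\xe5" * 8)  # constructed bytes
    mem.load("mod_a_text", b"\x90" * 16)               # constructed bytes
    device = MonitoringDevice(mem, alerts.append)
    mm = MeasurementModule(mem, device)
    mm.initial_measurements()
    mm.hooked_load_module("mod_b_text", b"\xc3" * 8)   # constructed bytes
    clean = device.monitor()                            # expected: []
    off, _ = mem.symbols["mod_a_text"]
    mem.buf[off] = 0xCC                                 # simulated unauthorized patch
    tampered = device.monitor()                         # expected: ["mod_a_text"]
    return clean, tampered


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes is the division of roles: the measurement module only ever computes and ships baselines (at boot and again from inside the module-load hook), while detection is done entirely by the device re-reading the same memory and comparing, so a compromise of the kernel after the baselines are taken cannot silently rewrite the reference values the device holds.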