Technical Report: A Toolkit for Runtime Detection of Userspace Implants
This addresses security threats for users and systems by providing a toolkit to enhance detection capabilities, though it appears incremental as it builds on existing integrity measurement approaches.
The paper tackles the problem of detecting advanced malware like memory-only implants that evade traditional tools by introducing the Userspace Integrity Measurement Toolkit (USIM Toolkit), which validates platform integrity against invariants based on expected userspace behavior and malware key behaviors.
This paper presents the Userspace Integrity Measurement Toolkit (USIM Toolkit), a set of integrity measurement collection tools capable of detecting advanced malware threats, such as memory-only implants, that evade many traditional detection tools. Userspace integrity measurement validates that a platform is free from subversion by validating that the current state of the platform is consistent with a set of invariants. The invariants enforced by the USIM Toolkit are carefully chosen based on the expected behavior of userspace, and key behaviors of advanced malware. Userspace integrity measurement may be combined with existing filesystem and kernel integrity measurement approaches to provide stronger guarantees that a platform is executing the expected software and that the software is in an expected state.