Runtime Detection of Userspace Implants

Abstract

Userspace integrity is a necessary and often-overlooked component of overall system integrity. We present the concept of userspace integrity measurement to validate the state of the system against a set of carefully chosen invariants based on the expected behavior of userspace and key behaviors of advanced malware. Userspace integrity measurement may be combined with existing filesystem and kernel integrity measurement approaches to both provide stronger guarantees that a platform is executing the expected software and that the software is in an expected state. We also introduce the Userspace Integrity Measurement (USIM) Toolkit, a preliminary set of integrity measurement tools to detect advanced malware threats, such as memory-only implants, that evade traditional defenses.