PsycoTrace: Virtual and Transparent Monitoring of a Process Self

PsycoTrace is a set of tools to protect a process P from attacks that alter P self as specified by its source code. P self is specified in terms of legal traces of system calls and of assertions on P status paired with each call. In turn, legal traces are specified through a context-free grammar returned by a static analysis of P program that may also compute assertions. At run-time, each time P invokes a system call, PsycoTrace checks that the trace is coherent with the grammar and assertions are satisfied. To increase overall robustness, PsycoTrace´s run-time tool relies on two virtual machines that run, respectively, P and the monitoring system. This strongly separates the monitored machine that runs P from the monitoring one. The current implementation is fully transparent to P but not to the OS because a kernel module in the monitored machine intercepts system calls. We describe PsycoTrace overall architecture and focus on the run-time and introspection tools that enable the monitoring machine to check that a trace is legal and to transparently access the memory of the other machine to evaluate assertions. Lastly, a preliminary evaluation of the run-time overhead is discussed.