DocumentCode
3357131
Title
LWRM: A lightweight response mechanism for TCG TOCTOU attack
Author
Xiaolin Chang ; Bin Xing ; Jiqiang Liu ; Muppala, J.K.
Author_Institution
Dept. of Comput. Eng., Beijing JiaoTong Univ., Beijing, China
fYear
2009
fDate
14-16 Dec. 2009
Firstpage
200
Lastpage
207
Abstract
The current TCG architecture suffers from time-of-check-to-time-of-use (TOCTOU) attacks in commodity PC operating systems (OS), in which kernel rootkits can get unrestricted access to OS resources. VMM-based approaches running at a privilege level higher than that of the virtual machine (VM) kernel can effectively detect dynamic or static data attacks occurring in VMs. This paper proposes a lightweight response mechanism (LWRM) for TCG TOCTOU attacks occurring in VMs. LWRM has the following features: (1) compared to the existing response mechanism, LWRM is more effective in defeating the TCG TOCTOU attacks; (2) LWRM imposes less overhead on the system during normal execution; (3) LWRM is transparent to the kernel rootkits; and (4) LWRM can work in scenarios with more than one run-time trusted virtual machine. We describe the design idea and the implementation by using the Xen virtual machine monitor (VMM) and the virtual TPM facility shipped with Xen.
Keywords
operating system kernels; security of data; virtual machines; PC operating systems; TCG TOCTOU attack; VMM-based approach; Xen virtual machine monitor; dynamic data attack detection; kernel rootkits; lightweight response mechanism; run-time trusted virtual machine kernel; static data attack detection; time-of-check-to-time-of-use attacks; virtual TPM facility; Computer science; Hardware; Kernel; Operating systems; Protection; Runtime; Virtual machine monitors; Virtual machining; Virtual manufacturing; Voice mail; TOCTOU attacks; kernel rootkit; trusted computing; virtual machines;
fLanguage
English
Publisher
ieee
Conference_Titel
Performance Computing and Communications Conference (IPCCC), 2009 IEEE 28th International
Conference_Location
Scottsdale, AZ
ISSN
1097-2641
Print_ISBN
978-1-4244-5737-3
Type
conf
DOI
10.1109/PCCC.2009.5403811
Filename
5403811