Measuring Software Integrity with LKIM

Next-generation technology for the detection of malicious modifications to a running piece of software

Software & Information Technology

The Linux Kernel Integrity Measurer (LKIM) verifies that running system software has not been modified and is authorized to run on the system. Unlike other system integrity technologies, LKIM does not require a database of known malware signatures and can detect modifications resulting from previously unknown attacks. Although LKIM was initially designed for Linux, variations extend it to other operating systems (including Microsoft Windows and the Xen Hypervisor). Proper use of this technology increases confidence that running systems have not been compromised, making the system more trustworthy for its intended purpose.

The LKIM system flow chart

The LKIM system consists of three components: the baseliner, which analyzes the kernel and module executable files to produce a ground truth baseline measurement; the measurer, which analyzes the runtime memory of the kernel to produce a runtime measurement; and the appraiser, which compares the runtime measurement against the ground truth.

Potential applications include measurement and attestation, system monitoring, configuration control, protecting access to network resources, and computer forensics.
