The Linux Kernel Integrity Measurer (LKIM) verifies that running system software has not been modified and is authorized to run on the system. Unlike other system integrity technologies, LKIM does not require a database of known malware signatures and can detect modifications resulting from previously unknown attacks. While initially designed for Linux, there are variations that extend to other operating systems (including Microsoft Windows and the Xen Hypervisor). Proper use of this technology increases confidence that running systems have not been compromised, making the system more trustworthy for its intended purpose.
Potential applications include measurement and attestation, system monitoring, configuration control, protecting access to network resources, and computer forensics.
- In most cases, LKIM detects the impacts of a malicious attack rather than the attack itself and provides detailed evidence of the operating state of a running piece of software
- There are two kinds of attacks that LKIM targets in particular: kernel code injection (or modification) attacks and kernel control flow attacks
- A key advantage that LKIM has over static integrity measurement is its ability to measure and appraise dynamically allocated data structures
- Because LKIM does not rely on signatures of known malware, it is able to detect zero-day infections, making it ideal for countering advanced persistent threats
- US patents 7,904,278 and 8,326,579 available for license
- Potential for collaboration with NSA scientists and engineers
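The bullets above describe measurement and appraisal in the abstract. The following Python is an added illustration of that loop over a constructed, toy model of kernel memory; it is not LKIM code and does not come from the original page. The `KernelImage` data model, the addresses, the code bytes and the three object labels are all made up for the example. It shows the three checks the page attributes to this class of tool: code regions are hashed against a known-good baseline (code injection or modification), entries of a static function-pointer table are compared with their baseline targets, and pointers held in dynamically allocated objects, whose addresses a baseline cannot enumerate, are required to land inside unmodified, authorized code (control flow attacks).

```python
import hashlib
from dataclasses import dataclass

# Constructed, deliberately simplified model of a running kernel's memory:
# a few code regions, one static function-pointer table and some
# dynamically allocated objects that hold function pointers. Addresses and
# bytes are made up for the illustration; this is not LKIM's format.

@dataclass
class CodeRegion:
    name: str
    base: int
    code: bytes

@dataclass
class KernelImage:
    regions: list        # kernel text plus loaded module code
    syscall_table: list  # static table: fixed layout, baseline can list targets
    dyn_ops: dict        # dynamic objects: label -> list of function pointers

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def measure(image: KernelImage) -> dict:
    """Take a measurement: hash every code region and collect every function pointer."""
    return {
        "code": {r.name: sha256_hex(r.code) for r in image.regions},
        "layout": {r.name: (r.base, r.base + len(r.code)) for r in image.regions},
        "static_ptrs": list(image.syscall_table),
        "dyn_ptrs": {label: list(ptrs) for label, ptrs in image.dyn_ops.items()},
    }

def make_baseline(image: KernelImage) -> dict:
    """Record what a known-good system looks like (taken once, offline)."""
    m = measure(image)
    return {"code": m["code"], "syscall_table": m["static_ptrs"]}

def appraise(measurement: dict, baseline: dict) -> list:
    """Compare a measurement with the baseline; an empty list means no findings."""
    findings = []
    # Code injection / modification: every region must hash as expected and
    # no region may exist that the baseline does not know about.
    for name, digest in measurement["code"].items():
        expected = baseline["code"].get(name)
        if expected is None:
            findings.append(f"unauthorized code region {name!r}")
        elif digest != expected:
            findings.append(f"code modified in {name!r}")
    authorized = [measurement["layout"][n] for n, d in measurement["code"].items()
                  if baseline["code"].get(n) == d]

    def in_authorized_code(addr: int) -> bool:
        return any(lo <= addr < hi for lo, hi in authorized)

    # Control flow, static table: each entry must equal the baseline target.
    for i, (have, want) in enumerate(zip(measurement["static_ptrs"], baseline["syscall_table"])):
        if have != want:
            findings.append(f"syscall_table[{i}] redirected to {have:#x} (expected {want:#x})")
    # Control flow, all pointers: the baseline cannot enumerate the addresses of
    # dynamically allocated objects, so the rule is that every pointer must
    # land inside unmodified, authorized code.
    targets = [(f"syscall_table[{i}]", p) for i, p in enumerate(measurement["static_ptrs"])]
    targets += [(f"{label}[{i}]", p) for label, ptrs in measurement["dyn_ptrs"].items()
                for i, p in enumerate(ptrs)]
    for label, p in targets:
        if not in_authorized_code(p):
            findings.append(f"{label} -> {p:#x} is outside unmodified authorized code")
    return findings

def clean_image() -> KernelImage:
    """Constructed known-good state used both as baseline and as a clean sample."""
    return KernelImage(
        regions=[CodeRegion("kernel_text", 0xffff0000, bytes(range(64))),
                 CodeRegion("ext4", 0xffffa000, bytes(range(32)))],
        syscall_table=[0xffff0010, 0xffff0020, 0xffffa004],
        dyn_ops={"file_ops[sda1]": [0xffffa008, 0xffff0030],
                 "net_ops[eth0]": [0xffff0018]},
    )

def injected_and_hooked_image() -> KernelImage:
    """Module code patched, foreign code present, table entry and dynamic pointer hooked."""
    img = clean_image()
    img.regions[1].code = b"\xcc" + img.regions[1].code[1:]          # patch ext4
    img.regions.append(CodeRegion("injected", 0xffffc000, b"\x90" * 16))
    img.syscall_table[1] = 0xffffc000                                # hook static table
    img.dyn_ops["file_ops[sda1]"][0] = 0xffffc004                    # hook dynamic object
    return img

def dynamic_hijack_only_image() -> KernelImage:
    """Code untouched; only a pointer in a heap-allocated object is redirected."""
    img = clean_image()
    img.dyn_ops["net_ops[eth0]"][0] = 0xffffe000   # points into non-code memory
    return img

if __name__ == "__main__":
    baseline = make_baseline(clean_image())
    for label, img in [("clean", clean_image()),
                       ("injected+hooked", injected_and_hooked_image()),
                       ("dynamic hijack", dynamic_hijack_only_image())]:
        print(label, appraise(measure(img), baseline) or "no findings")
```

The `dynamic_hijack_only_image` case is the one that separates this approach from a static integrity check: every code hash still matches the baseline, and only the pointer stored in a heap-allocated object has changed, so a tool that hashes code alone reports nothing while the appraisal above flags the redirected pointer. Note also that appraisal reports the impact (a modified region, a pointer into unauthorized memory) rather than identifying the attack that caused it, which matches the page's first bullet.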