Discussion

The idea of moving intrusion detection functions into the kernel is not new and has been hinted at in the literature. Balasubramaniyan et. al. discussed the advantages and disadvantages of integrating intrusion detection agents inside the kernel [1]. In-kernel intrusion detection has several advantages. First, overhead due to extra context switching is avoided - a system call is analyzed by the ID logic at the same kernel context at which the system call executes. In addition, information is registered and processed at or near the place where it is produced, reducing the time and resources for transferring the information to the analysis engine. Also, this proximity allows prompt detection and reduces the possibility of the information being modified by an attacker before it gets to the ID analysis engine. Lastly, it is harder for an intruder to tamper with the ID system as the attacker would have to modify the kernel (e.g., by defeating the kernel's memory-protection mechanism). However, the kernel-resident implementation strategy also has its disadvantages. First, kernel-resident ID systems are not portable across platforms. Second, a misbehaving ID system can do much more damage if it is running in the kernel rather than in user space because it has full access to the system. Third, entities in the kernel can have a large impact in the host behavior by slowing down fundamental operations (e.g., kernel data structures, accesses to memory, disk). Fourth, entities inside the kernel are very difficult to manage and configure. Finally, kernel programming is at a low level of abstraction, where the resources available provide very limited functionality when compared to the higher-level abstractions available in user space. Our work essentially illustrates that in-kernel intrusion detection is feasible and practical provided that the kernel-resident ID system is designed and coded carefully. With minimal adjustment, many intrusion detection techniques can be implemented to run inside the kernel efficiently without impacting the host behavior. By using the Generic Software Wrapper Toolkit as the basis for implementing kernel-resident intrusion detectors, our approach inherits the advantages of in-kernel intrusion detection while avoiding the problems of portability, manageability, and the low-level nature of kernel programming. We strongly believe that further investigation of in-kernel intrusion detection is worthwhile and necessary.