# Technical Report: A Toolkit for Runtime Detection of Userspace Implants

**Authors:** J. Aaron Pendergrass, Nathan Hull, John Clemens, Sarah Helble, Mark Thober, Kathleen McGill, Machon Gregory, Peter Loscocco

arXiv: 1904.12896 · 2019-05-01

## TL;DR

This paper introduces the USIM Toolkit, a set of tools for detecting advanced malware like memory-only implants by validating platform invariants to ensure integrity and detect subversion.

## Contribution

The USIM Toolkit provides a novel approach for runtime detection of sophisticated userspace malware through integrity measurement of platform invariants.

## Key findings

- Effective detection of memory-only implants
- Compatibility with existing integrity measurement tools
- Enhanced security guarantees for platform integrity

## Abstract

This paper presents the Userspace Integrity Measurement Toolkit (USIM Toolkit), a set of integrity measurement collection tools capable of detecting advanced malware threats, such as memory-only implants, that evade many traditional detection tools. Userspace integrity measurement validates that a platform is free from subversion by validating that the current state of the platform is consistent with a set of invariants. The invariants enforced by the USIM Toolkit are carefully chosen based on the expected behavior of userspace, and key behaviors of advanced malware. Userspace integrity measurement may be combined with existing filesystem and kernel integrity measurement approaches to provide stronger guarantees that a platform is executing the expected software and that the software is in an expected state.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1904.12896/full.md

## Figures

2 figures with captions in the complete paper: https://tomesphere.com/paper/1904.12896/full.md

## References

47 references — full list in the complete paper: https://tomesphere.com/paper/1904.12896/full.md

---
Source: https://tomesphere.com/paper/1904.12896