Towards Concurrent Data Sampling Using GPU Coprocessing

Host intrusion detection systems operating on the host under observation itself are limited by an adversary´s ability to subvert all data collection and the detection and mitigation mechanisms themselves. Although coprocessor architectures have been proposed to avoid this security mechanism integrity problem, they either involve the application of non-standard hardware or rely on host-bound application programming interfaces (API). This is why, so far, they are only used in the field of network intrusion detection. In this paper, we present our results concerning a concurrent host memory sampling mechanism based on direct memory access (DMA) and demonstrate that it is possible to de-couple GPU kernel execution, thereby providing temporary isolation from the host and allowing data sampling actions to be taken without interruption. We present a security analysis of our approach and detail a proof-of-concept implementation of the autonomous concurrent monitoring and sampling system, thus, validating that self-sufficient data sampling using a commodity coprocessor (i.e. a GPU) is indeed possible.