Abstract: The present invention relates to an apparatus for reinforcing security of a mobile trusted execution environment, and relates to an apparatus for reinforcing security of a mobile trusted execution environment for constructing a general-purpose trusted execution environment. According to an embodiment of the present invention, a technology available for a general purpose in a mobile device operating on the basis of an ARM architecture has effects of configuring a trusted execution environment for guaranteeing safe execution of an application without depending on an existing commercial security technology, and of configuring a mobile trusted execution environment by using a write area execution prevention function and a debugging watchpoint, which are general-purpose hardware functions.

Abstract: A memory alignment randomization method of a memory heap exploit is provided, memory alignment of objects inside a heap area is randomly performed to mitigate the exploits of the vulnerability of the software memory heap area The heap exploit is powerfully mitigated by aligning randomly obtained memory addresses instead of aligning memory addresses at multiples of 4 or 8 when the memory alignment for the objects inside the heap area.

Abstract: Provided is a method of memory access for a memory controller in an integrity monitoring system sharing memory with a host system. The memory access method may include: receiving a memory access command from a local processor of the integrity monitoring system; accessing a system memory of the host system according to the memory access command; receiving data corresponding to the memory access command from the host system; and forwarding the received data to the local processor, wherein the system memory includes a secure area, access to which is allowed when the memory controller receives a memory access command from the local processor. In a feature of the present invention, there are provided a method and apparatus that can monitor integrity of data processed in the host system in a SoC environment.

Abstract: A memory alignment randomization method of a memory heap exploit is provided, memory alignment of objects inside a heap area is randomly performed to mitigate the exploits of the vulnerability of the software memory heap area The heap exploit is powerfully mitigated by aligning randomly obtained memory addresses instead of aligning memory addresses at multiples of 4 or 8 when the memory alignment for the objects inside the heap area.

Abstract: An apparatus and method for detecting a malicious domain cluster. The apparatus for detecting a malicious domain cluster includes a domain name server (DNS) data collection unit and a malicious domain cluster detection unit. The DNS data collection unit collects DNS traffic over a network, and stores the DNS traffic in a database. The malicious domain cluster detection unit generates a domain cluster based on the DNS data, learns the characteristics of normal and malicious clusters in the domain cluster, and detects whether the domain cluster is malicious based on the result of the learning.

Abstract: A snoop-based kernel integrity monitoring apparatus and a method thereof are provided. More particularly, provided are a kernel integrity monitoring apparatus which is provided as a hardware device independent of a host system, and snoops traffic occurring in a system bus of the host system and by detecting a write attempt in a kernel immutable region, monitors integrity of the kernel, and a method thereof. According to the apparatus and method, by analyzing traffic of the system bus of the host system, a write attempt in the kernel immutable region is detected. Thus, a transient attack which is difficult for a snapshot method to detect can be detected.

Abstract: An apparatus and method for detecting a malicious domain cluster. The apparatus for detecting a malicious domain cluster includes a domain name server (DNS) data collection unit and a malicious domain cluster detection unit. The DNS data collection unit collects DNS traffic over a network, and stores the DNS traffic in a database. The malicious domain cluster detection unit generates a domain cluster based on the DNS data, learns the characteristics of normal and malicious clusters in the domain cluster, and detects whether the domain cluster is malicious based on the result of the learning.

Abstract: Provided is a method of memory access for a memory controller in an integrity monitoring system sharing memory with a host system. The memory access method may include: receiving a memory access command from a local processor of the integrity monitoring system; accessing a system memory of the host system according to the memory access command; receiving data corresponding to the memory access command from the host system; and forwarding the received data to the local processor, wherein the system memory includes a secure area, access to which is allowed when the memory controller receives a memory access command from the local processor. In a feature of the present invention, there are provided a method and apparatus that can monitor integrity of data processed in the host system in a SoC environment.

Abstract: A technology for preventing network attacks. A service request is intercepted at an unaddressed port of a hidden device from a second device. The service request intended for a visible device is processed by the hidden device. A response may be provided based on the processing and sent to the second device.

Abstract: A snoop-based kernel integrity monitoring apparatus and a method thereof are provided. More particularly, provided are a kernel integrity monitoring apparatus which is provided as a hardware device independent of a host system, and snoops traffic occurring in a system bus of the host system and by detecting a write attempt in a kernel immutable region, monitors integrity of the kernel, and a method thereof. According to the apparatus and method, by analyzing traffic of the system bus of the host system, a write attempt in the kernel immutable region is detected. Thus, a transient attack which is difficult for a snapshot method to detect can be detected.

Abstract: A technology for preventing network attacks. A service request is intercepted at an unaddressed port of a hidden device from a second device. The service request intended for a visible device is processed by the hidden device. A response may be provided based on the processing and sent to the second device.