Open Access
Detecting kernel rootkits
Ashwin Ramaswamy
- 01 Jan 2008
TL;DR: This work writes its own kernel rootkit that manipulates the network driver, thus giving it control over all packets sent into the network, and leverages existing kernel functionalities such as kprobes to identify potential attack scenarios from within the system rather than from outside it.
Abstract: Kernel rootkits are a special category of malware that are deployed directly in the kernel and hence have unmitigated reign over the functionalities of the kernel itself. We seek to detect such rootkits that are deployed in the real world by first observing how the majority of kernel rootkits operate. To this end, comparable to how rootkits function in the real world, we write our own kernel rootkit that manipulates the network driver, thus giving us control over all packets sent into the network. We then implement a mechanism to thwart the attacks of such rootkits by noticing that a large number of the rootkits deployed today rely heavily on the redirection of function pointers within the kernel. By overwriting the desired function pointer to its own function, a rootkit can perform a proverbial man-in-the-middle attack. Our goal is not just the detection of kernel rootkits, but also to levy as little an impact on system performance as possible. Hence our technique is to leverage existing kernel functionalities (in the case of Linux) such as kprobes to identify potential attack scenarios from within the system rather than from outside it (such as a VMM). We hope to introduce real-world security in devices where performance and resource constraints are tantamount to security considerations.
Citations
VM-based Security Overkill: A Lament for Applied Systems Security Research (Position Paper, pre-proceedings version)
Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, Sean W. Smith +3 more
- 01 Jan 2010
TL;DR: In this paper, the authors present a case study of an alternative design for protecting privileged computation against malicious computation (i.e., rootkit) and conclude that self-protection mechanisms still represent an interesting and viable path of research.
VM-based security overkill: a lament for applied systems security research
Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, Sean W. Smith +3 more
- 21 Sep 2010
TL;DR: It is suggested that many scenarios exist where virtual machines do not provide a suitable tool or appropriate security properties and that 'self-protection' mechanisms still represent an interesting and viable path of research.
Stealthy Rootkits in Smart Grid Controllers
Prashanth Krishnamurthy, Hossein Salehghaffari, Shiva Duraisamy, Ramesh Karri, Farshad Khorrami +4 more
- 01 Nov 2019
TL;DR: It is shown that the attack drastically impacts the CPS, especially when the adversary strategically chooses the target relays to attack, and an ensemble of detectors are designed to detect the attack and uncover its persistence and insertion mechanisms.
Autoscopy: Detecting Pattern-Searching Rootkits via Control Flow Tracing
Ashwin Ramaswamy
- 01 Jan 2009
TL;DR: By leveraging tracing frameworks within operating systems, it is shown that it is possible to introduce real-world security in devices where performance and resource constraints are tantamount to security considerations.
Data concealments with high privacy in new technology file system
TL;DR: This paper proposes a new approach, called file concealer (FC), to conceal files in a computer system, which modifies metadata about a file in NTFS to hide the file and shows that it is difficult for antivirus software to detect the files hidden by FC.
References
A sense of self for Unix processes
Stephanie Forrest, Steven Hofmeyr, Anil Somayaji, Thomas A. Longstaff +3 more
- 06 May 1996
TL;DR: A method for anomaly detection is introduced in which "normal" is defined by short-range correlations in a process' system calls, and initial experiments suggest that the definition is stable during normal behaviour for standard UNIX programs.
Intrusion detection using sequences of system calls
TL;DR: Evidence is given that short sequences of system calls executed by running processes are a good discriminator between normal and abnormal operating characteristics of several common UNIX programs.
Automated detection of persistent kernel control-flow attacks
Nick L. Petroni, Michael Hicks +1 more
- 28 Oct 2007
TL;DR: This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI), and implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors.
Compatibility is not transparency: VMM detection myths and realities
Tal Garfinkel, Keith Adams, Andrew Warfield, Jason Franklin +3 more
- 07 May 2007
TL;DR: It is concluded that building a transparent VMM is fundamentally infeasible, as well as impractical from a performance and engineering standpoint.
Detecting kernel-level rootkits through binary analysis
Christopher Kruegel, William Robertson, Giovanni Vigna +2 more
- 06 Dec 2004
TL;DR: This paper presents a technique that exploits binary analysis to ascertain, at load time, if a module's behavior resembles the behavior of a rootkit, and it is possible to provide additional protection against this type of malicious modification of the kernel.