Book Chapter: 10.1007/978-3-642-02918-9_4
Shepherding Loadable Kernel Modules through On-demand Emulation
Chaoting Xuan, John A. Copeland, Raheem Beyah +2 more
- 29 Jun 2009
- pp 48-67
TL;DR: DARK, a rootkit prevention system that tracks a suspicious loadable kernel module at a granular level by using on-demand emulation, a technique that dynamically switches a running system between virtualized and emulated execution, is presented.
Abstract: Despite many advances in system security, rootkits remain a threat to major operating systems. First, this paper discusses why kernel integrity verification is not sufficient to counter all types of kernel rootkits, and a confidentiality-violation rootkit is demonstrated to evade all integrity verifiers. Then, the paper presents DARK, a rootkit prevention system that tracks a suspicious loadable kernel module at a granular level by using on-demand emulation, a technique that dynamically switches a running system between virtualized and emulated execution. Combining the strengths of emulation and virtualization, DARK is able to thoroughly capture the activities of the target module in a guest OS while maintaining reasonable run-time performance. To address integrity-violation and confidentiality-violation rootkits, we create a group of security policies that can detect all available Linux rootkits. Finally, it is shown that normal guest OS performance is unaffected. The performance is only decreased when rootkits attempt to run, while most rootkits are detected at installation.
Citations
Toward Revealing Kernel Malware Behavior in Virtual Execution Environments
Chaoting Xuan, John A. Copeland, Raheem Beyah +2 more
- 01 Oct 2009
TL;DR: The evaluation results show that Rkprofiler can quickly expose the security-sensitive activities of kernel malware and thus reduces the effort exerted in conducting tedious manual malware analysis.
Security importance assessment for system objects and malware detection
TL;DR: A security dependency network is built from access behaviors to quantify the security importance of system objects from a system-wide perspective and proposes an importance based model for malware detection.
Patent
Detection of hidden objects in a computer system
Vyacheslav E. Rusakov
- 29 Nov 2010
TL;DR: In this paper, the authors propose a method for detecting a security compromise of a service module of an operating system running on a computer by bypassing at least one native service module.
Exploring Rootkit Detectors' Vulnerabilities Using a New Windows Hidden Driver Based Rootkit
Woei-Jiunn Tsaur, Yuh-Chen Chen +1 more
- 20 Aug 2010
TL;DR: A new Windows driver-hidden rootkit with five tricks based on DKOM is developed, and it is verified that it can successfully avoid a variety of well-known rootkit detectors.
Strengthening digital rights management using a new driver-hidden rootkit
TL;DR: A new driver-hidden rootkit is constructed using the technique of DKOM (Direct Kernel Object Manipulation), and it is verified that it can successfully avoid a variety of well-known rootkit detectors.
References
• Proceedings Article
A Virtual Machine Introspection Based Architecture for Intrusion Detection.
Tal Garfinkel, Mendel Rosenblum +1 more
- 01 Jan 2003
TL;DR: This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig +3 more
- 14 Oct 2007
TL;DR: A tiny hypervisor that ensures code integrity for commodity OS kernels, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime, which protects the kernel against code injection attacks, such as kernel rootkits.
• Proceedings Article
Copilot - a coprocessor-based kernel runtime integrity monitor
Nick L. Petroni, Timothy Fraser, Jesus Molina, William A. Arbaugh +3 more
- 13 Aug 2004
TL;DR: Copilot is a coprocessor-based kernel integrity monitor for commodity systems designed to detect malicious modifications to a host's kernel and has correctly detected the presence of 12 real-world rootkits within 30 seconds of their installation with less than a 1% penalty to the host's performance.
Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems.
Arvind Seshadri, Mark Luk, Adrian Perrig, Leendert van Doorn, Pradeep K. Khosla +4 more
- 01 Jan 2007
TL;DR: A primitive, called Pioneer, is proposed, as a first step towards verifiable code execution on untrusted legacy hosts and can be used as a basic building block to build security systems.
• Book
Rootkits: Subverting the Windows Kernel
Greg Hoglund, Jamie Butler +1 more
- 22 Jul 2005
TL;DR: In Rootkits, two of the world's leading experts have written the first comprehensive guide to rootkits: what they are, how they work, how to build them, and how to detect them.