Countering kernel rootkits with lightweight hook protection

@inproceedings{Wang2009CounteringKR,
  title={Countering kernel rootkits with lightweight hook protection},
  author={Zhi Wang and Xuxian Jiang and Weidong Cui and Peng Ning},
  booktitle={CCS},
  year={2009}
}
Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with…
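The abstract's two problems (a hook is a single pointer store away from hijack, and it often shares a heap chunk with data the kernel legitimately writes, so the page holding it cannot simply be made read-only) and HookSafe's published remedy (relocate hooks into a dedicated page-aligned area that is write-protected at page granularity and reached through an indirection layer) can be modelled in user space. The block below is an added example, not HookSafe's code or any kernel's: the object layout, the "rootkit", and the names are hypothetical, and it simplifies HookSafe's design by storing a slot index in the object instead of instrumenting the instructions that access the original hook location. It uses Linux mmap/mprotect in place of hypervisor page protection.

```c
/* Added example, not HookSafe's code. Models a heap object whose hook is
 * co-located with mutable data, then relocates the hook into one sealed
 * page (HookSafe's idea, simplified). Build: cc -std=gnu11 -Wall demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*read_hook_t)(const char *path);

static int real_read(const char *path) { return (int)strlen(path); }
/* Hypothetical rootkit replacement: returns -1 so callers never see the file. */
static int evil_read(const char *path) { (void)path; return -1; }

/* 1. Original layout: hook and mutable data share one heap chunk, so the
 *    page holding the hook cannot be made read-only without breaking writes
 *    to name/refcount. */
struct kobj {
    read_hook_t read;   /* control data a rootkit overwrites */
    char name[32];      /* legitimately rewritten at run time */
    unsigned refcount;
};

struct kobj *kobj_new(void) {
    struct kobj *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->read = real_read;
    strcpy(o->name, "proc");
    return o;
}

/* One pointer store is all the hijack takes; returns the hijacked result. */
int rootkit_hijack_inline(struct kobj *o) {
    o->read = evil_read;
    return o->read("/etc/passwd");
}

/* 2. Relocated layout: hooks live only in hook_area (one page). Objects keep
 *    a slot index and every dispatch goes through kobj_do_read(). */
#define MAX_HOOKS 64
static read_hook_t *hook_area;
static size_t hook_count;

struct kobj_reloc { size_t read_slot; char name[32]; unsigned refcount; };

int hook_area_init(void) {
    hook_area = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    hook_count = 0;
    return hook_area == MAP_FAILED ? -1 : 0;
}

long hook_register(read_hook_t fn) {   /* only before sealing, i.e. at "boot" */
    if (hook_count >= MAX_HOOKS) return -1;
    hook_area[hook_count] = fn;
    return (long)hook_count++;
}

/* After sealing, any store into the hook area faults. HookSafe takes that
 * fault in the hypervisor; here the MMU would deliver SIGSEGV. */
int hook_area_seal(void) {
    return mprotect(hook_area, (size_t)sysconf(_SC_PAGESIZE), PROT_READ);
}

int kobj_do_read(const struct kobj_reloc *o, const char *path) {
    if (o->read_slot >= hook_count) return -1;  /* selector must stay in range */
    return hook_area[o->read_slot](path);
}

/* Probe writability without faulting the process: the kernel's copy into an
 * unwritable page fails with EFAULT. Returns 1 writable, 0 protected, -1 error. */
int page_writable(void *p) {
    int fds[2], w = -1;
    char c = 'x', saved = *(char *)p;
    if (pipe(fds) < 0) return -1;
    if (write(fds[1], &c, 1) == 1) {
        ssize_t n = read(fds[0], p, 1);
        if (n == 1) { *(char *)p = saved; w = 1; }
        else if (n < 0 && errno == EFAULT) w = 0;
    }
    close(fds[0]); close(fds[1]);
    return w;
}

/* Walk the relocated design end to end; 0 on success, -N at the failing step. */
int demo_relocated(void) {
    if (hook_area_init() != 0) return -1;
    long slot = hook_register(real_read);
    if (slot < 0) return -2;
    if (hook_area_seal() != 0) return -3;
    if (page_writable(hook_area) != 0) return -4;   /* hooks are immutable now */
    struct kobj_reloc o = { .read_slot = (size_t)slot, .refcount = 1 };
    strcpy(o.name, "renamed");                      /* data writes still work */
    if (kobj_do_read(&o, "/etc/passwd") != 11) return -5;
    return 0;   /* hook_area[slot] = evil_read; would now SIGSEGV */
}

int main(void) {
    printf("inline hijack result: %d\n", rootkit_hijack_inline(kobj_new()));
    printf("relocated demo: %d\n", demo_relocated());
    return 0;
}
```

What the model deliberately leaves open: the slot index itself still sits in writable heap memory, so a rootkit can no longer plant an arbitrary address but can still pick another registered hook within range. Confining that selector to the targets the kernel's control-flow graph allows is exactly the step the indexed-hooks work listed below adds.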

Citations

MOSKG: countering kernel rootkits with a secure paging mechanism
Proposes a secure paging mechanism and builds on it an external, transparent architecture named multiple operating systems kernel guard (MOSKG), which can protect critical kernel data in different operating systems such as Windows and Linux, both 32-bit and 64-bit.
OPKH: A lightweight online approach to protecting kernel hooks in kernel modules
Proposes OPKH, an on-the-fly hook protection system based on virtualization technology, and shows that it can protect dynamic hooks effectively with minimal performance overhead.
Comprehensive and Efficient Protection of Kernel Control Data
Presents indexed hooks, a scheme that greatly facilitates kernel control-flow enforcement by thoroughly transforming and restricting kernel control data to take only legal jump targets (those allowed by the kernel's control-flow graph), severely limiting an attacker's ability to exploit such data as an infection vector for rootkit attacks.
KQguard: Protecting Kernel Callback Queues
KQguard protects all 20 kernel callback queues (KQs) in the Windows Research Kernel (WRK), can be extended to accommodate new device drivers, and, through dynamic analysis, can support closed-source device drivers.
Hades∗: Scanning Kernel Extensions to Trust the Untrustworthy (2013)
Modern monolithic OSes leverage the loadable kernel module paradigm to add functionality to the kernel and allow a system to communicate with an increasing number of I/O devices. This paradigm is…
KLrtD: Kernel level rootkit detection
A detection method, named WHKrD, that detects and blocks kernel data rootkit attacks by monitoring kernel data access from a virtual machine monitor (VMM); its effectiveness and practicality are demonstrated.
POSTER: HookLocator: Function Pointer Integrity Checking in Kernel Pools via Virtual Machine Introspection
With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows, malware developers can no longer easily install stealthy hooks in kernel…
Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation
Barrier is a lightweight hypervisor designed to enhance the kernel integrity of personal computers by leveraging hardware-supported memory virtualization to isolate kernel modules into separate address spaces.
Hello rootKitty: A Lightweight Invariance-Enforcing Framework
Presents Hello rootKitty, an invariance-enforcing framework that takes advantage of current virtualization technology to protect a guest operating system against rootkits; it uses the idea of invariance to detect maliciously modified kernel data structures and restore them to their original legitimate values.
Domain Isolated Kernel: A lightweight sandbox for untrusted kernel extensions
The monolithic kernel is one of the prevalent configurations among kernel design models. While monolithic kernels excel in performance and management, they are unequipped for runtime system…

References

Showing 10 of 32 references.
Countering Persistent Kernel Rootkits through Systematic Hook Discovery
Builds a proof-of-concept system called HookMap and evaluates it with a number of Linux utility programs such as ls, ps, and netstat on Red Hat Fedora Core 5, finding 35 kernel hooks in the kernel-side execution path of ls that could potentially be hijacked for manipulation.
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
NICKLE is a lightweight, virtual machine monitor (VMM) based system that transparently prevents unauthorized kernel code execution for unmodified commodity (guest) OSes; it guarantees that only authenticated kernel code will be executed, foiling the kernel rootkit's attempt to strike in the first place.
Multi-aspect profiling of kernel rootkit behavior
Presents PoKeR, a kernel rootkit profiler capable of producing multi-aspect rootkit profiles, which include the revelation of rootkit hooking behavior, the exposure of targeted kernel objects (both static and dynamic), assessment of user-level impacts, and the extraction of kernel rootkit code.
K-Tracer: A System for Extracting Kernel Malware Behavior
Builds a system called K-Tracer that can dynamically analyze Windows kernel-level code and extract malicious behaviors from rootkits, including sensitive data access, modification, and triggers, overcoming several challenges of analyzing the Windows kernel.
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
Presents the design and implementation of a system that fully automates the construction of instruction sequences an attacker can use for malicious computations, and describes a practical attack that bypasses existing kernel integrity protection mechanisms.
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
A tiny hypervisor that ensures code integrity for commodity OS kernels: SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime, which protects the kernel against code injection attacks such as kernel rootkits.
Hypervisor Support for Identifying Covertly Executing Binaries
Because Patagonix makes no assumptions about the OS kernel, it can identify code from application and kernel binaries on both Linux and Windows XP, and introduces less than 3% overhead on most applications.
HookFinder: Identifying and Understanding Malware Hooking Behaviors
Proposes a unified approach, fine-grained impact analysis, to identify malware hooking behaviors, and devises a method using semantics-aware impact dependency analysis to provide a succinct and intuitive graph representation of hooking mechanisms.
Detecting stealth software with Strider GhostBuster
Describes the design and implementation of the Strider GhostBuster tool and demonstrates its efficiency and effectiveness in detecting resources hidden by real-world malware such as rootkits, Trojans, and key-loggers.
Lares: An Architecture for Secure Active Monitoring Using Virtualization
Describes an architecture that takes a hybrid approach, giving security tools the ability to do active monitoring while still benefiting from the increased security of an isolated virtual machine.