
14th Information Security Conference (ISC), Date: 2011/10/26 - 2011/10/29, Location: Xi'an China

Publication date: 2011-10-26
Volume: 7001 Pages: 213 - 228
ISBN: 978-3-642-24860-3
Publisher: Springer

INFORMATION SECURITY

Author:

Gadaleta, Francesco; Nikiforakis, Nick; Younan, Yves; Joosen, Wouter
(Proceedings editors: Lai, XJ; Zhou, JY; Li, H)

Keywords:

Science & Technology, Technology, Computer Science, Theory & Methods, Computer Science, rootkits, virtualization, detection, invariance, KERNEL ROOTKITS, cs.OS, cs.CR

Abstract:

In monolithic operating systems, the kernel is the piece of code that executes with the highest privileges and has control over all the software running on a host. A successful attack against an operating system’s kernel means a total and complete compromise of the running system. These attacks usually end with the installation of a rootkit. Rootkits are stealthy pieces of software running in the address space of the kernel where they can conceal themselves from administrators. By modifying specific kernel objects it is possible to hide malicious processes and keep the system compromised for an indefinite amount of time. When a rootkit is present, no guarantees can be made about the correctness, privacy or isolation of the operating system. In this paper we present Hello rootKitty, an invariance-enforcing framework which takes advantage of current virtualization technology to protect a guest operating system against rootkits. Hello rootKitty uses the idea of invariance to detect maliciously modified kernel data structures and restore them to their original legitimate values. Our system utilizes the hypervisor’s architecture to remain concealed and non-reachable by any attacker within the virtualized operating system. Our prototype has negligible performance and memory overhead while effectively protecting commodity operating systems from modern rootkits.
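The abstract's core mechanism, detecting a modified kernel data structure by comparing it against a known-good image and writing the original values back, can be shown in miniature. The following is an added illustrative example written for this page; it is not Hello rootKitty's code and does not run in a hypervisor. It models, in user space, a guest kernel syscall table (an invariant-after-boot structure), a hooking rootkit that overwrites one entry, and an out-of-guest monitor that snapshots the table, re-checks it with a hash, and restores it. The table, the handlers, the `evil_getpid` hook and the FNV-1a hash are all constructed stand-ins chosen for this example.

```c
/*
 * Illustrative user-space model (added example; not the authors' code) of
 * invariance-based rootkit detection and restoration. The monitor is assumed
 * to live outside the guest (in the real system, the hypervisor) so that the
 * golden copy it keeps is unreachable from the compromised kernel.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NR_SYSCALLS 4
typedef long (*syscall_fn)(long);

/* Modelled guest kernel state: a dispatch table that must not change after boot. */
static syscall_fn sys_call_table[NR_SYSCALLS];

static long sys_getpid(long arg) { (void)arg; return 4242; }
static long sys_echo(long arg)   { return arg; }

/* Modelled rootkit hook (constructed): makes every caller look like PID 1. */
static long evil_getpid(long arg) { (void)arg; return 1; }

/* Monitor-side record of one protected region: location, a hash for cheap
 * periodic checks, and a full golden copy so the region can be restored
 * rather than only flagged. */
struct invariant_region {
    unsigned char *addr;
    size_t len;
    uint64_t golden_hash;
    unsigned char golden_copy[sizeof(sys_call_table)];
};

/* FNV-1a, used here only as a fast non-cryptographic change detector. */
static uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Take the golden snapshot. Assumption: called while the structure is still
 * known-good (e.g. right after guest boot); snapshotting later would enshrine
 * the attacker's values. Returns 0 on success, -1 if the region does not fit. */
static int register_invariant(struct invariant_region *r, void *addr, size_t len) {
    if (len > sizeof(r->golden_copy)) return -1;
    r->addr = addr;
    r->len = len;
    memcpy(r->golden_copy, addr, len);
    r->golden_hash = fnv1a64(r->addr, len);
    return 0;
}

/* Detection: 1 if the live region no longer matches the snapshot, else 0. */
static int invariant_violated(const struct invariant_region *r) {
    return fnv1a64(r->addr, r->len) != r->golden_hash;
}

/* Restoration: write golden bytes back over each modified pointer-sized slot.
 * Returns the number of slots that had been changed. */
static size_t restore_invariant(struct invariant_region *r) {
    size_t changed = 0;
    for (size_t off = 0; off + sizeof(void *) <= r->len; off += sizeof(void *)) {
        if (memcmp(r->addr + off, r->golden_copy + off, sizeof(void *)) != 0) {
            memcpy(r->addr + off, r->golden_copy + off, sizeof(void *));
            changed++;
        }
    }
    return changed;
}

/* Guest boot: populate the table with the legitimate handlers. */
static void guest_boot(void) {
    sys_call_table[0] = sys_getpid;
    for (int i = 1; i < NR_SYSCALLS; i++) sys_call_table[i] = sys_echo;
}

/* Rootkit installation: overwrite one entry, as a syscall-hooking rootkit does. */
static void rootkit_install(void) { sys_call_table[0] = evil_getpid; }

/* End-to-end run; returns 0 when detection and restoration behave as expected,
 * otherwise the number of the step that failed. */
static int run_scenario(void) {
    struct invariant_region tbl;
    guest_boot();
    if (register_invariant(&tbl, sys_call_table, sizeof(sys_call_table)) != 0) return 1;
    if (invariant_violated(&tbl)) return 2;       /* clean guest must pass the check */
    rootkit_install();
    if (sys_call_table[0](0) != 1) return 3;      /* the hook is live in the guest */
    if (!invariant_violated(&tbl)) return 4;      /* the monitor must notice */
    if (restore_invariant(&tbl) != 1) return 5;   /* exactly one slot repaired */
    if (invariant_violated(&tbl)) return 6;       /* table is invariant again */
    if (sys_call_table[0](0) != 4242) return 7;   /* legitimate handler is back */
    return 0;
}

int main(void) {
    int rc = run_scenario();
    printf("scenario %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Two caveats a practitioner would check before trusting such a scheme. First, the golden copy is only as good as the moment it was taken: the snapshot must come from a state the monitor can vouch for (the abstract relies on the hypervisor being outside the attacker's reach, but it says nothing about how the initial values are established), so the snapshot point is part of the trust assumption. Second, this model only covers structures that are genuinely invariant after boot; kernel objects that are legitimately rewritten at runtime would produce false positives under a plain byte comparison and need a different policy than "restore to the boot-time image".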