ISC Information Security Conference edition:14 location:Xi'an China date:2011
In monolithic operating systems, the kernel is the piece of
code that executes with the highest privileges and has control over all
the software running on a host. A successful attack against an operating
system’s kernel means a total and complete compromise of the running
system. These attacks usually end with the installation of a rootkit.
Rootkits are stealthy pieces of software running in the address space of
the kernel where they can conceal themselves from administrators. By
modifying specific kernel objects it is possible to hide malicious processes
and keep the system compromised for an indefinite amount of time. When
a rootkit is present, no guarantees can be made about the correctness,
privacy or isolation of the operating system.
In this paper we present Hello rootKitty an invariance-enforcing frame-
work which takes advantage of current virtualization technology to pro-
tect a guest operating system against rootkits. Hello rootKitty uses the
idea of invariance to detect maliciously modified kernel data structures
and restore them to their original legitimate values. Our system utilizes
the hypervisor’s architecture to remain concealed and non-reachable by
any attacker within the virtualized operating system. Our prototype has
negligible performance and memory overhead while effectively protecting
commodity operating systems from modern rootkits.