Title: Hello rootKitty: A lightweight invariance-enforcing framework
Authors: Gadaleta, Francesco ×; Nikiforakis, Nick; Younan, Yves; Joosen, Wouter #
Issue Date: 26-Oct-2011
Publisher: Springer
Conference: ISC Information Security Conference, 14th edition, Xi'an, China, 2011
Abstract: In monolithic operating systems, the kernel is the piece of code that executes with the highest privileges and has control over all the software running on a host. A successful attack against an operating system's kernel means a total and complete compromise of the running system. These attacks usually end with the installation of a rootkit. Rootkits are stealthy pieces of software running in the address space of the kernel, where they can conceal themselves from administrators. By modifying specific kernel objects it is possible to hide malicious processes and keep the system compromised for an indefinite amount of time. When a rootkit is present, no guarantees can be made about the correctness, privacy or isolation of the operating system.

In this paper we present Hello rootKitty, an invariance-enforcing framework which takes advantage of current virtualization technology to protect a guest operating system against rootkits. Hello rootKitty uses the idea of invariance to detect maliciously modified kernel data structures and restore them to their original legitimate values. Our system utilizes the hypervisor's architecture to remain concealed and non-reachable by any attacker within the virtualized operating system. Our prototype has negligible performance and memory overhead while effectively protecting commodity operating systems from modern rootkits.
Publication status: published
KU Leuven publication type: IC
Appears in Collections: Informatics Section
× corresponding author
# (joint) last author

Files in This Item: isc2011_submission_19.pdf (Full Paper, Published, 182Kb, Adobe PDF)

