
Shepherding Loadable Kernel Modules through On-demand Emulation

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2009)

Abstract

Despite many advances in system security, rootkits remain a threat to major operating systems. First, this paper discusses why kernel integrity verification is not sufficient to counter all types of kernel rootkits, and a confidentiality-violation rootkit is demonstrated that evades all integrity verifiers. Then the paper presents DARK, a rootkit prevention system that tracks a suspicious loadable kernel module at a granular level by using on-demand emulation, a technique that dynamically switches a running system between virtualized and emulated execution. Combining the strengths of emulation and virtualization, DARK is able to thoroughly capture the activities of the target module in a guest OS while maintaining reasonable run-time performance. To address integrity-violation and confidentiality-violation rootkits, we create a group of security policies that can detect all available Linux rootkits. Finally, it is shown that normal guest OS performance is unaffected: performance decreases only when rootkits attempt to run, and most rootkits are detected at installation.




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xuan, C., Copeland, J., Beyah, R. (2009). Shepherding Loadable Kernel Modules through On-demand Emulation. In: Flegel, U., Bruschi, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2009. Lecture Notes in Computer Science, vol 5587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02918-9_4

  • DOI: https://doi.org/10.1007/978-3-642-02918-9_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02917-2

  • Online ISBN: 978-3-642-02918-9
