DOI: 10.1145/1244002.1244070

Towards a tamper-resistant kernel rootkit detector

Published: 11 March 2007

Abstract

A variety of tools and architectures have been developed to detect security violations in operating system kernels. However, they all share a fundamental design flaw that allows kernel-level attacks to go undiscovered. A few hardware solutions have been proposed to address this outstanding problem, but unfortunately they are not widely accepted. This paper presents a software-based method to detect intrusions into the kernel. The proposed tool, named XenKIMONO, is based on the Xen virtual machine and is able to detect many kernel rootkits in virtual machines with a small penalty to the system's performance. In contrast to traditional approaches, XenKIMONO is isolated from the kernel being monitored, so it continues to function correctly even if the observed kernel is compromised. Moreover, XenKIMONO is flexible and easy to deploy, as it requires no modification whatsoever to the monitored systems.


Published In

SAC '07: Proceedings of the 2007 ACM symposium on Applied computing
March 2007
1688 pages
ISBN: 1595934804
DOI: 10.1145/1244002

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Linux
  2. Xen virtual machine
  3. intrusion detection
  4. kernel rootkit

Conference

SAC07

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%


Cited By

  • (2021) TPE: A Hardware-Based TLB Profiling Expert for Workload Reconstruction. IEEE Journal on Emerging and Selected Topics in Circuits and Systems 11(2):292-305, doi:10.1109/JETCAS.2021.3077442. Online publication date: Jun-2021
  • (2020) Position Paper: Consider Hardware-enhanced Defenses for Rootkit Attacks. Proceedings of the 9th International Workshop on Hardware and Architectural Support for Security and Privacy, pp. 1-9, doi:10.1145/3458903.3458909. Online publication date: 17-Oct-2020
  • (2020) Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning. Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University 37(5):1044-1052, doi:10.1051/jnwpu/20193751044. Online publication date: 14-Jan-2020
  • (2019) High-Performance Memory Snapshotting for Real-Time, Consistent, Hypervisor-Based Monitors. IEEE Transactions on Dependable and Secure Computing, pp. 1-1, doi:10.1109/TDSC.2018.2805904. Online publication date: 2019
  • (2018) The trusted virtual machine cluster construction method based on particle wave equation. International Journal of Wireless and Mobile Computing 15(2):163-174, doi:10.5555/3292963.3292971. Online publication date: 1-Jan-2018
  • (2017) The Evolution of Process Hiding Techniques in Malware - Current Threats and Possible Countermeasures. Journal of Information Processing 25:866-874, doi:10.2197/ipsjjip.25.866. Online publication date: 2017
  • (2017) On the Impact of Kernel Code Vulnerabilities in IoT Devices. 2017 International Conference on Software Security and Assurance (ICSSA), pp. 1-5, doi:10.1109/ICSSA.2017.16. Online publication date: Jul-2017
  • (2016) Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems. ACM Computing Surveys 48(3):1-38, doi:10.1145/2856126. Online publication date: 8-Feb-2016
  • (2016) CloudMon. IEEE Transactions on Computers 65(12):3787-3793, doi:10.1109/TC.2016.2560809. Online publication date: 1-Dec-2016
  • (2016) Hardware-based workload forensics: Process reconstruction via TLB monitoring. 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 167-172, doi:10.1109/HST.2016.7495577. Online publication date: May-2016
