DOI: 10.1145/1455770.1455821

Rootkit-resistant disks

Published: 27 October 2008

Abstract

Rootkits are now prevalent in the wild. Users affected by rootkits are subject to the abuse of their data and resources, often unknowingly. Such malware becomes even more dangerous when it is persistent: infected disk images allow the malware to exist across reboots and prevent patches or system repairs from being successfully applied. In this paper, we introduce rootkit-resistant disks (RRD) that label all immutable system binaries and configuration files at installation time. During normal operation, the disk controller inspects all write operations received from the host operating system and denies those made for labeled blocks. To upgrade, the host is booted into a safe state, and system blocks can only be modified if a security token is attached to the disk controller. By enforcing immutability at the disk controller, we prevent a compromised operating system from infecting its on-disk image.
We implement the RRD on a Linksys NSLU2 network storage device by extending the I/O processing on the embedded disk controller running the SlugOS Linux distribution. Our performance evaluation shows that the RRD exhibits an overhead of less than 1% for filesystem creation and less than 1.5% during I/O-intensive Postmark benchmarking. We further demonstrate the viability of our approach by preventing a rootkit collected from the wild from infecting the OS image. In this way, we show that RRDs not only prevent rootkit persistence, but do so in an efficient way.
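The write-filter policy the abstract describes, as an added simulation that is not the paper's code and not the SlugOS implementation: a controller-side model that labels system blocks at installation time, refuses host writes to labeled blocks during normal operation, and permits them only when the host is in its safe state with the security token attached (reading the abstract's two upgrade conditions as both required is this example's assumption). The block numbers, block contents and the boolean "safe state" and "token present" flags are constructed for the example; a real controller would see sector numbers and a physical token. The `denied_log` is an addition in the defender's interest: a refused write to a labeled block is exactly the event worth surfacing as an integrity alert.

```python
"""Toy model of the rootkit-resistant disk (RRD) write policy from the abstract.

Added illustration, not the paper's implementation. Block numbers, block
contents and the safe-state / token flags are constructed for this example.
"""
from dataclasses import dataclass, field


class WriteDenied(Exception):
    """Raised by the controller when a write to a labeled block is refused."""


@dataclass
class RRDController:
    """Disk controller that enforces block immutability below the host OS."""
    blocks: dict = field(default_factory=dict)       # block number -> bytes
    labeled: set = field(default_factory=set)        # immutable system blocks
    safe_state: bool = False                         # host booted into safe state
    token_present: bool = False                      # security token attached
    denied_log: list = field(default_factory=list)   # refused writes (audit trail)

    def _upgrade_mode(self) -> bool:
        # Assumption of this model: system blocks may change only when BOTH
        # conditions hold, safe state on the host AND token on the controller.
        return self.safe_state and self.token_present

    def install_system_block(self, block: int, data: bytes) -> None:
        """Installation-time path: write the block and label it immutable."""
        if not self._upgrade_mode():
            raise WriteDenied(f"labeling block {block} requires safe state and token")
        self.blocks[block] = data
        self.labeled.add(block)

    def write(self, block: int, data: bytes) -> None:
        """Host-issued write; the controller inspects it before committing."""
        if block in self.labeled and not self._upgrade_mode():
            self.denied_log.append(block)
            raise WriteDenied(f"block {block} is labeled immutable")
        self.blocks[block] = data

    def read(self, block: int) -> bytes:
        return self.blocks.get(block, b"")


KERNEL_BLOCK, CONFIG_BLOCK, USER_BLOCK = 10, 11, 500   # constructed block numbers


def run_scenario() -> dict:
    """Walk through install, normal operation and upgrade; return the outcomes."""
    disk = RRDController()

    # 1. Installation: token attached, host in safe state, system blocks labeled.
    disk.safe_state = disk.token_present = True
    disk.install_system_block(KERNEL_BLOCK, b"vmlinuz v1")
    disk.install_system_block(CONFIG_BLOCK, b"/etc/modules v1")
    disk.safe_state = disk.token_present = False

    outcome = {}

    # 2. Normal operation: user data stays writable, labeled blocks do not,
    #    no matter what privilege the (possibly compromised) host OS holds.
    disk.write(USER_BLOCK, b"user document")
    outcome["user_write_ok"] = disk.read(USER_BLOCK) == b"user document"
    try:
        disk.write(KERNEL_BLOCK, b"tampered kernel")
        outcome["system_write_denied"] = False
    except WriteDenied:
        outcome["system_write_denied"] = disk.read(KERNEL_BLOCK) == b"vmlinuz v1"

    # 3. Token attached but host NOT in safe state: still refused.
    disk.token_present = True
    try:
        disk.write(CONFIG_BLOCK, b"tampered config")
        outcome["token_only_denied"] = False
    except WriteDenied:
        outcome["token_only_denied"] = True
    disk.token_present = False

    # 4. Legitimate upgrade: safe state plus token, write goes through.
    disk.safe_state = disk.token_present = True
    disk.write(KERNEL_BLOCK, b"vmlinuz v2")
    outcome["upgrade_ok"] = disk.read(KERNEL_BLOCK) == b"vmlinuz v2"
    disk.safe_state = disk.token_present = False

    outcome["denied_log"] = list(disk.denied_log)
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is where the policy lives: the host OS never sees the label set or the token, so a kernel-level compromise cannot lift the restriction. What the model does not capture is the granularity problem the paper has to solve in practice (mapping files to blocks at install time and keeping that mapping valid across filesystem updates), so treat the block labels here as given.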

Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
October 2008
590 pages
ISBN:9781595938107
DOI:10.1145/1455770
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. labels
  2. rootkits
  3. security
  4. storage

Qualifiers

  • Research-article

Conference

CCS08

Acceptance Rates

CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 8
  • Downloads (last 6 weeks): 1
Reflects downloads up to 17 Feb 2025

Cited By

  • (2020) Deficiencies of Compliancy for Data and Storage. National Cyber Summit (NCS) Research Track 2020, pp. 170-192. DOI 10.1007/978-3-030-58703-1_11. Online publication date: 9 Sep 2020.
  • (2018) An Analysis of Research Trends in Computer Security over the Last Decade. 2018 International Conference on Software Security and Assurance (ICSSA), pp. 86-89. DOI 10.1109/ICSSA45270.2018.00030. Online publication date: Jul 2018.
  • (2018) SSD-Insider: Internal Defense of Solid-State Drive against Ransomware with Perfect Data Recovery. 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), pp. 875-884. DOI 10.1109/ICDCS.2018.00089. Online publication date: Jul 2018.
  • (2016) ProvUSB. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 242-253. DOI 10.1145/2976749.2978398. Online publication date: 24 Oct 2016.
  • (2016) TrueErase. ACM Transactions on Storage, 12(4), pp. 1-37. DOI 10.1145/2854882. Online publication date: 20 May 2016.
  • (2015) Guardat. Proceedings of the Tenth European Conference on Computer Systems, pp. 1-16. DOI 10.1145/2741948.2741958. Online publication date: 17 Apr 2015.
  • (2014) Process Authentication for High System Assurance. IEEE Transactions on Dependable and Secure Computing, 11(2), pp. 168-180. DOI 10.1109/TDSC.2013.29. Online publication date: 1 Mar 2014.
  • (2012) CodeShield. Proceedings of the 28th Annual Computer Security Applications Conference, pp. 279-288. DOI 10.1145/2420950.2420992. Online publication date: 3 Dec 2012.
  • (2012) Reducing Unauthorized Modification of Digital Objects. IEEE Transactions on Software Engineering, 38(1), pp. 191-204. DOI 10.1109/TSE.2011.7. Online publication date: 1 Jan 2012.
  • (2012) DIONE. Proceedings of the 15th International Conference on Research in Attacks, Intrusions, and Defenses, pp. 127-146. DOI 10.1007/978-3-642-33338-5_7. Online publication date: 12 Sep 2012.
