DOI: 10.1145/1774088.1774131
Research article

Hypervisor-based prevention of persistent rootkits

Published: 22 March 2010

Abstract

Rootkits are prevalent in today's Internet. In particular, persistent rootkits pose a serious security threat because they reside in storage and survive system reboots. Using hypervisors is an attractive way to deal with rootkits, especially when the rootkits have kernel privileges, because hypervisors have higher privileges than OS kernels. However, most of the previous studies do not focus on prevention of persistent rootkits. This paper presents a hypervisor-based file protection scheme for preventing persistent rootkits from residing in storage. Based on security policies created in a secure environment, the hypervisor makes critical system files read-only and unmodifiable by rootkits even if they have kernel privileges. Our scheme is designed to significantly reduce the size of hypervisors when combined with the architecture of BitVisor, a thin hypervisor for enforcing I/O device security, thereby contributing to the reliability of hypervisors. Our hypervisor consists of only 37 kilo lines of code in total, and its overhead on Windows XP with a FAT32 file system is only 1.1% -- 14.0%.
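As an added illustration (this is not code from the paper or from BitVisor), the following Python models the policy check that a hypervisor-level write filter for a FAT32 volume has to make: a policy names the files to protect, the filter resolves each file's cluster chain from the FAT, and a guest write is refused if it would hit the file's data clusters, its directory entry, or would change a FAT entry that links the chain. The sector layout, file names and FAT contents are constructed for the example.

```python
import struct

SECTOR = 512
FAT_START, DATA_START = 32, 40   # assumed sector layout of the constructed volume
EOC = 0x0FFFFFF8                 # FAT32 end-of-chain marker (any value >= this)

# Constructed FAT32 allocation table: cluster -> next cluster in the chain
FAT = {2: EOC, 3: 4, 4: 5, 5: EOC, 6: EOC, 7: 8, 8: EOC}
# Constructed root directory (lives in cluster 2): name -> (first cluster, entry offset)
ROOT_DIR = {"KERNEL.SYS": (3, 0), "DRIVER.SYS": (6, 32), "USER.TXT": (7, 64)}

def cluster_chain(first):
    """Follow the FAT from `first` until an end-of-chain marker."""
    chain, c = [], first
    while c < EOC:
        chain.append(c)
        c = FAT[c]
    return chain

def cluster_sector(c):
    return DATA_START + (c - 2)   # one sector per cluster here; data region starts at cluster 2

def build_policy(names):
    """Read-only sectors for the named files, plus FAT entries whose value must not change."""
    sectors, fat_entries = set(), {}
    for name in names:
        first, entry_off = ROOT_DIR[name]
        sectors.add(cluster_sector(2) + entry_off // SECTOR)  # directory entry
        for c in cluster_chain(first):
            sectors.add(cluster_sector(c))                     # file data
            fat_entries[c] = FAT[c]                            # chain link
    return sectors, fat_entries

def fat_sector_image():
    """Serialize the constructed FAT into its (single) 512-byte sector."""
    buf = bytearray(SECTOR)
    for c, nxt in FAT.items():
        struct.pack_into("<I", buf, c * 4, nxt)   # FAT32 entries are 4 bytes
    return bytes(buf)

def allow_write(policy, lba, data):
    """Decide whether a guest write of `data` to sector `lba` may reach the disk."""
    sectors, fat_entries = policy
    if lba in sectors:
        return False
    if FAT_START <= lba < DATA_START:
        # FAT sector: allowed only if every protected entry in it is unchanged
        for c, expected in fat_entries.items():
            off = c * 4 - (lba - FAT_START) * SECTOR
            if 0 <= off < SECTOR and struct.unpack_from("<I", data, off)[0] & 0x0FFFFFFF != expected:
                return False
    return True
```

Directory-entry protection in this model is sector-granular, so it also freezes the other entries sharing that sector; a content comparison like the one done for FAT entries would be needed to allow those updates through.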




    Published In

    SAC '10: Proceedings of the 2010 ACM Symposium on Applied Computing
    March 2010
    2712 pages
    ISBN: 9781605586397
    DOI: 10.1145/1774088
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. file system
    2. hypervisor
    3. persistent rootkit
    4. security


    Conference

    SAC'10
    Sponsor:
    SAC'10: The 2010 ACM Symposium on Applied Computing
    March 22 - 26, 2010
    Sierre, Switzerland

    Acceptance Rates

    SAC '10 Paper Acceptance Rate 364 of 1,353 submissions, 27%;
    Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

    Cited By

    • Application of Virtualization Technology in IaaS Cloud Deployment Model. In Design and Use of Virtualization Technology in Cloud Computing, pages 29--99, 2018. doi:10.4018/978-1-5225-2785-5.ch002
    • ForenVisor: A Tool for Acquiring and Preserving Reliable Data in Cloud Live Forensics. IEEE Transactions on Cloud Computing 5(3):443--456, July 2017. doi:10.1109/TCC.2016.2535295
    • BMCArmor: A Hardware Protection Scheme for Bare-Metal Clouds. In 2017 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), pages 322--330, Dec. 2017. doi:10.1109/CloudCom.2017.43
    • ADvisor. In Proceedings of the 2014 Second International Symposium on Computing and Networking, pages 412--418, Dec. 2014. doi:10.1109/CANDAR.2014.43
    • Detecting malware signatures in a thin hypervisor. In Proceedings of the 27th Annual ACM Symposium on Applied Computing, pages 1807--1814, Mar. 2012. doi:10.1145/2245276.2232070
    • Hypervisor-based protection of sensitive files in a compromised system. In Proceedings of the 27th Annual ACM Symposium on Applied Computing, pages 1765--1770, Mar. 2012. doi:10.1145/2245276.2232063
    • DIONE. In Proceedings of the 15th International Conference on Research in Attacks, Intrusions, and Defenses, pages 127--146, Sept. 2012. doi:10.1007/978-3-642-33338-5_7
    • Implementing rootkits to address operating system vulnerabilities. In 2011 Information Security for South Africa, pages 1--8, Aug. 2011. doi:10.1109/ISSA.2011.6027521
