ABSTRACT
Rootkits are malware that attempt to compromise the system’s functionality while hiding their own existence. Many rootkits have been proposed, as well as a range of software defenses, but very few hardware defenses. We position hardware-enhanced rootkit defenses as an interesting research opportunity for computer architects, especially now that many new hardware defenses for speculative execution attacks are being actively considered. We first describe the different techniques used by rootkits and their prime targets in the operating system. We then try to shed light on the main challenges in providing a rootkit defense, and on how these may be overcome. We show how a hypervisor-based defense can be implemented, and provide a full prototype implementation in an open-source cloud computing platform, OpenStack. We evaluate the performance overhead of the different defense mechanisms. Finally, we point to some research opportunities for enhancing resilience to rootkit-like attacks in the hardware architecture.
Paper title: Position Paper: Consider Hardware-enhanced Defenses for Rootkit Attacks