Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing
| Content Provider | CiteSeerX |
|---|---|
| Author | Jiang, Xuxian; Riley, Ryan; Xu, Dongyan |
| Abstract | Kernel rootkits pose a significant threat to computer systems as they run at the highest privilege level and have unrestricted access to the resources of their victims. Many current efforts in kernel rootkit defense focus on the detection of kernel rootkits – after a rootkit attack has taken place, while the smaller number of efforts in kernel rootkit prevention exhibit limitations in their capability or deployability. In this paper we present a kernel rootkit prevention system called NICKLE which addresses a common, fundamental characteristic of most kernel rootkits: the need for executing their own kernel code. NICKLE is a lightweight, virtual machine monitor (VMM) based system that transparently prevents unauthorized kernel code execution for unmodified commodity (guest) OSes. NICKLE is based on a new scheme called memory shadowing, wherein the trusted VMM maintains a shadow physical memory for a running VM and performs real-time kernel code authentication so that only authenticated kernel code will be stored in the shadow memory. Further, NICKLE transparently routes guest kernel instruction fetches to the shadow memory at runtime. By doing so, NICKLE guarantees that only the authenticated kernel code will be executed, foiling the kernel rootkit's attempt to strike in the first place. We have implemented NICKLE in three VMM platforms: QEMU+KQEMU, VirtualBox, and VMware Workstation. Our experiments with 23 real-world kernel rootkits targeting the Linux or Windows OSes demonstrate NICKLE's effectiveness. Furthermore, our performance evaluation shows that NICKLE introduces small overhead to the VMM platform. |
| File Format | |
| Access Restriction | Open |
| Subject Keyword | Unauthorized Kernel Code Execution; Shadow Physical Memory; Shadow Memory; Vmm Platform; Qemu Kqemu; Trusted Vmm; Kernel Rootkit Defense Focus; Kernel Code; Kernel Rootkit Prevention System; Vmm-based Memory; Real-world Kernel Rootkits; Guest-transparent Prevention; Vmware Workstation; Memory Shadowing; Kernel Rootkit Prevention Exhibit Limitation; Significant Threat; Kernel Rootkit Attempt; Running Vm; Small Overhead; Kernel Instruction Fetch; Fundamental Characteristic; Window Os; Demonstrate Nickle; Performs Real-time Kernel Code Authentication; Unmodified Commodity; Virtual Machine Monitor; Rootkit Attack; Authenticated Kernel Code; Kernel Rootkits; Privilege Level; Many Current Effort |
| Content Type | Text |
| Resource Type | Article |