Abstract
In this paper we address the problem of protecting computer systems against stealth malware. The problem is important because the number of known types of stealth malware increases exponentially. Existing approaches offer some advantages for ensuring system integrity, but the sophisticated techniques used by stealthy malware can thwart them. We propose Runtime Kernel Rootkit Detection (RKRD), a hardware-based, event-driven, secure and inclusionary approach to kernel integrity that addresses some of the limitations of the state of the art. Our solution is based on three principles: using virtualization hardware for isolation, verifying signatures of trusted code (rather than of malware) for scalability, and performing system checks driven by events. Our RKRD implementation is guided by the goals of strong isolation, no modifications to target guest OS kernels, easy deployment, minimal infrastructure impact, and minimal performance overhead. We developed a system prototype and conducted a number of experiments which show that the performance impact of our solution is negligible.
© 2009 Springer-Verlag Berlin Heidelberg
Grover, S., Khosravi, H., Kolar, D., Moffat, S., Kounavis, M.E. (2009). RKRD: Runtime Kernel Rootkit Detection. In: Filipe, J., Obaidat, M.S. (eds) e-Business and Telecommunications. ICETE 2008. Communications in Computer and Information Science, vol 48. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05197-5_16
DOI: https://doi.org/10.1007/978-3-642-05197-5_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05196-8
Online ISBN: 978-3-642-05197-5