Attacks/Breaches
11/3/2009 03:19 PM

Researchers Create Hypervisor-Based Tool For Blocking Rootkits

New technology 'patches' the operating system kernel to protect it from rootkits

Researchers at North Carolina State University and Microsoft Research have come up with a way to combat rootkits using the machine's own hardware-based memory protection: their HookSafe tool protects the operating system kernel's hooks so that a rootkit cannot hijack them.

Rootkits are among the most difficult malware to detect and remove: they routinely evade anti-malware software, and even once discovered they can be hard to eradicate completely. A rootkit typically hijacks "hooks" in the operating system -- function pointers in the kernel's control data, which the kernel uses to augment or extend its features -- in order to hide inside the OS. Controlling those hooks lets the rootkit intercept and manipulate the system's data, stay invisible to the user and to anti-malware tools, and install further malware aimed at stealing data from the system.

"Then the rootkit can hijack and manipulate the results seen by the user applications ... only allowing a user to see what it wants them to see," says Xuxian Jiang, assistant professor of computer science at NC State and a member of the research team.

"The best way to [defend against rootkits] is to prevent them in the first place," he says. "It's a mess trying to clean them up."

The researchers have devised a way to move the potentially tens of thousands of hooks in the kernel to a centralized location, where they are easier to monitor and harder to abuse. Their HookSafe prototype is a hypervisor-based system that protects nearly 6,000 different kernel hooks and has successfully stopped nine different rootkits.

HookSafe was built on Ubuntu Linux 8.04 and leverages the processor's hardware-based memory protection, enforced from the hypervisor, to stop rootkits from hijacking kernel hooks. "[It] includes a patch to the OS kernel to relocate the kernel hooks," Jiang says. "It also includes an extension to commodity hypervisors [such as Xen] to enforce the hook protection with the hardware-based memory protection."

The main tradeoff of the tool thus far is a slight performance hit, about a 6 percent slowdown in system performance.

Jiang says the researchers put the enforcement in the hypervisor rather than in the kernel because the OS kernel is itself vulnerable and may already have been corrupted by a rootkit, so it cannot be trusted to monitor its own hooks.
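The mechanism the article describes has three parts: gather the hooks into one place, keep that place read-only, and let only a trusted component that sits outside the kernel change a hook after checking the new target. The following C program is an added, user-space analogue of that design; it is not HookSafe's code and not from the CCS paper. Here mprotect() on a page-aligned table stands in for the hypervisor's hardware memory protection, an allowlist of legitimate handlers stands in for HookSafe's hook-update policy, and a SIGSEGV handler lets the program observe, rather than die from, the fault a direct "rootkit" write produces. The handler names, the hook table layout, and the "rootkit" function are all constructed for the example (Linux/POSIX only).

```c
/* Added example: user-space analogue of centralized, write-protected hooks.
 * Not HookSafe's code. mprotect() plays the hypervisor's memory protection;
 * hook_update() plays the mediated, policy-checked update path. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef long (*hook_fn)(long);

/* Constructed stand-ins for two legitimate kernel handlers and one rootkit handler. */
static long sys_getdents_real(long x) { return x * 2; }
static long sys_open_real(long x)     { return x + 1; }
static long rootkit_filter(long x)    { (void)x; return -1; }

enum { HOOK_GETDENTS = 0, HOOK_OPEN = 1, HOOK_COUNT = 2 };

/* Targets a hook may legitimately point to (the policy the trusted side enforces). */
static const hook_fn allowed_targets[] = { sys_getdents_real, sys_open_real };

static hook_fn *hook_table;   /* one page-aligned table holding every hook */
static size_t page_size;

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

/* A write to the read-only hook page lands here; record it and unwind. */
static void on_segv(int sig) { (void)sig; fault_seen = 1; siglongjmp(fault_env, 1); }

/* Build the centralized hook page, fill it, and lock it read-only. 0 on success. */
int hooks_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    hook_table = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_table == MAP_FAILED) return -1;
    hook_table[HOOK_GETDENTS] = sys_getdents_real;
    hook_table[HOOK_OPEN]     = sys_open_real;
    if (mprotect(hook_table, page_size, PROT_READ) != 0) return -1;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    return sigaction(SIGSEGV, &sa, NULL);
}

/* The only sanctioned write path: check the target against policy, then briefly
 * open the page. Returns 1 if the hook was changed, 0 if the update was rejected. */
int hook_update(int idx, hook_fn target) {
    if (idx < 0 || idx >= HOOK_COUNT) return 0;
    int allowed = 0;
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++)
        if (allowed_targets[i] == target) allowed = 1;
    if (!allowed) return 0;
    if (mprotect(hook_table, page_size, PROT_READ | PROT_WRITE) != 0) return 0;
    hook_table[idx] = target;
    mprotect(hook_table, page_size, PROT_READ);
    return 1;
}

/* Dispatch through the table, as the kernel dispatches through a hook. */
long hook_call(int idx, long arg) { return hook_table[idx](arg); }

/* What a rootkit does: overwrite the hook in place. Returns 1 if memory
 * protection blocked the write, 0 if the write went through. */
int rootkit_hijack_attempt(int idx, hook_fn target) {
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        hook_table[idx] = target;   /* faults: the hook page is read-only */
    return fault_seen ? 1 : 0;
}

int main(void) {
    if (hooks_init() != 0) { perror("hooks_init"); return 1; }
    printf("getdents(21) before attack: %ld\n", hook_call(HOOK_GETDENTS, 21));
    printf("direct rootkit write blocked: %d\n",
           rootkit_hijack_attempt(HOOK_GETDENTS, rootkit_filter));
    printf("getdents(21) after attack:  %ld\n", hook_call(HOOK_GETDENTS, 21));
    printf("policy rejects rootkit target: %d\n",
           !hook_update(HOOK_GETDENTS, rootkit_filter));
    printf("policy accepts legitimate target: %d\n",
           hook_update(HOOK_OPEN, sys_getdents_real));
    return 0;
}
```

The point the program makes is the one Hoglund's criticism and Jiang's reply both turn on: the table is not hidden, it is simply unwritable from the code a rootkit controls, and the only way to change a hook is through a path that checks the new target first. In HookSafe the check runs in the hypervisor, so a kernel that has already been compromised cannot switch it off the way this process could call mprotect() itself; that difference is exactly why the authors moved enforcement below the kernel.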

Greg Hoglund, CEO and founder of HBGary and a rootkit expert, says the new research addresses one of the main areas of rootkit infection, but is no silver bullet.

"This is a subset of the problem. They are protecting the kernel, but not preventing the rootkits from operating," Hoglund says. "Right now we have rootkits that will bypass this technology: there are simply too many places where execution control can be gained" by rootkits, he says.

But NC State's Jiang says HookSafe is aimed both at preventing rootkits altogether and at preventing them from using hooks: "The reason is that if a hook cannot be hijacked by rootkits, the rootkit will not be able to hide its presence in the system," he says. "And the very hiding capability is the defining characteristic of a rootkit."

With the help of Microsoft Research, the team also has a version of HookSafe under development for the Windows Research Kernel.

Jiang and his colleagues will present their paper, titled "Countering Kernel Rootkits with Lightweight Hook Protection," on November 12 at the 16th ACM Conference on Computer and Communications Security in Chicago.

"The exciting part of this research is that it effectively blocks one of the most commonly used attack vectors by rootkits -- through kernel hooks. And the blocking can be done efficiently, thanks to the hardware-based memory protection," Jiang says.

The team has proposed several techniques for protecting the OS kernel as a whole, including earlier work on rootkit profiling and kernel code integrity. Jiang says they are also looking at how an OS kernel could be redesigned to make kernel rootkits harder to deploy in the first place.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
