Attacks/Breaches

11/3/2009
03:19 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Create Hypervisor-Based Tool For Blocking Rootkits

New technology 'patches' the operating system kernel, protects it from rootkits

Researchers at North Carolina State University and Microsoft Research have come up with a way to combat rootkits by using the machine's own hardware-based memory protection: the so-called HookSafe tool basically protects the operating system kernel from rootkits.

Rootkits are the most difficult of malware to detect and remove: they often evade detection by anti-malware software, and even if they are discovered, they can still be difficult to completely eradicate. A rootkit typically hijacks "hooks" in the operating system -- basically the control data in the kernel used to augment or extend the features of an OS -- in order to hide out in the OS. This in turn lets the rootkit intercept and manipulate the system's data, remain invisible to the user and anti-malware tools, and to install other malware aimed at stealing data from the system.

"Then the rootkit can hijack and manipulate the results seen by the user applications ... only allowing a user to see what it wants them to see," says Xuxian Jiang, assistant professor of computer science at NC State and a member of the research team.

"The best way to [defend against rootkits] is to prevent them in the first place," he says. "It's a mess trying to clean them up."

The researchers have devised a way to move the potentially tens of thousands of hooks in the kernel to a centralized location so they're easier to monitor and more difficult to abuse. Their HookSafe prototype is a hypervisor-based system that is able to protect nearly 6,000 different kernel hooks and has successfully stopped nine different rootkits.

HookSafe runs in Ubuntu Linux 8.04 and leverages hardware-based memory protection in the system to stop rootkits from hijacking kernel hooks. "[It] includes a patch to the OS kernel to relocate the kernel hooks," Jiang says. "It also includes an extension to commodity hypervisors [such as Xen] to enforce the hook protection with the hardware-based memory protection."

The main tradeoff of the tool thus far is a slight performance hit, about a 6 percent slowdown in system performance.

Jiang says the researchers designed the hypervisor-based hook to enforce hook usage because the OS kernel is vulnerable and could already be corrupted by a rootkit and thus not reliable for monitoring the hooks itself.

Greg Hoglund, CEO and founder of HBGary and a rootkit expert, says the new research addresses one of the main areas of rootkit infection, but is no silver bullet.

"This is a subset of the problem. They are protecting the kernel, but not preventing the rootkits from operating," Hoglund says. "Right now we have rootkits that will bypass this technology: there are simply too many places where execution control can be gained" by rootkits, he says.

But NC State's Jiang says HookSafe is for both preventing rootkits altogether as well as preventing them from using hooks: "The reason is that if a hook cannot be hijacked by rootkits, the rootkit will not be able to hide its presence in the system," he says. "And the very hiding capability is the defining characteristic of a rootkit."

With the help of Microsoft Research, the research team also has a version of HookSafe under development for the Windows research kernel, which can be found here.

Jiang and his colleagues will present their paper, titled "Countering Kernel Rootkits with Lightweight Hook Protection" (PDF) on November 12 at the 16th ACM Conference on Computer and Communications Security in Chicago.

"The exciting part of this research is that it effectively blocks one of most commonly used attack vectors by rootkits -- through kernel hooks. And the blocking can be done efficiently, thanks to the hardware-based memory protection," Jiang says.

They have proposed several techniques for protecting the OS kernel overall, including previous research on rootkit profiling and kernel code integrity. Jiang says the team is also looking how an OS kernel can be redesigned to make kernel rootkits more difficult to deploy in the first place.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml
CVE-2019-11459
PUBLISHED: 2019-04-22
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
CVE-2019-11460
PUBLISHED: 2019-04-22
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's control...
CVE-2019-8452
PUBLISHED: 2019-04-22
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains t...