Attacks/Breaches
11/3/2009
03:19 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Create Hypervisor-Based Tool For Blocking Rootkits

New technology 'patches' the operating system kernel, protects it from rootkits

Researchers at North Carolina State University and Microsoft Research have come up with a way to combat rootkits by using the machine's own hardware-based memory protection: the so-called HookSafe tool basically protects the operating system kernel from rootkits.

Rootkits are the most difficult of malware to detect and remove: they often evade detection by anti-malware software, and even if they are discovered, they can still be difficult to completely eradicate. A rootkit typically hijacks "hooks" in the operating system -- basically the control data in the kernel used to augment or extend the features of an OS -- in order to hide out in the OS. This in turn lets the rootkit intercept and manipulate the system's data, remain invisible to the user and anti-malware tools, and to install other malware aimed at stealing data from the system.

"Then the rootkit can hijack and manipulate the results seen by the user applications ... only allowing a user to see what it wants them to see," says Xuxian Jiang, assistant professor of computer science at NC State and a member of the research team.

"The best way to [defend against rootkits] is to prevent them in the first place," he says. "It's a mess trying to clean them up."

The researchers have devised a way to move the potentially tens of thousands of hooks in the kernel to a centralized location so they're easier to monitor and more difficult to abuse. Their HookSafe prototype is a hypervisor-based system that is able to protect nearly 6,000 different kernel hooks and has successfully stopped nine different rootkits.

HookSafe runs in Ubuntu Linux 8.04 and leverages hardware-based memory protection in the system to stop rootkits from hijacking kernel hooks. "[It] includes a patch to the OS kernel to relocate the kernel hooks," Jiang says. "It also includes an extension to commodity hypervisors [such as Xen] to enforce the hook protection with the hardware-based memory protection."

The main tradeoff of the tool thus far is a slight performance hit, about a 6 percent slowdown in system performance.

Jiang says the researchers designed the hypervisor-based hook to enforce hook usage because the OS kernel is vulnerable and could already be corrupted by a rootkit and thus not reliable for monitoring the hooks itself.

Greg Hoglund, CEO and founder of HBGary and a rootkit expert, says the new research addresses one of the main areas of rootkit infection, but is no silver bullet.

"This is a subset of the problem. They are protecting the kernel, but not preventing the rootkits from operating," Hoglund says. "Right now we have rootkits that will bypass this technology: there are simply too many places where execution control can be gained" by rootkits, he says.

But NC State's Jiang says HookSafe is for both preventing rootkits altogether as well as preventing them from using hooks: "The reason is that if a hook cannot be hijacked by rootkits, the rootkit will not be able to hide its presence in the system," he says. "And the very hiding capability is the defining characteristic of a rootkit."

With the help of Microsoft Research, the research team also has a version of HookSafe under development for the Windows research kernel, which can be found here.

Jiang and his colleagues will present their paper, titled "Countering Kernel Rootkits with Lightweight Hook Protection" (PDF) on November 12 at the 16th ACM Conference on Computer and Communications Security in Chicago.

"The exciting part of this research is that it effectively blocks one of most commonly used attack vectors by rootkits -- through kernel hooks. And the blocking can be done efficiently, thanks to the hardware-based memory protection," Jiang says.

They have proposed several techniques for protecting the OS kernel overall, including previous research on rootkit profiling and kernel code integrity. Jiang says the team is also looking how an OS kernel can be redesigned to make kernel rootkits more difficult to deploy in the first place.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.