Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/3/2009
03:19 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Researchers Create Hypervisor-Based Tool For Blocking Rootkits

New technology 'patches' the operating system kernel, protects it from rootkits

Researchers at North Carolina State University and Microsoft Research have come up with a way to combat rootkits by using the machine's own hardware-based memory protection: the so-called HookSafe tool basically protects the operating system kernel from rootkits.

Rootkits are the most difficult of malware to detect and remove: they often evade detection by anti-malware software, and even if they are discovered, they can still be difficult to completely eradicate. A rootkit typically hijacks "hooks" in the operating system -- basically the control data in the kernel used to augment or extend the features of an OS -- in order to hide out in the OS. This in turn lets the rootkit intercept and manipulate the system's data, remain invisible to the user and anti-malware tools, and to install other malware aimed at stealing data from the system.

"Then the rootkit can hijack and manipulate the results seen by the user applications ... only allowing a user to see what it wants them to see," says Xuxian Jiang, assistant professor of computer science at NC State and a member of the research team.

"The best way to [defend against rootkits] is to prevent them in the first place," he says. "It's a mess trying to clean them up."

The researchers have devised a way to move the potentially tens of thousands of hooks in the kernel to a centralized location so they're easier to monitor and more difficult to abuse. Their HookSafe prototype is a hypervisor-based system that is able to protect nearly 6,000 different kernel hooks and has successfully stopped nine different rootkits.

HookSafe runs in Ubuntu Linux 8.04 and leverages hardware-based memory protection in the system to stop rootkits from hijacking kernel hooks. "[It] includes a patch to the OS kernel to relocate the kernel hooks," Jiang says. "It also includes an extension to commodity hypervisors [such as Xen] to enforce the hook protection with the hardware-based memory protection."

The main tradeoff of the tool thus far is a slight performance hit, about a 6 percent slowdown in system performance.

Jiang says the researchers designed the hypervisor-based hook to enforce hook usage because the OS kernel is vulnerable and could already be corrupted by a rootkit and thus not reliable for monitoring the hooks itself.

Greg Hoglund, CEO and founder of HBGary and a rootkit expert, says the new research addresses one of the main areas of rootkit infection, but is no silver bullet.

"This is a subset of the problem. They are protecting the kernel, but not preventing the rootkits from operating," Hoglund says. "Right now we have rootkits that will bypass this technology: there are simply too many places where execution control can be gained" by rootkits, he says.

But NC State's Jiang says HookSafe is for both preventing rootkits altogether as well as preventing them from using hooks: "The reason is that if a hook cannot be hijacked by rootkits, the rootkit will not be able to hide its presence in the system," he says. "And the very hiding capability is the defining characteristic of a rootkit."

With the help of Microsoft Research, the research team also has a version of HookSafe under development for the Windows research kernel, which can be found here.

Jiang and his colleagues will present their paper, titled "Countering Kernel Rootkits with Lightweight Hook Protection" (PDF) on November 12 at the 16th ACM Conference on Computer and Communications Security in Chicago.

"The exciting part of this research is that it effectively blocks one of most commonly used attack vectors by rootkits -- through kernel hooks. And the blocking can be done efficiently, thanks to the hardware-based memory protection," Jiang says.

They have proposed several techniques for protecting the OS kernel overall, including previous research on rootkit profiling and kernel code integrity. Jiang says the team is also looking how an OS kernel can be redesigned to make kernel rootkits more difficult to deploy in the first place.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26895
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
CVE-2020-26896
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.