DOI: 10.1145/1653662.1653728

Countering kernel rootkits with lightweight hook protection

Published: 09 November 2009

    Abstract

    Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with other kernel data. In addition, there is a lack of flexible commodity hardware support, leading to the so-called protection granularity gap -- kernel hook protection requires byte-level granularity but commodity hardware only provides page-level protection.
    To address the above challenges, in this paper, we present HookSafe, a hypervisor-based lightweight system that can protect thousands of kernel hooks in a guest OS from being hijacked. One key observation behind our approach is that a kernel hook, once initialized, may be frequently "read"-accessed but rarely "write"-accessed. As such, we can relocate those kernel hooks to a dedicated page-aligned memory space and then regulate accesses to them with hardware-based page-level protection. We have developed a prototype of HookSafe and used it to protect more than 5,900 kernel hooks in a Linux guest. Our experiments with nine real-world rootkits show that HookSafe can effectively defeat their attempts to hijack kernel hooks. We also show that HookSafe achieves such a large-scale protection with a small overhead (e.g., around 6% slowdown in performance benchmarks).
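    The relocation-plus-page-protection idea in the abstract, modelled in user space as an added example (this is not HookSafe's code, which lives in a hypervisor and protects a guest kernel). A read-only anonymous page stands in for the dedicated hook region, a SIGSEGV handler stands in for the hypervisor's write mediator, and the hook targets (real_open, real_read, evil_open), hook indices and the "accept any non-NULL update" policy in hook_set are all constructed for the illustration. It assumes Linux/glibc.

```c
/* Added illustrative example, not HookSafe's code: a user-space model of
 * hook relocation plus page-level protection. A read-only mmap page plays
 * the hypervisor-protected hook region; a SIGSEGV handler plays the
 * hypervisor's write mediator. Linux/glibc assumed. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*hook_fn)(int);
#define NHOOKS 2

/* Constructed stand-ins for hooked kernel functions and a rootkit's replacement. */
static int real_open(int x) { return x + 1; }
static int real_read(int x) { return x * 2; }
static int evil_open(int x) { return -x; }

static hook_fn *hook_page;             /* dedicated page-aligned hook region */
static size_t page_size;
static unsigned long hook_calls;       /* mutable data stays on an ordinary page */
static int blocked_writes;
static sigjmp_buf deny_jmp;
static volatile sig_atomic_t guarding;

/* "Hypervisor" side: a write fault inside the hook region is a hijack
 * attempt, so abort the offending write instead of letting it land. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)hook_page;
    (void)sig; (void)ctx;
    if (guarding && addr >= base && addr < base + page_size) {
        blocked_writes++;
        siglongjmp(deny_jmp, 1);
    }
    signal(SIGSEGV, SIG_DFL);          /* unrelated fault: crash normally */
}

/* Relocate the hooks into their own page, then lock it read-only. */
static int hooks_init(void) {
    struct sigaction sa;
    long ps = sysconf(_SC_PAGESIZE);
    if (hook_page) return 0;
    if (ps <= 0 || (size_t)ps < NHOOKS * sizeof(hook_fn)) return -1;
    page_size = (size_t)ps;
    hook_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_page == MAP_FAILED) { hook_page = NULL; return -1; }
    hook_page[0] = real_open;
    hook_page[1] = real_read;
    if (mprotect(hook_page, page_size, PROT_READ) != 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Common path: reading a hook costs nothing extra. The call counter is
 * deliberately NOT on the hook page; co-locating it would trap on every
 * call, which is the protection granularity gap the abstract describes. */
static int call_hook(size_t idx, int arg) {
    if (!hook_page || idx >= NHOOKS) return -1;
    hook_calls++;
    return hook_page[idx](arg);
}

/* Legitimate update path (HookSafe routes these through the hypervisor,
 * which validates the new value; here any non-NULL target is accepted). */
static int hook_set(size_t idx, hook_fn fn) {
    if (!hook_page || idx >= NHOOKS || !fn) return -1;
    if (mprotect(hook_page, page_size, PROT_READ | PROT_WRITE) != 0) return -1;
    hook_page[idx] = fn;
    return mprotect(hook_page, page_size, PROT_READ);
}

/* What a rootkit does: overwrite the hook in place. Returns 1 if the write
 * landed, 0 if it was trapped and denied, -1 on a bad index. */
static int attempt_hijack(size_t idx, hook_fn fn) {
    if (!hook_page || idx >= NHOOKS) return -1;
    if (sigsetjmp(deny_jmp, 1) != 0) { guarding = 0; return 0; }
    guarding = 1;
    ((volatile hook_fn *)hook_page)[idx] = fn;
    guarding = 0;
    return 1;
}

static int blocked_write_count(void) { return blocked_writes; }
static unsigned long hook_call_count(void) { return hook_calls; }

int main(void) {
    if (hooks_init() != 0) { perror("hooks_init"); return 1; }
    printf("open(5) via hook: %d\n", call_hook(0, 5));
    printf("hijack attempt: %s\n", attempt_hijack(0, evil_open) ? "landed" : "blocked");
    printf("open(5) via hook: %d (unchanged); %d write(s) blocked, %lu hook call(s)\n",
           call_hook(0, 5), blocked_write_count(), hook_call_count());
    return 0;
}
```

    The trap-and-abort in on_fault is the user-space substitute for what a hypervisor does on an EPT/NPT or shadow-page-table write fault; the point the model preserves is that reads of the hook page take the fast path while every write is mediated, and that anything written often (here hook_calls) must live off the protected page or the page-level scheme pays a fault per update.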



    Published In

    CCS '09: Proceedings of the 16th ACM Conference on Computer and Communications Security
    November 2009, 664 pages
    ISBN: 9781605588940
    DOI: 10.1145/1653662

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. malware protection
    2. rootkits
    3. virtual machines

    Qualifiers

    • Research-article

    Conference

    CCS '09

    Acceptance Rates

    Overall acceptance rate: 1,261 of 6,999 submissions (18%)


    Cited By

    • (2023) Remote direct memory introspection. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6043-6060. DOI: 10.5555/3620237.3620575. Published 9 Aug 2023.
    • (2023) Drootkit: Kernel-Level Rootkit Detection and Recovery Based on eBPF. Journal of Circuits, Systems and Computers 33(04). DOI: 10.1142/S0218126624500737. Published 30 Sep 2023.
    • (2023) Blue-Pill Oxpecker: A VMI Platform for Transactional Modification. IEEE Transactions on Cloud Computing 11(1), pp. 1-12. DOI: 10.1109/TCC.2021.3067829. Published 1 Jan 2023.
    • (2022) ULTRA: Ultimate Rootkit Detection over the Air. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 232-251. DOI: 10.1145/3545948.3545962. Published 26 Oct 2022.
    • (2022) Adelie: continuous address space layout re-randomization for Linux drivers. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 483-498. DOI: 10.1145/3503222.3507779. Published 28 Feb 2022.
    • (2021) SecPT: Providing Efficient Page Table Protection based on SMAP Feature in an Untrusted Commodity Kernel. 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 215-223. DOI: 10.1109/TrustCom53373.2021.00045. Published Oct 2021.
    • (2021) HyperKRP: A Kernel Runtime Security Architecture with A Tiny Hypervisor on Commodity Hardware. 2021 IEEE Global Communications Conference (GLOBECOM), pp. 1-6. DOI: 10.1109/GLOBECOM46510.2021.9685552. Published 7 Dec 2021.
    • (2021) CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 350-362. DOI: 10.1109/DSN48987.2021.00047. Published Jun 2021.
    • (2021) SOTPM: Software One-Time Programmable Memory to Protect Shared Memory on ARM Trustzone. IEEE Access 9, pp. 4490-4504. DOI: 10.1109/ACCESS.2020.3047813. Published 2021.
    • (2020) Security at the Edge. Cloud Computing Security [Working Title]. DOI: 10.5772/intechopen.92788. Published 4 Aug 2020.
