Slashdot Mirror


Scientists Unveil Lightweight Rootkit Protection

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

168 comments

  1. I'll take one by 2names · · Score: 5, Funny

    I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.

    --
    "I'm just here to regulate funkiness."
    1. Re:I'll take one by LucidBeast · · Score: 2, Funny

      Seconded, Jefferson be damned

    2. Re:I'll take one by NoYob · · Score: 3, Funny

      I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.

      Damn straight! The same goes for guns! It should be a law that computer admins have to carry guns in order to protect their machines! Have a computer in your house? Well then, you are required to have a gun by your machine - even if you live in NY City!

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    3. Re:I'll take one by Anonymous Coward · · Score: 5, Funny

      Those who would give up essential system performance for temporary system security... probably need to learn how to overclock their systems.

    4. Re:I'll take one by tjstork · · Score: 4, Informative

      It wasn't Jefferson, it was Franklin

      --
      This is my sig.
    5. Re:I'll take one by V50 · · Score: 1

      Merely carry guns? What kind of protection is that?

      I say, it should be mandatory to have a USB firearm attached to your computer. If it detects someone trying to steal the computer, someone getting the password wrong, or someone trying to install unwanted software, the computer will now have a way to defend itself. I think we'd all be safer in a world where every computer has a USB assault rifle attached to it.

    6. Re:I'll take one by NotBornYesterday · · Score: 1

      I'd be tempted to shoot the computers.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    7. Re:I'll take one by Anonymous Coward · · Score: 4, Funny

      I read it differently. I think he simply really, really, hates Jefferson and couldn't help but add it to his comment. Adams be damned.

    8. Re:I'll take one by kungfugleek · · Score: 3, Funny

      Right. It was that one president who invented the light bulb and knew 200 different uses for the peanut.

    9. Re:I'll take one by Captain+Splendid · · Score: 2, Funny

      Senior or Junior?

      --
      Linux, you magnificent bastard, I read the fucking manual!
    10. Re:I'll take one by _Shad0w_ · · Score: 2, Informative

      Franklin was never President. He was part of the Committee Of Five that drafted the Declaration of Independence and the first Postmaster General though. He was also a polymath.

      --
      Yeah, I had a sig once; I got bored of it.

    11. Re:I'll take one by FatdogHaiku · · Score: 4, Funny

      Gomez

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    12. Re:I'll take one by FatdogHaiku · · Score: 1

      Sure, you say that now.
      When they can shoot back it will be "No Sir Mr. Computer Sir, I was nowhere near the UPS when that event happened, you got to believe me, it was someone who resembles me pixel for pixel, OH PLEASE DON'T AIM AT MY GROIN AGAIN!"

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    13. Re:I'll take one by FatdogHaiku · · Score: 1

      I wish people would check their facts. He MADE a light bulb out of 200 peanuts... and once it had been on for a few minutes it smelled delicious!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    14. Re:I'll take one by Anonymous Coward · · Score: 0

      He knew different kinds of math? How kinky!

    15. Re:I'll take one by Anonymous Coward · · Score: 0

      A polymath? Oohh, I just fought one of those in Dragon Age.

    16. Re:I'll take one by NotBornYesterday · · Score: 3, Interesting

      I used to work for a computer distributor back in the mid-1990's. One of our VARs received a whole bunch of defective Seagate SCSI drives in a single shipment. He RMA'd most of them, but he sent one to his sales rep personally, with a bullet hole through it. It was all in good fun, and she kept the disk on a shelf in her cubicle as a sort of trophy. I can't recall if the Seagate rep ever got to see it, though.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    17. Re:I'll take one by binarylarry · · Score: 1

      In the spirit of slashdot, I feel instead of a gun, it should be a +3 or great melee weapon of smiting.

      --
      Mod me down, my New Earth Global Warmingist friends!
    18. Re:I'll take one by Runaway1956 · · Score: 1

      6% doesn't sound like much. But, this is for virtual machines. By definition, a VM is already handicapped. Take away 6% of the performance of Windows 7 inside my existing VMs, and they aren't worth having. An XP machine may still work alright, but that isn't certain.

      Maybe I just need faster, more powerful hardware, then I won't notice another 6% decrease.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    19. Re:I'll take one by ConceptJunkie · · Score: 1

      I think he also discovered evolution by tying a string to a Galapagos turtle.

      --
      You are in a maze of twisty little passages, all alike.
    20. Re:I'll take one by 2names · · Score: 1

      Maybe I just need faster, more powerful hardware

      If the current state of programming is any indication, then yes, you obviously need faster, more powerful hardware. :)

      --
      "I'm just here to regulate funkiness."
    21. Re:I'll take one by the_womble · · Score: 1

      If he did that now he would probably be arrested for something or the other: shooting the hard drive could be interpreted as a threat to shoot a person.

    22. Re:I'll take one by the_womble · · Score: 1

      I would gladly give up 6% of the performance of my machine if I could be safe from rootkits.

      Worthwhile: yes.

      Lightweight: no

    23. Re:I'll take one by NotBornYesterday · · Score: 1

      Yeah, things are a lot different now. Of course, you have to understand that they got along very well and did a lot of business together. I'm pretty sure he gave her a heads-up it was coming, and that she knew it was intended for her amusement. Still, not something I'd do these days.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    24. Re:I'll take one by sigxcpu · · Score: 1

      yes, but who will protect the hypervisor from rootkits?
      maybe, if you nest the hypervisor inside another you can use that new hypervisor to protect the one protecting your OS...

      --
      As of Postgres v6.2, time travel is no longer supported.
    25. Re:I'll take one by jhol13 · · Score: 1

      How about, er, a microkernel?

      It loses less than 6% ...

    26. Re:I'll take one by Disgruntled+Goats · · Score: 1

      No, it was neither. It's a falsely attributed quote.

    27. Re:I'll take one by NotBornYesterday · · Score: 5, Funny

      Nice try, young man, but you can't fool me. It's hypervisors all the way down.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    28. Re:I'll take one by SnarfQuest · · Score: 1

      Boot off a DVD. Have everything possible, including configuration files, run off the DVD.

      It makes reconfiguring the system a bit harder, but it also makes messing up the system files a great deal harder.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    29. Re:I'll take one by Saint+Mitchell · · Score: 1

      I admit I had no idea what polymathic meant. Now that I've wikipedia'd it I really like it. Kudos to you sir for giving me a word to toss into a random conversation that will make me sound smarter than I am.

      No, that wasn't sarcasm I'm being serious.

    30. Re:I'll take one by Anonymous Coward · · Score: 0

      Those who would give up essential system performance for temporary system security... probably need to learn how to overclock their systems.

      Over-clocking is for those who do not understand how to purchase the correct hardware for the purpose intended. It simply degrades the MTBF of the device, to gain short-term minimal performance boosts.

    31. Re:I'll take one by droopycom · · Score: 1

      I'm actually amazed that you could shoot a bullet at a drive, and the drive would not shatter in 100 pieces...

    32. Re:I'll take one by LucidBeast · · Score: 1

      It was in quotation marks and sounds more like Jefferson. Benjamin didn't worry about rootkits. His OS was engraved on metal plates.

    33. Re:I'll take one by A+nonymous+Coward · · Score: 1

      I'll bet Franklin had the sense of humor you seem to be missing. His kite would have whooshed right over your head.

    34. Re:I'll take one by Sinning · · Score: 2, Informative

      if (mtbf > mtbObsolete) then overclock();

    35. Re:I'll take one by _Shad0w_ · · Score: 1

      I shall throw autodidact your way as well then :)

      --
      Yeah, I had a sig once; I got bored of it.

    36. Re:I'll take one by fuzzyfuzzyfungus · · Score: 1

      Some drives, mostly 2.5in and smaller, have glass platters (which do, in fact, shatter pretty enthusiastically and form nasty sharp slivers); most HDDs have metal platters, reasonably chunky aluminum housings, steel covers, and a fiberglass PCB on the bottom.

      I wouldn't volunteer to use one for armor; but it is pretty much to be expected that such a structure would either suffer a fairly neat hole (particularly if the round were jacketed) or just a significant dent (if it were softer lead only).

    37. Re:I'll take one by Anonymous Coward · · Score: 0

      That was Carter.

    38. Re:I'll take one by Anonymous Coward · · Score: 0

      lol, jokes.

    39. Re:I'll take one by Anonymous Coward · · Score: 0

      It wasn't Franklin. It was from the author of a book he published.

    40. Re:I'll take one by selven · · Score: 1

      Those who would give up an instant chain of Score 4:Funny comments for factual accuracy deserve neither humor nor accuracy.

    41. Re:I'll take one by glarbl_blarbl · · Score: 1

      Yeah, that sounds right. The Mythbusters shot an iPod in one of their "What is Bulletproof?" eps and that's what it looked like. I googled around but couldn't find the video or any images online so I guess one will have to take my word for it or buy the DVD.

      --
      I use friend/foe to signal strong [dis]agreement instead of mod points. What else are f/f good for?
    42. Re:I'll take one by Anonymous Coward · · Score: 0

      Would you also give up 6% of your bank account in return for 'security measures' against skimming and other scams?

    43. Re:I'll take one by NotBornYesterday · · Score: 1

      Actually, I have several old disassembled hard drives sitting next to me. At least two of them are from between '96 (Quantum) and '98 (Maxtor), and both have metal platters.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    44. Re:I'll take one by DaVince21 · · Score: 1

      Overclocking my system only gives me the minimum desired performance - what now?!

      --
      I am not devoid of humor.
  2. Linux by Anonymous Coward · · Score: 1, Funny

    But does it run... oh, right.

    1. Re:Linux by xOneca · · Score: 1

      No, it's a typo in the summary. It can't run on Linux. Moreover, I think it will never be ported to Linux. It's not profitable.

    2. Re:Linux by Quantumstate · · Score: 1

      Does that mean that it is a typo in TFA as well? "The team installed HookSafe on a machine running Ubuntu 8.04"

    3. Re:Linux by xOneca · · Score: 1

      Yes. Both of them are wrong. Because I say so.

  3. So ... by Nerdfest · · Score: 4, Interesting

    There's actually nine rootkits out there for Linux? Anyone run into these or have any recommendations of good detection software? I've always been curious if an clamav run from a live CD will pick them up.

    1. Re:So ... by Anonymous Coward · · Score: 4, Informative
    2. Re:So ... by vistapwns · · Score: 5, Funny

      No, it's a lie. It's not possible to build a rootkit for linux, it's magical.

      --
      "...I think the Microsoft hatred is a disease." - Linus Torvalds
    3. Re:So ... by Nerdfest · · Score: 1

      There's possible, and there's 'worth the trouble'. I'd assume most of these are aimed at large scale server users, but I'm curious about how common they are in the wild.

    4. Re:So ... by PhilHibbs · · Score: 1

      The reason it's called a root kit is that it hides the fact that your box has been rooted, and what kind of O/S has a root account? Hint: Not Windows.

    5. Re:So ... by Jazz-Masta · · Score: 1

      The summary was incorrect - corrected below:

      The team installed HookSafe on a machine running Windows Vista, and found the system successfully prevented 126,000 real-world rootkits targeting that platform from installing or hiding themselves.

    6. Re:So ... by Tony+Hoyle · · Score: 1

      Rootkit as a name has nothing to do with the OS it's running on. The Sony rootkits targeted Windows, for example.

      Anyway, Windows has a whole class of root users called the administrators group, not just one user.

    7. Re:So ... by Thelasko · · Score: 4, Informative

      There's actually nine rootkits out there for Linux?

      The rootkits in question are:

      Some of them are in the wild and some are just for research. For more information, I would check out this page.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    8. Re:So ... by Anonymous Coward · · Score: 0

      Which almost, but not quite have root privileges. The equivalent to root in Windows is the System account.

    9. Re:So ... by tepples · · Score: 1

      [Members of the Administrators group in Windows] almost, but not quite have root privileges.

      If a user can elevate to having a privilege without having to authenticate as anyone but the user himself, then the user effectively has that privilege. Members of the Administrators group under Windows have the privileges of the system account, and sudoers under Linux have the privileges of the root account.

    10. Re:So ... by ehrichweiss · · Score: 1

      Thanks. Do you have any other sources for Linux rootkit info? I've been studying Vista kits for the past few months and find them horrifyingly simple to implement.

      --
      0x09F911029D74E35BD84156C5635688C0
    11. Re:So ... by PhilHibbs · · Score: 1

      OK, badly phrased on my part, I was referring to the origin of the phrase.

    12. Re:So ... by jhol13 · · Score: 1

      No. Distributing virus information is illegal in Finland (where "virus" is "program or part of it which causes harm to computers or data networks").

      Sorry for offtopic ...

    13. Re:So ... by Anonymous Coward · · Score: 0

      You're either insulated, or you suck at humor. By your logic windows boxes get administratored.

    14. Re:So ... by SnarfQuest · · Score: 1

      For a comparison, could you list all the Windows rootkits also?

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    15. Re:So ... by Skjellifetti · · Score: 1

      There's actually nine rootkits out there for Linux?

      Yes, they are supposed to be pretty scary, too. But what is worse, is that there is a ring 0 rootkit that rules them all.

    16. Re:So ... by Anonymous Coward · · Score: 0

      Yes, we have run into the phalanx rootkit where I work. It was modified enough that it was not detected by rkhunter or chkrootkit.

    17. Re:So ... by hmar · · Score: 3, Funny

      You're either insulated, or you suck at humor. By your logic windows boxes get administratored.

      Well, with some of the messes I've had to clean up from previous Admins it isn't an unfair statement

    18. Re:So ... by Anonymous Coward · · Score: 0

      Two other rootkits you left out:

      • Windows
      • Mac OS X

      When infected, these take complete control of the machine, though machines with Atom processors are apparently invulnerable to the latest version of the second rootkit above.

    19. Re:So ... by Anonymous Coward · · Score: 0

      Comedy gold^^. Damn you, lazy mods.

    20. Re:So ... by fluffy99 · · Score: 1

      That depends entirely on what rights are granted to the administrators group and what are given to the system account. On top of that, you have the permissions on specific resources that may be different. A properly hardened Windows box will have tighter rights-assignments and resource permissions (think registry keys and file permissions).

      By default though, the Administrators group have more total rights granted than the system account itself. Run secpol.msc -> local policies -> user rights assignment and have a look if you don't believe me.

    21. Re:So ... by selven · · Score: 1

      Administratored? I know it's cool to talk about the paper you "authored" and all, but this is getting ridiculous.

    22. Re:So ... by Anonymous Coward · · Score: 0

      WTF?!?! He wasn't asking you about virus information in Finland.

    23. Re:So ... by Anonymous Coward · · Score: 0

      There's actually nine rootkits out there for Linux?

      No, they only tested it on nine. There are a hell of a lot more than just nine rootkits for Windows. While for decades malware writers have written viruses for Windows, Linux has always been the home to rootkit writers. I would be surprised if there was less than a hundred rootkits out there for Linux.

    24. Re:So ... by Unequivocal · · Score: 1

      fluffy99 is right in my experience. There was stuff I couldn't do as an admin group member, when I was programming on Windows server, that I could do as the SYSTEM ACCOUNT. So sometimes when I needed to test a hook on something I would schedule "CMD.exe" to run in the scheduling system and enable interact w/desktop for the job. Scheduler would pop up a CMD (dos prompt) window and that window would be running under SYSTEM ACCOUNT. That dos prompt could do things my other dos prompts couldn't do. Ergo, fluffy99 is on to something.

      I do recall being able to modify the system policy to allow my account to do these same things, but it took a lot of figuring, and the whole point here is that my default "root" account on windows couldn't do everything the system could do.

    25. Re:So ... by fluffy99 · · Score: 1

      fluffy99 is right in my experience. There was stuff I couldn't do as an admin group member, when I was programming on Windows server, that I could do as the SYSTEM ACCOUNT. So sometimes when I needed to test a hook on something I would schedule "CMD.exe" to run in the scheduling system and enable interact w/desktop for the job.

      Yup, I'm quite familiar with that trick. In particular it was very handy for running regedit and getting to keys under security that only the system account had access to. Nowadays I just use runas to start a cmd prompt with my admin account as needed.

      Later on with XP, Microsoft got a bit smarter and created variants of the system account like network_service, local_service, as well as the usual system to help limit the damage that services could do (previously they all either ran as a local user or system). Again a properly hardened system shouldn't be running potentially vulnerable services under an excessively privileged account - under both Windows and Linux.

    26. Re:So ... by fluffy99 · · Score: 1

      ...and sudoers under Linux have the privileges of the root account.

      One nitpick here. Sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. With a properly written /etc/sudoers file, the users are allowed to run specific commands as root. It doesn't give them carte blanche to run any command as root unless they are granted permissions to run either all or a shell.

    27. Re:So ... by tepples · · Score: 1

      A lot of "specific commands" have functionality almost equivalent to a shell, especially when the program's command line can specify an output file that overwrites a system binary.
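The two comments above (fluffy99's "specific commands" nitpick and tepples' reply about commands whose command line names an output file) come down to one question an auditor can ask of each sudoers rule: how much of the command line does the user, rather than the administrator, control? The script below is an added example written for this page, not code from the thread, from sudo or from HookSafe; SAMPLE_SUDOERS is a constructed file, and the classification (ALL, a shell, a command with unrestricted arguments, wildcard arguments, fixed arguments) is the author's own triage scheme rather than anything sudo defines. It handles plain user-spec lines only; aliases, Defaults and backslash continuations are skipped.

```python
# Added example (not from this thread or the sudo project): a small audit of a
# sudoers file that classifies each rule by how much of the command line the
# user controls. SAMPLE_SUDOERS is a constructed file, not a real one.
import re
from collections import Counter

# Shell binaries: granting one of these as root is equivalent to granting ALL.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/zsh"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")   # NOPASSWD:, NOEXEC:, ...

SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/sbin/service nginx restart, /usr/sbin/service nginx reload
backup  ALL=(root) /usr/bin/tee
webops  ALL=(root) /bin/cat /var/log/nginx/*
auditor ALL=(root) /usr/bin/less /var/log/auth.log
ops     ALL=(root) /bin/bash
"""


def classify(command, args):
    """Map one command spec to (kind, severity).

    In sudoers a command listed without arguments may be run with ANY
    arguments, so the user, not the admin, decides what the program does
    with its command line; explicit arguments must match exactly, and ""
    means no arguments at all."""
    if command == "ALL":
        return "unrestricted", "high"
    if command in SHELLS:
        return "shell", "high"
    if args == '""':
        return "no-args", "ok"
    if args is None:
        return "any-args", "medium"
    if any(ch in args for ch in "*?["):
        return "wildcard-args", "medium"
    return "fixed-args", "ok"


def parse_rules(text):
    """Parse user-spec lines (aliases, Defaults and line continuations are
    out of scope for this toy) and classify every command in them."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"     # sudo's default runas user
        tags = ""                              # a tag applies to the commands after it
        for entry in m.group("spec").split(","):
            entry = entry.strip()
            t = TAG_RE.match(entry)
            if t:
                tags = t.group(1).strip()
                entry = entry[t.end():].strip()
            command, _, args = entry.partition(" ")
            args = args.strip() or None
            kind, severity = classify(command, args)
            findings.append({"who": m.group("who"), "runas": runas, "tags": tags,
                             "command": command, "args": args,
                             "kind": kind, "severity": severity})
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in parse_rules(SAMPLE_SUDOERS):
        print(f"{f['severity']:6} {f['who']:8} {f['kind']:14} {f['command']} {f['args'] or ''}")
    print(summarize(parse_rules(SAMPLE_SUDOERS)))
```

On the sample, the `deploy` rules (fixed arguments, a specific service action) and the `auditor` rule come out as "ok", the `backup` rule for `tee` with no argument restriction and the `webops` wildcard come out as "medium" (the user chooses the file names), and `ALL` and `/bin/bash` come out as "high". A fixed argument list only constrains what sudo launches, not what an interactive program lets its operator do afterwards, which is what the sudoers `NOEXEC` tag exists to limit.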

  4. Not degrading the performance? by Mysticalfruit · · Score: 1

    So the synopsis starts by saying it doesn't degrade performance and ends with "it only causes a 6% drop in performance." Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

    --
    Yes Francis, the world has gone crazy.
    1. Re:Not degrading the performance? by vistapwns · · Score: 1

      Well the kernel can't do them naively, it has to know it's doing them, in the first place.

      --
      "...I think the Microsoft hatred is a disease." - Linus Torvalds
    2. Re:Not degrading the performance? by Anonymous Coward · · Score: 3, Funny

      Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

      My spelling error detector just exploded! You jerk!

    3. Re:Not degrading the performance? by bcmm · · Score: 3, Funny

      Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

      Were you trying to say "Now, I might be native, but why can't these memory aligning tricks be done in the kernel naively?

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    4. Re:Not degrading the performance? by moderatorrater · · Score: 1, Informative

      Schneier's synopsis is pretty good. Apparently, most hardware only provides page-level memory granularity, whereas protecting these hooks requires byte-level granularity.
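The granularity mismatch in the comment above is the whole reason HookSafe relocates hooks at all: a hook is an 8-byte pointer, the MMU can only write-protect whole 4 KiB pages, and the pages that hold hooks also hold data the kernel writes constantly. The toy model below is an added example written for this page (not code from the HookSafe paper, the Register article or any commenter); every hook name, address and "benign write" is constructed, and the relocation step assumes, as the summary describes, that the kernel's readers of each hook are redirected to the new page-aligned slot.

```python
# Added example (not from the HookSafe paper, the Register article or any
# commenter): a toy model of page-granular write protection applied to
# kernel hooks. Every address and hook name below is constructed.

PAGE_SIZE = 4096      # the granularity commodity MMUs actually give you
SLOT_SIZE = 8         # one function pointer on a 64-bit kernel


def page_of(addr):
    """Page number that contains a byte address."""
    return addr // PAGE_SIZE


class PageProtector:
    """Page-granular write protection: every page holding a hook is locked,
    and any write into a locked page traps to the monitor (hypervisor)."""

    def __init__(self, hook_addrs):
        self.hook_addrs = dict(hook_addrs)          # hook name -> address
        self.protected_pages = {page_of(a) for a in self.hook_addrs.values()}

    def is_hook(self, addr):
        """True if addr falls inside one of the protected hook slots."""
        return any(a <= addr < a + SLOT_SIZE for a in self.hook_addrs.values())

    def write_traps(self, addr):
        """True if a write to addr would fault into the monitor."""
        return page_of(addr) in self.protected_pages


def classify_writes(protector, writes):
    """Return (writes that hit a hook, benign writes that trap anyway)."""
    hook_hits = sum(1 for w in writes if protector.is_hook(w))
    benign_traps = sum(1 for w in writes
                       if not protector.is_hook(w) and protector.write_traps(w))
    return hook_hits, benign_traps


def relocate_hooks(hook_addrs, base):
    """Copy each hook slot into a dedicated, page-aligned region, one slot
    after another (this models HookSafe's relocation step; the kernel's
    readers of the hook are assumed to be redirected to the new slot)."""
    if base % PAGE_SIZE:
        raise ValueError("relocation region must be page-aligned")
    return {name: base + i * SLOT_SIZE for i, name in enumerate(hook_addrs)}


# Constructed layout: five hooks spread over four pages that also hold
# frequently written kernel data (counters, refcounts, list heads).
SCATTERED_HOOKS = {
    "syscall_slot_getdents":  0xC0301000 + 0x468,
    "vfs_readdir_fptr":       0xC0420000 + 0x0F0,
    "proc_root_readdir_fptr": 0xC0420000 + 0x8D0,   # shares a page with the one above
    "netfilter_hook_fptr":    0xC0511000 + 0x020,
    "tcp_seq_show_fptr":      0xC0632000 + 0xA10,
}

# Constructed trace of legitimate kernel writes that never touch a hook.
BENIGN_WRITES = [
    0xC0301000 + 0x010,   # statistics counter beside the syscall slot
    0xC0420000 + 0x300,   # inode refcount in the vfs page
    0xC0420000 + 0x304,
    0xC0511000 + 0x800,   # conntrack counter
    0xC0632000 + 0x100,   # socket list head
    0xC0700000 + 0x040,   # unrelated page, never trapped either way
]


def summarize(protector, benign_writes, hook_name):
    """Cost and coverage of a layout: locked pages, benign writes that
    needlessly trap, and whether an overwrite of the named hook is caught."""
    hook_addr = protector.hook_addrs[hook_name]
    _, benign_traps = classify_writes(protector, benign_writes)
    return {
        "protected_pages": len(protector.protected_pages),
        "benign_traps": benign_traps,
        "hook_write_caught": protector.write_traps(hook_addr),
    }


def compare_layouts(reloc_base=0xC0900000, hook_name="vfs_readdir_fptr"):
    """Before: hooks in place. After: hooks relocated to one dedicated page."""
    before = PageProtector(SCATTERED_HOOKS)
    after = PageProtector(relocate_hooks(SCATTERED_HOOKS, reloc_base))
    return (summarize(before, BENIGN_WRITES, hook_name),
            summarize(after, BENIGN_WRITES, hook_name))


if __name__ == "__main__":
    for label, result in zip(("scattered", "relocated"), compare_layouts()):
        print(label, result)
```

With the hooks left where they are, four pages have to be locked and every one of the five benign writes that share those pages traps into the monitor, which is where the overhead of a naive page-protection scheme comes from. After relocation one page is locked, none of the benign writes trap, and a write aimed at the hook slot is still caught. Each remaining trap still costs a VM exit, which is the overhead the summary's 6 percent figure reflects.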

    5. Re:Not degrading the performance? by fibonacci8 · · Score: 1

      Just think of the performance hit implementing anything natively rather than naively.

      --
      Inheritance is the sincerest form of nepotism.
    6. Re:Not degrading the performance? by wcrowe · · Score: 1

      You might be snow? And your kernel is naïve?

      --
      Proverbs 21:19
    7. Re:Not degrading the performance? by Mysticalfruit · · Score: 1

      Ha! Ha!

      My native naive kernel naively is native!

      Sorry about that, my caffeine level was way below optimum...

      --
      Yes Francis, the world has gone crazy.
    8. Re:Not degrading the performance? by raddan · · Score: 1

      Overlooking the funny spelling errors, there is no reason why the kernel can't do this natively. It just doesn't at the moment.

    9. Re:Not degrading the performance? by Rockoon · · Score: 1

      Indeed. It is unlikely that byte level granularity will be common for commodity processors. Processors such as the old mainframe PDP-10 did have byte-level (hmmm, or was it word level?) access triggers.

      --
      "His name was James Damore."
    10. Re:Not degrading the performance? by Attila+Dimedici · · Score: 1

      Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

      What does the fact that you might be a fist (http://www.yourdictionary.com/nieve) have to do with doing something naive in the kernel?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    11. Re:Not degrading the performance? by Anonymous Coward · · Score: 0

      Damn, my RAM is full of llamas.

      Well I'll be dipped - mine too!

    12. Re:Not degrading the performance? by Anonymous Coward · · Score: 0

      You might be snow? And your kernel is naïve?

      It's neige, not nieve.

    13. Re:Not degrading the performance? by johanatan · · Score: 1

      Actually, I think he meant Neve as in Neve Campbell.

    14. Re:Not degrading the performance? by Anonymous Coward · · Score: 0

      Oops, never mind, wrong language!

  5. What were the rootkits? by sgt+scrub · · Score: 2, Interesting

    I'd like to know the 9 rootkits used. I know Ubuntu 8.04 is a generation behind the current stable version but I don't think there were any rootkits capable of installing. I'm assuming the people doing the test didn't install the kernel source on the box. It isn't installed by default and AFAIK you have to be able to build the kit using the kernel source. Anyone know of a rootkit that can be installed without creating modules from the kernel source? Maybe I'm just way out of the loop on owning a Linux box.

    --
    Having to work for a living is the root of all evil.
    1. Re:What were the rootkits? by Bottles · · Score: 1

      The rootkits are mentioned in the PDF linked from the Register article: http://www.theregister.co.uk/2009/11/11/hooksafe_rootkit_protection/ Or the PDF here: http://discovery.csc.ncsu.edu/pubs/ccs09-HookSafe.pdf

    2. Re:What were the rootkits? by JesseMcDonald · · Score: 2, Informative

      You don't need the full kernel source to build a module, just the header files. These are usually placed in a separate package. Is the kernel header package installed by default?

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    3. Re:What were the rootkits? by Anonymous Coward · · Score: 3, Informative

      8.04 isn't a full generation behind anything, it's the LTS version which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice with using 8.04 as their testbed for this.

      Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of /bin/sh works quite fine, but as always it all depends on what you want.

      You're out of the loop. :(
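The point above that a rootkit can be nothing more than a patched copy of /bin/sh (and Nerdfest's earlier question about detection software run from a live CD) is answered by the most basic check there is: compare installed binaries against hashes recorded at install time. The script below is an added example written for this page, not code from the thread, from rkhunter, chkrootkit or any package manager; it builds a fake root in a temporary directory with constructed stand-ins for the binaries, takes a manifest, simulates a userland rootkit that trojans the shell and removes a tool, and reports the difference.

```python
# Added example (not from this thread, rkhunter or any package manager): a
# manifest-based integrity check of system binaries, the kind of check that
# catches a patched /bin/sh. The fake root, file contents and "trojan" edit
# are all constructed inside a temporary directory.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Record the expected hash of each file, as a package manager would at
    install time. Keep the result off the host: an attacker who can patch
    /bin/sh can patch a manifest stored beside it."""
    return {rel: sha256_of(Path(root) / rel) for rel in rel_paths}


def verify_manifest(root, manifest):
    """Compare the current tree against the manifest."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        path = Path(root) / rel
        if not path.exists():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


# Constructed stand-ins for the binaries; real ones would be ELF files.
PRISTINE_FILES = {
    "bin/sh": b"#!/bin/true\n# constructed stand-in for /bin/sh\n",
    "bin/ls": b"#!/bin/true\n# constructed stand-in for /bin/ls\n",
    "bin/ps": b"#!/bin/true\n# constructed stand-in for /bin/ps\n",
}


def demo():
    """Install the pristine tree, take the manifest, then simulate a userland
    rootkit that trojans the shell and removes a tool, and verify."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "bin").mkdir()
        for rel, data in PRISTINE_FILES.items():
            (Path(root) / rel).write_bytes(data)
        manifest = build_manifest(root, PRISTINE_FILES)

        # Simulated tampering (constructed): append to sh, delete ps.
        with open(Path(root) / "bin/sh", "ab") as fh:
            fh.write(b"# constructed marker standing in for injected code\n")
        (Path(root) / "bin/ps").unlink()

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

This check only sees what the kernel shows it: a kernel-level rootkit of the LKM or /dev/kmem kind discussed later in the thread can hand the verifier the original bytes while executing the patched ones, which is why such checks are run from trusted boot media, and why HookSafe sits below the kernel in a hypervisor rather than inside it.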

    4. Re:What were the rootkits? by Anonymous Coward · · Score: 0

      My summary from the table on page 7 of the pdf linked above:

      • LKM attack vector: adore-ng 0.56, eNYeLKM 1.2, override, Sebek 3.2.0b, hideme.vfs
      • /dev/kmem attack: sk2rc2, superkit, Phalanx b6, mood-nt 2.3

      Hiding fails via hook indirection on the adore-ng 0.56 and override root kits,
      and installation fails via memory protection on the rest.

    5. Re:What were the rootkits? by Professional+Slacker · · Score: 1

      I don't believe that the headers are installed by default, but there are a bunch of packages that depend on it because they use DKMS, such as:

      • Asterisk
      • the BCM43xx driver
      • All the closed video drivers
      • Virtual box
      • the LIRC drivers
      • kqemu

      So while not installed by default, I'd guess they're a pretty common thing to have installed.

      --
      A Free Market requires informed intelligent consumers, such people are rare, we're in trouble.
    6. Re:What were the rootkits? by chipschap · · Score: 1

      I find it "interesting" that Microsoft was part of this research, and what is tested? Ubuntu rather than Windows. No agenda here, I'm sure.

    7. Re:What were the rootkits? by tepples · · Score: 1

      Is the kernel header package installed by default?

      One of the first things that a programmer installs on Ubuntu is build-essential. This package brings in GCC, GNU Make, and libc6-dev (the C standard library headers). And libc6-dev brings in the kernel headers. So if you've installed anything from source on Ubuntu, you have the kernel headers.

    8. Re:What were the rootkits? by felipekk · · Score: 1

      I've installed an Ubuntu 9.04 Server recently and it didn't include the headers by default (neither the source).

      I'm pretty sure it's also the case for 9.10.

    9. Re:What were the rootkits? by sgt+scrub · · Score: 1

      I guess the eyes ARE the first to go. Thanks.

      --
      Having to work for a living is the root of all evil.
    10. Re:What were the rootkits? by sgt+scrub · · Score: 1

      How does an application, not part of the kernel, boot before the kernel? I guess if it is built into the BIOS. But, that wouldn't be a Linux rootkit would it?

      --
      Having to work for a living is the root of all evil.
    11. Re:What were the rootkits? by initialE · · Score: 1

      Now the real challenge is to get someone to write a new rootkit, and see if it can defeat the protections. What's the point in protecting against known kits?

      --
      Starbucks, Harbuckle of Breath.
    12. Re:What were the rootkits? by Anonymous Coward · · Score: 0

      Three of the rootkits in question (Phalanx, Adore-ng and sk2rc2) don't use modules at all, they inject raw assembly through /dev/(k)mem. Also, nothing prevents you from building the module against the same source on your local workstation and then uploading it to the target.

    13. Re:What were the rootkits? by cichlid · · Score: 1

      Now the real challenge is to get someone to write a new rootkit, and see if it can defeat the protections. What's the point in protecting against known kits?

      It gets someone to write a new rootkit. Challenge met!

  6. Can we learn lessons from mainframe VMs? by davidwr · · Score: 1

    Surely this problem was addressed in the 1960s or 1970s in the mainframe world, yet I've not heard much in the way of lessons we can apply to today's PC-type OSes.

    Anyone? Anyone? Bueller?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Can we learn lessons from mainframe VMs? by tjstork · · Score: 2, Insightful

      Surely this problem was addressed in the 1960s or 1970s in the mainframe world, yet I've not heard much in the way of lessons we can apply to today's PC-type OSes.

      Could be tough. Have computer in physically sealed room, only communicate with dumb terminals.

      --
      This is my sig.
    2. Re:Can we learn lessons from mainframe VMs? by NotBornYesterday · · Score: 1

      How many rootkits were running around back then?

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    3. Re:Can we learn lessons from mainframe VMs? by camperdave · · Score: 1

      Here's one. Of course, once they were found, they were very easy to remove.

      --
      When our name is on the back of your car, we're behind you all the way!
    4. Re:Can we learn lessons from mainframe VMs? by Anonymous Coward · · Score: 0

      How many rootkits were running around back then?

      42

  7. Sounds like a root kit. by Hatta · · Score: 5, Funny

    So this thing acts as a hypervisor and loads its own hooks into the kernel. Sounds like something a root kit would do.

    It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

    --
    Give me Classic Slashdot or give me death!
    1. Re:Sounds like a root kit. by ScaledLizard · · Score: 1

      Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

      Added bonus: ability to threaten terrorists: "We'll denote our bomb before you activate yours"? No power to terrorists!

    2. Re:Sounds like a root kit. by moderatorrater · · Score: 4, Funny

      It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

      That's why the TSA's so harmful. If you outlaw bombs on a plane, then only terrorists will have bombs.

    3. Re:Sounds like a root kit. by Captain+Splendid · · Score: 2, Funny

      "We'll denote our bomb before you activate yours"? No power to terrorists!

      Only symbolically, of course.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    4. Re:Sounds like a root kit. by Anonymous Coward · · Score: 0

      If you're from Canada, they have a bomb registry. Only good law-abiding folks register their bombs. Works like a charm.

    5. Re:Sounds like a root kit. by VGPowerlord · · Score: 1

      Yes, but we could bring snakes instead. Snakes, on a mother-fucking plane!

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    6. Re:Sounds like a root kit. by Anonymous Coward · · Score: 0

      So this thing acts as a hypervisor and loads its own hooks into the kernel. Sounds like something a root kit would do.

      It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

      Better way: all the airplanes should be required to carry 72 UGLY virgins as stewardesses. When the Holy Terror sees the future reward, he'll give up.

    7. Re:Sounds like a root kit. by MickyTheIdiot · · Score: 1

      What? Spike Milligan must have come up with that strategy.

    8. Re:Sounds like a root kit. by AlgorithMan · · Score: 1

      After all, what are the chances that there would be two bombs on the plane?

      the a-priori probability

      P(2 bombs)

      is very low, but if you know there already is a bomb in it, you have to apply the conditional probability

      P(2 bombs | 1 bomb)
      = P(2 bombs intersection 1 bomb) / P(1 bomb)
      = P(2 bombs) / P(1 bomb)
      = P(1 bomb and 1 bomb) / P(1 bomb)
      = P(1 bomb)^2 / P(1 bomb)
      = P(1 bomb)

      so you gain no extra security from this measurement... sorry to disappoint you... </smart ass>

      --
      The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
    9. Re:Sounds like a root kit. by Anonymous Coward · · Score: 0

      Perhaps it is simply: "We'll detonate our bomb before you ram the plane into a building..."

    10. Re:Sounds like a root kit. by Tanktalus · · Score: 1

      Better way: all the airplanes should be required to carry 72 UGLY virgins as stewardesses. When the Holy Terror sees the future reward, he'll give up.

      I always thought that having all stewardesses be topless was the better idea. Not only would it dissuade the terrorists from even getting on the plane, it would easily triple the amount of business travel, restoring profitability to the airlines.

    11. Re:Sounds like a root kit. by Anonymous Coward · · Score: 0
    12. Re:Sounds like a root kit. by bill_mcgonigle · · Score: 1

      I always thought that having all stewardesses be topless was the better idea. Not only would it dissuade the terrorists from even getting on the plane, it would easily triple the amount of business travel, restoring profitability to the airlines.

      Yeah, I mean Richard Branson saw Iron Man too, so what gives?

      As a comedian once suggested, have an airline where at least one of the passengers in your party has to be packing, and everybody eats a bacon-wrapped scallop on their way in. No screenings, just "Fly At Your Own Risk Airways."

      But, hey, chocolate and peanut butter - even if both ideas are terribly shellfish.

      Plus, remind them they were never promised 72 virgin women.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Hmm , is there a reason they didn't use Windows? by Viol8 · · Score: 3, Insightful

    ... it being partly a microsoft research project and all. They wouldn't be trying to imply anything about Linux would they, or perish the thought, be unwilling to embarrass themselves if Windows could *still* be rooted even after this solution was installed?

  9. How well would this play with Anti Virus programs? by Viol8 · · Score: 1

    Anti Virus programs are effectively rootkits - at least for Windows - as they bury themselves deep in the OS and redirect various kernel hooks to themselves. I can see potential problems if this type of solution ever becomes common though I suppose you could argue that you shouldn't need anti virus protection if you have this hypervisor. And with both Linux and Windows how would it take into account someone attempting to load a driver/module from userland?

  10. If it can be added, it can be removed by RiotingPacifist · · Score: 1

    You cannot protect against root kits, all you can do is make it harder to get true root. How is this more effective than making key binaries immutable then removing the kernel ability to remove immutability during boot (performance cost 0%)?

    --
    IranAir Flight 655 never forget!
    1. Re:If it can be added, it can be removed by Tony+Hoyle · · Score: 2, Informative

      If you can get a driver into ring 0 what the kernel can or can't do doesn't mean squat. Run everything under a hypervisor, however, and you never get direct access to the hardware hence it limits what you can do (doesn't mean you can't do it.. just makes it significantly harder).

    2. Re:If it can be added, it can be removed by Rockoon · · Score: 2, Insightful

      Add to this the fact that even with a fully updated Windows/Linux/OSX box, it is still possible for a userland program to snag ring-0 via known vulnerabilities.

      I predict that hypervisors will become very complex over the next 10 years, complete with malware detection heuristics, but will eventually fall prey to the same problems modern kernels have (that of being too complex to make bullet proof)

      --
      "His name was James Damore."
  11. Rootkit hunter by jDeepbeep · · Score: 4, Informative

    Anyone run into these or have any recommendations of good detection software?

    Rootkit Hunter

    --
    Reply to That ||
    1. Re:Rootkit hunter by e9th · · Score: 1

      One of the sourceforge reviews of 1.3.4 gives it a thumbs up,

      But only older version (1.2.9) The new on I cant't install is to complicated.

      Now I'm worried. If this guy couldn't install it, what chance does anybody else have?

    2. Re:Rootkit hunter by Thelasko · · Score: 1

      Rootkit Hunter [sourceforge.net]

      Ubuntu users:

      sudo apt-get install rkhunter
      sudo rkhunter -c

      Any warnings about stuff in /dev is likely normal.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    3. Re:Rootkit hunter by Spyware23 · · Score: 1

      You should use aptitude instead of apt-get (handles dependencies better). And I hope you do realize that aptitude isn't just usable for Ubuntu users, but any system supporting APT (i.e. Debian-based).

      Also also, ubuntuforums.org sucks. Really. It does.

    4. Re:Rootkit hunter by mixmatch · · Score: 1

      I've never had dependency problems with apt-get. Where are you getting this?

    5. Re:Rootkit hunter by Spyware23 · · Score: 1

      Everywhere. Here's an example: http://en.kioskea.net/faq/sujet-2154-apt-get-or-aptitude

      Googling for "aptitude vs. apt-get" yields many results, too.

  12. Re:How well would this play with Anti Virus progra by AtomicDevice · · Score: 3, Funny

    Anti Virus programs are effectively worthless shareware with a pretty interface designed to have a tray icon look science-ey - at least for Windows

    I think you had a little typo there, but I fixed it.

    --
    Ze Atomic Device! It iz Ztolen!
  13. Re:How well would this play with Anti Virus progra by thijsh · · Score: 1

    I can see potential problems if this type of solution ever becomes common though I suppose you could argue that you shouldn't need anti virus protection if you have this hypervisor.

    Hah! Well I see a potential problem there. :)
    But others (the bad kind) probably see only the potential...

  14. By any other name by fibonacci8 · · Score: 4, Insightful

    A root kit is just a sandbox that someone else has set up for you on what is now his or her computer.

    --
    Inheritance is the sincerest form of nepotism.
  15. Re:Hmm , is there a reason they didn't use Windows by Tony+Hoyle · · Score: 1

    Probably more likely it's easier to test the theory on a kernel you can hack the source of quite easily than recompile Windows every time.. even if you have the source license (which they may not have done even though they're funded by microsoft).

  16. 6%?? Of what system? by Hurricane78 · · Score: 1

    6% of my mobile phone? Or 6% of the RoadRunner with its 1 petaflop?

    I think a proper rootkit protection is a passive one. One that only takes resources, if there is actually something to do. How about that?
    Sorry, 6% might sound small, but when you add it all together, rootkit-protection, anti-virus, anti-malware, intrusion detection system, honeypot, etc, etc, etc... and end up with only 6% of your cpu work actually being used for real work... you might start thinking about designing your OS in a proper way in the first place!

    I don't like doing it wrong, and then patching it up. Or else I'd use Windows ME.

    Just my two cents.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
    1. Re:6%?? Of what system? by raddan · · Score: 5, Interesting

      I'd have to read the author's original paper here to know for sure, but that 6% performance hit may be because those kernel hook pages are being swapped out of memory. Relocating kernel hooks to read-only pages is proper design, and if this proof-of-concept really works, kernel developers across all operating systems would be foolish not to look into implementing it themselves.

      But if the aforementioned 6% is because of swapping, then some changes to the page replacement algorithm may mitigate the performance hit somewhat. My feeling is that this kind of protection is worth it. By analogy, bounds-checking arrays prevents many kinds of overflow errors, and there's a penalty to pay for that protection, but in most cases it is well worth doing.

    2. Re:6%?? Of what system? by Charan · · Score: 4, Informative

      Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.

    3. Re:6%?? Of what system? by Anonymous Coward · · Score: 0

      Useless. Rootkits will just move the hooks further down into a function call flow. Instead of hooking into the table of function pointers or the object with function pointers they will hook the first branching instruction in the function itself. Or they can utilize other hardware (GPUs, APICs, anything with DMA, other chips/chipsets) that allows unrestricted access to memory without any CPU control. Or they can utilize CPU flaws to enter SMM and bypass memory protections/hypervisor control, or CPU flaws in cache coherency to change memory, or flaws in whatever hypervisor...

      Never ending cat and mouse game.

  17. That platform by Anonymous Coward · · Score: 0

    Since when has a distro qualified as a platform?

    I know Ubuntu is popular, but this sycophancy is going a bit too far.

  18. Not more secure by ScaledLizard · · Score: 1

    If I were insane with security, I'd still prefer booting a live distro from CD to booting an OS from disk, as any infection would be removed when powering down. But I suppose that this rootkit protection might add to the security of such a CD ...

    1. Re:Not more secure by Plekto · · Score: 1

      This approach was common a couple of decades ago where you had the OS in ROM and there wasn't any way to do this sort of nonsense. The Live CD approach works well enough, I guess (though it's seriously slow), but with the right technology (USB or flash/SSD port on most new motherboards comes to mind), it should be possible to load some version of *IX onto the device, plug it into the slot, and go. You would need some method of physical protection for the device you've plugged in. I don't know of any, though, that have physical protection like this built in. They all seem to rely on software to do protection, and so far, none seem 100% safe from hacking.

    2. Re:Not more secure by ScaledLizard · · Score: 1

      This approach was common a couple of decades ago where you had the OS in ROM and there wasn't any way to do this sort of nonsense.

      Good ole' C64 days. I remember the difficulties of getting graphics to a 160x200 pixel display with 16 colors by directly accessing RAM. Without checking, I think the VIC base address was 53248. Then came many other things, and yet things do not seem to slow down yet, speaking of CPU/GPU convergence ...

    3. Re:Not more secure by Plekto · · Score: 1

      The last model I know of that did this was the Mac Classic in the mid 90s - it had the OS in ROM and was a fully functional machine if booted up this way. My favorite though was the old C128, because it was actually a usable modern computer and worked as well as a typical console in terms of ease of use and reliability. With Readyboost and similar slots now on some motherboards, you may see a return of these types of setups. The only worry of course is being able to lock down the volume in a manner that is BIOS or physical and not under software control.

    4. Re:Not more secure by ScaledLizard · · Score: 1

      The Live CD approach works well enough, I guess (though it's seriously slow), but with the right technology (USB or flash/SSD port on most new motherboards comes to mind), it should be possible to load some version of *IX onto the device, plug it into the slot, and go. You would need some method of physical protection for the device you've plugged in.

      There are USB sticks and flash media that have write protection switches built in. It is possible that booting an OS from flash media is faster than a CDROM, but I haven't found the time to test it yet. Another good practice to increase security is to run all untrusted code in a virtual machine.

  19. MOD Parent UP !!! by DrYak · · Score: 2, Informative

    Together with Rkhunter (mentioned in another post below), Chkrootkit is a nice tool to use in helping prevent a Linux machine from being rooted.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  20. Scientists and security by Anonymous Coward · · Score: 0

    It's an unfair kneejerk reaction, but every time I hear the words "scientist" and "security" spouted in the same sentence, the first thing that pops into my mind is yet another stupid idea from someone peddling ignorance from well outside their domain.

    If you don't want viruses to be able to hook the kernel of your favorite operating system...for crying out loud don't login as a user with those privileges.

    Having hooksafe pimps relocate kernel hookers will not prevent your system from contracting an STD. Most people don't even care about their OS. They care about their work and crap that's on the computer itself.

  21. Lightweight? No, thank you. by SEWilco · · Score: 1

    But I don't want lightweight protection. I want a lot of steel and guns. And armed drones with packet sniffers. And K-9 units with dowsing rods.

  22. Apples and Oranges by Anonymous Coward · · Score: 0

    That quote from Franklin is about political climate and government. You could just as easily defame the quote by applying it to specific technology, such as a car or computer. However, they are very different things and don't change the importance of the original quote.
    I just don't want this all important principle to be lost, is all:

    They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

  23. RamDisk by improfane · · Score: 1

    I believe liveCDs work because they create ramdisks which are modifiable in memory so that they could technically be exploited in memory until switched off. Unless of course they are read only ram disks.

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
  24. That's where the hypervisor idea comes from... by mbessey · · Score: 1

    I think IBM invented hypervisors to allow running multiple OS's on the same hardware back in the 1960s...
    Yep: http://en.wikipedia.org/wiki/Hypervisor#Mainframe_origins

  25. The actual paper by rabtech · · Score: 1
    --
    Natural != (nontoxic || beneficial)
  26. And... by tjstork · · Score: 1

    He was also a polymath.

    And a poly-woman, for sure.

    --
    This is my sig.
  27. Re:Lightweight? No, thank you. by Anonymous Coward · · Score: 0

    It's not even lightweight. 6% is not lightweight. How about a lightweight tax raise? Only 6%!

  28. Re:Hmm , is there a reason they didn't use Windows by Anonymous Coward · · Score: 0

    Microsoft Research is for all intents and purposes academia without having to beg for funding from random organizations.

  29. What kind of research is this by Luke+Wilson · · Score: 1

    The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves.

    Of course they didn't detect any rootkits installing themselves, that's exactly what an installed rootkit would prevent them from seeing.

  30. Rootkits, schmootkits. by Zephiris · · Score: 1

    Mucking with page alignment and/or addressing would effectively prevent Nvidia/fglrx drivers from working (which is more or less why they don't work in HVM or the L4 microkernels, which implement Linux at a lower layer; they expect to be at specific addresses in a specific way, however you make it 'not that address', it doesn't work), never mind wine, and it'd presumably be hard pressed to get a rootkit onto a well maintained Linux server in the first place, since nobody'd be running with root privileges except a remote admin that logs in once in a while, with or without 'security modules' or Stack Smashing Protection on top to limit the scope and possibility of any intrusions or privilege escalation.
    So, this appears useless for desktops, useless for servers, what's left? It's good that money is being spent on research like this...

    --
    "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
  31. Re:How well would this play with Anti Virus progra by selven · · Score: 1

    The Moon is Earth's only natural satellite and the fifth largest satellite in the Solar System

    I think you made a typo on pretty much every one of your letters, but I fixed them all.

  32. Re:Hmm , is there a reason they didn't use Windows by HiThere · · Score: 1

    That may be true, but having encountered tied actions from purportedly independent MS funded groups before, I'm going to remain a bit dubious. I don't know what their agenda is, and I'll accept that it *MIGHT* be academic research. But it's going to take a bushel and a half of proof before I'll consider that a reasonable default assumption.

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
  33. Philosophy alchemist bombs--Re:Sounds like a roo by sowth · · Score: 1

    No. No. No. You should tackle it like a philosophy alchemist would:

    If you bring a bomb, and a terrorist brings a bomb, they will clearly mate as they do in the wild. Therefore, you will not have two bombs, but three: two adults and one child. Therefore it is not very likely you will have two bombs for long!

    However if only you bring a bomb, and no terrorist shows up to bring a bomb, the bomb will have no mate, and thereby will not be able to produce a child.

    **ahem** ... Dr. Livingstone, if I may interject here, if there is only one bomb, then one could postulate that it would wish to reproduce? Yes? Therefore, I say a lone bomb would produce pheromones to attract other bombs, and so many bombs would "show up to the party" as it were, they would mate, and you would indeed have a great number of bombs.

    One can suppose from this it is not only highly unlikely to have two bombs upon a plane, but it is also highly unlikely to have only one as well, and in fact there would be a great many bombs upon this great plane, yet I see none.

    My end postulate is this: bombs are just a figment of your imagination, and if you continue to claim you see them, I will be required to assign you to the looney bin, post haste.