Slashdot Mirror


Scientists Unveil Lightweight Rootkit Protection

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

12 of 168 comments

  1. Re:I'll take one by tjstork · · Score: 4, Informative

    It wasn't Jefferson, it was Franklin

    --
    This is my sig.
  2. Re:What were the rootkits? by JesseMcDonald · · Score: 2, Informative

    You don't need the full kernel source to build a module, just the header files. These are usually placed in a separate package. Is the kernel header package installed by default?

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  3. Re:So ... by Anonymous Coward · · Score: 4, Informative
  4. Rootkit hunter by jDeepbeep · · Score: 4, Informative

    Anyone run into these or have any recommendations of good detection software?

    Rootkit Hunter

    --
    Reply to That ||
  5. Re:Not degrading the performance? by moderatorrater · · Score: 1, Informative

    Schneier's synopsis is pretty good. Apparently, most hardware only provides page-level memory granularity, whereas protecting these hooks requires byte-level granularity.
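A user-space sketch of the relocation idea from the story and the page-granularity point in the comment above, added here as an example; it is not code from the HookSafe authors or from any poster. POSIX mmap/mprotect stand in for the hypervisor's page protection, and `struct kobj`, `hook_fn` and all function names are hypothetical: the hook is moved out of a mutable object into its own page, which is then made read-only, so the object stays writable while any write to the hook faults.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
typedef int (*hook_fn)(int);
/* Stand-in for a kernel object: its hook normally sits beside mutable data
   in the same page, so that page cannot simply be made read-only. */
struct kobj {
    int refcount;     /* mutable data, must stay writable */
    hook_fn *hook;    /* indirection into the protected hook area */
};
static int real_handler(int x) { return x * 2; }   /* legitimate hook */
static int evil_handler(int x) { return -x; }      /* constructed stand-in for a hijacked hook */
static hook_fn *hook_area;          /* dedicated page-aligned region for all hooks */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Move n hooks into a fresh page and lock it read-only. Returns 0 on success. */
static int hooksafe_relocate(struct kobj *objs, const hook_fn *originals, size_t n) {
    long pg = sysconf(_SC_PAGESIZE);
    hook_area = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_area == MAP_FAILED || n * sizeof(hook_fn) > (size_t)pg) return -1;
    for (size_t i = 0; i < n; i++) {
        hook_area[i] = originals[i];   /* copy the hook out of the object */
        objs[i].hook = &hook_area[i];  /* leave only a pointer to it behind */
    }
    return mprotect(hook_area, (size_t)pg, PROT_READ);
}
/* Dispatch through the relocated hook, as the guest kernel would. */
static int call_hook(const struct kobj *o, int arg) { return (*o->hook)(arg); }
/* Attempt to overwrite a relocated hook; returns 1 if page protection blocked the write. */
static int try_overwrite(struct kobj *o, hook_fn f) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0) *o->hook = f;   /* faults on the read-only page */
    else blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}
```

The real system does this from the hypervisor for guest kernel memory and must also handle hooks created and destroyed at run time, which is where the 6% overhead discussed further down comes from.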

  6. Re:I'll take one by _Shad0w_ · · Score: 2, Informative

    Franklin was never President. He was part of the Committee Of Five that drafted the Declaration of Independence and the first Postmaster General though. He was also a polymath.

    --
    Yeah, I had a sig once; I got bored of it.

  7. Re:What were the rootkits? by Anonymous Coward · · Score: 3, Informative

    8.04 isn't a full generation behind anything; it's the LTS version, which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice in using 8.04 as their testbed for this.

    Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of /bin/sh works quite fine, but as always it all depends on what you want.

    You're out of the loop. :(

  8. Re:If it can be added, it can be removed by Tony+Hoyle · · Score: 2, Informative

    If you can get a driver into ring 0, what the kernel can or can't do doesn't mean squat. Run everything under a hypervisor, however, and you never get direct access to the hardware, hence it limits what you can do (doesn't mean you can't do it... just makes it significantly harder).

  9. Re:So ... by Thelasko · · Score: 4, Informative

    There are actually nine rootkits out there for Linux?

    The rootkits in question are:

    Some of them are in the wild and some are just for research. For more information, I would check out this page.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  10. MOD Parent UP !!! by DrYak · · Score: 2, Informative

    Together with Rkhunter (mentioned in another post below), Chkrootkit is another nice tool to use in helping prevent a Linux machine from being rooted.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  11. Re:6%?? Of what system? by Charan · · Score: 4, Informative

    Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.

  12. Re:I'll take one by Sinning · · Score: 2, Informative

    if (mtbf > mtbObsolete) then overclock();