Slashdot Mirror


Scientists Unveil Lightweight Rootkit Protection

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

6 of 168 comments

  1. Re:I'll take one by tjstork · · Score: 4, Informative

    It wasn't Jefferson, it was Franklin

    --
    This is my sig.
  2. Re:So ... by Anonymous Coward · · Score: 4, Informative
  3. Rootkit hunter by jDeepbeep · · Score: 4, Informative

    Anyone run into these or have any recommendations of good detection software?

    Rootkit Hunter

    --
    Reply to That ||
  4. Re:What were the rootkits? by Anonymous Coward · · Score: 3, Informative

    8.04 isn't a full generation behind anything; it's the LTS version, which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice with using 8.04 as their testbed for this.

    Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of /bin/sh works quite fine, but as always it all depends on what you want.

    You're out of the loop. :(

  5. Re:So ... by Thelasko · · Score: 4, Informative

    There's actually nine rootkits out there for Linux?

    The rootkits in question are:

    Some of them are in the wild and some are just for research. For more information, I would check out this page.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  6. Re:6%?? Of what system? by Charan · · Score: 4, Informative

    Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.
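The mechanism described in the story summary and in Charan's comment (hooks relocated to a sealed page-aligned region, reached only through an indirection layer, with every sanctioned write and every allocation or free of a hook-carrying object trapping into the hypervisor) can be modelled in user space. The program below is an added example, not HookSafe's code and not any commenter's: `mprotect` stands in for the hypervisor's page protection, a SIGSEGV handler stands in for the hypervisor catching an unsanctioned write, the allowlist of trusted handlers stands in for HookSafe's real policy, and every function, handler and counter name is constructed for the illustration.

```c
/* Added example, not HookSafe's code: user-space model of relocating kernel
 * hooks (function pointers) into one page-aligned region that is sealed
 * read-only, with an indirection layer for reads and a validator standing in
 * for the hypervisor on every write, allocation and free. All names and the
 * trust policy are constructed. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*hook_fn)(int);

/* Constructed handlers: two shipped by the "trusted module", one standing in
 * for the replacement a rootkit would try to install. */
static int legit_open(int x) { return x + 1; }
static int legit_read(int x) { return x * 2; }
static int evil_open(int x)  { return -x; }
static const hook_fn trusted[] = { legit_open, legit_read };

#define MAX_HOOKS 64
static hook_fn *hook_page;       /* relocated hooks, sealed with mprotect   */
static size_t   page_size;
static int      slots_used;
static unsigned hv_transitions;  /* how often the "hypervisor" was entered   */

/* A kernel object that used to embed its hook now carries only a slot index. */
struct kobj { int hook_slot; };

static int seal(int writable) {
    return mprotect(hook_page, page_size,
                    writable ? PROT_READ | PROT_WRITE : PROT_READ);
}

/* Unseal, write one slot, reseal. Only called from mediated paths. */
static int write_slot(int slot, hook_fn f) {
    if (seal(1) != 0) return -1;
    hook_page[slot] = f;
    return seal(0);
}

static int hooksafe_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    hook_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_page == MAP_FAILED) return -1;
    slots_used = 0;
    hv_transitions = 0;
    return seal(0);
}

static int is_trusted(hook_fn f) {
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++)
        if (trusted[i] == f) return 1;
    return 0;
}

/* Mediated write: the only sanctioned way to change a hook. Entering the
 * validator counts as a transition even when the target is rejected. */
static int hooksafe_write(int slot, hook_fn f) {
    hv_transitions++;
    if (slot < 0 || slot >= slots_used || !is_trusted(f)) return -1;
    return write_slot(slot, f);
}

/* Allocating or freeing a hook-carrying object traps into the "hypervisor";
 * comment 6 locates the measured overhead in exactly these transitions. */
static int kobj_alloc(struct kobj *o, hook_fn initial) {
    hv_transitions++;
    if (slots_used >= MAX_HOOKS || !is_trusted(initial)) return -1;
    o->hook_slot = slots_used++;
    return write_slot(o->hook_slot, initial);
}

static int kobj_free(struct kobj *o) {
    hv_transitions++;
    if (o->hook_slot < 0 || o->hook_slot >= slots_used) return -1;
    int rc = write_slot(o->hook_slot, NULL);  /* slot retired, not reused */
    o->hook_slot = -1;
    return rc;
}

/* Indirection layer: the kernel never dereferences a pointer stored in the
 * object itself; it fetches the hook from the protected page. */
static int call_hook(const struct kobj *o, int arg) {
    return hook_page[o->hook_slot](arg);
}

static unsigned hooksafe_transitions(void) { return hv_transitions; }

/* An unmediated write to the sealed page faults; the handler stands in for
 * the hypervisor intercepting the access. Returns 1 if the write was blocked. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

static int direct_write_blocked(int slot, hook_fn f) {
    struct sigaction sa, old_segv, old_bus;
    volatile int blocked = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0)
        hook_page[slot] = f;          /* the rootkit's direct overwrite */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
}

int main(void) {
    struct kobj a, b;
    if (hooksafe_init() != 0 || kobj_alloc(&a, legit_open) != 0 ||
        kobj_alloc(&b, legit_read) != 0) return 1;
    printf("open(5)=%d read(5)=%d\n", call_hook(&a, 5), call_hook(&b, 5));
    printf("mediated evil write rejected: %d\n",
           hooksafe_write(a.hook_slot, evil_open) == -1);
    printf("direct evil write blocked: %d\n",
           direct_write_blocked(a.hook_slot, evil_open));
    printf("open(5) still %d after both attempts\n", call_hook(&a, 5));
    kobj_free(&b);
    printf("hypervisor transitions: %u\n", hooksafe_transitions());
    return 0;
}
```

The transition counter is the part worth watching: two allocations, two mediated writes and one free cost five trips into the validator, and none of the hook calls themselves cost anything, which is the trade-off behind the quoted 6 percent. A real kernel would reclaim retired slots and validate targets against something stronger than a fixed allowlist; both are left out here to keep the model small.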