Scientists Unveil Lightweight Rootkit Protection
DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."
It wasn't Jefferson, it was Franklin
This is my sig.
http://www.chkrootkit.org/
Anyone run into these or have any recommendations of good detection software?
Rootkit Hunter
There's actually nine rootkits out there for Linux?
The rootkits in question are:
Some of them are in the wild and some are just for research. For more information, I would check out this page.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.
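As an added illustration, not code from the HookSafe paper or from anyone in this thread, here is a userspace C model of the mechanism the summary and the comment above describe: the function pointers an object would normally embed are moved into one page-aligned table that is kept read-only, with mprotect standing in for the hypervisor's page protection, objects keep only an index into that table, and the single mediated setter plays the hypervisor's role on updates. All names and the handler functions are constructed assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*hook_fn)(int);
#define MAX_HOOKS 16

static hook_fn *hook_page;   /* the relocated, page-aligned hook table */
static size_t page_size;

struct kobj { int data; int hook_idx; };  /* object keeps an index, not a raw pointer */

static int real_handler(int x) { return x + 1; }   /* constructed sample hook */
static int rogue_handler(int x) { return -x; }     /* constructed "bad" hook */

static void hookpage_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    if (posix_memalign((void **)&hook_page, page_size, page_size) != 0) abort();
    memset(hook_page, 0, page_size);
    mprotect(hook_page, page_size, PROT_READ);   /* locked down by default */
}

/* Mediated update: the only sanctioned path for changing a hook. */
static int hookpage_set(int idx, hook_fn fn) {
    if (idx < 0 || idx >= MAX_HOOKS || fn == NULL) return -1;
    mprotect(hook_page, page_size, PROT_READ | PROT_WRITE);
    hook_page[idx] = fn;
    mprotect(hook_page, page_size, PROT_READ);
    return 0;
}

static int call_hook(const struct kobj *o, int arg) { return hook_page[o->hook_idx](arg); }

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Unmediated write, the kind of in-place hook patch the protection exists to
 * stop; returns 1 if page protection blocked it, 0 if it went through. */
static int try_direct_write(int idx, hook_fn fn) {
    struct sigaction sa, old; int blocked;
    memset(&sa, 0, sizeof sa); sa.sa_handler = on_fault; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) { hook_page[idx] = fn; blocked = 0; }
    else blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}
```

Run stand-alone it needs a small main calling hookpage_init(), hookpage_set(), call_hook() and try_direct_write(); the real system mediates the same way from the hypervisor, which is where the comment's per-allocation overhead comes from.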