Slashdot Mirror


Scientists Unveil Lightweight Rootkit Protection

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

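An added illustration of the relocate-and-lock idea the summary describes; this is not HookSafe's own code (which works from the hypervisor), but a userspace model with invented names: the hook table is moved into a fresh page-aligned mapping, the page is made read-only, and an attempt to overwrite a hook faults instead of succeeding. Assumes Linux with glibc.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
typedef int (*hook_fn)(int);
enum { NUM_HOOKS = 4 };
static int real_handler(int x) { return x + 1; }  /* legitimate hook target */
static int evil_handler(int x) { return -x; }     /* stand-in for a planted hook */
static hook_fn *hook_page;           /* relocated, page-aligned hook table */
static hook_fn original[NUM_HOOKS];  /* golden copy for the integrity check */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Relocate the hooks into a fresh page (mmap gives page-aligned memory) and lock it. */
int hooksafe_init(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    hook_page = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_page == MAP_FAILED) return -1;
    for (int i = 0; i < NUM_HOOKS; i++) hook_page[i] = original[i] = real_handler;
    return mprotect(hook_page, pg, PROT_READ);  /* the lock-down step: 0 on success */
}

/* Attempt to overwrite hook `idx`; returns 1 if the write was blocked (SIGSEGV). */
int try_overwrite_hook(int idx, hook_fn fn) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    volatile int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        hook_page[idx] = fn;            /* faults: the page is read-only */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Integrity check: every hook still points at its original handler. */
int hooksafe_verify(void) {
    for (int i = 0; i < NUM_HOOKS; i++)
        if (hook_page[i] != original[i]) return 0;
    return 1;
}

int main(void) {
    if (hooksafe_init() != 0) return 1;
    printf("blocked=%d intact=%d\n", try_overwrite_hook(0, evil_handler), hooksafe_verify());
    return 0;
}
```
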
4 of 168 comments

  1. Re:Can we learn lessons from mainframe VMs? by tjstork · Score: 2, Insightful

    Surely this problem was addressed in the 1960s or 1970s in the mainframe world, yet I've not heard much in the way of lessons we can apply to today's PC-type OSes.

    Could be tough. Have computer in physically sealed room, only communicate with dumb terminals.

    --
    This is my sig.
  2. Hmm, is there a reason they didn't use Windows? by Viol8 · Score: 3, Insightful

    ... it being partly a Microsoft research project and all. They wouldn't be trying to imply anything about Linux, would they, or, perish the thought, be unwilling to embarrass themselves if Windows could *still* be rooted even after this solution was installed?

  3. By any other name by fibonacci8 · Score: 4, Insightful

    A root kit is just a sandbox that someone else has set up for you on what is now his or her computer.

    --
    Inheritance is the sincerest form of nepotism.
  4. Re:If it can be added, it can be removed by Rockoon · Score: 2, Insightful

    Add to this the fact that even with a fully updated Windows/Linux/OSX box, it is still possible for a userland program to snag ring-0 via known vulnerabilities.

    I predict that hypervisors will become very complex over the next 10 years, complete with malware detection heuristics, but will eventually fall prey to the same problems modern kernels have (that of being too complex to make bulletproof).

    --
    "His name was James Damore."