Slashdot Mirror


Scientists Unveil Lightweight Rootkit Protection

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

25 of 168 comments

  1. I'll take one by 2names · · Score: 5, Funny

    I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.

    --
    "I'm just here to regulate funkiness."
    1. Re:I'll take one by NoYob · · Score: 3, Funny

      I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.

      Damn straight! The same goes for guns! It should be a law that computer admins have to carry guns in order to protect their machines! Have a computer in your house? Well then, you are required to have a gun by your machine - even if you live in NY City!

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    2. Re:I'll take one by Anonymous Coward · · Score: 5, Funny

      Those who would give up essential system performance for temporary system security... probably need to learn how to overclock their systems.

    3. Re:I'll take one by tjstork · · Score: 4, Informative

      It wasn't Jefferson, it was Franklin

      --
      This is my sig.
    4. Re:I'll take one by Anonymous Coward · · Score: 4, Funny

      I read it differently. I think he simply really, really, hates Jefferson and couldn't help but add it to his comment. Adams be damned.

    5. Re:I'll take one by kungfugleek · · Score: 3, Funny

      Right. It was that one president who invented the light bulb and knew 200 different uses for the peanut.

    6. Re:I'll take one by FatdogHaiku · · Score: 4, Funny

      Gomez

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    7. Re:I'll take one by NotBornYesterday · · Score: 3, Interesting

      I used to work for a computer distributor back in the mid-1990's. One of our VARs received a whole bunch of defective Seagate SCSI drives in a single shipment. He RMA'd most of them, but he sent one to his sales rep personally, with a bullet hole through it. It was all in good fun, and she kept the disk on a shelf in her cubicle as a sort of trophy. I can't recall if the Seagate rep ever got to see it, though.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    8. Re:I'll take one by NotBornYesterday · · Score: 5, Funny

      Nice try, young man, but you can't fool me. It's hypervisors all the way down.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
  2. So ... by Nerdfest · · Score: 4, Interesting

    There's actually nine rootkits out there for Linux? Anyone run into these or have any recommendations of good detection software? I've always been curious if a clamav run from a live CD will pick them up.

    1. Re:So ... by Anonymous Coward · · Score: 4, Informative
    2. Re:So ... by vistapwns · · Score: 5, Funny

      No, it's a lie. It's not possible to build a rootkit for linux, it's magical.

      --
      "...I think the Microsoft hatred is a disease." - Linus Torvalds
    3. Re:So ... by Thelasko · · Score: 4, Informative

      There's actually nine rootkits out there for Linux?

      The rootkits in question are:

      Some of them are in the wild and some are just for research. For more information, I would check out this page.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    4. Re:So ... by hmar · · Score: 3, Funny

      You're either insulated, or you suck at humor. By your logic windows boxes get administratored.

      Well, with some of the messes I've had to clean up from previous Admins it isn't an unfair statement

  3. Sounds like a root kit. by Hatta · · Score: 5, Funny

    So this thing acts as a hypervisor and loads its own hooks into the kernel. Sounds like something a root kit would do.

    It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

    --
    Give me Classic Slashdot or give me death!
    1. Re:Sounds like a root kit. by moderatorrater · · Score: 4, Funny

      It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

      That's why the TSA's so harmful. If you outlaw bombs on a plane, then only terrorists will have bombs.

  4. Hmm, is there a reason they didn't use Windows? by Viol8 · · Score: 3, Insightful

    ... it being partly a microsoft research project and all. They wouldn't be trying to imply anything about Linux would they, or perish the thought, be unwilling to embarrass themselves if Windows could *still* be rooted even after this solution was installed?

  5. Re:Not degrading the performance? by Anonymous Coward · · Score: 3, Funny

    Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

    My spelling error detector just exploded! You jerk!

  6. Re:Not degrading the performance? by bcmm · · Score: 3, Funny

    Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

    Were you trying to say "Now, I might be native, but why can't these memory aligning tricks be done in the kernel naively?"

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  7. Rootkit hunter by jDeepbeep · · Score: 4, Informative

    Anyone run into these or have any recommendations of good detection software?

    Rootkit Hunter

  8. Re:How well would this play with Anti Virus progra by AtomicDevice · · Score: 3, Funny

    Anti Virus programs are effectively worthless shareware with a pretty interface designed to have a tray icon look science-ey - at least for Windows

    I think you had a little typo there, but I fixed it.

    --
    Ze Atomic Device! It iz Ztolen!
  9. Re:What were the rootkits? by Anonymous Coward · · Score: 3, Informative

    8.04 isn't a full generation behind anything, it's the LTS version which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice with using 8.04 as their testbed for this.

    Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of /bin/sh works quite fine, but as always it all depends on what you want.

    You're out of the loop. :(

  10. By any other name by fibonacci8 · · Score: 4, Insightful

    A root kit is just a sandbox that someone else has set up for you on what is now his or her computer.

    --
    Inheritance is the sincerest form of nepotism.
  11. Re:6%?? Of what system? by raddan · · Score: 5, Interesting

    I'd have to read the author's original paper here to know for sure, but that 6% performance hit may be because those kernel hook pages are being swapped out of memory. Relocating kernel hooks to read-only pages is proper design, and if this proof-of-concept really works, kernel developers across all operating systems would be foolish not to look into implementing it themselves.

    But if the aforementioned 6% is because of swapping, then some changes to the page replacement algorithm may mitigate the performance hit somewhat. My feeling is that this kind of protection is worth it. By analogy, bounds-checking arrays prevents many kinds of overflow errors, and there's a penalty to pay for that protection, but in most cases it is well worth doing.

  12. Re:6%?? Of what system? by Charan · · Score: 4, Informative

    Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.
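    The mechanism Charan describes (kernel hooks relocated to a locked-down page, with the hypervisor as the only sanctioned path for changing them) can be modeled in user space. The C program below is an added example written for this page, not HookSafe's code or anything from the paper: it uses mmap/mprotect as a stand-in for the hypervisor's page protection, a function `hook_update` as a stand-in for the hypercall the kernel makes when a hook is assigned or the object holding it is allocated or freed, and an assumed allow-list of hook targets as a stand-in for whatever validation policy the real system applies. The function and variable names are all hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <setjmp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef int (*hook_fn)(int);

/* Two functions the modeled "kernel" legitimately exposes as hook targets. */
static int trusted_handler_a(int x) { return x + 1; }
static int trusted_handler_b(int x) { return x * 2; }

/* A function that is not a sanctioned hook target (stands in for the code a
 * hook would be redirected to if a patch in place succeeded). */
static int unsanctioned_handler(int x) { return -x; }

/* The relocated hook page: page-aligned, read-only except during a sanctioned
 * update. This is the user-space model of the HookSafe idea, not its code. */
static hook_fn *hook_page = NULL;
static size_t page_size = 0;

/* Allow-list of hook values the modeled "hypervisor" accepts (an assumption of
 * this example; the real policy is described in the paper, not here). */
static const hook_fn allowed_targets[] = { trusted_handler_a, trusted_handler_b };

static int is_allowed(hook_fn fn) {
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++)
        if (allowed_targets[i] == fn) return 1;
    return 0;
}

/* Map one page for hooks, zero it, and lock it read-only. Returns 0 or -1. */
int hook_page_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0, page_size);
    hook_page = p;
    return mprotect(hook_page, page_size, PROT_READ);
}

/* The only sanctioned path for changing a hook: models the hypercall. The page
 * is made writable only for the duration of a validated update.
 * Returns 0 on success, -1 if the index or target is rejected. */
int hook_update(size_t idx, hook_fn fn) {
    if (!hook_page || idx >= page_size / sizeof(hook_fn)) return -1;
    if (fn != NULL && !is_allowed(fn)) return -1;          /* policy check */
    if (mprotect(hook_page, page_size, PROT_READ | PROT_WRITE) != 0) return -1;
    hook_page[idx] = fn;
    return mprotect(hook_page, page_size, PROT_READ);
}

/* Kernel-side use of a hook: read the pointer through the protected page. */
int hook_call(size_t idx, int arg) {
    if (!hook_page || idx >= page_size / sizeof(hook_fn)) return -1;
    hook_fn fn = hook_page[idx];
    return fn ? fn(arg) : -1;
}

/* Simulates an in-place write that bypasses hook_update (the kind of pointer
 * patch the protection exists to stop). Returns 1 if the write faulted and was
 * blocked, 0 if it went through, -1 on setup failure. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int attempt_direct_overwrite(size_t idx, hook_fn fn) {
    struct sigaction sa, old;
    volatile int blocked = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile hook_fn *slot = hook_page;   /* direct store, not via hook_update */
        slot[idx] = fn;                       /* faults: the page is read-only */
    } else {
        blocked = 1;                          /* reached via on_segv */
    }
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

int main(void) {
    if (hook_page_init() != 0) { perror("hook_page_init"); return 1; }
    hook_update(0, trusted_handler_a);
    printf("hook 0 via sanctioned update -> %d\n", hook_call(0, 41));
    printf("direct overwrite blocked: %d\n",
           attempt_direct_overwrite(0, unsanctioned_handler));
    printf("hook 0 still intact -> %d\n", hook_call(0, 41));
    printf("update to unsanctioned target rejected: %d\n",
           hook_update(0, unsanctioned_handler) == -1);
    return 0;
}
```

    Two things the model makes visible that the summary does not: the hook page is never writable to ordinary code paths, only inside the update routine, and the update routine itself is where a policy on hook values gets enforced. The cost Charan points at is the second part: every sanctioned update is a round trip through that routine, which is where the measured overhead comes from in the real system.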