Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scientists Unveil Lightweight Rootkit Protection

Posted by CmdrTaco on from the take-two-of-these dept.

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

16 of 168 comments (clear)

  1. I'll take one by 2names · · Score: 5, Funny

    I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.

    --
    "I'm just here to regulate funkiness."
    1. Re:I'll take one by Anonymous Coward · · Score: 5, Funny

      Those who would give up essential system performance for temporary system security... probably need to learn how to overclock their systems.

    2. Re:I'll take one by tjstork · · Score: 4, Informative

      It wasn't Jefferson, it was Franklin

      --
      This is my sig.
    3. Re:I'll take one by Anonymous Coward · · Score: 4, Funny

      I read it differently. I think he simply really, really, hates Jefferson and couldn't help but add it to his comment. Adams be damned.

    4. Re:I'll take one by FatdogHaiku · · Score: 4, Funny

      Gomez

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:I'll take one by NotBornYesterday · · Score: 5, Funny

      Nice try, young man, but you can't fool me. It's hypervisors all the way down.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
  2. So ... by Nerdfest · · Score: 4, Interesting

    There's actually nine rootkits out there for Linux? Anyone run into these or have any recommendations of good detection software? I've always been curious if an clamav run from a live CD will pick them up.

    1. Re:So ... by Anonymous Coward · · Score: 4, Informative

      http://www.chkrootkit.org/

    2. Re:So ... by vistapwns · · Score: 5, Funny

      No, it's a lie. It's not possible to build a rootkit for linux, it's magical.

      --
      "...I think the Microsoft hatred is a disease." - Linus Torvalds
    3. Re:So ... by Thelasko · · Score: 4, Informative

      There's actually nine rootkits out there for Linux?

      The rootkits in question are:

      Some of them are in the wild an some are just for research. For more information, I would check out this page.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  3. Sounds like a root kit. by Hatta · · Score: 5, Funny

    So this thing acts as a hypervisor and loads its own hooks into the kernel. Sounds like something a root kit would do.

    It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

    --
    Give me Classic Slashdot or give me death!
    1. Re:Sounds like a root kit. by moderatorrater · · Score: 4, Funny

      It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

      That's why the TSA's so harmful. If you outlaw bombs on a plane, then only terrorists will have bombs.

  4. Rootkit hunter by jDeepbeep · · Score: 4, Informative

    Anyone run into these or have any recommendations of good detection software?

    Rootkit Hunter

    --
    Reply to That ||
  5. By any other name by fibonacci8 · · Score: 4, Insightful

    A root kit is just a sandbox that someone else has set up for you on what is now his or her computer.

    --
    Inheritance is the sincerest form of nepotism.
  6. Re:6%?? Of what system? by raddan · · Score: 5, Interesting

    I'd have to read the author's original paper here to know for sure, but that 6% performance hit may be because those kernel hook pages are being swapped out of memory. Relocating kernel hooks to read-only pages is proper design, and if this proof-of-concept really works, kernel developers across all operating systems would be foolish not to look into implementing it themselves.

    But if the aforementioned 6% is because of swapping, then some changes to the page replacement algorithm may mitigate the performance hit somewhat. My feeling is that this kind of protection is worth it. By analogy, bounds-checking arrays prevents many kinds of overflow errors, and there's a penalty to pay for that protection, but in most cases it is well worth doing.

  7. Re:6%?? Of what system? by Charan · · Score: 4, Informative

    Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.