RootkitDet: Practical end-to-end defense against kernel rootkits in a cloud environment

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8713 LNCS, Issue PART 2, 2014, Pages 475-493

  Zhang, Lingchen ^a,b,d   Shetty, Sachin ^b   Liu, Peng ^c   Jing, Jiwu ^a  

^a University of Chinese Academy of Sciences   (China)

^b Tennessee State University   (United States)

^c PENNSYLVANIA STATE UNIVERSITY   (United States)

^d UNIVERSITY OF CHINESE ACADEMY OF SCIENCES   (China)

Author keywords

Cloud; Defense; Hypervisor; Kernel level rootkit; VM

Indexed keywords

CLOUDS; SECURITY OF DATA;

CLOUD ENVIRONMENTS; DEFENSE; EVALUATION RESULTS; HYPERVISOR; KERNEL-LEVEL ROOTKIT; NETWORK OVERHEAD; SYSTEM MODIFICATIONS; VM;

SECURITY SYSTEMS;

EID: 84906494968     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-319-11212-1_27     Document Type: Conference Paper

References (22)

1. McAfee: Rootkits, Part 1 of 3: A Growing Threat. white paper (April 2006)
2. McAfee: 2010 Threat Predictions. white paper, McAfee AVERT Labs (December 2009)
3. Baliga, A., Ganapathy, V., Iftode, L.: Detecting kernel-level rootkits using data structure invariants. IEEE Transactions on Dependable and Secure Computing 8(5), 670-684 (2011)
4. Petroni Jr., N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: Proceedings of the 15th USENIX Security Symposium, pp. 289-304 (2006)
5. Petroni Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 103-115. ACM (2007)
6. Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 545-554. ACM (2009)
7. Kruegel, C., Robertson, W., Vigna, G.: Detecting kernel-level rootkits through binary analysis. In: 20th Annual Computer Security Applications Conference 2004, pp. 91-100. IEEE (2004)
8. Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: ACM SIGOPS Operating Systems Review, vol. 41, pp. 335-350. ACM (2007)
9. Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1-20. Springer, Heidelberg (2008)
10. Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An architecture for secure active monitoring using virtualization. In: IEEE Symposium on Security and Privacy, SP 2008, pp. 233-247. IEEE (2008)
11. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based outof-the-box semantic view reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 128-138. ACM (2007)
12. Fraser, T., Evenson, M.R., Arbaugh, W.A.: Vici-virtual machine introspection for cognitive immunity. In: Annual Computer Security Applications Conference, ACSAC 2008, pp. 87-96. IEEE (2008)
13. Kemerlis, V.P., Portokalidis, G., Keromytis, A.D.: kguard: lightweight kernel protection against return-to-user attacks. In: USENIX Security Symposium (2012)
14. Linux-KVM: Linux-KVM, http://www.linux-kvm.org/page/Main-Page
15. Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: Proceedings of the 17th Conference on Security Symposium, pp. 243-258 (2008)
16. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, S&P 2001, pp. 156-168. IEEE (2001)
17. Baliga, A., Kamat, P., Iftode, L.: Lurking in the shadows: Identifying systemic threats to kernel data. In: IEEE Symposium on Security and Privacy, SP 2007, pp. 246-251. IEEE (2007)
18. Stealth: Announcing full functional adore-ng rootkit for 2.6 kernel, http://lwn.net/Articles/75991/
19. eNYe Sec: eNYeLKM v1.1, http://www.enye-sec.org/en/tags/enye-lkm/
20. Halflife: Abuse of the Linux-kernel for Fun and Profit. Phrack Magazine 5(50) (April 1997)
21. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proc. Network and Distributed Systems Security Symposium (2003)
22. Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In: Proceedings of the 18th USENIX Security Symposium, pp. 383-398 (2009)