HE Jin,FAN Ming-yu,WANG Guang-wei

DOI: https://doi.org/10.3969/j.issn.1001-0548.2015.06.017

2015-01-01

Abstract:Kernel-level rootkits attacks pose a deadly threat to kernel integrity, and kernel rootkits is currently a research focus, primarily focused on kernel-level rootkits detection and rootkits protection. However, these studies are always flawed: the rootkits protection presents a single protected mode; kernel-level rootkits detection can only do the detection use, even if the kernel has been found to be attacked, there is no method to solve. Give this situation, we design a two-mode protection operation system (TWPos), this is, a kernel-level integrity protection method along with detection and protection capability, even if the kernel is already under attack, TWPos also recoveries kernel integrity. The experiments show that TWPos is a comprehensive and effective protection system without sacrificing system performance for the price, and is compatible with a variety of OS systems.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.1109/ncis.2011.62

2011-01-01

Abstract:Aiming at the principles how root kit malicious action by hooking System Service Dispatch Table and utilizing inline function patching, this paper presents a method of integrity detection and restoration based on kernel file, which is proved to ensure correct implementation of the kernel function.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Xingjun Zhang,Endong Wang,Long Xin,Zhongyuan Wu,Weiqing Dong,Xiaoshe Dong

DOI: https://doi.org/10.1109/INCoS.2011.111

2011-01-01

Abstract:The kernel-level Root kit brings operating system mortal security risk. The existing detection methods, which are based on host environment, have limitations such as high Root kit privileges, weak isolation capacity. If the detected system, which may includes Root kit, and the detection system are resided on guest and host environment respectively, those limitations can be resolved. The paper proposed a method of Root kit detection based on KVM (Kernel-based Virtual Machine) by using virtualization technology. This method adopts guest memory protection mechanism, which is based on protection of host page tables and trusted code segments, for static kernel code and data. As for dynamically allocated code and data in heap space, this method introduces integrity checking mechanism, which is based on threshold triggering of calling sequences of monitored functions. The experimental results showed that this method can prevent static code or data from Root kit attacking effectively, and also detect attacks to dynamically allocated code or data quickly.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

Shangwu Dong,Yan Xiong,Wenchao Huang,Lu Ma

DOI: https://doi.org/10.1109/bigcom51056.2020.00022

2020-01-01

Abstract:Android operating system has been getting widely used in these years. At the meantime, lots of security issues have been exposed. Not only the softwares running on it are suffering great losses, but the operating system itself is also becoming a target for attackers. Especially kernel-level rootkits have a bad influence on the system security. Some attackers can use this method to get the root privilege by exploiting these vulnerabilities. It's high time we should take measures to enhance protection for Android kernel. In this paper, we propose a kernel integrity measuring system named KIMS on the TrustZone Architecture. The key idea is to build a safe and isolated environment for kernel measuring provided by the secure world in the TrustZone. And with the high privilege of secure world, KIMS can monitor the operating system kernel and detect whether it is destroyed. Then we build the prototype using the Hikey960 board to evaluate our design. The experiments show that our system can execute kernel integrity measurement when a malicious behaviour detected. And it has a relatively small performance overhead.

Mohammad Nadim,Wonjun Lee,David Akopian

2023-04-02

Abstract:One of the most elusive types of malware in recent times that pose significant challenges in the computer security system is the kernel-level rootkits. The kernel-level rootkits can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating the kernel objects. As kernel-level rootkits change the kernel, it is difficult for user-level security tools to detect the kernel-level rootkits. In the past few years, many approaches have been proposed to detect kernel-level rootkits. It is not much difficult for an attacker to evade the signature-based kernel-level rootkit detection system by slightly modifying the existing signature. To detect the evolving kernel-level rootkits, researchers have proposed and experimented with many detection systems. In this paper, we survey traditional kernel-level rootkit detection mechanisms in literature and propose a structured kernel-level rootkit detection taxonomy. We have discussed the strength and weaknesses or challenges of each detection approach. The prevention techniques and profiling kernel-level rootkit behavior affiliated literature are also included in this survey. The paper ends with future research directions for kernel-level rootkit detection.

Cryptography and Security

Zhang Liyun,Xue Zhi,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.048

2006-01-01

Abstract:The kernel-level rootkit is an import technology for hackers to open backdoor after intruding systems successfully. The article analyzes the hiding and detection principle of kernel-level rootkit, and focuses on the module binary analysis method which based on symbolic execution to detect rootkit.

JIANG Hui,YANG Feng,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.016

2012-01-01

Abstract:In recent years,the purpose of malicious code is changing to economic benefit instead of making damage and gain fame and glory.The malicious authors put more efforts to hide their malware.Rootkit has the characteristics of strong hidden ability and high privilege.So it is a serious threat of host security.As Hardware Virtualization Technology comes out,Rootkit extends to the outside of operating system and presents new challenges to detection technology.This paper,makes a summary of Rootkit hiding and detection technology these years,analysis the problem them facing and discusses the trends of Rootkit detection technology.

RUAN Wen-bo,ZHANG Chang-he,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.1671-0673.2007.02.024

2007-01-01

Abstract:RootKit is a set of powerful tools used by hackers to gain the access to the computers and make itself undetectable.This paper introduces a technique named kernel object inline hooking,which extends existing technique of code redirection,hides tracks through inline hooking of kernel object's dispatch routines.Existing detecting methodology of rootkit is difficult to detect this kind of new rootkit.So this paper illustrates a branch instruction analysis based dynamic detecting methodology of rootkit.This methodology could find running rootkit programs dynamically in the system,and point out the loading images of these rootkits.

Yue Chen,Yulong Zhang,Zhi Wang,Liangzhao Xia,Chenfu Bao,Tao Wei

2017-01-01

Abstract:Android kernel vulnerabilities pose a serious threat to user security and privacy. They allow attackers to take full control over victim devices, install malicious and unwanted apps, and maintain persistent control. Unfortunately, most Android devices are never timely updated to protect their users from kernel exploits. Recent Android malware even has built-in kernel exploits to take advantage of this large window of vulnerability. An effective solution to this problem must be adaptable to lots of (out-of-date) devices, quickly deployable, and secure from misuse. However, the fragmented Android ecosystem makes this a complex and challenging task. To address that, we systematically studied 1,139 Android kernels and all the recent critical Android kernel vulnerabilities. We accordingly propose KARMA, an adaptive live patching system for Android kernels. KARMA features a multi-level adaptive patching model to protect kernel vulnerabilities from exploits. Specifically, patches in KARMA can be placed at multiple levels in the kernel to filter malicious inputs, and they can be automatically adapted to thousands of Android devices. In addition, KARMA's patches are written in a high-level memory-safe language, making them secure and easy to vet, and their run-time behaviors are strictly confined to prevent them from being misused. Our evaluation demonstrates that KARMA can protect most critical kernel vulnerabilities on many Android devices (520 devices in our evaluation) with only minor performance overhead (< 1%).

Liu Wei,Li Xun,Huang Wei,Huang Hao,Zhixian Chen

DOI: https://doi.org/10.1109/CSSS.2011.5973957

2011-01-01

Abstract:Kernel-level attacks can compromise the security of an operating system by tampering with key data and control flow in the kernel. Current approaches defend against these attacks by applying data integrity or control flow integrity control methods. However, they focus on only a certain aspect and cannot give a complete integrity monitoring solution. This paper tries our best to find out all resorts that violate the kernel integrity of operating system by analyzing what objects an action of the kernel relies on and affects. Then we examine all these objects to avoid them from being tamped with and also monitor whether the effect of an action of the kernel is the same as the semantics specified by the original design. Our operating system integrity surveillance system (OSISS) is implemented in a virtual machine monitor (VMM) and it can detect abnormity of an action by monitoring the data integrity and control flow integrity with acceptable performance loss. © 2011 IEEE.

Steven X. Ding,Linlin Li,Dong Zhao,Chris Louen,Tianyu Liu

DOI: https://doi.org/10.48550/arXiv.2103.00210

2021-06-05

Abstract:This draft addresses issues of detecting stealthy integrity cyber-attacks on automatic control systems in the unified control and detection framework. A general form of integrity cyber-attacks that cannot be detected using the well-established observer-based technique is first introduced as kernel attacks. The well-known replay, zero dynamics and covert attacks are special forms of the kernel attacks. Existence conditions for the kernel attacks are presented. It is demonstrated, in the unified framework of control and detection, that all kernel attacks can be structurally detected when not only the observer-based residual, but also the control signal based residual signals are generated and used for the detection purpose. Based on the analytical results, two schemes for detecting the kernel attacks are then proposed, which allow reliable attack detection without loss of control performance. While the first scheme is similar to the well-established moving target method and auxiliary system aided detection scheme, the second detector is realised with encrypted transmissions of control and monitoring signals in the feedback control system that prevents adversary to gain system knowledge by means of eavesdropping attacks. Both schemes are illustrated by examples of detecting replay, zero dynamics and covert attacks and an experimental study on a three-tank control system.

Systems and Control

Zhangxiang YANG,Zuhua DAI,Bo WANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1509-0167

2016-01-01

Abstract:This paper analyzes the principles of the existing Rootkit detection technology on Linux system, and further proposes a detection technology using Kprobe. The detection method collects the information of objects hidden by Rootkit by inserting probe points into the critical path in low-level kernel, and then compares the underlying information and the results from audit tools with cross-view validation principle to get the hided objects. The experiments are conducted to verify this detection method on several popular Rootkits. The results show that this technique has a good reliability.

Jinku Li,Zhi Wang,Xuxian Jiang,Mike Grace,Sina Bahram

DOI: https://doi.org/10.1145/1755913.1755934

2010-01-01

Abstract:Targeting the operating system (OS) kernels, kernel rootkits pose a formidable threat to computer systems and their users. Recent efforts have made significant progress in blocking them from injecting malicious code into the OS kernel for execution. Unfortunately, they cannot block the emerging so-called return-oriented rootkits (RORs). Without the need of injecting their own malicious code, these rootkits can discover and chain together "return-oriented gadgets" (that consist of only legitimate kernel code) for rootkit computation.In this paper, we propose a compiler-based approach to defeat these return-oriented rootkits. Our approach recognizes the hallmark of return-oriented rootkits, i.e., the ret instruction, and accordingly aims to completely remove them in a running OS kernel. Specifically, one key technique named return indirection is to replace the return address in a stack frame into a return index and disallow a ROR from using their own return addresses to locate and assemble return-oriented gadgets. Further, to prevent legitimate instructions that happen to contain return opcodes from being misused, we also propose two other techniques, register allocation and peephole optimization, to avoid introducing them in the first place. We have developed a LLVM-based prototype and used it to generate a return-less FreeBSD kernel. Our evaluation results indicate that the proposed approach is generic, effective, and can be implemented on commodity hardware with a low performance overhead.

ZHANG Li

DOI: https://doi.org/10.3969/j.issn.1674-7720.2009.12.004

2009-01-01

Abstract:This paper analyses the methods of Rootkits detections of nowdays,brings a method of kernel modules compared,checks memory sections integration and hidden driver detection.This method can detect most application layer Rootkits and kernel Rootkits.

Christoph Dorner,Lukas Daniel Klausner

DOI: https://doi.org/10.1145/3664476.3670433

2024-08-01

Abstract:Addressing a critical aspect of cybersecurity in online gaming, this paper systematically evaluates the extent to which kernel-level anti-cheat systems mirror the properties of rootkits, highlighting the importance of distinguishing between protective and potentially invasive software. After establishing a definition for rootkits (making distinctions between rootkits and simple kernel-level applications) and defining metrics to evaluate such software, we introduce four widespread kernel-level anti-cheat solutions. We lay out the inner workings of these types of software, assess them according to our previously established definitions, and discuss ethical considerations and the possible privacy infringements introduced by such programs. Our analysis shows two of the four anti-cheat solutions exhibiting rootkit-like behaviour, threatening the privacy and the integrity of the system. This paper thus provides crucial insights for researchers and developers in the field of gaming security and software engineering, highlighting the need for informed development practices that carefully consider the intersection of effective anti-cheat mechanisms and user privacy.

Cryptography and Security,Computers and Society

Michael Grace,Zhi Wang,Deepa Srinivasan,Jinku Li,Xuxian Jiang,Zhenkai Liang,Siarhei Liakh

DOI: https://doi.org/10.1007/978-3-642-16161-2_10

2010-01-01

Abstract:Kernel rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with rootkit resistance while introducing < 5% performance overhead.