Rootkit modeling and experiments under Linux

Lacombe, Éric; Raynal, Frédéric; Nicomette, Vincent

doi:10.1007/s11416-007-0069-6

Cited by 6 publications

(32 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To insert itself into the kernel control flow, in-memory rootkits either hook into legitimate kernel functions [10], [35], [52] or modify kernel data structures [13], [14], [29]. To detect this type of subversion, kernel level rootkit detectors first build a ground truth on a set of kernel invariants and then detect any alteration of these invariants [30], [72], [73], [78].…”

Section: Related Workmentioning

confidence: 99%

CacheKit: Evading Memory Introspection Using Cache Incoherence

Zhang

Sun

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

With the growing importance of networked embedded devices in the upcoming Internet of Things, new attacks targeting embedded OSes are emerging. ARM processors, which power over 60% of embedded devices, introduce a hardware security extension called TrustZone to protect secure applications in an isolated secure world that cannot be manipulated by a compromised OS in the normal world. Leveraging TrustZone technology, a number of memory integrity checking schemes have been proposed in the secure world to introspect malicious memory modification of the normal world.In this paper, we first discover and verify an ARM Trust-Zone cache incoherence behavior, which results in the cache contents of the two worlds, secure and non-secure, potentially being different even when they are mapped to the same physical address. Furthermore, code in one TrustZone world cannot access the cache content in the other world. Based on this observation, we develop a new rootkit called CacheKit that hides in the cache of the normal world and is able to evade memory introspection from the secure world.We implement a CacheKit prototype on Cortex-A8 processors after solving a number of challenges. First, we employ the Cache-as-RAM technique to ensure that the malicious code is only loaded into the CPU cache and not RAM. Thus, the secure world cannot detect the existence of the malicious code by examining the RAM. Second, we use the ARM processor's hardware support on cache settings to keep the malicious code persistent in the cache. Third, to evade introspection that flushes cache content back into RAM, we utilize physical addresses from the I/O address range that is not backed by any real I/O devices or RAM. The experimental results show that CacheKit can successfully evade memory introspection from the secure world and has small performance impacts on the rich OS. We discuss potential countermeasures to detect this type of rootkit attack.

show abstract

Section: Related Workmentioning

confidence: 99%

CacheKit: Evading Memory Introspection Using Cache Incoherence

Zhang

Sun

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…Some attackers, in order to install kernel rootkits [2], copy the IDT, then modify this copy to finally load its address into the idtr register of the processor (thus replacing the previous one) [28]. This last action is malicious and is part of this class.…”

Section: Class 2-alteration Of the Execution Environment Memory -Clasmentioning

confidence: 99%

“…3.1, kernel features that directly provide write access to any region of the kernel space (such as the kernel module loader, the /dev/kmem or /dev/mem devices in the Linux case) are broadly used by lots of malware to inject themselves into the kernel memory space [2]. These features must obviously be controlled.…”

Section: Control Of the Access Vectors To The Kernel Memorymentioning

confidence: 99%

“…Corrupting the kernel of an operating system itself is particularly interesting from the attacker point of view because it signifies corrupting potentially all the software that run upon this kernel. In particular, kernel rootkits [2] are a kind of malware dedicated to perform such corruption. In order to operate, these malwares need kernel security flaws in order to execute malicious code inside the kernel.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Enforcing kernel constraints by hardware-assisted virtualization

2009

Self Cite

View full text Add to dashboard Cite

This article deals with kernel security protection. We propose a characterization of malicious kernel-targeted actions, based on how the way they act to corrupt the kernel. Then, we discuss security measures able to counter such attacks. We finally expose our approach based on hardwarevirtualization that is partially implemented into our demonstrator Hytux, which is inspired from bluepill (Rutkowska in subverting vista kernel for fun and profit. In: Black Hat in Las Vegas, 2006), a malware that installs itself as a lightweight hypervisor-on a hardware-virtualization compliant CPUand puts a running Microsoft Windows Operating System into a virtual machine. However, in contrast with bluepill, Hytux is a lightweight hypervisor that implements protection mechanisms in a more privileged mode than the Linux kernel.

show abstract

“…Reference [1] defines the rootkit as "a set of modifications that allow an attacker to maintain along the time a fraudulent control of the information system". Typically, a rootkit should have the following basic functions by modifying a system: one is to provide malicious backdoor services; the other is to hide itself to evade the security detection.…”

mentioning

confidence: 99%

A rule-based approach for rootkit detection

Wang

2010

2010 2nd IEEE International Conference on Information Management and Engineering

View full text Add to dashboard Cite

Rootkits have become one of the major threats to computer security, while it is hard to be detected by common malware detection technologies. This paper introduces a rulebased approach for the rootkit detection. It is based on the fact that a rootkit must modify some data structures of a system so as to hide itself. But the modifications of data structure will necessarily lead to some inconsistencies in a system. By finding the inconsistencies in a system, we can detect the rootkit. Our approach has four main steps: (1) elaborately choose data structures in different layers of a system; (2) perform the same information-calculation process by using different layers of data structures respectively, and form a information space according to the result obtained after each calculation; (3) defines rules as invariants based on information spaces formed in step (2); (4) if these rules are held, the system is clean; otherwise the system is probably infected by a rootkit.

show abstract

Rootkit modeling and experiments under Linux

Cited by 6 publications

References 10 publications

CacheKit: Evading Memory Introspection Using Cache Incoherence

CacheKit: Evading Memory Introspection Using Cache Incoherence

Enforcing kernel constraints by hardware-assisted virtualization

A rule-based approach for rootkit detection

Contact Info

Product

Resources

About