Abstract
The OS kernel is the core of the operating system and plays a central role in managing OS resources. A popular way to compromise the OS kernel is through a kernel rootkit (i.e., a malicious kernel module). Once a rootkit is loaded into kernel space, it can carry out arbitrary malicious operations with high privilege. To defeat kernel rootkits, many approaches have been proposed in the past few years. However, existing methods suffer from several limitations: 1) most methods focus on user-mode rootkit detection; 2) some methods are limited in detecting obfuscated kernel modules; and 3) some methods introduce significant performance overhead. To address these problems, we propose VKRD, a kernel rootkit detection system based on hardware-assisted virtualization technology. Compared with previous methods, VKRD provides a transparent and efficient execution environment in which the target kernel module reveals its run-time behavior. To select the important run-time features for training our detection models, we use the TF-IDF method. By combining hardware-assisted virtualization with machine learning techniques, our kernel rootkit detection solution could potentially be applied in cloud environments. The experiments show that our system can detect Windows kernel rootkits with high accuracy and moderate performance cost.
Highlights
Kernel rootkits are malicious kernel modules, and they can be dynamically loaded into the kernel space in commodity operating systems
To address the above limitations, in this paper, we present the design and implementation of VKRD, a Virtualization-based Kernel Rootkit Detection system
In commodity operating systems, the OS kernel and kernel modules run in kernel mode, while user applications run in user mode
Summary
Kernel rootkits are malicious kernel modules, and they can be dynamically loaded into the kernel space in commodity operating systems. Due to the lack of protection and isolation mechanisms in the kernel space, kernel rootkits can perform various malicious operations (e.g., process hiding, sensitive information gathering) with high privilege. These kernel rootkits pose a significant threat to OS security. More and more malware employs kernel rootkit techniques to gain kernel-level privilege so that it can disable many OS protection mechanisms and hide its malicious activity. The VMM (or hypervisor) runs in VMX root mode while guest VMs run in VMX non-root mode. By configuring the VMCS, the VMM can select which operations performed by the guest VM are intercepted
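The TF-IDF feature selection step named in the abstract, as an added illustration that is not the paper's own code: it weights the run-time events recorded for each module, so an event seen in every module (such as a general-purpose pool allocator) scores zero and is dropped, while behaviours concentrated in a few modules rank highest and become the feature vector handed to a classifier. The traces, module names and event labels below are constructed for the illustration and are not the paper's feature set.

```python
import math
from collections import Counter

# Constructed run-time traces for four hypothetical kernel modules (event names are
# illustrative, not the paper's feature set): the kernel calls/behaviours each showed.
TRACES = {
    "benign_a":  ["ExAllocatePool", "IoCreateDevice", "IofCompleteRequest"],
    "benign_b":  ["ExAllocatePool", "ExAllocatePool", "IoCreateDevice", "IofCompleteRequest"],
    "rootkit_a": ["ExAllocatePool", "patch_ssdt_entry", "unlink_eprocess"],
    "rootkit_b": ["ExAllocatePool", "patch_ssdt_entry", "patch_ssdt_entry", "IoCreateDevice"],
}

def term_frequencies(trace):
    """TF: how often each event occurs in one trace, normalised by trace length."""
    counts = Counter(trace)
    return {event: n / len(trace) for event, n in counts.items()}

def inverse_document_frequencies(traces):
    """IDF: log(N / df); an event present in every trace gets 0 and carries no signal."""
    doc_freq = Counter()
    for trace in traces.values():
        doc_freq.update(set(trace))
    return {event: math.log(len(traces) / df) for event, df in doc_freq.items()}

def tf_idf(traces):
    """Per-module TF-IDF weight of every event in its trace."""
    idf = inverse_document_frequencies(traces)
    return {name: {e: tf * idf[e] for e, tf in term_frequencies(tr).items()}
            for name, tr in traces.items()}

def select_features(traces, top_k):
    """Keep the top_k events ranked by their highest TF-IDF weight in any trace."""
    best = Counter()  # missing keys read as 0, so max() below needs no special case
    for weights in tf_idf(traces).values():
        for event, w in weights.items():
            best[event] = max(best[event], w)
    ranked = sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))
    return [event for event, _ in ranked[:top_k]]

def feature_vector(trace, features, idf):
    """Fixed-length TF-IDF vector over the selected features, ready for a classifier."""
    tf = term_frequencies(trace)
    return [tf.get(f, 0.0) * idf.get(f, 0.0) for f in features]

if __name__ == "__main__":
    features = select_features(TRACES, 3)
    idf = inverse_document_frequencies(TRACES)
    print("selected features:", features)
    for name, trace in TRACES.items():
        print(name, [round(x, 3) for x in feature_vector(trace, features, idf)])
```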