Abstract
Rootkits are prevalent in today’s Internet. Using virtual machine monitor (VMM) is an attractive way to deal with rootkits. However, most of the previous studies do not focus on protecting kernel data using VMMs, especially for the data that may be dynamically changed. Direct kernel object manipulation (DKOM) attacks can stealthily detach kernel data objects belonging to the malicious program from kernel’s normal list, or overwrite import fields in the kernel. It’s hard for OSes or VMMs to distinguish between normal accesses and malicious ones to kernel data. Although some works provides access control policy to kernel data, it can’t detect loadable kernel module (LKM) rootkits that place malicious code to their installation procedure. This paper presents a framework, namely HACS, to protect kernel data using module white list based access control. HACS runs in VMM and intercepts the write requests to protected regions. A mediation strategy is proposed in this paper that judges whether the modification requests are legitimate or not. Malicious modifications requests are forbidden and normal ones are approved. Our experiments with real-world DKOM rootkits demonstrate that HACS provides robust rootkits detection ability, with lower performance overhead than other kernel data protection methods.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: DEStech Transactions on Computer Science and Engineering
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
