Title: Shepherding Loadable Kernel Modules through On-demand Emulation
Abstract: Despite many advances in system security, rootkits remain a threat to major operating systems. First, this paper discusses why kernel integrity verification is not sufficient to counter all types of kernel rootkits, and a confidentiality-violation rootkit is demonstrated that evades all integrity verifiers. Then, the paper presents DARK, a rootkit prevention system that tracks a suspicious loadable kernel module at a fine-grained level by using on-demand emulation, a technique that dynamically switches a running system between virtualized and emulated execution. Combining the strengths of emulation and virtualization, DARK is able to thoroughly capture the activities of the target module in a guest OS while maintaining reasonable run-time performance. To address integrity-violation and confidentiality-violation rootkits, we create a group of security policies that can detect all available Linux rootkits. Finally, it is shown that normal guest OS performance is unaffected: performance decreases only when rootkits attempt to run, and most rootkits are detected at installation.
Year: 2009
DOI: 10.1007/978-3-642-02918-9_4
Venue: DIMVA
Keywords: confidentiality-violation rootkits, available Linux rootkits, suspicious loadable kernel module, rootkits attempt, major operating system, kernel integrity verification, rootkit prevention system, shepherding loadable kernel modules, on-demand emulation, normal guest OS performance, reasonable run-time performance, kernel rootkits, system security, virtual machine monitor, security policy, operating system
Field: Kernel (linear algebra), Virtualization, On demand, Computer science, Rootkit, Hypervisor, Emulation, Loadable kernel module, Security policy, Operating system, Embedded system
DocType: Conference
Volume: 5587
ISSN: 0302-9743
Citations: 7
PageRank: 0.51
References: 23
Authors: 3
Author list (name, author order, citations, PageRank):
1. Chaoting Xuan: 23 citations, PageRank 1.26
2. John A. Copeland: 4566 citations, PageRank 0.84
3. Raheem Beyah: 2131 citations, PageRank 4.78