MOSKG: countering kernel rootkits with a secure paging mechanism

Kernel-level rootkits compromise the security of operating systems. Current research relies on virtualization as the key tool against these attacks, in the form of virtualization-based memory protection. That memory protection mechanism has weaknesses: it is vulnerable to page mapping attacks, and it is hard to apply to dynamic data. To address these problems, we propose a secure paging mechanism and construct an external, guest-transparent architecture named Multiple Operating Systems Kernel Guard (MOSKG), which can protect critical kernel data in different operating systems, such as Windows and Linux, in both 32-bit and 64-bit versions. To evaluate the proposed architecture, we ran experiments based on a study of kernel rootkits. The results show that MOSKG protects critical kernel data from dynamic kernel object manipulation and page mapping attacks and defeats all of the kernel-level attacks in our experiments, while introducing a performance overhead of only 2.3%. Copyright © 2015 John Wiley & Sons, Ltd.
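The following is a toy model of the page mapping attack the abstract refers to, added here as an illustration; it is not code from the MOSKG paper and does not claim to show MOSKG's own mechanism. It assumes a flat guest page table (VPN to PFN array), a per-frame write-deny flag standing in for VMM-level (EPT-style) write protection, and a hypothetical binding check, `vmm_verify_mapping`, that records which physical frame a protected virtual page was bound to when protection was applied. All function names, the frame size and the sample "syscall_table" string are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of guest paging under a VMM (added illustration, not MOSKG code):
 * a flat VPN->PFN page table, 32-byte frames, and a per-frame write-deny flag
 * standing in for EPT-style protection of guest-physical memory. */
#define NFRAMES     12
#define NPAGES      8
#define FRAME_BYTES 32
#define PFN_NONE    0xFFFFFFFFu

struct vm {
    char     frames[NFRAMES][FRAME_BYTES]; /* guest-physical memory */
    unsigned pt[NPAGES];                   /* guest page table: VPN -> PFN */
    int      wp[NFRAMES];                  /* frame is write-protected by the VMM */
    unsigned bound_pfn[NPAGES];            /* VMM-recorded VPN -> PFN binding (hypothetical) */
    unsigned next_free;                    /* next unused frame (toy allocator) */
};

void vm_init(struct vm *vm)
{
    memset(vm, 0, sizeof *vm);
    for (unsigned v = 0; v < NPAGES; v++) {
        vm->pt[v] = v;                 /* identity-map pages 0..7 to frames 0..7 */
        vm->bound_pfn[v] = PFN_NONE;   /* nothing is protected yet */
    }
    vm->next_free = NPAGES;            /* frames 8..11 are free for the attacker */
}

/* VMM side: write-protect the frame backing VPN and remember the binding. */
int vmm_protect(struct vm *vm, unsigned vpn)
{
    if (vpn >= NPAGES) return -1;
    vm->wp[vm->pt[vpn]] = 1;
    vm->bound_pfn[vpn] = vm->pt[vpn];
    return 0;
}

/* Guest write as the VMM sees it at the physical level: denied (-1) if the
 * frame is protected, 0 on success. */
int guest_write(struct vm *vm, unsigned vpn, const char *data)
{
    if (vpn >= NPAGES) return -1;
    unsigned pfn = vm->pt[vpn];
    if (vm->wp[pfn]) return -1;
    strncpy(vm->frames[pfn], data, FRAME_BYTES - 1);
    vm->frames[pfn][FRAME_BYTES - 1] = '\0';
    return 0;
}

const char *guest_read(const struct vm *vm, unsigned vpn)
{
    return vm->frames[vm->pt[vpn]];
}

/* Page mapping attack: rather than writing the protected frame, the rootkit
 * copies it into a fresh frame, edits the copy, and points the VPN at the copy.
 * No write ever touches the protected frame, so frame-level protection alone
 * stays silent. Returns 0 on success, -1 if no frame is free. */
int remap_attack(struct vm *vm, unsigned vpn, const char *payload)
{
    if (vpn >= NPAGES || vm->next_free >= NFRAMES) return -1;
    unsigned new_pfn = vm->next_free++;
    memcpy(vm->frames[new_pfn], vm->frames[vm->pt[vpn]], FRAME_BYTES);
    strncpy(vm->frames[new_pfn], payload, FRAME_BYTES - 1);
    vm->frames[new_pfn][FRAME_BYTES - 1] = '\0';
    vm->pt[vpn] = new_pfn;   /* guest page-table edit: the VMM is not on this path */
    return 0;
}

/* Hypothetical secure-paging check: the VPN->PFN binding recorded at
 * protection time must still hold. Returns 1 if intact, 0 if remapped,
 * -1 if the page was never protected. */
int vmm_verify_mapping(const struct vm *vm, unsigned vpn)
{
    if (vpn >= NPAGES || vm->bound_pfn[vpn] == PFN_NONE) return -1;
    return vm->pt[vpn] == vm->bound_pfn[vpn];
}

int main(void)
{
    struct vm vm;
    vm_init(&vm);
    guest_write(&vm, 3, "syscall_table: sys_open@orig");   /* constructed sample data */
    vmm_protect(&vm, 3);
    printf("direct write: %s\n", guest_write(&vm, 3, "hooked") ? "denied" : "allowed");
    remap_attack(&vm, 3, "syscall_table: sys_open@rootkit");
    printf("guest now reads: %s\n", guest_read(&vm, 3));
    printf("mapping check: %s\n", vmm_verify_mapping(&vm, 3) == 1 ? "intact" : "REMAPPED");
    return 0;
}
```

The point of the model is the gap between the two checks: protecting a physical frame says nothing about which frame a virtual address resolves to, so a guest-level page-table edit replaces the protected data from the kernel's point of view without ever triggering the frame-level deny. A defense that only inspects frame contents would also pass, because the original frame is untouched; only a check on the mapping itself (here, the recorded binding) sees the substitution.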
