Hello rootKitty: A lightweight invariance-enforcing framework
Francesco Gadaleta, Nick Nikiforakis, Yves Younan, and Wouter Joosen

TL;DR
Hello rootKitty is a lightweight framework leveraging virtualization to detect and restore malicious kernel data modifications caused by rootkits, providing effective OS protection with minimal overhead.
Contribution
It introduces a novel invariance-enforcing framework that uses virtualization to defend operating systems against rootkits by restoring kernel data structures.
Findings
Negligible performance overhead
Effective detection and restoration of kernel data modifications
Protects commodity OS from modern rootkits
Abstract
In monolithic operating systems, the kernel is the piece of code that executes with the highest privileges and has control over all the software running on a host. A successful attack against an operating system's kernel means a total and complete compromise of the running system. These attacks usually end with the installation of a rootkit, a stealthy piece of software running with kernel privileges. When a rootkit is present, no guarantees can be made about the correctness, privacy or isolation of the operating system. In this paper we present Hello rootKitty, an invariance-enforcing framework which takes advantage of current virtualization technology to protect a guest operating system against rootkits. Hello rootKitty uses the idea of invariance to detect maliciously modified kernel data structures and restore them to their original legitimate values. Our prototype…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
