DocumentCode :
1785761
Title :
KLrtD: Kernel level rootkit detection
Author :
Behrozinia, Soudeh ; Azmi, Reza
Author_Institution :
Oper. Syst. Security Lab. (OSSL), Alzahra Univ., Tehran, Iran
fYear :
2014
fDate :
20-22 May 2014
Firstpage :
1058
Lastpage :
1063
Abstract :
Kernel rootkits pose a significant threat to computer systems, as they run at the highest privilege level of the operating system and have unrestricted access to the resources of their victims. The majority of current efforts in kernel rootkit defense focus on the detection of kernel rootkits. Given the various untrusted extensions, it remains a challenging problem to comprehensively preserve the integrity of OS kernels in a practical and generic way. In this regard, we propose a detection method named WHKrD that blocks and detects data kernel rootkit attacks by monitoring kernel data access using a virtual machine monitor (VMM). In inference mode, WHKrD observes the execution of the kernel during an inference phase and extracts whitelist rules on kernel data structures. Subsequently, the integrity checker phase uses these rules as specifications of data-structure integrity, and any violation of a rule indicates an infection. We have implemented a prototype of our system using the Xen VMM. Our experiments show that it successfully detects data kernel rootkits, demonstrating its effectiveness and practicality.
Keywords :
data structures; operating system kernels; security of data; virtual machines; KLrtD; OS kernel integrity; WHKrD detection method; data kernel rootkit attack detection; kernel data access; kernel data structures; kernel level rootkit detection; kernel rootkit defense; operating system; virtual machine monitor; xen VMM; Data mining; Data structures; Engines; Kernel; Monitoring; Virtual machine monitors; Virtual machining; Kernel-level rootkits; control and non-control data attacks; integrity checking; rule inference;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Electrical Engineering (ICEE), 2014 22nd Iranian Conference on
Conference_Location :
Tehran
Type :
conf
DOI :
10.1109/IranianCEE.2014.6999692
Filename :
6999692