Title :
Rootkit detection on virtual machines through deep information extraction at hypervisor-level
Author :
Xiongwei Xie ; Weichao Wang
Author_Institution :
Dept. of SIS, UNC Charlotte, Charlotte, NC, USA
Abstract :
As a special type of stealth attack, a rootkit hides its existence from malware detection and maintains continued privileged access to a computer system. The proliferation of virtualization creates a new vantage point for the detection of such attacks. In this paper, we propose a rootkit detection mechanism for virtual machines based on deep information extraction and reconstruction at the hypervisor level. By accessing key components of a VM such as the kernel symbol table, the hypervisor can reconstruct the VM's execution state and learn essential information such as the running processes, active network connections, and open files. Through cross-verification among the different components of the reconstructed execution state, we can detect both hidden information and anomalous connections among them. We implement our approach in Xen 4.1 with Linux VMs. Our experiments show that the hypervisor can efficiently reconstruct the semantic view of a VM's memory and identify the rootkits. Since the hypervisor accesses only high-level kernel data structures, it has very limited impact on VM performance.
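The abstract describes two steps: reconstruct a semantic view of guest memory from the kernel symbol table (walk the task list, read the socket table), then cross-verify the views so that a process unlinked from the task list still shows up as the owner of a network connection. The following is an added illustration of that cross-view check and is not code from the paper or its Xen implementation. The guest memory image, the symbol table, the task_struct field offsets and the socket table layout are all constructed here for the example; a real introspection tool would read physical guest memory through the hypervisor and take offsets from the running kernel's debug information.

```python
import struct

# Hypothetical task_struct layout used by the constructed image:
#   tasks.next (u64) | tasks.prev (u64) | pid (u32) | comm (16 bytes)
OFF_NEXT, OFF_PREV, OFF_PID, OFF_COMM = 0, 8, 16, 20
TASK_FMT = "<QQI16s"           # 36 bytes, no padding
SOCK_FMT = "<IHH"              # owner pid, local port, remote port (constructed layout)


def read_u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]


def read_u64(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]


def read_cstr(mem, addr, n):
    return bytes(mem[addr:addr + n]).split(b"\0", 1)[0].decode()


def walk_tasks(mem, symbols, max_iter=4096):
    """Walk the circular doubly-linked task list starting at the init_task symbol.

    Returns {pid: comm}. The walk is bounded and tracks visited addresses so a
    corrupted or malicious next pointer cannot make the introspector loop forever.
    """
    head = symbols["init_task"]
    seen, visited, addr = {}, set(), head
    for _ in range(max_iter):
        if addr in visited:
            raise ValueError("cycle in tasks list that does not return to init_task")
        visited.add(addr)
        seen[read_u32(mem, addr + OFF_PID)] = read_cstr(mem, addr + OFF_COMM, 16)
        addr = read_u64(mem, addr + OFF_NEXT)
        if addr == head:
            return seen
    raise ValueError("tasks list did not terminate")


def reconstruct_sockets(mem, symbols):
    """Read the constructed socket table: u32 count followed by SOCK_FMT entries."""
    base = symbols["sock_table"]
    count = read_u32(mem, base)
    size = struct.calcsize(SOCK_FMT)
    return [struct.unpack_from(SOCK_FMT, mem, base + 4 + i * size) for i in range(count)]


def cross_verify(tasks, sockets):
    """Cross-view check: sockets owned by a PID that the task-list view does not contain.

    A rootkit that unlinks its process from the tasks list (DKOM) cannot also
    remove the ownership recorded in the connection view, so such entries are
    flagged as anomalous.
    """
    return [s for s in sockets if s[0] not in tasks]


def build_sample_image():
    """Construct a small guest memory image and symbol table (not a real kernel)."""
    mem = bytearray(4096)
    symbols = {"init_task": 0x100, "sock_table": 0x800}
    init, bash, sshd, hidden = 0x100, 0x140, 0x180, 0x200
    # Visible processes: init -> bash -> sshd -> init (circular list).
    struct.pack_into(TASK_FMT, mem, init, bash, sshd, 0, b"swapper")
    struct.pack_into(TASK_FMT, mem, bash, sshd, init, 1000, b"bash")
    struct.pack_into(TASK_FMT, mem, sshd, init, bash, 1001, b"sshd")
    # Hidden process: present in memory but unlinked from the tasks list.
    struct.pack_into(TASK_FMT, mem, hidden, hidden, hidden, 4242, b"rk_worker")
    # Socket table: sshd listens on 22; the hidden process owns a listener on 31337.
    entries = [(1001, 22, 0), (4242, 31337, 0)]
    struct.pack_into("<I", mem, symbols["sock_table"], len(entries))
    for i, e in enumerate(entries):
        struct.pack_into(SOCK_FMT, mem, symbols["sock_table"] + 4 + i * 8, *e)
    return mem, symbols


def detect_hidden_owners():
    """Run the full pipeline on the constructed image; returns the anomalous sockets."""
    mem, symbols = build_sample_image()
    return cross_verify(walk_tasks(mem, symbols), reconstruct_sockets(mem, symbols))


if __name__ == "__main__":
    for pid, lport, rport in detect_hidden_owners():
        print(f"socket {lport}->{rport} owned by pid {pid} which is absent from the task list")
```

The same pattern extends to the paper's third view: file-table entries whose owner PID is missing from the task list, or tasks that own no files and no sockets yet appear in the scheduler, are further cross-checks that reuse `walk_tasks` unchanged.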
Keywords :
Linux; invasive software; virtual machines; virtualisation; Linux VM; VM components; Xen 4.1; deep information extraction; deep information reconstruction; hypervisor level; kernel symbol table; malware detection; rootkit detection; stealth attacks detection; virtual machines; virtualization; Image reconstruction; Kernel; Linux; Malware; Semantics; Virtual machine monitors; Virtual machining;
Conference_Titel :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
DOI :
10.1109/CNS.2013.6682767