Write-protection enforcement
Author: | Igor Stoppa, Ahmed Abdelraoof, Mohamed Azab |
---|---|
Year: | 2020 |
Subject: | Software; Operating systems; Computer science; Rootkit; Software engineering; Hypervisor; Linux kernel; Write protection; Kernel; Operating system; Malware |
Source: | SAC (ACM Symposium on Applied Computing) |
DOI: | 10.1145/3341105.3373919 |
Description: | A rootkit is a piece of code that aims to manipulate a computer's behaviour without being detected. Rootkits are mainly used to disable kernel self-protection, hide the presence of malware, provide a covert communication channel between malware and its Command and Control (C&C) server, and secretly keep a breach viable. Depending on how rootkits are injected into the target, they can reside in either user or kernel space. Kernel-space rootkits are the hardest to detect and prevent because, once the kernel is compromised, they usually take control of it. In this paper, we present WpE, Write-protection Enforcement: a hypervisor-backed kernel hardening system. WpE aims to keep kernel self-protection active in the presence of attacks. WpE comprises two software components, one running in hypervisor mode and one running in kernel mode. At OS instantiation, the kernel component arranges the kernel's critical data in a way that facilitates labelling such data as writable, rarely writable, or read-only. The hypervisor component stops a compromised kernel from altering memory or registers that were flagged for read-only protection. At the current stage of implementation, we have successfully integrated WpE with KVM and the Linux kernel. Evaluation showed that WpE adds acceptable overhead. |
Database: | OpenAIRE |
External link: |
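The abstract describes three write classes for critical kernel data (writable, rarely writable, read-only after init) and an enforcement component that makes writes to the sealed classes fault. The following is an added example, not code from the WpE paper or its authors: it models that scheme in user space with `mmap`/`mprotect`, grouping each class on its own page so page permissions can express the policy, sealing both protected classes after an init phase, and proving with a fault-catching probe that a direct write to sealed data is blocked while the one sanctioned "rare write" path still works. The slot names and values are made up for the illustration. The important caveat is the one the paper motivates: here the protected process can lift the protection itself with `mprotect`, which is exactly what a compromised kernel could do to its own page tables; WpE's hypervisor component exists to make the read-only label something the guest kernel cannot undo.

```c
/* Added example (not WpE's code): user-space model of the write classes
 * described in the abstract, enforced with page permissions. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define RO_SLOTS   4   /* hypothetical "syscall table": read-only after init   */
#define RARE_SLOTS 2   /* hypothetical "LSM hook pointers": rarely writable     */

struct guarded {
    uint64_t *base;   /* page-aligned mapping holding exactly one write class */
    size_t    len;    /* mapping length in bytes, a multiple of the page size */
};

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_active;

static void fault_handler(int sig)
{
    if (probe_active)
        siglongjmp(probe_env, 1);      /* a probe write faulted: report it */
    signal(sig, SIG_DFL);              /* not ours: die as usual */
    raise(sig);
}

/* Map one class of data on its own page(s), writable during init. */
static int guarded_map(struct guarded *g, size_t slots)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    g->len = (slots * sizeof(uint64_t) + pg - 1) / pg * pg;
    void *p = mmap(NULL, g->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    g->base = p;
    return 0;
}

/* End of init: read-only and rarely-writable data both lose write access. */
static int guarded_seal(struct guarded *g)
{
    return mprotect(g->base, g->len, PROT_READ);
}

/* The only sanctioned path for rarely-writable data: open a short write
 * window, update, close it again.  In WpE the window would be granted by the
 * hypervisor component rather than by the guest itself (assumption). */
static int rare_write(struct guarded *g, size_t slot, uint64_t v)
{
    if (slot * sizeof(uint64_t) >= g->len)
        return -1;
    if (mprotect(g->base, g->len, PROT_READ | PROT_WRITE) != 0)
        return -1;
    g->base[slot] = v;
    return mprotect(g->base, g->len, PROT_READ);
}

/* Simulate a compromised component writing straight to *p.
 * Returns 1 if the write faulted (blocked), 0 if it went through. */
static int direct_write_blocked(uint64_t *p, uint64_t v)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int blocked = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS here */
    probe_active = 1;
    if (sigsetjmp(probe_env, 1) == 0)
        *(volatile uint64_t *)p = v;
    else
        blocked = 1;
    probe_active = 0;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
}

/* Run the scenario; returns 0 if every expectation held, else a bitmask. */
int wpe_model_check(void)
{
    struct guarded ro, rare;
    int fail = 0;
    if (guarded_map(&ro, RO_SLOTS) || guarded_map(&rare, RARE_SLOTS))
        return -1;
    for (size_t i = 0; i < RO_SLOTS; i++)      /* init phase: tables filled */
        ro.base[i] = 0x1000 + i;
    rare.base[0] = 0xABCD;
    if (guarded_seal(&ro) || guarded_seal(&rare))
        fail |= 1;
    if (direct_write_blocked(&ro.base[1], 0xDEAD) != 1)   fail |= 2;
    if (direct_write_blocked(&rare.base[0], 0xDEAD) != 1) fail |= 4;
    if (ro.base[1] != 0x1001 || rare.base[0] != 0xABCD)   fail |= 8;
    if (rare_write(&rare, 0, 0xBEEF) != 0 || rare.base[0] != 0xBEEF) fail |= 16;
    if (direct_write_blocked(&rare.base[0], 0xDEAD) != 1) fail |= 32;   /* re-sealed */
    munmap(ro.base, ro.len);
    munmap(rare.base, rare.len);
    return fail;
}

int main(void)
{
    int r = wpe_model_check();
    printf("write-protection model: %s (0x%x)\n", r == 0 ? "ok" : "FAILED", r);
    return r != 0;
}
```

Grouping each class on its own page is the part of the design that carries over directly: page-granular permissions (here the MMU, in WpE the hypervisor's second-level page tables) can only protect data that has been laid out so that nothing writable shares a page with it, which is why the kernel component has to arrange critical data at instantiation before anything can be sealed.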