\input zb-basic
\input zb-ioport
\iteman{io-port 05357351}
\itemau{Riley, Ryan; Jiang, Xuxian; Xu, Dongyan}
\itemti{Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing.}
\itemso{Lippmann, Richard (ed.) et al., Recent advances in intrusion detection. 11th international symposium, RAID 2008, Cambridge, MA, USA, September 15--17, 2008. Proceedings. Berlin: Springer (ISBN 978-3-540-87402-7/pbk). Lecture Notes in Computer Science 5230, 1-20 (2008).}
\itemab
Summary: Kernel rootkits pose a significant threat to computer systems as they run at the highest privilege level and have unrestricted access to the resources of their victims. Many current efforts in kernel rootkit defense focus on the detection of kernel rootkits -- after a rootkit attack has taken place, while the smaller number of efforts in kernel rootkit prevention exhibit limitations in their capability or deployability. In this paper we present a kernel rootkit prevention system called NICKLE which addresses a common, fundamental characteristic of most kernel rootkits: the need for executing their own kernel code. NICKLE is a lightweight, virtual machine monitor (VMM) based system that transparently prevents unauthorized kernel code execution for unmodified commodity (guest) OSes. NICKLE is based on a new scheme called memory shadowing, wherein the trusted VMM maintains a shadow physical memory for a running VM and performs real-time kernel code authentication so that only authenticated kernel code will be stored in the shadow memory. Further, NICKLE transparently routes guest kernel instruction fetches to the shadow memory at runtime. By doing so, NICKLE guarantees that only the authenticated kernel code will be executed, foiling the kernel rootkit's attempt to strike in the first place. We have implemented NICKLE in three VMM platforms: QEMU+KQEMU, VirtualBox, and VMware Workstation. Our experiments with 23 real-world kernel rootkits targeting the Linux or Windows OSes demonstrate NICKLE's effectiveness. Furthermore, our performance evaluation shows that NICKLE introduces small overhead to the VMM platform.
\itemrv{~}
\itemcc{}
\itemut{}
\itemli{doi:10.1007/978-3-540-87403-4\_1}
\end