Scientists Unveil Lightweight Rootkit Protection
DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."
Re:I'll take one (Score:5, Informative)
It wasn't Jefferson, it was Franklin
Re:What were the rootkits? (Score:3, Informative)
You don't need the full kernel source to build a module, just the header files. These are usually placed in a separate package. Is the kernel header package installed by default?
Re:So ... (Score:4, Informative)
http://www.chkrootkit.org/ [chkrootkit.org]
Rootkit hunter (Score:5, Informative)
Anyone run into these or have any recommendations of good detection software?
Rootkit Hunter [sourceforge.net]
Re:Not degrading the performance? (Score:2, Informative)
Re:I'll take one (Score:3, Informative)
Franklin was never President. He was part of the Committee Of Five that drafted the Declaration of Independence and the first Postmaster General though. He was also a polymath.
Re:What were the rootkits? (Score:3, Informative)
8.04 isn't a full generation behind anything; it's the LTS version, which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice in using 8.04 as their testbed for this.
Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of /bin/sh works quite fine, but as always it all depends on what you want.
You're out of the loop. :(
Re:If it can be added, it can be removed (Score:3, Informative)
If you can get a driver into ring 0, what the kernel can or can't do doesn't mean squat. Run everything under a hypervisor, however, and you never get direct access to the hardware, hence it limits what you can do (doesn't mean you can't do it.. just makes it significantly harder).
Re:So ... (Score:5, Informative)
There's actually nine rootkits out there for Linux?
The rootkits in question are:
Some of them are in the wild and some are just for research. For more information, I would check out this page. [packetstormsecurity.org]
MOD Parent UP !!! (Score:3, Informative)
Together with Rkhunter (mentioned in another post below), Chkrootkit is a nice tool to use in helping prevent a Linux machine from being rooted.
Re:6%?? Of what system? (Score:4, Informative)
Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.
Re:I'll take one (Score:2, Informative)