DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."
I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.
Franklin was never President. He was part of the Committee Of Five that drafted the Declaration of Independence and the first Postmaster General though. He was also a polymath.
I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.
Damn straight! The same goes for guns! It should be a law that computer admins have to carry guns in order to protect their machines! Have a computer in your house? Well then, you are required to have a gun by your machine - even if you live in NY City!
Merely carry guns? What kind of protection is that?
I say, it should be mandatory to have a USB firearm attached to your computer. If it detects someone trying to steal the computer, someone getting the password wrong, or someone trying to install unwanted software, the computer will now have a way to defend itself. I think we'd all be safer in a world where every computer has a USB assault rifle attached to it.
Sure, you say that now. When they can shoot back it will be "No Sir Mr. Computer Sir, I was no where near the UPS when that event happened, you got to believe me, it was someone who resembles me pixel for pixel, OH PLEASE DON"T AIM AT MY GROIN AGAIN!"
I used to work for a computer distributor back in the mid-1990's. One of our VARs received a whole bunch of defective Seagate SCSI drives in a single shipment. He RMA's most of them, but he sent one to his sales rep personally, with a bullet hole through it. It was all in good fun, and she kept the disk on a shelf in her cubicle as a sort of trophy. I can't recall if the Seagate rep ever got to see it, though.
There's actually nine rootkits out there for Linux? Anyone run into these or have any recommendations of good detection software? I've always been curious if an clamav run from a live CD will pick them up.
There's possible, and there's 'worth the trouble'. I'd assume most of these are aimed at large scale server users, but I'm curious about how common they are in the wild.
The team installed HookSafe on a machine running Windows Vista, and found the system successfully prevented 126, 000 real-world rootkits targeting that platform from installing or hiding themselves.
So the synopsis starts by saying it doesn't degrade performance and ends with "it only causes a 6% drop in performance." Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?
I'd like to know the 9 rootkits used. I know Ubuntu 8.04 is a generation behind the current stable version but I don't think there were any rootkits capable of installing. I'm assuming the people doing the test didn't install the kernel source on the box. It isn't installed by default and AFAIK you have to be able to build the kit using the kernel source. Anyone know of a rootkit that can be installed without creating modules from the kernel source? Maybe I'm just way out of the loop on owning a Linux box.
You don't need the full kernel source to build a module, just the header files. These are usually placed in a separate package. Is the kernel header package installed by default?
8.04 isn't a full generation behind anything, it's the LTS version which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice with using 8.04 as their testbed for this.
Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of/bin/sh works quite fine, but as always it all depends on what you want.
So this thing acts as a hypervisor and loads its own hooks into the kernel. Sounds like something a root kit would do.
It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?
It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?
That's why the TSA's so harmful. If you outlaw bombs on a plane, then only terrorists will have bombs.
... it being partly a microsoft research project and all. They wouldn't be trying to imply anything about Linux would they , or perish the thought , be unwilling to embarras themselves if Windows could *still* be rooted even after this solution was installed?
Probably more likely it's easier to test the theory on a kernel you can hack the source of quite easily than recompile Windows every time.. even if you have the souce license (which they may not have done even though they're funded by microsoft).
Anti Virus programs are effectively rootkits - at least for Windows - as they bury themselves deep in the OS and redirect various kernel hooks to themselves. I can see potential problems if this type of solution ever becomes common though I suppose you could argue that you shouldn't need anti virus protection if you have this hypervisor. And with both Linux and Windows how would it take into account someone attempting to load a driver/module from userland?
You cannot protect against root kits, all you can do is make it harder to get true root. How is this more effective than making key binaries immutable then removing the kernel ability to remove immutability during boot (performance cost 0%)?
If you can get a driver into ring 0 what the kernel can or can't do doesn't mean squat. Run everything under a hypervisor, however, and you never get direct access to the hardware hence it limits what you can do (doesn't mean you can't do it.. just makes it significantly harder).
Add to this the fact that even with a fully updated Windows/Linux/OSX box, it is still possible for a userland program to snag ring-0 via known vulnerabilities.
I predict that hypervisors will become very complex over the next 10 years, complete with malware detection heuristics, but will eventually fall prey to the same problems modern kernels have (that of being too complex to make bullet proof)
Surely this problem was addressed in the 1960s or 1970s in the mainframe world, yet I've not heard much in the way of lessons we can apply to today's PC-type OSes.
Could be tough. Have computer in physically sealed room, only communicate with dumb terminals.
I'd have to read the author's original paper here to know for sure, but that 6% performance hit may be because those kernel hook pages are being swapped out of memory. Relocating kernel hooks to read-only pages is proper design, and if this proof-of-concept really works, kernel developers across all operating systems would be foolish not to look into implementing it themselves.
But if the aforementioned 6% is because of swapping, then some changes to the page replacement algorithm may mitigate the performance hit somewhat. My feeling is that this kind of protection is worth it. By analogy, bounds-checking arrays prevents many kinds of overflow errors, and there's a penalty to pay for that protection, but in most cases it is well worth doing.
Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.
I'll take one (Score:5, Funny)
Reply to This
Re: (Score:3, Funny)
Re:I'll take one (Score:5, Informative)
It wasn't Jefferson, it was Franklin
Reply to This
Parent
Re:I'll take one (Score:4, Funny)
Reply to This
Parent
Re: (Score:3, Funny)
Re:I'll take one (Score:5, Funny)
Reply to This
Parent
Re:I'll take one (Score:4, Funny)
Reply to This
Parent
Re: (Score:3, Informative)
Franklin was never President. He was part of the Committee Of Five that drafted the Declaration of Independence and the first Postmaster General though. He was also a polymath.
Re: (Score:2)
Re:I'll take one (Score:5, Funny)
Reply to This
Parent
Re: (Score:3, Funny)
I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.
Damn straight! The same goes for guns! It should be a law that computer admins have to carry guns in order to protect their machines! Have a computer in your house? Well then, you are required to have a gun by your machine - even if you live in NY City!
Re: (Score:2)
Merely carry guns? What kind of protection is that?
I say, it should be mandatory to have a USB firearm attached to your computer. If it detects someone trying to steal the computer, someone getting the password wrong, or someone trying to install unwanted software, the computer will now have a way to defend itself. I think we'd all be safer in a world where every computer has a USB assault rifle attached to it.
Re: (Score:2)
Re: (Score:2)
When they can shoot back it will be "No Sir Mr. Computer Sir, I was no where near the UPS when that event happened, you got to believe me, it was someone who resembles me pixel for pixel, OH PLEASE DON"T AIM AT MY GROIN AGAIN!"
Re:I'll take one (Score:4, Interesting)
Reply to This
Parent
Re:I'll take one (Score:5, Funny)
Those who would give up essential system performance for temporary system security... probably need to learn how to overclock their systems.
Reply to This
Parent
So ... (Score:5, Interesting)
Reply to This
Re:So ... (Score:4, Informative)
http://www.chkrootkit.org/ [chkrootkit.org]
Reply to This
Parent
MOD Parent UP !!! (Score:3, Informative)
Together with Rkhunter (mentionned in another post bellow) Chkrootkit are both nice tools to use in helping preventing a linux machine being rooter.
Re:So ... (Score:5, Funny)
Reply to This
Parent
Re: (Score:2)
Re: (Score:2)
The reason it's called a root kit is that it hides the fact that your box has been root ed, and what kind of O/S has a root account? Hint: Not Windows.
Re: (Score:2)
Rootkit as a name has nothing to do with the OS it's running on.. the Sony rootkits targetted Windows for example.
Anyway, Windows has a whole class of root users called the administrators group, not just one user.
Re:So ... (Score:4, Funny)
You're either insulated, or you suck at humor. By your logic windows boxes get administratored.
Well, with some of the messes I've had to clean up from previous Admins it isn't an unfair statement
Reply to This
Parent
Rootkit hunter (Score:5, Informative)
Anyone run into these or have any recommendations of good detection software?
Rootkit Hunter [sourceforge.net]
Reply to This
Parent
Re: (Score:2)
The summary was incorrect - corrected below:
The team installed HookSafe on a machine running Windows Vista, and found the system successfully prevented 126, 000 real-world rootkits targeting that platform from installing or hiding themselves.
Re:So ... (Score:5, Informative)
There's actually nine rootkits out there for Linux?
The rootkits in question are:
Some of them are in the wild an some are just for research. For more information, I would check out this page. [packetstormsecurity.org]
Reply to This
Parent
Not degrading the performance? (Score:2)
Re: (Score:3, Funny)
Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?
My spelling error detector just exploded! You jerk!
Re:Not degrading the performance? (Score:4, Funny)
Were you trying to say "Now, I might be native, but why can't these memory aligning tricks be done in the kernel naively?
Reply to This
Parent
Re: (Score:2, Informative)
Re: (Score:2)
You might be snow? And your kernel is naïve?
What were the rootkits? (Score:3, Interesting)
I'd like to know the 9 rootkits used. I know Ubuntu 8.04 is a generation behind the current stable version but I don't think there were any rootkits capable of installing. I'm assuming the people doing the test didn't install the kernel source on the box. It isn't installed by default and AFAIK you have to be able to build the kit using the kernel source. Anyone know of a rootkit that can be installed without creating modules from the kernel source? Maybe I'm just way out of the loop on owning a Linux box.
Reply to This
Re: (Score:3, Informative)
You don't need the full kernel source to build a module, just the header files. These are usually placed in a separate package. Is the kernel header package installed by default?
Re: (Score:3, Informative)
8.04 isn't a full generation behind anything, it's the LTS version which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice with using 8.04 as their testbed for this.
Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of /bin/sh works quite fine, but as always it all depends on what you want.
You're out of the loop. :(
Sounds like a root kit. (Score:5, Funny)
So this thing acts as a hypervisor and loads its own hooks into the kernel. Sounds like something a root kit would do.
It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?
Reply to This
Re:Sounds like a root kit. (Score:5, Funny)
It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?
That's why the TSA's so harmful. If you outlaw bombs on a plane, then only terrorists will have bombs.
Reply to This
Parent
Re: (Score:3, Funny)
Only symbolically, of course.
Hmm , is there a reason they didn't use Windows? (Score:4, Insightful)
... it being partly a microsoft research project and all. They wouldn't be trying to imply anything about Linux would they , or perish the thought , be unwilling to embarras themselves if Windows could *still* be rooted even after this solution was installed?
Reply to This
Re: (Score:2)
Probably more likely it's easier to test the theory on a kernel you can hack the source of quite easily than recompile Windows every time.. even if you have the souce license (which they may not have done even though they're funded by microsoft).
How well would this play with Anti Virus programs? (Score:2)
Anti Virus programs are effectively rootkits - at least for Windows - as they bury themselves deep in the OS and redirect various kernel hooks to themselves. I can see potential problems if this type of solution ever becomes common though I suppose you could argue that you shouldn't need anti virus protection if you have this hypervisor. And with both Linux and Windows how would it take into account someone attempting to load a driver/module from userland?
Re: (Score:3, Funny)
I think you had a little typo there, but I fixed it.
If it can be added, it can be removed (Score:2)
You cannot protect against root kits, all you can do is make it harder to get true root. How is this more effective than making key binaries immutable then removing the kernel ability to remove immutability during boot (performance cost 0%)?
Re: (Score:3, Informative)
If you can get a driver into ring 0 what the kernel can or can't do doesn't mean squat. Run everything under a hypervisor, however, and you never get direct access to the hardware hence it limits what you can do (doesn't mean you can't do it.. just makes it significantly harder).
Re: (Score:3, Insightful)
I predict that hypervisors will become very complex over the next 10 years, complete with malware detection heuristics, but will eventually fall prey to the same problems modern kernels have (that of being too complex to make bullet proof)
By any other name (Score:4, Insightful)
A root kit is just a sandbox that someone else has set up for you on what is now his or her computer.
Reply to This
Re: (Score:3, Insightful)
Surely this problem was addressed in the 1960s or 1970s in the mainframe world, yet I've not heard much in the way of lessons we can apply to today's PC-type OSes.
Could be tough. Have computer in physically sealed room, only communicate with dumb terminals.
Re: (Score:2)
Re:6%?? Of what system? (Score:5, Interesting)
But if the aforementioned 6% is because of swapping, then some changes to the page replacement algorithm may mitigate the performance hit somewhat. My feeling is that this kind of protection is worth it. By analogy, bounds-checking arrays prevents many kinds of overflow errors, and there's a penalty to pay for that protection, but in most cases it is well worth doing.
Reply to This
Parent
Re:6%?? Of what system? (Score:4, Informative)
Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.
Reply to This
Parent