Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security Ubuntu Linux

Scientists Unveil Lightweight Rootkit Protection 168

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."
This discussion has been archived. No new comments can be posted.

Scientists Unveil Lightweight Rootkit Protection

Comments Filter:
  • So ... (Score:5, Interesting)

    by Nerdfest ( 867930 ) on Wednesday November 11, 2009 @11:39AM (#30060802)
    There's actually nine rootkits out there for Linux? Anyone run into these or have any recommendations of good detection software? I've always been curious if an clamav run from a live CD will pick them up.
  • by sgt scrub ( 869860 ) < minus punct> on Wednesday November 11, 2009 @11:45AM (#30060896)

    I'd like to know the 9 rootkits used. I know Ubuntu 8.04 is a generation behind the current stable version but I don't think there were any rootkits capable of installing. I'm assuming the people doing the test didn't install the kernel source on the box. It isn't installed by default and AFAIK you have to be able to build the kit using the kernel source. Anyone know of a rootkit that can be installed without creating modules from the kernel source? Maybe I'm just way out of the loop on owning a Linux box.

  • Re:I'll take one (Score:4, Interesting)

    by NotBornYesterday ( 1093817 ) * on Wednesday November 11, 2009 @12:47PM (#30061856) Journal
    I used to work for a computer distributor back in the mid-1990's. One of our VARs received a whole bunch of defective Seagate SCSI drives in a single shipment. He RMA's most of them, but he sent one to his sales rep personally, with a bullet hole through it. It was all in good fun, and she kept the disk on a shelf in her cubicle as a sort of trophy. I can't recall if the Seagate rep ever got to see it, though.
  • by raddan ( 519638 ) * on Wednesday November 11, 2009 @02:30PM (#30063302)
    I'd have to read the author's original paper here to know for sure, but that 6% performance hit may be because those kernel hook pages are being swapped out of memory. Relocating kernel hooks to read-only pages is proper design, and if this proof-of-concept really works, kernel developers across all operating systems would be foolish not to look into implementing it themselves.

    But if the aforementioned 6% is because of swapping, then some changes to the page replacement algorithm may mitigate the performance hit somewhat. My feeling is that this kind of protection is worth it. By analogy, bounds-checking arrays prevents many kinds of overflow errors, and there's a penalty to pay for that protection, but in most cases it is well worth doing.

The intelligence of any discussion diminishes with the square of the number of participants. -- Adam Walinsky