Xen and the art of virtualization
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Detecting Stealth Software with Strider GhostBuster
DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Copilot - a coprocessor-based kernel runtime integrity monitor
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Exploring Multiple Execution Paths for Malware Analysis
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Detours: binary interception of Win32 functions
WINSYM'99 Proceedings of the 3rd conference on USENIX Windows NT Symposium - Volume 3
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Automated detection of persistent kernel control-flow attacks
Proceedings of the 14th ACM conference on Computer and communications security
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
Lares: An Architecture for Secure Active Monitoring Using Virtualization
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
When good instructions go bad: generalizing return-oriented programming to RISC
Proceedings of the 15th ACM conference on Computer and communications security
Hypervisor support for identifying covertly executing binaries
SS'08 Proceedings of the 17th conference on Security symposium
Multi-aspect profiling of kernel rootkit behavior
Proceedings of the 4th ACM European conference on Computer systems
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Defeating return-oriented rootkits with "Return-Less" kernels
Proceedings of the 5th European conference on Computer systems
Hypervisor-based prevention of persistent rootkits
Proceedings of the 2010 ACM Symposium on Applied Computing
A control point for reducing root abuse of file-system privileges
Proceedings of the 17th ACM conference on Computer and communications security
Automatic discovery of parasitic malware
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
HyperCheck: a hardware-assisted integrity monitor
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
VM-based security overkill: a lament for applied systems security research
Proceedings of the 2010 workshop on New security paradigms
G-Free: defeating return-oriented programming through gadget-less binaries
Proceedings of the 26th Annual Computer Security Applications Conference
Attribution of malicious behavior
ICISS'10 Proceedings of the 6th international conference on Information systems security
Ensuring operating system kernel integrity with OSck
Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems
Detecting stealthy malware with inter-structure and imported signatures
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Security versus energy tradeoffs in host-based mobile malware detection
MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications, and services
Operating system interface obfuscation and the revealing of hidden operations
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
DriverGuard: a fine-grained protection on I/O flows
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Breaking up is hard to do: security and functionality in a commodity hypervisor
SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
Hello rootKitty: a lightweight invariance-enforcing framework
ISC'11 Proceedings of the 14th international conference on Information security
A case for unlimited watchpoints
ASPLOS XVII Proceedings of the seventeenth international conference on Architectural Support for Programming Languages and Operating Systems
Architectural support for hypervisor-secure virtualization
ASPLOS XVII Proceedings of the seventeenth international conference on Architectural Support for Programming Languages and Operating Systems
A universal semantic bridge for virtual machine introspection
ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation
Proceedings of the 27th Annual ACM Symposium on Applied Computing
kGuard: lightweight kernel protection against return-to-user attacks
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Enhanced operating system security through efficient and fine-grained address space randomization
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Blacksheep: detecting compromised hosts in homogeneous crowds
Proceedings of the 2012 ACM conference on Computer and communications security
Host based attack detection using system calls
Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology
Efficient protection of kernel data structures via object partitioning
Proceedings of the 28th Annual Computer Security Applications Conference
Information Sciences: an International Journal
InkTag: secure applications on an untrusted operating system
Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM
Proceedings of the 40th Annual International Symposium on Computer Architecture
NumChecker: detecting kernel control-flow modifying rootkits by using hardware performance counters
Proceedings of the 50th Annual Design Automation Conference
Hi-index | 0.00 |
Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with other kernel data. In addition, there is a lack of flexible commodity hardware support, leading to the socalled protection granularity gap -- kernel hook protection requires byte-level granularity but commodity hardware only provides page level protection. To address the above challenges, in this paper, we present HookSafe, a hypervisor-based lightweight system that can protect thousands of kernel hooks in a guest OS from being hijacked. One key observation behind our approach is that a kernel hook, once initialized, may be frequently "read"-accessed, but rarely write"-accessed. As such, we can relocate those kernel hooks to a dedicated page-aligned memory space and then regulate accesses to them with hardware-based page-level protection. We have developed a prototype of HookSafe and used it to protect more than 5,900 kernel hooks in a Linux guest. Our experiments with nine real-world rootkits show that HookSafe can effectively defeat their attempts to hijack kernel hooks. We also show that HookSafe achieves such a large-scale protection with a small overhead (e.g., around 6% slowdown in performance benchmarks).