The design and implementation of tripwire: a file system integrity checker
CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Information and control in gray-box systems
SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
When Virtual Is Better Than Real
HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems
I3FS: An In-Kernel Integrity Checker and Intrusion Detection File System
LISA '04 Proceedings of the 18th USENIX conference on System administration
HyperSpector: virtual distributed monitoring environments for secure intrusion detection
Proceedings of the 1st ACM/USENIX international conference on Virtual execution environments
Semantically-Smart Disk Systems
FAST '03 Proceedings of the 2nd USENIX Conference on File and Storage Technologies
Towards Protecting Sensitive Files in a Compromised System
SISW '05 Proceedings of the Third IEEE International Security in Storage Workshop
Virtual-Machine-based Intrusion Detection on File-aware Block Level Storage
SBAC-PAD '06 Proceedings of the 18th International Symposium on Computer Architecture and High Performance Computing
Rootkits for Dummies (For Dummies (Computer/Tech))
Towards a tamper-resistant kernel rootkit detector
Proceedings of the 2007 ACM symposium on Applied computing
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
Security and Integrity of a Distributed File Storage in a Virtual Environment
SISW '07 Proceedings of the Fourth International IEEE Security in Storage Workshop
Improving Xen security through disaggregation
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
Proceedings of the 15th ACM conference on Computer and communications security
Hypervisor support for identifying covertly executing binaries
SS'08 Proceedings of the 17th conference on Security symposium
BitVisor: a thin hypervisor for enforcing i/o device security
Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Countering kernel rootkits with lightweight hook protection
Proceedings of the 16th ACM conference on Computer and communications security
Hypervisor-based protection of sensitive files in a compromised system
Proceedings of the 27th Annual ACM Symposium on Applied Computing
Detecting malware signatures in a thin hypervisor
Proceedings of the 27th Annual ACM Symposium on Applied Computing
DIONE: a flexible disk monitoring and analysis framework
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Rootkits are prevalent on today's Internet. Persistent rootkits in particular pose a serious security threat because they reside in storage and survive system reboots. Hypervisors are an attractive way to deal with rootkits, especially rootkits that have kernel privileges, because a hypervisor runs at a higher privilege level than the OS kernel. However, most previous studies do not focus on preventing persistent rootkits. This paper presents a hypervisor-based file protection scheme that prevents persistent rootkits from residing in storage. Based on security policies created in a secure environment, the hypervisor makes critical system files read-only, so that rootkits cannot modify them even with kernel privileges. Our scheme is designed to significantly reduce the size of the hypervisor when combined with the architecture of BitVisor, a thin hypervisor for enforcing I/O device security, thereby contributing to the reliability of the hypervisor. Our hypervisor consists of only 37 thousand lines of code in total, and its overhead on Windows XP with a FAT32 file system is only 1.1% to 14.0%.