Research Article
Transparent Protection of Commodity OS Kernels Using Hardware Virtualization
@INPROCEEDINGS{10.1007/978-3-642-16161-2_10, author={Michael Grace and Zhi Wang and Deepa Srinivasan and Jinku Li and Xuxian Jiang and Zhenkai Liang and Siarhei Liakh}, title={Transparent Protection of Commodity OS Kernels Using Hardware Virtualization}, proceedings={Security and Privacy in Communication Networks. 6th Iternational ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings}, proceedings_a={SECURECOMM}, year={2012}, month={5}, keywords={Virtualization Harvard Architecture Split Memory}, doi={10.1007/978-3-642-16161-2_10} }- Michael Grace
Zhi Wang
Deepa Srinivasan
Jinku Li
Xuxian Jiang
Zhenkai Liang
Siarhei Liakh
Year: 2012
Transparent Protection of Commodity OS Kernels Using Hardware Virtualization
SECURECOMM
Springer
DOI: 10.1007/978-3-642-16161-2_10
Abstract
Kernel rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with rootkit resistance while introducing < 5% performance overhead.