Security and Privacy in Communication Networks. 6th Iternational ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings

Research Article

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Download105 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-16161-2_10,
        author={Michael Grace and Zhi Wang and Deepa Srinivasan and Jinku Li and Xuxian Jiang and Zhenkai Liang and Siarhei Liakh},
        title={Transparent Protection of Commodity OS Kernels Using Hardware Virtualization},
        proceedings={Security and Privacy in Communication Networks. 6th Iternational ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings},
        proceedings_a={SECURECOMM},
        year={2012},
        month={5},
        keywords={Virtualization Harvard Architecture Split Memory},
        doi={10.1007/978-3-642-16161-2_10}
    }
    
  • Michael Grace
    Zhi Wang
    Deepa Srinivasan
    Jinku Li
    Xuxian Jiang
    Zhenkai Liang
    Siarhei Liakh
    Year: 2012
    Transparent Protection of Commodity OS Kernels Using Hardware Virtualization
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-16161-2_10
Michael Grace1, Zhi Wang1, Deepa Srinivasan1, Jinku Li1, Xuxian Jiang1, Zhenkai Liang2, Siarhei Liakh1
  • 1: North Carolina State University
  • 2: National University of Singapore

Abstract

Kernel rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with rootkit resistance while introducing < 5% performance overhead.