By Topic

SHARK: Architectural support for autonomic protection against stealth by rootkit exploits

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

2 Author(s)
Vasisht, V.R. ; Sch. of Electr. & Comput. Eng., Georgia Inst. of Technol., Atlanta, GA ; Lee, H.-H.S.

Rootkits have become a growing concern in cyber-security. Typically, they exploit kernel vulnerabilities to gain root privileges of a system and conceal malwarepsilas activities from users and system administrators without any authorization. Once infected, these malware applications will operate completely in stealth, leaving no trace for administrators and anti-malware tools. Current anti-rootkit solutions try to either strengthen the kernel by removing known vulnerabilities or develop software tools at the OS or virtual machine monitor levels to monitor the integrity of the kernel. Seeing the failure of these software techniques, we propose, in this paper, an autonomic architecture called SHARK, or secure hardware support against rootkit by employing hardware support to provide system-level security without trusting the software stack, including the OS kernel. SHARK enhances the relationship between the OS and the hardware architecture, making the entire system more security-aware in defending rootkits. SHARK proposes new architectural support to provide a secure association between each software context and the underlying hardware. It helps system administrators to obtain feedback directly from the hardware to reveal all running processes, even when the OS kernel is compromised. We emulated the functionality of SHARK by using x86 Bochs and modifying the Linux kernel version 2.6.16.33 based on our proposed architectural extension. Several real rootkits were installed to compromise the kernel and conceal malware processes on our emulated environment. SHARK is shown to be highly effective in identifying a variety of rootkits employing different software schemes. In addition, the performance analysis based on our Simics simulations shows a negligible overhead, making the SHARK architecture highly practical.

Published in:

Microarchitecture, 2008. MICRO-41. 2008 41st IEEE/ACM International Symposium on

Date of Conference:

8-12 Nov. 2008