Scientists Unveil Lightweight Rootkit Protection

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

I'll take one

[2names]

I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.

Re:

[LucidBeast]

Seconded, Jefferson be damned

Re:I'll take one

[tjstork]

It wasn't Jefferson, it was Franklin

Re:I'll take one

[Anonymous Coward]

I read it differently. I think he simply really, really, hates Jefferson and couldn't help but add it to his comment. Adams be damned.

Re:

[Captain Splendid]

Senior or Junior?

Re:I'll take one

[FatdogHaiku]

Gomez

Re:I'll take one

[kungfugleek]

Right. It was that one president who invented the light bulb and knew 200 different uses for the peanut.

Re:

[_Shad0w_]

Franklin was never President. He was part of the Committee Of Five that drafted the Declaration of Independence and the first Postmaster General though. He was also a polymath.

Re:

[Saint Mitchell]

I admit I had no idea what polymathic meant. Now that I've wikipedia'd it I really like it. Kudos to you sir for giving me a word to toss into a random conversation that will make me sound smarter than I am.

No, that wasn't sarcasm I'm being serious.

Re:

[_Shad0w_]

I shall throw autodidact your way as well then :)

Re:

[A nonymous Coward]

I'll bet Franklin had the sense of humor you seem to be missing. His kite would have whooshed right over your head.

And...

[tjstork]

He was also a polymath.

And a poly-woman, for sure.

Re:

[FatdogHaiku]

I wish people would check their facts. He MADE a light bulb out of 200 peanuts... and once it had been on for a few minutes it smelled delicious!

Re:

[ConceptJunkie]

I think he also discovered evolution by tying a string to a Galapagos turtle.

Re:

[LucidBeast]

It was in quotation marks and sounds more like Jefferson. Benjamin didn't worry about rootkits. His OS was engraved on metal plates.

Re:

[selven]

Those who would give up an instant chain of Score 4:Funny comments for factual accuracy deserve neither humor nor accuracy.

Re:I'll take one

[NotBornYesterday]

Nice try, young man, but you can't fool me. It's hypervisors all the way down.

Re:

[NoYob]

I would gladly give up 6% of the performance of my machine if I could be safe from rootkits. Now queue the "those who would give up system performance for system security deserve neither" posts.

Damn straight! The same goes for guns! It should be a law that computer admins have to carry guns in order to protect their machines! Have a computer in your house? Well then, you are required to have a gun by your machine - even if you live in NY City!

Re:

[V50]

Merely carry guns? What kind of protection is that?

I say, it should be mandatory to have a USB firearm attached to your computer. If it detects someone trying to steal the computer, someone getting the password wrong, or someone trying to install unwanted software, the computer will now have a way to defend itself. I think we'd all be safer in a world where every computer has a USB assault rifle attached to it.

Re:

[NotBornYesterday]

I'd be tempted to shoot the computers.

Re:

[FatdogHaiku]

Sure, you say that now.
When they can shoot back it will be "No Sir Mr. Computer Sir, I was no where near the UPS when that event happened, you got to believe me, it was someone who resembles me pixel for pixel, OH PLEASE DON"T AIM AT MY GROIN AGAIN!"

Re:I'll take one

[NotBornYesterday]

I used to work for a computer distributor back in the mid-1990's. One of our VARs received a whole bunch of defective Seagate SCSI drives in a single shipment. He RMA's most of them, but he sent one to his sales rep personally, with a bullet hole through it. It was all in good fun, and she kept the disk on a shelf in her cubicle as a sort of trophy. I can't recall if the Seagate rep ever got to see it, though.

Re:

[the_womble]

If he did that now he would probably be arrested for something or the other: shooting the hard drive could be interpreted as a threat to shoot a person.

Re:

[NotBornYesterday]

Yeah, things are a lot different now. Of course, you have to understand that they got along very well and did a lot of business together. I'm pretty sure he gave her a heads-up it was coming, and that she knew it was intended for her amusement. Still, not something I'd do these days.

Re:

[droopycom]

I'm actually amazed that you could shoot a bullet at a drive, and the drive would not shatter in 100 pieces...

Re:

[fuzzyfuzzyfungus]

Some drives, mostly 2.5in and smaller, have glass platters (which do, in fact, shatter pretty enthusiastically and form nasty sharp slivers) most HDDs have metal platters, reasonably chunky aluminum housings, steel covers, and a fiberglass PCB on the bottom.

I wouldn't volunteer to use one for armor; but it is pretty much to be expected that such a structure would either suffer a fairly neat hole(particularly if the round were jacketed) or just a significant dent(if it were softer lead only).

Re:

[glarbl_blarbl]

Yeah, that sounds right. The Mythbusters shot an iPod in one of their "What is Bulletproof?" eps and that's what it looked like. I googled around but couldn't find the video or any images online so I guess one will have to take my word for it or buy the DVD.

Re:

[binarylarry]

In the spirit of slashdot, I feel instead of a gun, it should be a +3 or great melee weapon of smiting.

Re:I'll take one

[Anonymous Coward]

Those who would give up essential system performance for temporary system security... probably need to learn how to overclock their systems.

Re:

[Sinning]

if (mtbf > mtbObsolete) then overclock();

Re:

[Runaway1956]

6% doesn't sound like much. But, this is for virtual machines. By definition, a VM is already handicapped. Take away 6% of the performance of Windows 7 inside my existing VM's, and they aren't worth having. An XP machine may still work alright, but that isn't certain.

Maybe I just need faster, more powerful hardware, then I won't notice another 6% decrease.

Re:

[2names]

Maybe I just need faster, more powerful hardware

If the current state of programming is any indication, then yes, you obviously need faster, more powerful hardware. :)

Re:

[the_womble]

I would gladly give up 6% of the performance of my machine if I could be safe from rootkits.

Worthwhile: yes.

Lightweight: no

Re:

[jhol13]

How about, er, a microkernel?

It loses less than 6% ...

RamDisk

[improfane]

I believe liveCDs work because they create ramdisks which are modifiable in memory so that they could technically be exploited in memory until switched off. Unless of course they are read only ram disks.

So ...

[Nerdfest]

There's actually nine rootkits out there for Linux? Anyone run into these or have any recommendations of good detection software? I've always been curious if an clamav run from a live CD will pick them up.

Re:So ...

[Anonymous Coward]

http://www.chkrootkit.org/ [chkrootkit.org]

MOD Parent UP !!!

[DrYak]

Together with Rkhunter (mentionned in another post bellow) Chkrootkit are both nice tools to use in helping preventing a linux machine being rooter.

Re:So ...

[vistapwns]

No, it's a lie. It's not possible to build a rootkit for linux, it's magical.

Re:

[Nerdfest]

There's possible, and there's 'worth the trouble'. I'd assume most of these are aimed at large scale server users, but I'm curious about how common they are in the wild.

Re:

[PhilHibbs]

The reason it's called a root kit is that it hides the fact that your box has been root ed, and what kind of O/S has a root account? Hint: Not Windows.

Re:

[Tony Hoyle]

Rootkit as a name has nothing to do with the OS it's running on.. the Sony rootkits targetted Windows for example.

Anyway, Windows has a whole class of root users called the administrators group, not just one user.

Re:

[PhilHibbs]

OK, badly phrased on my part, I was referring to the origin of the phrase.

Re:

[tepples]

[Members of the Administrators group in Windows] almost, but not quite have root privileges.

If a user can elevate to having a privilege without having to authenticate as anyone but the user himself, then the user effectively has that privilege. Members of the Adminstrators group under Windows have the privileges of the system account, and sudoers under Linux have the privileges of the root account.

Re:

[fluffy99]

That depends entirely on what rights are granted to the administrators group and what are given to the system account. On top of that, you have the permissions on specific resources that may be different. A properly hardened Windows box will have tighter rights-assignments and resource permissions (think registry keys and file permissions).

By default though, the Administrators group have more total rights granted than the system account itself. Run secpol.msc -> local policies -> user rights assign

Re:So ...

[hmar]

You're either insulated, or you suck at humor. By your logic windows boxes get administratored.

Well, with some of the messes I've had to clean up from previous Admins it isn't an unfair statement

Re:

[selven]

Administratored? I know it's cool to talk about the paper you "authored" and all, but this is getting ridiculous.

Rootkit hunter

[jDeepbeep]

Anyone run into these or have any recommendations of good detection software?

Rootkit Hunter [sourceforge.net]

Re:

[Thelasko]

Rootkit Hunter [sourceforge.net]

Ubuntu users:

sudo apt-get install rkhunter
sudo rkhunter -c

Any warnings about stuff in /dev [blogspot.com] is likely normal. [ubuntuforums.org]

Re:

[mixmatch]

I've never had dependency problems with apt-get. Where are you getting this?

Re:

[Jazz-Masta]

The summary was incorrect - corrected below:

The team installed HookSafe on a machine running Windows Vista, and found the system successfully prevented 126, 000 real-world rootkits targeting that platform from installing or hiding themselves.

Re:So ...

[Thelasko]

There's actually nine rootkits out there for Linux?

The rootkits in question are:

• adore-ng 0.56 [lwn.net]
• eNYeLKM 1.2
• sk2rc2
• superkit
• Phalanx b6 [theregister.co.uk]
• mood-nt 2.3
• override
• Sebek 3.2.0b
• hideme.vfs

Some of them are in the wild an some are just for research. For more information, I would check out this page. [packetstormsecurity.org]

Re:

[ehrichweiss]

Thanks. Do you have any other sources for Linux rootkit info? I've been studying Vista kits for the past few months and find them horrifyingly simple to implement.

Re:

[jhol13]

No. Distributing virus information is illegal in Finland (where "virus" is "program or part of it which causes harm to computers or data networks").

Sorry for offtopic ...

Re:

[Skjellifetti]

There's actually nine rootkits out there for Linux?

Yes, they are supposed to be pretty scary, too. But what is worse, is that there is a ring 0 rootkit that rules them all.

Not degrading the performance?

[Mysticalfruit]

So the synopsis starts by saying it doesn't degrade performance and ends with "it only causes a 6% drop in performance." Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

Re:

[Anonymous Coward]

Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

My spelling error detector just exploded! You jerk!

Re:

[Mysticalfruit]

Ha! Ha!

My native naive kernel naively is native!

Sorry about that, my caffeine level was way below optimum...

Re:Not degrading the performance?

[bcmm]

Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

Were you trying to say "Now, I might be native, but why can't these memory aligning tricks be done in the kernel naively?

Re:

[moderatorrater]

Schneier's synopsis [schneier.com] is pretty good. Apparently, most hardware only provides page-level memory granularity, whereas protecting these hooks requires byte-level granularity.

Re:

[Rockoon]

Indeed. It is unlikely that byte level granularity will be common for commodity processors. Processors such as the old mainframe PDP-10 did have byte-level (hmmm, or was it word level?) access triggers.

Re:

[wcrowe]

You might be snow? And your kernel is naïve?

Re:

[raddan]

Overlooking the funny spelling errors, there is no reason why the kernel can't do this natively. It just doesn't at the moment.

Re:

[Attila Dimedici]

Now, I might be nieve but why can't these memory aligning tricks be done in the kernel naively?

What does the fact that you might be a fist ( http://www.yourdictionary.com/nieve [yourdictionary.com] )have to do with doing something naive in the kernel?

What were the rootkits?

[sgt scrub]

I'd like to know the 9 rootkits used. I know Ubuntu 8.04 is a generation behind the current stable version but I don't think there were any rootkits capable of installing. I'm assuming the people doing the test didn't install the kernel source on the box. It isn't installed by default and AFAIK you have to be able to build the kit using the kernel source. Anyone know of a rootkit that can be installed without creating modules from the kernel source? Maybe I'm just way out of the loop on owning a Linux box.

Re:

[JesseMcDonald]

You don't need the full kernel source to build a module, just the header files. These are usually placed in a separate package. Is the kernel header package installed by default?

Re:

[tepples]

Is the kernel header package installed by default?

One of the first things that a programmer installs on Ubuntu is build-essential. This package brings in GCC, GNU Make, and libc6-dev (the C standard library headers). And libc6-dev brings in the kernel headers. So if you've installed anything from source on Ubuntu, you have the kernel headers.

Re:

[felipekk]

I've installed an Ubuntu 9.04 Server recently and it didn't include the headers by default (neither the source).

I'm pretty sure it's also the case for 9.10.

Re:

[Anonymous Coward]

8.04 isn't a full generation behind anything, it's the LTS version which is most likely to be used by people wanting Ubuntu on a server. They made an excellent choice with using 8.04 as their testbed for this.

Further, a rootkit absolutely doesn't require any kernel modules. A patched copy of /bin/sh works quite fine, but as always it all depends on what you want.

You're out of the loop. :(

Re:

[sgt scrub]

How does an application, not part of the kernel, boot before the kernel? I guess if it is build into the BIOS. But, that wouldn't be a Linux rootkit would it?

Re:

[sgt scrub]

I guess the eyes ARE the first to go. Thanks.

Sounds like a root kit.

[Hatta]

So this thing acts as a hypervisor and loads its own hooks into the kernel. Sounds like something a root kit would do.

It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

Re:Sounds like a root kit.

[moderatorrater]

It reminds me of one approach to avoid a terrorist attack when flying. Carry your own bomb onto the plane. After all, what are the chances that there would be two bombs on the plane?

That's why the TSA's so harmful. If you outlaw bombs on a plane, then only terrorists will have bombs.

Re:

[MickyTheIdiot]

What? Spike Milligan must of come up with that strategy.

Re:

[AlgorithMan]

After all, what are the chances that there would be two bombs on the plane?

the a-priori probability

P(2 bombs)

is very low, but if you know there already is a bomb in it, you have to apply the conditional probability

P(2 bombs | 1 bomb)
= P(2 bombs intersection 1 bomb) / P(1 bomb)
= P(2 bombs) / P(1 bomb)
= P(1 bomb and 1 bomb) / P(1 bomb)
= P(1 bomb)^2 / P(1 bomb)
= P(1 bomb)

so you gain no extra security from this measurement... sorry to disappoint you... </smart ass>

Re:

[Captain Splendid]

"We'll denote our bomb before you activate yours"? No power to terrorists!

Only symbolically, of course.

Re:

[Tanktalus]

Better way: all the airplanes should be required to carry 72 UGLY virgins as stewardesses. When the Holy Terror sees he future reward, he'll give up.

I always thought that having all stewardesses be topless was the better idea. Not only would it dissuade the terrorists from even getting on the plane, it would easily triple the amount of business travel, restoring profitability to the airlines.

Hmm , is there a reason they didn't use Windows?

[Viol8]

... it being partly a microsoft research project and all. They wouldn't be trying to imply anything about Linux would they , or perish the thought , be unwilling to embarras themselves if Windows could *still* be rooted even after this solution was installed?

Re:

[Tony Hoyle]

Probably more likely it's easier to test the theory on a kernel you can hack the source of quite easily than recompile Windows every time.. even if you have the souce license (which they may not have done even though they're funded by microsoft).

Re:

[HiThere]

That may be true, but having encountered tied actions from purportedly independent MS funded groups before, I'm going to remain a bit dubious. I don't know what their agenda is, and I'll accept that it *MIGHT* be academic research. But it's going to take a bushel and a half of proof before I'll consider that a reasonable default assumption.

How well would this play with Anti Virus programs?

[Viol8]

Anti Virus programs are effectively rootkits - at least for Windows - as they bury themselves deep in the OS and redirect various kernel hooks to themselves. I can see potential problems if this type of solution ever becomes common though I suppose you could argue that you shouldn't need anti virus protection if you have this hypervisor. And with both Linux and Windows how would it take into account someone attempting to load a driver/module from userland?

Re:

[AtomicDevice]

Anti Virus programs are effectively worthless shareware with a pretty interface designed to have a tray icon look science-ey - at least for Windows

I think you had a little typo there, but I fixed it.

Re:

[selven]

The Moon is Earth's only natural satellite and the fifth largest satellite in the Solar System

I think you made a typo on pretty much every one of your letters, but I fixed them all.

If it can be added, it can be removed

[RiotingPacifist]

You cannot protect against root kits, all you can do is make it harder to get true root. How is this more effective than making key binaries immutable then removing the kernel ability to remove immutability during boot (performance cost 0%)?

Re:

[Tony Hoyle]

If you can get a driver into ring 0 what the kernel can or can't do doesn't mean squat. Run everything under a hypervisor, however, and you never get direct access to the hardware hence it limits what you can do (doesn't mean you can't do it.. just makes it significantly harder).

Re:

[Rockoon]

Add to this the fact that even with a fully updated Windows/Linux/OSX box, it is still possible for a userland program to snag ring-0 via known vulnerabilities.

I predict that hypervisors will become very complex over the next 10 years, complete with malware detection heuristics, but will eventually fall prey to the same problems modern kernels have (that of being too complex to make bullet proof)

By any other name

[fibonacci8]

A root kit is just a sandbox that someone else has set up for you on what is now his or her computer.

6%?? Of what system?

[Hurricane78]

6% of my mobile phone? Or 6% of the RoadRunner with its 1 petaflop?

I think a proper rootkit protection is a passive one. One that only takes resources, if there is actually something to do. How about that?
Sorry, 6% might sound small, but when you add it all together, rootkit-protection, anti-virus, anti-malware, intrusion detection system, honeypot, etc, etc, etc... and end up with only 6% of your cpu work actually being used for real work... you might start thinking about designing your OS in a proper way

Re:6%?? Of what system?

[raddan]

I'd have to read the author's original paper here to know for sure, but that 6% performance hit may be because those kernel hook pages are being swapped out of memory. Relocating kernel hooks to read-only pages is proper design, and if this proof-of-concept really works, kernel developers across all operating systems would be foolish not to look into implementing it themselves.

But if the aforementioned 6% is because of swapping, then some changes to the page replacement algorithm may mitigate the performance hit somewhat. My feeling is that this kind of protection is worth it. By analogy, bounds-checking arrays prevents many kinds of overflow errors, and there's a penalty to pay for that protection, but in most cases it is well worth doing.

Re:6%?? Of what system?

[Charan]

Reading the research paper, the 6% overhead looks like it comes from having the kernel call into the hypervisor every time it allocates or frees an object that contains a kernel hook (a.k.a. function pointer). The designers explicitly state that they use non-paged memory to store the protected kernel hooks.

Lightweight? No, thank you.

[SEWilco]

But I don't want lightweight protection. I want a lot of steel and guns. And armed drones with packet sniffers. And K-9 units with dowsing rods.

The actual paper

[rabtech]

The paper: http://discovery.csc.ncsu.edu/pubs/ccs09-HookSafe.pdf [ncsu.edu]

And the required Schneier blog post: http://www.schneier.com/blog/archives/2009/11/protecting_oss.html [schneier.com]

Link to the paper

[SiliconEntity]

http://discovery.csc.ncsu.edu/pubs/ccs09-HookSafe.pdf [ncsu.edu]

[Via Schneier [schneier.com]]

Re:

[tjstork]

Surely this problem was addressed in the 1960s or 1970s in the mainframe world, yet I've not heard much in the way of lessons we can apply to today's PC-type OSes.

Could be tough. Have computer in physically sealed room, only communicate with dumb terminals.

Re:

[NotBornYesterday]

How many rootkits were running around back then?

Re:

[camperdave]

Here's one [uni-klu.ac.at]. Of course, once they were found, they were very easy to remove.

That's where the hypervisor idea comes from...

[mbessey]

I think IBM invented hypervisors to allow running multiple OS's on the same hardware back in the 1960s...
Yep: http://en.wikipedia.org/wiki/Hypervisor#Mainframe_origins [wikipedia.org]

Re:

[Plekto]

This approach was common a couple of decades ago where you had the OS in ROM and there wasn't any way to do this sort of nonsense. The Live CD approach works well enough, I guess(though it's seriously slow), but with the right technology(USB or flash/SDD port on most new motherboards comes to mind), it should be possible to load some version of *IX onto the device, plug it into the slot, and go. You would need some method of physical protection for the device you've plugged in. I don't know of any, though

Re:

[Plekto]

The last model I know of that did this was the Mac classic the mid 90s - it had OS in ROM and was a fully functional machine if booted up this way. My favorite though was the old C128, because it was actually a usable modern computer and worked as well as a typical console in terms of ease of use and reliability. With Readyboost and similar slots now on some motherboards, you may see a return of these type of setups. The only worry of course is being able to lock down the volume in a manner that is BIOS

Re:

[Quantumstate]

Does that mean that is is a typo in TFA as well "The team installed HookSafe on a machine running Ubuntu 8.04"