TY - GEN
T1 - Towards a tamper-resistant kernel rootkit detector
AU - Quynh, Nguyen Anh
AU - Takefuji, Yoshiyasu
PY - 2007
Y1 - 2007
N2 - A variety of tools and architectures have been developed to detect security violations in Operating System kernels. However, they all have a fundamental flaw in their design, so they fail to discover kernel-level attacks. A few hardware solutions have been proposed to address this outstanding problem, but unfortunately they are not widely accepted. This paper presents a software-based method to detect intrusions into the kernel. The proposed tool, named XenKIMONO, is based on the Xen Virtual Machine and is able to detect many kernel rootkits in virtual machines with a small penalty to the system's performance. In contrast with the traditional approaches, XenKIMONO is isolated from the kernel being monitored, so it can still function correctly even if the observed kernel is compromised. Moreover, XenKIMONO is flexible and easy to deploy, as it requires absolutely no modification to the monitored systems.
KW - Intrusion detection
KW - Kernel rootkit
KW - Linux
KW - Xen virtual machine
UR - http://www.scopus.com/inward/record.url?scp=35248835511&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=35248835511&partnerID=8YFLogxK
U2 - 10.1145/1244002.1244070
DO - 10.1145/1244002.1244070
M3 - Conference contribution
AN - SCOPUS:35248835511
SN - 1595934804
SN - 9781595934802
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 276
EP - 283
BT - Proceedings of the 2007 ACM Symposium on Applied Computing
PB - Association for Computing Machinery
T2 - 2007 ACM Symposium on Applied Computing
Y2 - 11 March 2007 through 15 March 2007
ER -