Educational CyberPlayGround

Saturday, October 11, 2008

« Revoking Repeatedly Misbehaving Anonymou... | Main | Colombus Day Teach History Through Song »

The Department of Computer Science at Dartmouth College
announces a new technical report:

Detecting kernel rootkits

Dartmouth Technical Report TR2008-627

Ashwin Ramaswamy

Date: September 2008

Abstract:
Kernel rootkits are a special category of malware that are deployed directly in the
kernel and hence have unmitigated reign over the functionalities of the kernel itself.
We seek to detect such rootkits that are deployed in the real world by first observing
how the majority of kernel rootkits operate. To this end, comparable to how rootkits
function in the real world, we write our own kernel rootkit that manipulates the network
driver, thus giving us control over all packets sent into the network.
We then implement a mechanism to thwart the attacks of such rootkits by noticing
that a large number of the rootkits deployed today rely heavily on the redirection of
function pointers within the kernel. By overwriting the desired function pointer to its
own function, a rootkit can perform a proverbial man-in-the-middle attack.
Our goal is not just the detection of kernel rootkits, but also to levy as little an
impact on system performance as possible. Hence our technique is to leverage existing
kernel functionalities (in the case of Linux) such as kprobes to identify potential attack
scenarios from within the sytem rather than from outside it (such as a VMM). We hope
to introduce real-world security in devices where performance and resource constraints
are tantamount to security considerations.

Note:
M.S. Thesis Proposal. Advisor: Sean W. Smith

To obtain an electronic copy, point your web browser to the URL
<http://www.cs.dartmouth.edu/reports/abstracts/TR2008-627/>.

Network Newsletters

Saturday, October 11, 2008 11:25:07 PM (Eastern Daylight Time, UTC-04:00) Disclaimer | Comments [0] | Related posts:
SITESEEING: www.change.gov
AT&T Monthly Bandwidth Caps Are Here
ICANN proposes new way to buy top-level domains - Network World
Revoking Repeatedly Misbehaving Anonymous Users Without Relying on TTPs
LZfuz: a fast compression-based fuzzer for poorly documented protocols
FCC Begins to Resolve Mutually Exclusive Noncommercial FM Radio Applications

SIGN UP and GET POSTS DELIVERED TO YOUR EMAIL

Enter your email address:

You will get email if the Educational CyberPlayGround
has produced new content on that day.

Listen to this site on my phone with Jott Feeds

ON THIS PAGE....

Detect Rootkits


EDUCATION: An interdisciplinary blog about Internet and Technology News, NetHappenings, K12 Newsletters, and Network Newsletters. Provides resources for the Arts, Music, Linguistics, Literacy, National Childrens Folksong Repository, K12 School Directory for K-12 teachers, teacher educators, homeschooling parents, policy wonks, journalists, and business.