Defeating Dynamic Data Kernel Rootkit Attacks Via VMM-Based Guest-Transparent Monitoring
Source: North Carolina State University
Targeting the operating system kernel, the core of trust in a system, kernel rootkits are able to compromise the entire system, placing it under malicious control while eluding detection efforts. Within the realm of kernel rootkits, dynamic data rootkits are particularly elusive because they attack only data targets. Dynamic data rootkits avoid code injection and instead use existing kernel code to manipulate kernel data. Because they do not execute any new code, they can complete their attacks without violating kernel code integrity. The authors propose a prevention solution that blocks dynamic data kernel rootkit attacks by monitoring kernel memory access using Virtual Machine Monitor (VMM) policies.
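To make the policy idea concrete, here is an added example that is not the paper's code: a simplified model of a VMM write policy in which each protected kernel data region lists the guest kernel code ranges that are allowed to write it, so a trapped write from any other instruction pointer is blocked even though it executes only existing kernel code. It assumes the VMM traps writes to the protected pages and reports the guest instruction pointer; the region names, address ranges and the `vmm_check_write` function are constructed for illustration, and the page does not describe the paper's actual policy format.

```c
/* Added example (not from the paper): simplified VMM write policy over guest
   kernel data. Each protected region names the kernel code ranges that may
   write it; a trapped write from any other instruction pointer is blocked. */
#include <stdint.h>
#include <stddef.h>

typedef struct { uint64_t start, end; } range_t;   /* half-open [start, end) */

typedef struct {
    const char *name;
    range_t data;        /* protected kernel data region */
    range_t writers[2];  /* kernel code allowed to write it */
    size_t n_writers;
} policy_t;

/* Constructed guest layout (all addresses made up): the task list may only be
   written by the scheduler's list helpers, the syscall table by the loader. */
static const policy_t policies[] = {
    { "task_list",
      { 0xffff888001000000ULL, 0xffff888001004000ULL },
      { { 0xffffffff81010000ULL, 0xffffffff81012000ULL } }, 1 },
    { "sys_call_table",
      { 0xffff888002000000ULL, 0xffff888002001000ULL },
      { { 0xffffffff81200000ULL, 0xffffffff81201000ULL } }, 1 },
};

static int in_range(const range_t *r, uint64_t a) {
    return a >= r->start && a < r->end;
}

/* Returns 1 if the VMM should let the write proceed, 0 if it must be blocked.
   Writes outside every protected region are allowed; *region (optional)
   receives the matching policy name, or NULL. */
int vmm_check_write(uint64_t target, uint64_t rip, const char **region) {
    if (region) *region = NULL;
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        if (!in_range(&policies[i].data, target)) continue;
        if (region) *region = policies[i].name;
        for (size_t w = 0; w < policies[i].n_writers; w++)
            if (in_range(&policies[i].writers[w], rip)) return 1;
        return 0;  /* existing data touched from outside its trusted code path */
    }
    return 1;
}
```

A write to the task list from the list helper range is allowed, while the same write issued from unrelated kernel code is blocked, which is the data-only case kernel code integrity checks alone would miss.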