Guest-Transparent Prevention of Kernel Rootkits With VMM-Based Memory Shadowing
Source: North Carolina State University
Kernel rootkits pose a significant threat to computer systems because they run at the highest privilege level and have unrestricted access to the resources of their victims. Many current efforts in kernel rootkit defense focus on the detection of kernel rootkits after a rootkit attack has taken place, while the smaller number of efforts in kernel rootkit prevention exhibit limitations in their capability or deployability. In this paper the authors present a kernel rootkit prevention system called NICKLE which addresses a common, fundamental characteristic of most kernel rootkits: the need to execute their own kernel code. NICKLE is a lightweight, Virtual Machine Monitor (VMM)-based system that transparently prevents unauthorized kernel code execution for unmodified commodity (guest) OSes.
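To make the memory-shadowing idea concrete, here is a small Python simulation added to this page (not code from the NICKLE authors): the VMM keeps a shadow copy of guest memory that receives kernel code only after it passes an assumed hash whitelist, and serves instruction fetches from that shadow, so code written into guest memory without authentication is never fetched for execution. The whitelist, addresses and byte strings are constructed for illustration.

```python
import hashlib

PAGE = 0x1000


class ShadowVMM:
    """Simplified model of VMM-based memory shadowing (assumption: code is
    authenticated by a SHA-256 whitelist; real hypervisor details are not modelled)."""

    def __init__(self, mem_size, trusted_hashes):
        self.standard = bytearray(mem_size)   # memory the guest reads and writes
        self.shadow = bytearray(mem_size)     # holds authenticated kernel code only
        self.trusted = set(trusted_hashes)
        self.log = []

    def guest_write(self, addr, data):
        """Ordinary guest memory write: lands in standard memory, never in the shadow."""
        self.standard[addr:addr + len(data)] = data

    def load_kernel_code(self, addr, code):
        """Guest loads kernel code; the VMM copies it to the shadow only if authenticated."""
        self.guest_write(addr, code)
        if hashlib.sha256(code).hexdigest() in self.trusted:
            self.shadow[addr:addr + len(code)] = code
            return True
        self.log.append(f"unauthenticated code at {addr:#x} kept out of shadow")
        return False

    def fetch_instruction(self, addr, n=1):
        """Instruction fetches are redirected to the shadow. Bytes that differ from
        standard memory (injected or overwritten code) are not in the shadow, so the
        fetch is refused and the event is logged."""
        insn = bytes(self.shadow[addr:addr + n])
        if insn != bytes(self.standard[addr:addr + n]):
            self.log.append(f"blocked execution of unauthenticated code at {addr:#x}")
            return None
        return insn


def demo():
    # Constructed bytes standing in for a vetted kernel function.
    vetted = b"\x55\x48\x89\xe5\xc3"
    vmm = ShadowVMM(4 * PAGE, [hashlib.sha256(vetted).hexdigest()])
    vmm.load_kernel_code(PAGE, vetted)
    ok = vmm.fetch_instruction(PAGE, len(vetted))        # authenticated: served
    vmm.guest_write(3 * PAGE, b"\x90\x90\xcc")           # constructed unvetted bytes
    injected = vmm.fetch_instruction(3 * PAGE, 3)        # not in shadow: refused
    vmm.guest_write(PAGE, b"\xcc")                       # overwrite vetted code in place
    patched = vmm.fetch_instruction(PAGE, 1)             # shadow differs: refused
    return ok, injected, patched, len(vmm.log)
```

Running `demo()` returns the vetted bytes for the authenticated fetch and `None` for both the injected and the patched code, with two log entries recording the refusals.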