
KVM-based Detection of Rootkit Attacks


Abstract

Kernel-level rootkits pose a fatal security risk to the operating system. Existing detection methods, which run inside the host environment, have limitations such as the high privileges a rootkit holds and weak isolation. If the system under detection, which may contain a rootkit, and the detection system reside in the guest and host environments respectively, those limitations can be resolved. This paper proposes a rootkit detection method based on KVM (Kernel-based Virtual Machine) that uses virtualization technology. For static kernel code and data, the method adopts a guest memory protection mechanism based on protection of the host page tables and trusted code segments. For code and data dynamically allocated in heap space, the method introduces an integrity checking mechanism that is triggered when the call sequences of monitored functions reach a threshold. Experimental results show that this method can effectively prevent rootkit attacks on static code or data, and also quickly detect attacks on dynamically allocated code or data.