Journal: Security and Communication Networks (Online)

MOSKG: countering kernel rootkits with a secure paging mechanism


Abstract

The kernel‐level rootkits compromise the security of operating systems. In the current research studies, virtualization is used as a key tool against these attacks with virtualization‐based memory protection. There are glitches in the memory protection mechanism, and it is vulnerable to page mapping attack and hard to be used for protecting dynamic data. To address these problems, we proposed a secure paging mechanism and constructed an external and transparent architecture named multiple operating systems kernel guard (MOSKG), which can protect critical kernel data in different operating systems like Windows and Linux, both of 32‐bit and 64‐bit. To evaluate our proposed architecture, we applied some experiments that are based on the study of kernel rootkits. The results show that MOSKG can protect critical kernel data from dynamic kernel object manipulation and page mapping attack, and it defeats all of the kernel‐level attacks. It is also a significant conclusion that MOSKG only introduces a small performance overhead of 2.3%. Copyright © 2015 John Wiley & Sons, Ltd.

We presented a secure paging mechanism (which is in the memory protector) to protect the critical kernel data in the guest virtual machine (VM) from dynamic kernel object manipulation and page mapping attack. Based on the secure paging mechanism, we proposed an external and transparent architecture for protecting multiple VMs with diverse operating systems such as Windows and Linux, both of 32‐bit and 64‐bit, which gives a fine‐granularity protection to certain critical kernel data from kernel‐level attacks.