TY - GEN
T1 - Rootkit-resistant disks
AU - Butler, Kevin R.B.
AU - McLaughlin, Stephen
AU - McDaniel, Patrick D.
N1 - Copyright:
Copyright 2009 Elsevier B.V., All rights reserved.
PY - 2008
Y1 - 2008
N2 - Rootkits are now prevalent in the wild. Users affected by rootkits are subject to the abuse of their data and resources, often unknowingly. Such malware becomes even more dangerous when it is persistent: infected disk images allow the malware to exist across reboots and prevent patches or system repairs from being successfully applied. In this paper, we introduce rootkit-resistant disks (RRD) that label all immutable system binaries and configuration files at installation time. During normal operation, the disk controller inspects all write operations received from the host operating system and denies those made for labeled blocks. To upgrade, the host is booted into a safe state and system blocks can only be modified if a security token is attached to the disk controller. By enforcing immutability at the disk controller, we prevent a compromised operating system from infecting its on-disk image. We implement the RRD on a Linksys NSLU2 network storage device by extending the I/O processing on the embedded disk controller running the SlugOS Linux distribution. Our performance evaluation shows that the RRD exhibits an overhead of less than 1% for filesystem creation and less than 1.5% during I/O intensive Postmark benchmarking. We further demonstrate the viability of our approach by preventing a rootkit collected from the wild from infecting the OS image. In this way, we show that RRDs not only prevent rootkit persistence, but do so in an efficient way.
AB - Rootkits are now prevalent in the wild. Users affected by rootkits are subject to the abuse of their data and resources, often unknowingly. Such malware becomes even more dangerous when it is persistent: infected disk images allow the malware to exist across reboots and prevent patches or system repairs from being successfully applied. In this paper, we introduce rootkit-resistant disks (RRD) that label all immutable system binaries and configuration files at installation time. During normal operation, the disk controller inspects all write operations received from the host operating system and denies those made for labeled blocks. To upgrade, the host is booted into a safe state and system blocks can only be modified if a security token is attached to the disk controller. By enforcing immutability at the disk controller, we prevent a compromised operating system from infecting its on-disk image. We implement the RRD on a Linksys NSLU2 network storage device by extending the I/O processing on the embedded disk controller running the SlugOS Linux distribution. Our performance evaluation shows that the RRD exhibits an overhead of less than 1% for filesystem creation and less than 1.5% during I/O intensive Postmark benchmarking. We further demonstrate the viability of our approach by preventing a rootkit collected from the wild from infecting the OS image. In this way, we show that RRDs not only prevent rootkit persistence, but do so in an efficient way.
UR - http://www.scopus.com/inward/record.url?scp=70349270845&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70349270845&partnerID=8YFLogxK
U2 - 10.1145/1455770.1455821
DO - 10.1145/1455770.1455821
M3 - Conference contribution
AN - SCOPUS:70349270845
SN - 9781595938107
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 403
EP - 415
BT - Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08
T2 - 15th ACM conference on Computer and Communications Security, CCS'08
Y2 - 27 October 2008 through 31 October 2008
ER -
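The abstract above describes the RRD policy in three pieces: blocks holding system binaries and configuration are labeled immutable at installation time, the disk controller denies host writes to labeled blocks during normal operation, and labeled blocks become writable again only while a security token is attached to the controller. The C model below is an added illustration of that write-mediation policy, written for this record; it is not the authors' NSLU2/SlugOS implementation and the paper's actual label storage, token interface and on-disk layout are not reproduced here. Assumptions not taken from the abstract: a fixed array of 64 small blocks, one label byte per block, a single boolean standing in for "token attached", and a rule that labeling itself also requires the token. The "safe state" boot is a procedure on the host that the controller cannot verify, so the model deliberately keys its decision on the token alone, which is the only condition the abstract places at the controller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an RRD controller's write path (illustration only, not the paper's code). */
#define RRD_NBLOCKS   64   /* assumed: tiny disk for the demo */
#define RRD_BLOCKSIZE 16   /* assumed: 16-byte blocks */

struct rrd_disk {
    uint8_t  data[RRD_NBLOCKS][RRD_BLOCKSIZE];
    uint8_t  labeled[RRD_NBLOCKS];  /* 1 = immutable system block */
    bool     token_attached;        /* assumed: models the physical security token */
    unsigned denied_writes;         /* audit counter for rejected writes */
};

void rrd_init(struct rrd_disk *d) { memset(d, 0, sizeof *d); }

/* Installation-time labeling. Assumption: only allowed while the token is attached,
 * so a compromised OS cannot later relabel arbitrary blocks. */
bool rrd_label_block(struct rrd_disk *d, size_t blk) {
    if (blk >= RRD_NBLOCKS || !d->token_attached) return false;
    d->labeled[blk] = 1;
    return true;
}

/* The policy check applied to every host write: unlabeled blocks are always
 * writable; labeled blocks only while the token is attached (the upgrade path). */
static bool rrd_write_allowed(const struct rrd_disk *d, size_t blk) {
    return !d->labeled[blk] || d->token_attached;
}

/* Host write request. Returns true if committed, false if denied or malformed. */
bool rrd_write(struct rrd_disk *d, size_t blk, const uint8_t *buf, size_t len) {
    if (blk >= RRD_NBLOCKS || len > RRD_BLOCKSIZE) return false;
    if (!rrd_write_allowed(d, blk)) { d->denied_writes++; return false; }
    memset(d->data[blk], 0, RRD_BLOCKSIZE);
    memcpy(d->data[blk], buf, len);
    return true;
}

/* Reads are never mediated; the policy is about persistence, not confidentiality. */
bool rrd_read(const struct rrd_disk *d, size_t blk, uint8_t *buf, size_t len) {
    if (blk >= RRD_NBLOCKS || len > RRD_BLOCKSIZE) return false;
    memcpy(buf, d->data[blk], len);
    return true;
}

/* Constructed scenario: install a system binary, let a compromised OS try to
 * overwrite it, then perform a legitimate upgrade with the token attached.
 * Returns 0 if every step behaves as the policy requires, else the failing step. */
int rrd_demo(void) {
    struct rrd_disk d;
    uint8_t out[RRD_BLOCKSIZE];
    const uint8_t binary[]  = "/sbin/init v1";   /* constructed sample content */
    const uint8_t rootkit[] = "rootkit hook";    /* constructed sample content */
    const uint8_t patched[] = "/sbin/init v2";   /* constructed sample content */

    rrd_init(&d);
    /* 1. Installation: token attached, system binary written to block 3 and labeled. */
    d.token_attached = true;
    if (!rrd_write(&d, 3, binary, sizeof binary)) return 1;
    if (!rrd_label_block(&d, 3)) return 2;

    /* 2. Normal operation: token removed. A compromised OS tries to persist itself. */
    d.token_attached = false;
    if (rrd_write(&d, 3, rootkit, sizeof rootkit)) return 3;   /* must be denied */
    if (d.denied_writes != 1) return 4;
    if (!rrd_read(&d, 3, out, sizeof out)) return 5;
    if (memcmp(out, binary, sizeof binary) != 0) return 6;     /* image untouched */
    if (!rrd_write(&d, 10, rootkit, sizeof rootkit)) return 7; /* user data still writable */
    if (rrd_label_block(&d, 10)) return 8;                     /* no token: cannot label */

    /* 3. Upgrade: host rebooted into its safe state, token attached at the controller. */
    d.token_attached = true;
    if (!rrd_write(&d, 3, patched, sizeof patched)) return 9;
    if (!rrd_read(&d, 3, out, sizeof out)) return 10;
    if (memcmp(out, patched, sizeof patched) != 0) return 11;
    return 0;
}

int main(void) {
    int rc = rrd_demo();
    printf("rrd_demo: %s (rc=%d)\n", rc == 0 ? "policy held" : "policy violated", rc);
    return rc;
}
```

The point the model makes is the one the abstract makes: the decision is taken below the operating system, so a kernel-level rootkit that has already won on the host still cannot reach the labeled blocks, while writes to ordinary data blocks are unaffected, which is why the reported overhead stays small. What the model does not capture is the filesystem-level question of which blocks belong to "immutable system binaries and configuration files", and how that mapping survives allocation changes; that is the part of the design a reader should look for in the paper itself.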