Rootkit-resistant disks

Kevin R.B. Butler, Stephen McLaughlin, Patrick D. McDaniel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

29 Scopus citations

Abstract

Rootkits are now prevalent in the wild. Users affected by rootkits are subject to the abuse of their data and resources, often unknowingly. Such malware becomes even more dangerous when it is persistent: an infected disk image allows the malware to survive reboots and prevents patches or system repairs from being successfully applied. In this paper, we introduce rootkit-resistant disks (RRD), which label all immutable system binaries and configuration files at installation time. During normal operation, the disk controller inspects every write operation received from the host operating system and denies those directed at labeled blocks. To upgrade, the host is booted into a safe state, and system blocks can only be modified while a security token is attached to the disk controller. By enforcing immutability at the disk controller, we prevent a compromised operating system from infecting its own on-disk image. We implement the RRD on a Linksys NSLU2 network storage device by extending the I/O processing on the embedded disk controller running the SlugOS Linux distribution. Our performance evaluation shows that the RRD exhibits an overhead of less than 1% for filesystem creation and less than 1.5% during I/O-intensive Postmark benchmarking. We further demonstrate the viability of our approach by preventing a rootkit collected from the wild from infecting the OS image. In this way, we show that RRDs not only prevent rootkit persistence, but do so efficiently.

Original language: English (US)
Title of host publication: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08
Pages: 403-415
Number of pages: 13
DOIs
State: Published - 2008
Event: 15th ACM conference on Computer and Communications Security, CCS'08 - Alexandria, VA, United States
Duration: Oct 27 2008 - Oct 31 2008

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Other

Other: 15th ACM conference on Computer and Communications Security, CCS'08
Country/Territory: United States
City: Alexandria, VA
Period: 10/27/08 - 10/31/08

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
