Kernel rootkits have posed serious security threats due to their stealthy manner. To hide
their presence and activities, many rootkits hijack control flows by modifying control
data or hooks in the kernel space. A critical step towards eliminating rootkits is to
protect such hooks from being hijacked. However, it remains a challenge because there
exist a large number of widely-scattered kernel hooks and many of them could be dynamically
allocated from kernel heap and co-located together with other kernel data. In addition,
there is a lack of flexible commodity hardware support, leading to the so-called
protection granularity gap: kernel hook protection requires byte-level granularity but
commodity hardware only provides page-level protection. To address the above challenges,
in this paper, we present Hook-Safe, a hypervisor-based lightweight system that can
protect thousands of kernel hooks in a guest OS from being hijacked. One key observation
behind our approach is that a kernel hook, once initialized, may be frequently read-accessed,
but rarely write-accessed. As such, we can relocate those kernel hooks to a
dedicated page-aligned memory space and then regulate accesses to them with hardware-based
page-level protection. We have developed a prototype of Hook-Safe and used it to protect
more than 5,900 kernel hooks in a Linux guest. Our experiments with nine real-world rootkits
show that Hook-Safe can effectively defeat their attempts to hijack kernel hooks. We also
show that Hook-Safe achieves such a large-scale protection with a small overhead
(e.g., around 6% slowdown in performance benchmarks).
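The relocation idea in the abstract can be seen in a small user-space simulation. The code below is an added example written for this page; it is not Hook-Safe's code and does not model its hypervisor. Hooks that sit next to ordinary data in a heap object are copied into a dedicated page-aligned area, that page is made read-only with mprotect, the kernel's read path dispatches through the copy, and a mediated update path grants write access only after a policy check. The policy here (the new value must be one of the handlers registered at setup time) is an assumption standing in for whatever checks a hypervisor would apply; the handler functions, the struct layout and all function names are invented for the demonstration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* A kernel hook is modelled as a function pointer; the handlers are stand-ins
 * invented for this example, not kernel code. */
typedef int (*hook_fn)(int);
static int real_open(int fd) { return fd + 1; }
static int real_read(int fd) { return fd * 2; }
static int evil_read(int fd) { (void)fd; return -1; }   /* rootkit's handler */

/* A heap object carrying a hook next to frequently written data. Write-protecting
 * this object's page would also block the refcount updates: the granularity gap. */
struct kobj { int refcount; hook_fn hook; char name[16]; };

#define MAX_HOOKS 64
static hook_fn *hook_area;          /* dedicated page-aligned hook area */
static size_t   hook_count, page_size;
static hook_fn  allowed[MAX_HOOKS]; /* assumed write policy: known handlers only */
static size_t   allowed_count;

static int set_protection(int prot) { return mprotect(hook_area, page_size, prot); }

/* Relocate the hooks of n objects into the protected area and make it read-only.
 * Returns the number of hooks relocated, or -1 on failure. */
int hooksafe_setup(struct kobj *objs, size_t n) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    if (n > MAX_HOOKS || n * sizeof(hook_fn) > page_size) return -1;
    if (hook_area) munmap(hook_area, page_size);
    hook_area = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_area == MAP_FAILED) { hook_area = NULL; return -1; }
    allowed_count = 0;
    for (size_t i = 0; i < n; i++) {
        hook_area[i] = objs[i].hook;       /* shadow copy the read path will use */
        allowed[allowed_count++] = objs[i].hook;
        objs[i].hook = NULL;               /* in-object copy is no longer consulted */
    }
    hook_count = n;
    return set_protection(PROT_READ) == 0 ? (int)n : -1;
}

/* Read path: every call site dispatches through the protected copy. */
int hooksafe_call(size_t i, int arg) {
    if (i >= hook_count) return -1;
    return hook_area[i](arg);
}

/* Mediated write path, standing in for the hypervisor handling a write fault on
 * the hook page: apply the policy, open the page only for the update, re-protect. */
int hooksafe_update(size_t i, hook_fn fn) {
    int ok = 0;
    if (i >= hook_count) return -1;
    for (size_t k = 0; k < allowed_count; k++) if (allowed[k] == fn) ok = 1;
    if (!ok || set_protection(PROT_READ | PROT_WRITE) != 0) return -1;
    hook_area[i] = fn;
    return set_protection(PROT_READ);
}

/* Unmediated write, as a rootkit would attempt. It hits the read-only page and
 * faults; SIGSEGV is caught so the result can be reported. 1 = blocked. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int rootkit_hijack(size_t i, hook_fn fn) {
    struct sigaction sa, old;
    int blocked = 0;
    if (i >= hook_count) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile hook_fn *slot = hook_area + i;
        *slot = fn;                        /* direct store into the protected page */
    } else {
        blocked = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Runs the whole scenario and returns the number of checks that passed (7). */
int hooksafe_selftest(void) {
    struct kobj objs[2] = { {1, real_open, "open"}, {1, real_read, "read"} };
    int passed = 0;
    passed += hooksafe_setup(objs, 2) == 2;
    passed += hooksafe_call(1, 5) == 10;
    passed += rootkit_hijack(1, evil_read) == 1;    /* direct write blocked */
    passed += hooksafe_call(1, 5) == 10;            /* hook unchanged */
    passed += hooksafe_update(1, evil_read) == -1;  /* policy rejects unknown target */
    passed += hooksafe_update(1, real_open) == 0 && hooksafe_call(1, 5) == 6;
    objs[1].refcount++;                             /* co-located data still writable */
    passed += objs[1].refcount == 2;
    return passed;
}

int main(void) {
    printf("checks passed: %d of 7\n", hooksafe_selftest());
    return 0;
}
```

The read path pays no extra cost beyond one indirection, which matches the abstract's observation that hooks are read often and written rarely; only the rare legitimate update goes through the mediated path, and the co-located refcount is never affected because it was never moved onto the protected page.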
Presenter: Dr. Xuxian Jiang
Dr. Jiang is an assistant professor in the Department of Computer Science at NC State
University. He received his Ph.D. in Computer Science from Purdue University in 2006
and his M.S. in Computer Science from Xi'an Jiaotong University, China in 2001. His
research interests include virtual machines and security. Further information about
Dr. Jiang is available on his site.
For greater insight into Dr. Jiang's
research, read the recent NC State News article,
High Profile ITSec Research.
Donation to McKimmon Center Scholarship Fund
At our August 2008 meeting the Raleigh ISSA Chapter donated $1500 to the
McKimmon Center Scholarship Fund, which makes a total of $4200 donated
by the chapter. The NC State Computer Training Unit is a strong supporter
of ITSec professional development and this chapter is honored to support
those efforts.
Charles W. Kelly/Raleigh ISSA Scholarship Endowment
On Thursday, June 5th, 2008 the Raleigh ISSA Chapter donated $11,000 to the Charles W. Kelly/Raleigh ISSA Scholarship Endowment, making the total endowment gift to date $27,500. The chapter will work towards endowing a full tuition scholarship, and donate an extra $1000 per year to be used for the scholarship until the endowment is fully funded.