Cloaker: Hardware Supported Rootkit Concealment
07-10-2010, 11:50 AM

This article is presented by:
Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell
Department of Computer Science
University of Illinois at Urbana-Champaign
201 N Goodwin Ave, Urbana

Cloaker: Hardware Supported Rootkit Concealment

Rootkits are used by malicious attackers who desire to run software on a compromised machine without being detected. They have become stealthier over the years as a consequence of the ongoing struggle between attackers and system defenders. In order to explore the next step in rootkit evolution and to build strong defenses, we look at this issue from the point of view of an attacker. We construct Cloaker, a proof-of-concept rootkit for the ARM platform that is non-persistent and only relies on hardware state modifications for concealment and operation. A primary goal in the design of Cloaker is to not alter any part of the host operating system (OS) code or data, thereby achieving immunity to all existing rootkit detection techniques which perform integrity, behavior and signature checks of the host OS. Cloaker also demonstrates that a self-contained execution environment for malicious code can be provided without relying on the host OS for any services. Integrity checks of hardware state in each of the machine’s devices are required in order to detect rootkits such as Cloaker. We present a framework for the Linux kernel that incorporates integrity checks of hardware state performed by device drivers in order to counter the threat posed by rootkits such as Cloaker.
In order to surreptitiously control a compromised computer, an intruder typically installs software that tries to conceal malicious code. This software is commonly referred to as a rootkit. A rootkit hides itself and some malicious payload from the operating system, users and intrusion detection tools. The techniques utilized by rootkits to avoid detection have evolved over the years. Older rootkits modified system files and were easily detected by tools that checked for file integrity or rootkit signatures. To avoid being detected by such tools, rootkit designers resorted to more complex techniques such as modifying boot sectors and manipulating the in-memory image of the kernel. These rootkits are susceptible to detection by tools that check kernel code and data for alteration. Rootkits that modify the system BIOS or device firmware can also be detected by integrity checking tools. More recently, virtualization technology has been studied as yet another means to conceal rootkits. These rootkits remain hidden by running the host OS in a virtual machine environment. To counter the threat from these Virtual Machine Based Rootkits (VMBRs), researchers have detailed approaches to detect if code is executing inside a virtual machine. Is this the end of the line for rootkit evolution? We believe that other hardware features can still be exploited to conceal rootkits. For example, Shadow Walker exploits the existence of separate instruction and data address translation buffers to hide itself. While Shadow Walker exhibits some weaknesses that allow it to be detected by existing approaches, we aim to show that it is possible to construct a rootkit that exploits changes to hardware state for more effective concealment. Studying the construction of such a rootkit fuels the proactive design and deployment of new countermeasures. Similar approaches have been used in the past by other researchers.
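As an added illustration of the defense the abstract describes (a Linux kernel framework in which device drivers perform integrity checks of hardware state), the following C sketch is an example written for this page, not code from the paper or its authors: each driver registers a reader for its device's control state, the framework snapshots that state as a trusted baseline and re-checks it later. The device, its register values and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DRIVERS 8
#define STATE_WORDS 4
/* Each driver supplies a reader for the control state of its device. */
typedef void (*read_state_fn)(uint32_t out[STATE_WORDS]);
struct hw_check {
    const char *name;
    read_state_fn read;
    uint32_t baseline[STATE_WORDS];   /* trusted snapshot at registration */
};
static struct hw_check checks[MAX_DRIVERS];
static int ncheck;

/* Constructed stand-in for a device's memory-mapped control registers (hypothetical values). */
uint32_t fake_ctrl_regs[STATE_WORDS] = { 0x00000001, 0xFFFF0000, 0, 0 };
void fake_dev_read_state(uint32_t out[STATE_WORDS])
{
    memcpy(out, fake_ctrl_regs, sizeof fake_ctrl_regs);
}

/* Driver hook: record the device's current state as its baseline;
 * returns the slot index, or -1 if the table is full. */
int hwcheck_register(const char *name, read_state_fn read)
{
    if (ncheck >= MAX_DRIVERS) return -1;
    checks[ncheck].name = name;
    checks[ncheck].read = read;
    read(checks[ncheck].baseline);
    return ncheck++;
}

/* Periodic check: re-read every registered device and compare it with its
 * baseline; returns the number of registers that deviate. */
int hwcheck_verify(void)
{
    int deviations = 0;
    for (int i = 0; i < ncheck; i++) {
        uint32_t now[STATE_WORDS];
        checks[i].read(now);
        for (int w = 0; w < STATE_WORDS; w++)
            if (now[w] != checks[i].baseline[w]) {
                printf("%s: reg[%d] %08x -> %08x\n", checks[i].name, w, checks[i].baseline[w], now[w]);
                deviations++;
            }
    }
    return deviations;
}
```

A real driver would read its device's actual control registers in place of the constructed array, and the baseline must be captured at a point the defender trusts, since a snapshot taken after the device state has already been altered would simply ratify the change.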

For more information about this article, please follow the link:
