The rampant growth of stealthy rootkits poses a serious security threat to cyberspace. Specifically, with the capability of directly subverting the software root of trust of a computer system, a rootkit can surreptitiously take over the control of the system and maintain a hidden presence thereafter. To effectively defend against them, researchers have explored various anti-rootkit solutions. Unfortunately, to our disadvantage, the state-of-the-art defense is mainly reactive and cannot meet the challenges in the arms-race against them. This project is developing a systematic immunization approach to proactively prevent and exterminate rootkit attacks. This goal is being achieved in three key steps. First, we are developing a fundamental immunization capability self-nonself discrimination to reliably discern and prevent malicious rootkit code execution. Second, we are investigating a kernel shepherding technique to enforce kernel control-flow integrity. Third, we are designing and implementing a high-assurance hypervisor with a minimal trusted computing base to establish and sustain the root-of-trust of the entire computer system. We expect the results from this research will substantially elevate our defense capability against elusive rootkits as well as more generic malware. We will disseminate our results by releasing the tools developed as well as associated education materials appropriate for undergraduate and graduate courses and IT staff training in industry and government agencies.
CAREER: Towards Exterminating Stealthy Rootkits - A Systematic Immunization Approach