
Linux Kernel Module Rootkit Detection Based On System Virtual Machine Technology

Posted on: 2011-08-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y Li
Full Text: PDF
GTID: 2178330338989583
Subject: Computer Science and Technology
Abstract/Summary:
Kernel-mode rootkits are among the best-hidden and most difficult to detect classes of malicious software, and with the rapid development of cloud computing services they have become an important threat to cloud computing centers. How to guarantee data security in the cloud computing environment is a hot and difficult point of today's research, and malware detection based on virtualization technology has become a key point of that research. Among malware, the rootkit is the most concealable and hardest to detect, and this research studies rootkit detection based on virtualization technology.

First, we introduce the related knowledge of cloud computing and cloud computing security. We describe the origin and definition of cloud computing, its three main directions (IaaS, PaaS and SaaS) and its three main supporting technologies (system-level virtualization, distributed storage and large-scale data processing), and then raise several issues in cloud computing security and discuss their solutions. On this basis, we analyze in depth the principle of rootkits and the mechanisms of Linux system calls and loadable kernel modules (LKMs).

Traditional rootkit detection methods rely only on signature features; this works well for user-level rootkits, but for kernel-level rootkits the detection effect is not ideal. Based on a study of the behavioral feature of self-hiding, we introduce a new cross-view method. The system works mainly by modifying the Xen kernel and using hardware virtualization technology to intercept the related system calls and construct the VMM View, while the user-level tools of the target system are used to construct the User View. By comparing the VMM View with the User View, we can detect the LKM rootkit.

Finally, we compare the performance of the original system with that of the Xen-based system and analyze the reasons for the performance degradation. The results show that the system not only achieves the goal of detecting rootkits but also does so with low resource consumption. This work provides some reference for the dynamic behavior detection of malicious code based on virtual machine technology.
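The cross-view comparison described above, as an added illustration that is not the thesis's own code: the VMM View is reconstructed by replaying the module-related system calls a hypervisor would intercept, the User View is parsed from a /proc/modules listing as an in-guest tool would read it, and the difference is the set of modules hidden from the guest. The event log, module names and /proc/modules text are constructed for this example.

```python
import re

# Constructed VMM-side record of intercepted init_module / delete_module
# calls from the guest, in the order they occurred. Names are made up.
VMM_EVENTS = [
    ("init_module", "ext4"),
    ("init_module", "e1000"),
    ("init_module", "hidden_lkm"),      # constructed: later hides itself in-guest
    ("init_module", "usb_storage"),
    ("delete_module", "usb_storage"),   # cleanly unloaded: must not be flagged
]

# Constructed User View snapshot in /proc/modules format
# (name size refcount deps state address); hidden_lkm is absent.
PROC_MODULES = """\
ext4 651264 2 - Live 0xffffffffc0a00000
e1000 159744 0 - Live 0xffffffffc0900000
"""

def vmm_view(events):
    """Replay intercepted module syscalls into the set of modules the
    hypervisor believes are currently loaded in the guest."""
    loaded = set()
    for call, name in events:
        if call == "init_module":
            loaded.add(name)
        elif call == "delete_module":
            loaded.discard(name)
    return loaded

def user_view(proc_modules_text):
    """Parse the guest's /proc/modules listing into a set of module names."""
    names = set()
    for line in proc_modules_text.splitlines():
        m = re.match(r"^(\S+)\s+\d+\s+\d+", line)
        if m:
            names.add(m.group(1))
    return names

def cross_view_diff(events, proc_modules_text):
    """Modules present in the VMM View but missing from the User View are
    the candidates for an LKM rootkit that hides itself from the guest."""
    return sorted(vmm_view(events) - user_view(proc_modules_text))

if __name__ == "__main__":
    print("modules hidden from the guest:", cross_view_diff(VMM_EVENTS, PROC_MODULES))
```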
Keywords/Search Tags: Cloud-Computing, virtual machine, rootkit detection