
The Research On VMM-based Rootkit Detection And Protection Model

Posted on: 2015-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: F Feng
Full Text: PDF
GTID: 2268330422965716
Subject: Information and Communication Engineering
Abstract/Summary:
A Rootkit is a set of programs that bypasses security checks by means of hiding techniques, and it has gradually become a significant threat to computer security. A Rootkit shows different behaviour characteristics at different system layers, and it is usually combined with malicious code to do great damage to the operating system, which may cause incalculable loss. A VMM-based (Virtual Machine Monitor) Rootkit detection and protection model can resist Rootkit attacks and enhance immunity through effective isolation and a privilege level higher than that of the guest system. However, existing Rootkit detection and protection models have drawbacks in detection scope and security. Therefore, research on Rootkit detection and protection models has great theoretical and practical value.

For Rootkit static detection, a VMM-based multi-dimensional Rootkit detection model is proposed. The model monitors the status changes of the virtual machine and detects Rootkits using semantic reconstruction and cross-view analysis from three dimensions: the kernel, user and network layers. Finally, it obtains the Rootkit details through comprehensive analysis. A prototype named XenBFS is implemented on the Xen platform, and Rootkit detection and performance overhead experiments are performed. The results show that, at the system level, the model can effectively detect Rootkits based on different approaches, and the system performance overhead is less than 4%. The model has high detection accuracy, low performance overhead and strong practical value.

For Rootkit dynamic monitoring, a VMM-based pervasive protection model is proposed. The model resides entirely in the VMM, and it intercepts illegal write operations to the guest system kernel by setting the corresponding shadow page table entries to read-only. A prototype of the pervasive model named FFKP is implemented, and Rootkit detection and performance overhead experiments are performed. The results show that, at the system level, the model can effectively detect mainstream Windows and Linux Rootkits based on different approaches, and the system performance overhead is about 2.3%. The model has a high security level and strong universality, and provides new ideas for research on VMM-based Rootkit behaviour monitoring.
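The cross-view analysis described for the static detection model, shown as an added example rather than code from the thesis or its XenBFS prototype: a view of kernel modules, processes and sockets that the monitor is assumed to have reconstructed from guest memory is compared with the view the guest's own APIs report, per dimension, and the discrepancies are then correlated into per-Rootkit findings. All identifiers, sample objects and the `Views` type are constructed for the illustration.

```python
# Added illustration (not code from the thesis or its XenBFS prototype).
# The "vmm" view is assumed to be what the monitor reconstructs from guest
# memory; the "guest" view is what the guest's own APIs report.
from dataclasses import dataclass

DIMENSIONS = ("kernel", "user", "network")  # the three detection layers

@dataclass
class Views:
    vmm: dict    # dimension -> set of objects reconstructed by the VMM
    guest: dict  # dimension -> set of objects reported inside the guest

def cross_view_diff(views: Views) -> dict:
    """Compare both views per dimension.
    hidden  : in the VMM view but absent from the guest view (hiding)
    phantom : reported by the guest but not found in memory (stale or faked)"""
    report = {}
    for dim in DIMENSIONS:
        v, g = views.vmm.get(dim, set()), views.guest.get(dim, set())
        report[dim] = {"hidden": v - g, "phantom": g - v}
    return report

def correlate(report: dict) -> dict:
    """Comprehensive analysis: tie hidden sockets to the hidden process that
    owns them so one Rootkit shows up as one finding, not three."""
    hidden_procs = {pid: name for pid, name in report["user"]["hidden"]}
    findings = {"modules": sorted(report["kernel"]["hidden"]), "processes": []}
    for pid, name in sorted(hidden_procs.items()):
        ports = sorted(p for (owner, p) in report["network"]["hidden"] if owner == pid)
        findings["processes"].append({"pid": pid, "name": name, "hidden_ports": ports})
    # A hidden socket owned by a visible process is still flagged, separately.
    findings["orphan_ports"] = sorted(
        (owner, p) for (owner, p) in report["network"]["hidden"] if owner not in hidden_procs)
    return findings

# Constructed sample: one kernel module, one process and two sockets are hidden.
SAMPLE = Views(
    vmm={"kernel": {"ext4", "e1000", "hide_mod"},
         "user": {(1, "init"), (200, "sshd"), (666, "evil")},
         "network": {(200, 22), (666, 4444), (200, 2222)}},
    guest={"kernel": {"ext4", "e1000"},
           "user": {(1, "init"), (200, "sshd")},
           "network": {(200, 22)}},
)

if __name__ == "__main__":
    print(correlate(cross_view_diff(SAMPLE)))
```

A real monitor would fill the `vmm` sets by walking guest kernel structures (the semantic reconstruction step); the comparison and correlation logic above is independent of how those sets are obtained.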
Keywords/Search Tags: multi-dimensional detection, pervasive protection, semantic reconstruction, hardware virtualization, Rootkit