Hooksafe

Hooksafe is a hypervisor-based lightweight system that protects an operating system's kernel hooks from rootkit attacks.[1]

It prevents thousands of kernel hooks in the guest operating system from being hijacked. This is achieved by making a shadow copy of all the kernel hooks at one central place and adding an indirection layer on top of it to regulate every attempt to access the hooks. A prototype of Hooksafe was used on a Linux guest and protected nearly 6000 kernel hooks.[2][1] It focuses on protecting kernel control data that are function pointers. It provides large-scale hook protection with small performance overhead.[3]
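The mechanism described above, as an added user-space model that is not Hooksafe's own code: hooks are relocated from their scattered kernel locations into one shadow area, every read and write goes through an indirection layer, and writes are accepted only when the new target is on a trusted list. All function and variable names (hooksafe_init, hook_read, hook_write, hook_invoke, the handler_* functions, and the fixed array sizes) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example modelling the Hooksafe idea; not Hooksafe's code.
 * All names and sizes here are assumptions made for illustration. */

typedef int (*hook_fn)(int);

/* Three candidate handlers. Only the first two are on the trusted list. */
static int handler_original(int x) { return x + 1; }
static int handler_legit_update(int x) { return x + 2; }
static int handler_unknown(int x) { return -x; }

#define MAX_HOOKS 4
#define MAX_TRUSTED 4

/* The guest's own hook locations, scattered through "kernel memory". */
static hook_fn kernel_hooks[MAX_HOOKS];

/* The shadow copy: one central place holding the authoritative pointers.
 * In Hooksafe this area is write-protected by the hypervisor; here it is a
 * private array reachable only through the indirection functions below. */
static hook_fn shadow_hooks[MAX_HOOKS];
static size_t n_hooks;

/* Write policy: handler addresses a hook is allowed to take. */
static hook_fn trusted_targets[MAX_TRUSTED];
static size_t n_trusted;

/* Count of refused updates: the signal a monitor would alert on. */
static unsigned denied_writes;

static int target_is_trusted(hook_fn fn) {
    for (size_t i = 0; i < n_trusted; i++)
        if (trusted_targets[i] == fn) return 1;
    return 0;
}

/* Relocate every hook into the shadow area and register the initial
 * targets as trusted. Returns the number of protected hooks. */
static size_t hooksafe_init(void) {
    n_hooks = 0; n_trusted = 0; denied_writes = 0;
    kernel_hooks[0] = handler_original;   /* simulated boot-time hook values */
    kernel_hooks[1] = handler_original;
    for (size_t i = 0; i < 2; i++) {
        shadow_hooks[i] = kernel_hooks[i]; /* copy into the central area */
        /* In Hooksafe the original site is patched to redirect into the
         * indirection layer, so whatever is written there later is never
         * used. Clearing it models that the site is no longer authoritative. */
        kernel_hooks[i] = NULL;
        n_hooks++;
    }
    trusted_targets[n_trusted++] = handler_original;
    trusted_targets[n_trusted++] = handler_legit_update;
    return n_hooks;
}

/* Indirection-layer read path: every hook use goes through here. */
static hook_fn hook_read(size_t idx) {
    return idx < n_hooks ? shadow_hooks[idx] : NULL;
}

/* Indirection-layer write path: updates are allowed only to trusted
 * targets. Returns 0 on success, -1 when the write is refused. */
static int hook_write(size_t idx, hook_fn fn) {
    if (idx >= n_hooks || !target_is_trusted(fn)) {
        denied_writes++;
        return -1;
    }
    shadow_hooks[idx] = fn;
    return 0;
}

/* Invoke hook idx through the shadow copy; 0 if the hook is unset. */
static int hook_invoke(size_t idx, int arg) {
    hook_fn fn = hook_read(idx);
    return fn ? fn(arg) : 0;
}

static unsigned hooksafe_denied_count(void) { return denied_writes; }

/* A write to the original kernel site that bypasses hook_write changes
 * nothing observable, because invocations use the shadow copy. Returns 1
 * when the hook's behaviour is unchanged. */
static int direct_site_write_is_ignored(size_t idx) {
    int before = hook_invoke(idx, 5);
    kernel_hooks[idx] = handler_unknown;
    return hook_invoke(idx, 5) == before;
}

int main(void) {
    hooksafe_init();
    printf("hook 0 -> %d\n", hook_invoke(0, 5));
    printf("untrusted update: %d\n", hook_write(0, handler_unknown));
    printf("trusted update:   %d\n", hook_write(0, handler_legit_update));
    printf("hook 0 -> %d\n", hook_invoke(0, 5));
    printf("direct site write ignored: %d\n", direct_site_write_is_ignored(1));
    printf("denied writes: %u\n", hooksafe_denied_count());
    return 0;
}
```

The two observations worth taking from the model are that an untrusted update is refused at the single choke point (and counted, so it can be reported), and that writing to the old hook location has no effect once the shadow copy is the only thing the indirection layer reads. A real deployment needs the hypervisor to enforce that the shadow area and the indirection code themselves cannot be modified from the guest.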

History

Prior rootkit-thwarting systems include Panorama and HookFinder, which analyze rootkit behavior; Copilot and VMwatcher, which detect rootkits from their symptoms; and Patagonix and NICKLE, which preserve kernel code integrity by preventing malicious rootkit code from executing.[1]


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.