Netinfo Security ›› 2015, Vol. 15 ›› Issue (4): 56-61.doi: 10.3969/j.issn.1671-1122.2015.04.010


Kernel-level Rootkit Detection Technology Based on VMM

ZHANG Lei, CHEN Xing-shu, REN Yi, LI Hui

  1. Network and Trusted Computing Institute, School of Computer Science, Sichuan University, Chengdu Sichuan 610065, China
  • Received: 2015-02-05  Online: 2015-04-10  Published: 2018-07-16

Abstract:

Kernel-level Rootkits inside a cloud virtual machine can destroy the integrity of a tenant's virtual machine. This paper presents a kernel-level Rootkit detection technology based on the Virtual Machine Monitor (VMM). The technology builds a True Module List (TML) by placing a breakpoint on the critical module-loading path, which yields a trusted view of the virtual machine's kernel modules; a user-mode view is obtained by calls issued bottom-up from the VMM into the guest; and a kernel-mode view is reconstructed from guest memory at the VMM layer. Cross-referencing these three views exposes Rootkits hidden inside the virtual machine. Finally, a prototype system was implemented on the Kernel-based Virtual Machine (KVM). Experimental results showed that Rootkits in a virtual machine can be detected quickly and accurately by the prototype, that details of a detected Rootkit can be reported from the TML, and that the overall performance overhead of the prototype remains within an acceptable range.

Key words: VMM, kernel-level Rootkit detection, critical path breakpoint, KVM
