Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down …
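A user-space sketch of the idea the article describes, added here as an illustration and not HookSafe's own code: all hooks are consolidated into one page-aligned region that stays read-only, callers reach them only through indirection, and legitimate updates go through a single trusted path. The hypervisor's write protection is simulated with mprotect(), and hooks_init/hook_set/hook_get/direct_write_blocked are names assumed for this sketch.

```c
#define _GNU_SOURCE
/* Added example simulating HookSafe-style hook relocation; the real system
 * enforces the write protection from a hypervisor outside the guest OS. */
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define HOOK_COUNT 4
typedef void (*hook_fn)(void);
static void demo_hook(void) {}            /* constructed sample hook target */

/* Every hook lives in this one dedicated page instead of being scattered. */
static hook_fn *hook_page = NULL;
static size_t page_size;
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Allocate the hook page and lock it read-only ("tightly locked down"). */
int hooks_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    hook_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_page == MAP_FAILED) return -1;
    memset(hook_page, 0, page_size);
    return mprotect(hook_page, page_size, PROT_READ);
}

/* Trusted update path: the only sanctioned way a hook slot changes. */
int hook_set(size_t idx, hook_fn fn) {
    if (idx >= HOOK_COUNT) return -1;
    if (mprotect(hook_page, page_size, PROT_READ | PROT_WRITE) != 0) return -1;
    hook_page[idx] = fn;
    return mprotect(hook_page, page_size, PROT_READ);
}

/* Indirection: the kernel reads hooks through the protected page. */
hook_fn hook_get(size_t idx) { return idx < HOOK_COUNT ? hook_page[idx] : NULL; }

/* A direct overwrite that bypasses hook_set(), as a rootkit would attempt.
 * Returns 1 if the write faulted (blocked), 0 if it silently succeeded. */
int direct_write_blocked(size_t idx, hook_fn fn) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        ((volatile hook_fn *)hook_page)[idx] = fn;  /* faults: page is read-only */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}
```

The cost of the indirection is the small overhead the article alludes to; the benefit is that a tampering write lands on a protected page and is caught rather than silently redirecting the hook.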
and nice to see Microsoft contributing to Linux Kernel security. ;-D
I imagine the reason the researchers chose Linux was mostly to do with the fact that Linux [the kernel] is easily separated out from the userspace parts of the OS making it a much easier research target - the problem itself is pretty OS-agnostic.
How is this news? All they have done is highlight how the OS should have been written in the first place. Am I right in thinking that kernel hooks are just the kernel addresses, the ones I used to chain when writing TSR programs? Is this another false sense of security add-on: use HookSafe and continue to write the same shite code? If Wang et al can move all the kernel hooks to a secure monitored location in memory, why can't kernel code writers do the same?
Sorry, massive fail on the part of the kernel coders.
have they just reinvented HP1000 style base-page indirection?
If this is a Microsoft initiative why did they not target the ability of the most common OS family to withstand root-kit attacks? Instead they used an uncommon OS that is often run by the more computer savvy.
If they had run this demonstration on all versions of MS Windows in regular use then people would take a greater degree of interest. As it stands, the implication is that Ubuntu, and other Linux OSs, are the common target of root-kits.
M$ rooting for Linux Security??
Looks like clever stuff, though I can't claim to be competent to judge the real-world significance of this. Presumably this is aimed at Ubuntu servers, are these rootkits responsible for a significant proportion of servers that are compromised?
On another note, interesting to see M$ researchers so concerned about Linux security. I guess they must be twiddling their thumbs because the new versions of Windoze are so secure... *cough*
Of course, if your O/S has already swallowed the pill, installing this makes no difference...
I guess I'm missing something but wouldn't it just be easier to run your user stuff in user space rather than as root?
If from user you can get root access you've lost anyway. Something doesn't make sense here, perhaps it's me.
Not all that spectacular really. Sure you wouldn't normally notice, but that's the difference between a 2.83GHz Processor and a 3GHz Processor. I don't know if root kits are a big enough threat for most people to justify even that relatively small cost.
Ways to pick up a weasel.
At the Epoch replace the operating system from CD.
I thought about that one.
Use a 'minor dictator' secondary computer to monitor the first one; if it encounters a real problem it goes with option one. Has the added value that your 'MD' can be some old slow cast off POS.
Lock down damn near every IP address on the planet; have your 'MD' check the event logs; one strike and you are out.
Nothing works all the time, and I am stuck with Windows.
Do we really need modular kernels for production systems?
When I used to do it, I used a 100% non-modular kernel for my production machines. No init-image. Output from lsmod was boring. Why should production system really have to load kernel modules? That might be a handy way to differentiate production servers from wannabees.
Excuse my ignorance
but I have heard that rootkits/rootbots infect Microsoft OS, but have not heard of any infecting Linux OS.
How many infections have there been of Linux OS?
Extant linux rootkit answers here:
Since [most] hackers like to use the powerful tools that are Linux-only, silent rootkits rather than debilitating virii are the weapon of choice for infecting Linux boxes.
The researchers most likely used Linux due to being able to have access to the entire system source code, which I doubt M$ would have released for their research even if they were sleeping with Ballmer.... However, you are correct in this potentially being an OS-agnostic strategy.
Of course, for myself, why load up a system with anti-spyware, anti-malware/virus, root-kit disablers, etc, etc, etc and lose 30+% of system performance? Apparently this kit whacks 6% off to boot and we all know the opinion on the [lack of] performance of Symantec or the like.
Paris - yeah, you'd probably get a virus from her too.