Boffins boast newfangled rootkit blocker Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked …
and nice to see Microsoft contributing to Linux Kernel security. ;-D
I imagine the reason the researchers chose Linux was mostly to do with the fact that Linux [the kernel] is easily separated out from the userspace parts of the OS making it a much easier research target - the problem itself is pretty OS-agnostic.
How is this news, all as thay have done is highlight how the OS should have been written in the first place. Am I right in thinking that kernel hooks are just the kernal addresses, the ones I used to chain when writing TSR programs? Is this another false sence of security add-on, use HookSafe and continue to write the same shite code. If Wang et al can move all the kernal hooks to a secure monotored location in memory, why can't kernal code writes do the same.
Sorry massive fail on the part of the kernal coders
If this is a Microsoft initiative why did they not target the ability of the most common OS family to withstand root-kit attacks? Instead they used an uncommon OS that is often run by the more computer savvy.
If they had run this demonstration on all versions of MS Windows in regular use then people would take a greater degree of interest. As it stands, the implication is that Ubuntu, and other Linux OSs, are the common target of root-kits.
Looks like clever stuff, though I can't claim to be competent to judge the real-world significance of this. Presumably this is aimed at Ubuntu servers, are these rootkits responsible for a significant proportion of servers that are compromised?
On another note, interesting to see M$ researchers so concerned about Linux security. I guess they must be twiddling their thumbs because the new versions of Windoze are so secure... *cough*
At the Epoch replace the operating system from CD.
I thought about that one.
Use a 'minor dictator' secondary computer to monitor the first one; if it encounters a real problem it goes with option one. Has the added value that your 'MD' can be some old slow cast off POS.
Lock down damn near every IP address on the planet; have your 'MD' check the event logs; one strike and you are out.
Nothing works all the time, and I am stuck with Windows.
When I used to do it, I used a 100% non-modular kernel for my production machines. No init-image. Output from lsmod was boring. Why should production system really have to load kernel modules? That might be a handy way to differentiate production servers from wannabees.
JW
@elderlybloke:
Since [most] hackers like to use the powerful tools that are Linux-only, silent rootkits rather than debilitating virii are the weapon of choice for infecting Linux boxes.
@LaeMi Qian:
The researchers most likely used Linux due to being able to have access to the entire system source code, which I doubt M$ would have released for their research even if they were sleeping with Balmer.... However, you are correct in this potentially being an OS agnostic strategy.
Of course, for myself, why load up a system with anti-spyware, anti-malware/virus, root-kit disablers, etc, etc, etc and lose 30+% of system performance? Apparently this kit whacks 6% off to boot and we all know the opinion on the [lack of] performance of Symantec or the like.
Paris - yeah, you'd probably get a virus from her too.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
