195 / 2014-11-17 22:42:08

A Mechanism Of Loading Kernel Module To Prevent From Rootkit Invasion

Kernel-level rootkit is the main threat that breaks kernel integrity, which is usually loaded into the kernel by posing as or tampering with the legitimate module. Based on the comparison and analysis of the kernel level rootkit defence technology, this thesis presents a loading mechanism of kernel module combining authentication with detection, which divides the kernel module into the trusted module and the untrusted module. While loading the former, the integrity of the kernel module should be verified; while loading the latter, identity and the integrity of the kernel module should be verified while making real-time detection of modification of the kernel data. Experimental results show this mechanism can prevent kernel-level rootkit from intruding in the kernel module. In the final part, the advantages, disadvantages and the next step research of this mechanism are explored.