Hardware Virtualization Applied to Rootkit Defense

Author

Douglas P. Medley

Date of Award

3-6-2007

Document Type

Thesis

Degree Name

Master of Science in Computer Engineering

Department

Department of Electrical and Computer Engineering

First Advisor

Paul Williams, PhD

Abstract

This research effort examines the idea of applying virtualization hardware to enhance operating system security against rootkits. Rootkits are sets of tools used to hide code and/or functionality from the user and operating system. Rootkits can accomplish this feat through using access to one part of an operating system to change another part that resides at the same privilege level. Hardware assisted virtualization (HAV) provides an opportunity to defeat this tactic through the introduction of a new operating mode. Created to aid operating system virtualization, HAV provides hardware support for managing and saving multiple states of the processor. This hardware support overcomes a problem in pure software virtualization, which is the need to modify guest software to run at a less privileged level. Using HAV, guest software can operate at the pre-HAV most privileged level. This thesis provides a plan to protect data structures targeted by rootkits through unconventional use of HAV technology to secure system resources such as memory. This method of protection will provide true real-time security through OS attack prevention, rather than reaction.

AFIT Designator

AFIT-GCE-ENG-07-08

DTIC Accession Number

ADA469494

Recommended Citation

Medley, Douglas P., "Hardware Virtualization Applied to Rootkit Defense" (2007). Theses and Dissertations. 3104.
https://scholar.afit.edu/etd/3104