UPM Institutional Repository

Rootkit Guard (RG) - an architecture for rootkit resistant file-system implementation based on TPM


Yew, Teh Jia and Samsudin, Khairulmizam and Udzir, Nur Izura and Hashim, Shaiful Jahari (2013) Rootkit Guard (RG) - an architecture for rootkit resistant file-system implementation based on TPM. Pertanika Journal of Science & Technology, 21 (2). pp. 507-520. ISSN 0128-7680; ESSN: 2231-8526


Recent rootkit-attack mitigation work has neglected to address the integrity of the mitigation tool itself. Both the detection and prevention arms of current rootkit-attack mitigation solutions can be given credit for advancing multiple methodologies for rootkit defense, but if the defense system itself is compromised, how is the defense system to be trusted? Another deficiency not addressed is how platform integrity can be preserved when current RIDS or RIPS solutions, which operate only once the kernel has loaded, are not available, i.e. without a trusted boot environment. To address these deficiencies, we present our architecture for solving rootkit persistence – Rootkit Guard (RG). RG is a marriage between TrustedGRUB (providing trusted boot), IMA (Integrity Measurement Architecture, serving as the RIDS) and SELinux (serving as the RIPS). TPM hardware is utilised to provide total integrity of our platform by storing the aggregate of the clean snapshot of our platform OS kernel in TPM hardware registers (i.e. the PCR), against which no software attacks have been demonstrated to date. RG solves rootkit persistence by leveraging one vital but simple strategy: mounting rootkit defense by preventing the execution of configuration binaries or build initialisation scripts. We adopted the technique of preventing rootkit persistence by thwarting the initialisation of a rootkit’s installation procedure; if the rootkit is successfully installed, its proper deployment is prevented by thwarting the rootkit’s configuration. We subjected RG to 8 real-world Linux 2.6 rootkits, and RG was successful in solving rootkit persistence for all 8 evaluated rootkits. In terms of performance, RG introduced a maximum of 11% overhead and an average of 4% overhead, hence permitting deployment in production environments.


Additional Metadata

Item Type: Article
Divisions: Faculty of Computer Science and Information Technology
Publisher: Universiti Putra Malaysia
Keywords: Trusted Computing (TC); Trusted Platform Module (TPM); Malware and rootkits; SELinux; Linux Integrity Measurement Architecture (Linux-IMA); TrustedGRUB; Rootkit detection and prevention
Depositing User: Ms. Nida Hidayati Ghazali
Date Deposited: 06 Feb 2015 07:01
Last Modified: 18 Sep 2015 01:32
URI: http://psasir.upm.edu.my/id/eprint/30621