A Stack-based Lightweight Approach to Detect Kernel-level Rookits

Kernel-level rootkits take operating system into a serious security situation. They mainly aim at compromising the integrity of the operating system. Prior research has shown that security properties of the kernel heap can be used for rootkit detection. However, scanning across the entire heap is a time-consuming process. This paper presents a novel rootkit detection technique to verify kernel integrity. We focus on the kernel mode stack that contains useful information on program execution. Our work bases on two key techniques, where the first one is to protect the kernel code in real time, and the second is to externally verify the right properties of the kernel mode stack. Further more, we implement a prototype named StackSafe on top of Xen virtual machine monitor (VMM). The implementation detects most of the kernel rootkits while imposing a little overhead to the VMM.