Rootkit-Resistant Disks


  • Rootkit-Resistant Disks
    K. R. B. Butler, S. McLaughlin, P. D. McDaniel, Pennsylvania State University, CCS '08

    Presented by: HAN Jin

  • Outline
    What is a rootkit?
    What is a RRD?
    Prototype Implementation
    Evaluation
    Discussion

  • What is a rootkit?
    A rootkit is a software system consisting of one program, or a combination of several programs, designed to hide or obscure the fact that a system has been compromised.

    An attacker may use a rootkit to replace vital system executables, which can then be used to hide the processes and files the attacker has installed, along with the presence of the rootkit itself.

  • Outline
    What is a rootkit?
    What is a RRD?
      Design
      Tokens and Disk Policy
      Algorithm
    Prototype Implementation
    Evaluation
    Discussion

  • What is a RRD?
    RRD stands for Rootkit-Resistant Disk: a disk that prevents rootkit persistence.

  • RRD Design
    One sentence to summarize the design:

    Govern write access to the disk blocks from the embedded disk processor.

    How to do it? Label some of the disk blocks (e.g. OS binaries) as immutable, and only grant write access to these blocks when a security token is present (e.g. inserted into the USB port).


  • Tokens and Disk Policy
    Normal mode: the RRD is used like a regular disk, without any token present.

    Administrator mode: a token is needed for administrative events, e.g. the initial installation of an OS onto the disk and subsequent upgrades to the OS or other software packages.

  • Tokens and labels
    Data blocks written while a token is present are labeled with that token and become immutable. Only when the corresponding token is inserted can the labeled blocks be rewritten.

  • RRD write algorithm
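    The slides describe the write policy (normal mode, administrator mode, token labels) but the algorithm slide itself is a figure, so the following is an added Python model of that policy written for this page, not code from the paper or its netblockd prototype. Block numbers, token ids and the contents are constructed; the assumed rules are: a write to an unlabeled block always succeeds and, if a token is inserted, labels the block with it; a write to a labeled block succeeds only if the matching token is inserted; a denied write is reported to the host as a plain I/O error, which is the "BAD BLOCK"-style failure the Discussion slides mention.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

class RRDWriteError(IOError):
    """A denied write surfaces only as a generic I/O error; the host learns no reason."""

@dataclass
class RRD:
    labels: Dict[int, str] = field(default_factory=dict)   # block number -> token id
    blocks: Dict[int, bytes] = field(default_factory=dict)  # block number -> contents
    token: Optional[str] = None  # token currently inserted; None means normal mode

    def insert_token(self, token_id: str) -> None:
        self.token = token_id

    def remove_token(self) -> None:
        self.token = None

    def write(self, block: int, payload: bytes) -> None:
        label = self.labels.get(block)
        if label is not None and label != self.token:
            # immutable block and its token is not inserted: reject, opaquely
            raise RRDWriteError(f"write failed on block {block}")
        self.blocks[block] = payload
        if self.token is not None and label is None:
            # administrator mode: every block written is labeled with the inserted token
            self.labels[block] = self.token

def try_write(disk: RRD, block: int, payload: bytes) -> bool:
    try:
        disk.write(block, payload)
        return True
    except RRDWriteError:
        return False

def demo() -> dict:
    disk = RRD()
    disk.insert_token("os-token")                   # OS install: written blocks become immutable
    disk.write(1, b"/bin/ls")
    disk.write(2, b"/var/log/syslog")               # label creep: mutable data written under token
    disk.remove_token()
    user_ok = try_write(disk, 100, b"user data")    # normal mode: unlabeled block is writable
    trojan_ok = try_write(disk, 1, b"trojan ls")    # no token: immutable binary stays intact
    log_ok = try_write(disk, 2, b"new log line")    # label creep made the log block read-only
    disk.insert_token("other-token")
    other_ok = try_write(disk, 1, b"trojan ls")     # non-matching token: still denied
    disk.insert_token("os-token")
    upgrade_ok = try_write(disk, 1, b"/bin/ls v2")  # matching token: legitimate upgrade
    return {"user": user_ok, "trojan": trojan_ok, "log": log_ok, "other_token": other_ok,
            "upgrade": upgrade_ok, "ls": disk.blocks[1], "labeled": len(disk.labels)}
```

    The log block written during installation shows why the installer must separate mutable from immutable data: once labeled, it can no longer be appended to in normal mode.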

  • Outline
    What is a rootkit?
    What is a RRD?
    Prototype Implementation
      RRD
      Host Machine
      Installer
    Evaluation
    Discussion

  • Prototype Implementation
    They implemented an RRD that fulfills block requests over TCP.

    Their choice to use a network interface was made as development of firmware for commodity disks is prohibitively difficult due to a lack of open firmware and development environments.

    They claim their prototype RRD provides the same functionality and security guarantees described before, and can be used as the root partition of a running system.

  • Prototype: RRD and Host

  • Prototype RRD
    RRD components:
      Linksys NSLU2 network attached storage link (commonly referred to as the "slug")
      External HDD
      USB thumb drives as physical tokens

    The slug:
      receives block requests from the network
      stores and enforces the RRD's policy
      acts as the entry point for physical tokens

  • Changes to the Slug
    Replace the default firmware with the SlugOS Linux distribution.

    Upload netblockd (2,665 lines of code), a server program they developed to satisfy block I/O requests over TCP sockets.

    The udev framework is used to detect physical tokens and notify netblockd of their insertion and removal.


  • Host machine
    In a typical RRD scenario, a standard SCSI or ATA driver would suffice for communication between the host and disk.

    Because their prototype exports a non-standard interface, they implement an RRD device driver for the host machine.

    The RRD driver consists of 1,314 lines of kernel code and 307 lines of user space code.

  • Installer
    Performing an installation with an RRD requires knowing when the token should be present in the disk and when it should be removed.

    It is desirable for the installer to cooperate with the administrator to simplify the installation process.

    The installer should require as little token changing as possible, while at the same time ensuring the mutual exclusivity of mutable and immutable data.

  • Installer
    The key design decision in creating the installer is which data should be mutable and which immutable.
      The MBR, boot loader, kernel and any kernel modules must be immutable to prevent overwriting by kernel-level rootkits.
      Similarly, all libraries and binaries should be immutable to prevent user-level rootkits from installing trojan versions.
      Any system configuration and startup scripts should be made immutable, along with scripts defining repeatedly executed tasks.

  • Outline
    What is a rootkit?
    What is a RRD?
    Prototype Implementation
    Evaluation
      Performance
      Scalability
      Security
    Discussion

  • Experimental Setup

  • Performance (Postmark)

  • Performance (System install)

  • Scalability
    Used blocks vs. labeled blocks

  • The overhead due to label creep in both cases is roughly 10% of the labeled data; it represents less than 1% of the total space on the partition, so label creep does not waste significant disk space.

  • Scalability (label space)

  • Security
    In order to test the ability of their prototype to correctly protect immutable data:

    Install a rootkit (Mood-NT) on a system booted from the prototype RRD.

    Verify that it fails to become persistent.

  • Outline
    What is a rootkit?
    What is a RRD?
    Prototype Implementation
    Evaluation
    Discussion
      Tokens and atime
      Filesystem modification
      Maintenance and Usability

  • Discussion
    System tokens and atime: the use of the atime attribute in UNIX-based file systems. In a Linux system, whenever a file is accessed, regardless of whether it is modified or otherwise changed, the time it was accessed (atime) is updated. In the Linux 2.6 kernel it is possible, and common, to disable atime altogether by mounting the filesystem with the noatime option.

  • Discussion
    Filesystem modification: if there is a write request and free inode descriptors are available in a block, the filesystem may attempt to write data to that block. This will fail if the token is not present, and the filesystem will have no knowledge that the write failed because of a lack of access privileges; instead it will see a message such as BAD BLOCK.

  • Discussion
    Maintenance and usability:
      Token cloning and disk backup
      Revocation of existing tokens and token escrow
      Large-scale token management and initial RRD configuration
      Considerations for Windows systems

  • Future work
    Tighter integration between the install programs and the RRD is needed.

    Integration with intelligent commodity disks over other interfaces such as SCSI or IDE/ATA is needed.

    Explore the usability of administrator tokens as a method for enforcing security.