Rootkits are prevalent in today's Internet. Using virtual machine monitor (VMM) is an attractive way to deal with rootkits. However, most of the previous studies do not focus on protecting kernel data using VMMs, especially for the data that may be dynamically changed. Direct kernel object manipulation (DKOM) attacks can stealthily detach kernel data objects belonging to the malicious program from kernel's normal list, or overwrite import fields in the kernel. It's hard for OSes or VMMs to

more »

... nguish between normal accesses and malicious ones to kernel data. Although some works provides access control policy to kernel data, it can't detect loadable kernel module (LKM) rootkits that place malicious code to their installation procedure. This paper presents a framework, namely HACS, to protect kernel data using module white list based access control. HACS runs in VMM and intercepts the write requests to protected regions. A mediation strategy is proposed in this paper that judges whether the modification requests are legitimate or not. Malicious modifications requests are forbidden and normal ones are approved. Our experiments with real-world DKOM rootkits demonstrate that HACS provides robust rootkits detection ability, with lower performance overhead than other kernel data protection methods.