Re-establishing trust in compromised systems: Recovering from rootkits that trojan the system call table


Abstract

We introduce the notion of re-establishing trust in compromised systems, looking specifically at recovering from kernel-level rootkits. An attacker who has compromised a system will often install a set of tools, known as a rootkit, which breaks trust in the system and also provides the attacker with other functionality. One type of rootkit is the kernel-level rootkit, which patches running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recovering from this type of rootkit is to extract the system call table from a known-good kernel image and reinstall that system call table into the running kernel. Building on our approach to current-generation rootkits, we discuss future-generation rootkits and address how to recover from them. © Springer-Verlag Berlin Heidelberg 2004.

Citation (APA)

Grizzard, J. B., Levine, J. G., & Owen, H. L. (2004). Re-establishing trust in compromised systems: Recovering from rootkits that trojan the system call table. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3193, 369–384. https://doi.org/10.1007/978-3-540-30108-0_23
