Francesco Gadaleta

Francesco Gadaleta, Raoul Strackx, Nick Nikiforakis et al.

Protecting commodity operating systems and applications against malware and targeted attacks has proven to be difficult. In recent years, virtualization has received attention from security researchers who utilize it to harden existing systems and provide strong security guarantees. This has lead to interesting use cases such as cloud computing where possibly sensitive data is processed on remote, third party systems. The migration and processing of data in remote servers, poses new technical and legal questions, such as which security measures should be taken to protect this data or how can it be proven that execution of code wasn't tampered with. In this paper we focus on technological aspects. We discuss the various possibilities of security within the virtualization layer and we use as a case study \HelloRootkitty{}, a lightweight invariance-enforcing framework which allows an operating system to recover from kernel-level attacks. In addition to \HelloRootkitty{}, we also explore the use of special hardware chips as a way of further protecting and guaranteeing the integrity of a virtualized system.

Francesco Gadaleta, Nick Nikiforakis, Yves Younan et al.

In monolithic operating systems, the kernel is the piece of code that executes with the highest privileges and has control over all the software running on a host. A successful attack against an operating system's kernel means a total and complete compromise of the running system. These attacks usually end with the installation of a rootkit, a stealthy piece of software running with kernel privileges. When a rootkit is present, no guarantees can be made about the correctness, privacy or isolation of the operating system. In this paper we present \emph{Hello rootKitty}, an invariance-enforcing framework which takes advantage of current virtualization technology to protect a guest operating system against rootkits. \emph{Hello rootKitty} uses the idea of invariance to detect maliciously modified kernel data structures and restore them to their original legitimate values. Our prototype has negligible performance and memory overhead while effectively protecting commodity operating systems from modern rootkits.

Francesco Gadaleta, Nick Nikiforakis, Jan Tobias Muhlberg et al.

The sustained popularity of the cloud and cloud-related services accelerate the evolution of virtualization-enabling technologies. Modern off-the-shelf computers are already equipped with specialized hardware that enables a hypervisor to manage the simultaneous execution of multiple operating systems. Researchers have proposed security mechanisms that operate within such a hypervisor to protect the \textit{virtualized} operating systems from attacks. These mechanisms improve in security over previous techniques since the defense system is no longer part of an operating system's attack surface. However, due to constant transitions between the hypervisor and the operating systems, these countermeasures typically incur a significant performance overhead. In this paper we present HyperForce, a framework which allows the deployment of security-critical code in a way that significantly outperforms previous \textit{in-hypervisor} systems while maintaining similar guarantees with respect to security and integrity. HyperForce is a hybrid system which combines the performance of an \textit{in-guest} security mechanism with the security of in-hypervisor one. We evaluate our framework by using it to re-implement an invariance-based rootkit detection system and show the performance benefits of a HyperForce-utilizing countermeasure.