
Dissertations / Theses on the topic 'Rootkit'


1. Gach, Tomáš. "Generická detekce bootkitů." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2013. http://www.nusl.cz/ntk/nusl-236369.

Abstract:
This thesis deals with the generic detection of bootkits, which are a relatively new kind of malicious software falling into the category of rootkits. The definition of malicious software is presented along with several examples. Then attention is paid to rootkits in the context of Microsoft Windows operating systems. This section lists several techniques used by rootkits. After that, the ways of preventing and detecting rootkits are mentioned. Bootkits are known for infecting the hard disk's Master Boot Record (MBR). The structure of the MBR is described along with an example of hard disk partitioning. Afterwards, the processor instruction set is outlined and the disassembly of the Windows 7 MBR is given. The rest of the thesis is devoted to a description of the course of an operating system bootkit infection, bootkit prevention, analysis of infected MBR samples, and in particular to the design, implementation and testing of the generic MBR infection detector.

2. Plocek, Radovan. "Klasifikace rootkitů a jimi používaných technik." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2014. http://www.nusl.cz/ntk/nusl-412900.

Abstract:
This paper describes the currently most widespread methods used by rootkits. It contains basic information connected with the development of rootkits, such as processor registers, memory protection and the native API of the Windows operating system. The primary objective of this paper is to provide an overview of techniques, such as hooking, code patching and direct kernel object modification, which are used by rootkits, and to present methods to detect them. These methods will then be implemented in rootkit detection and removal tools based on these techniques.

3. Levine, John G. (John Glenn). "A Methodology for Detecting and Classifying Rootkit Exploits." Diss., Georgia Institute of Technology, 2004. http://hdl.handle.net/1853/5139.

Abstract:
164 pages. Directed by Dr. Henry L. Owen.
We propose a methodology to detect and classify rootkit exploits. The goal of this research is to provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions concerning systems that are compromised by rootkits. There is no such methodology available at present to perform this function. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. A formal framework was developed in order to define rootkit exploits as an existing rootkit, a modification to an existing one, or an entirely new rootkit. A methodology was then described in order to apply this framework against rootkits that are to be investigated. We then proposed some new methods to detect and characterize specific types of rootkit exploits. These methods consisted of identifying unique string signatures of binary executable files as well as examining the system call table within the system kernel. We established a Honeynet in order to aid in our research efforts and then applied our methodology to a previously unseen rootkit that was targeted against the Honeynet. By using our methodology we were able to uniquely characterize this rootkit and identify some unique signatures that could be used in the detection of this specific rootkit. We applied our methodology against nine additional rootkit exploits and were able to identify unique characteristics for each of these rootkits. These characteristics could also be used in the prevention and detection of these rootkits.

4. Vibhute, Tejaswini Ajay. "EPA-RIMM-V: Efficient Rootkit Detection for Virtualized Environments." PDXScholar, 2018. https://pdxscholar.library.pdx.edu/open_access_etds/4485.

Abstract:
The use of virtualized environments continues to grow for efficient utilization of the available compute resources. Hypervisors virtualize the underlying hardware resources and allow multiple Operating Systems to run simultaneously on the same infrastructure. Since the hypervisor is installed at a higher privilege level than the Operating Systems in the software stack it is vulnerable to rootkits that can modify the environment to gain control, crash the system and even steal sensitive information. Thus, runtime integrity measurement of the hypervisor is essential. The currently proposed solutions achieve the goal by relying either partially or entirely on the features of the hypervisor itself, causing them to lack stealth and leaving themselves vulnerable to attack. We have developed a performance sensitive methodology for identifying rootkits in hypervisors from System Management Mode (SMM) while using the features of SMI Transfer Monitor (STM). STM is a recent technology from Intel and it is a virtual machine manager at the firmware level. Our solution extends a research prototype called EPA-RIMM, developed by Delgado and Karavanic at Portland State University. Our solution extends the state of the art in that it stealthily performs measurements of hypervisor memory and critical data structures using firmware features, keeps performance perturbation to acceptable levels and leverages the security features provided by the STM. We describe our approach and include experimental results using a prototype we have developed for Xen hypervisor on Minnowboard Turbot, an open hardware platform.

5. Esoul, O. "VMX-rootkit : implementing malware with hardware virtual machine extensions." Thesis, University of Salford, 2008. http://usir.salford.ac.uk/26667/.

Abstract:
Stealth Malware (Rootkit) is malicious software used by attackers who wish to run their code on a compromised computer without being detected. Over the years, rootkits have targeted different operating systems and have used different techniques and mechanisms to avoid detection. In late 2005 and early 2006, both Intel and AMD incorporated explicit hardware support for virtualization into their CPUs. While this hardware support can help simplify the design and the implementation of light-weight and efficient Virtual Machine Monitors (VMMs), this technology has introduced a new powerful mechanism that can be used by malware to create an extremely stealthy rootkit called a hardware-assisted virtual machine rootkit (HVM rootkit). An HVM rootkit is capable of totally controlling a compromised system by installing a small VMM (a.k.a. hypervisor) underneath the operating system and its applications without altering any part of the target operating system or any part of its applications. It places the existing operating system into a virtual machine and turns it into a guest operating system on-the-fly without a reboot. The guest operating system is then totally governed and manipulated by the malicious hypervisor. In this thesis I have investigated the design and implementation of a minimal hypervisor-based rootkit that takes advantage of Intel Virtualization Technology (Intel VT) for the IA-32 architecture (VT-x) and Microsoft Windows XP SP2 as the target operating system.

6. Vasisht, Vikas R. "Architectural support for autonomic protection against stealth by rootkit exploits." Thesis, Atlanta, Ga. : Georgia Institute of Technology, 2008. http://hdl.handle.net/1853/26618.

Abstract:
Thesis (M. S.)--Electrical and Computer Engineering, Georgia Institute of Technology, 2009.
Committee Chair: Lee, Hsien-Hsin; Committee Member: Blough, Douglas; Committee Member: Copeland, John. Part of the SMARTech Electronic Thesis and Dissertation Collection.

7. Xuan, Chaoting. "Countering kernel malware in virtual execution environments." Diss., Atlanta, Ga. : Georgia Institute of Technology, 2009. http://hdl.handle.net/1853/31718.

Abstract:
Thesis (Ph.D)--Electrical and Computer Engineering, Georgia Institute of Technology, 2010.
Committee Chair: Copeland A. John; Committee Member: Alessandro Orso; Committee Member: Douglas M. Blough; Committee Member: George F. Riley; Committee Member: Raheem A. Beyah. Part of the SMARTech Electronic Thesis and Dissertation Collection.

8. Zhang, Ning. "Attack and Defense with Hardware-Aided Security." Diss., Virginia Tech, 2016. http://hdl.handle.net/10919/72855.

Abstract:
Riding on recent advances in computing and networking, our society is now experiencing the evolution into the age of information. While the development of these technologies brings great value to our daily life, the lucrative reward from cyber-crimes has also attracted criminals. As computing continues to play an increasing role in the society, security has become a pressing issue. Failures in computing systems could result in loss of infrastructure or human life, as demonstrated in both academic research and production environment. With the continuing widespread of malicious software and new vulnerabilities revealing every day, protecting the heterogeneous computing systems across the Internet has become a daunting task. Our approach to this challenge consists of two directions. The first direction aims to gain a better understanding of the inner working of both attacks and defenses in the cyber environment. Meanwhile, our other direction is designing secure systems in adversarial environment.
Ph. D.

9. Persson, Emil, and Joel Mattsson. "Debug register rootkits : A study of malicious use of the IA-32 debug registers." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3609.

Abstract:
The debug register rootkit is a special type of rootkit that has existed for over a decade, and is said to be undetectable by any scanning tools. It exploits the debug registers in Intel's IA-32 processor architecture. This paper investigates the debug register rootkit to find out why it is considered a threat, and which malware removal tools have implemented detection algorithms against this threat. By implementing and running a debug register rootkit against the most popular Linux tools, new conclusions about the protection of the Linux system can be reached. Recently, debug register rootkits were found on Windows as well. This project intends to bring knowledge about the problem and investigate whether there are any threats. Our study has shown that, still after 12 years, the most popular tools for the Linux operating system have not implemented any detection algorithms against this threat. The security industry may need to prepare for this threat in case it is spread further.

10. Li, Jie, and Yuting Lu. "Rootkits." Thesis, Linnaeus University, School of Computer Science, Physics and Mathematics, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-8378.

Abstract:
The kernel system of Windows is more thoroughly exposed to people. So, the kernel-level Rootkit techniques are now laid on greater emphasis. It is very important to maintain the security of computers and to conduct an in-depth research on the operational mechanism by which kernel-level Rootkits hide their traces. Since the involved core techniques are beginning to catch on nowadays, we should analyze some new key techniques employed for the application of Rootkits, discuss the specific methods and propose a set of defense strategies for computer security.

11. Procházka, Boris. "Útoky na operační systém Linux v teorii a praxi." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2010. http://www.nusl.cz/ntk/nusl-237139.

Abstract:
This master's thesis deals with Linux kernel security from the attacker's point of view. It maps methods and techniques of disguising the computing resources used by today's IT pirates. The thesis presents a unique method of attack directed on the system call interface and implemented in the form of two tools (rootkits). The thesis consists of a theoretical and a practical part. Emphasis is placed especially on the practical part, which manifests the presented information in the form of experiments and shows its use in real life. Readers are systematically guided as far as the creation of a unique rootkit, which is capable of infiltrating the Linux kernel by a newly discovered method -- even without support of loadable modules. A part of the thesis focuses on the issue of detecting the discussed attacks and on effective defence against them.

12. Farr, C. R. "Treatment of Rootknot Nematodes." College of Agriculture, University of Arizona (Tucson, AZ), 1987. http://hdl.handle.net/10150/204511.

13. Fannon, Robert C. "An analysis of hardware-assisted virtual machine based rootkits." Thesis, Monterey, California: Naval Postgraduate School, 2014. http://hdl.handle.net/10945/42621.

Abstract:
Approved for public release; distribution is unlimited
The use of virtual machine (VM) technology has expanded rapidly since AMD and Intel implemented hardware-assisted virtualization in their respective x86 architectures. These new capabilities have resulted in a corresponding expansion of security challenges. Hardware-Assisted VM (HVM) rootkits have become a credible threat because of these new virtualization technologies and have provided an added vector with which root access can be exploited by malicious actors. An HVM rootkit covertly subverts an Operating System (OS) running on a general purpose x86 based processor and migrates that OS into a VM under the control of a malicious hypervisor. This results in the hypervisor possessing an effective privilege level of ring -0, a higher privilege level than ring 0, which the target OS possesses in either its non-virtualized or virtualized state. The only known successful HVM rootkits are Blue Pill and Vitriol. This thesis analyzes and compares the source code for both AMD-V and Intel VT-x implementations of Blue Pill to identify commonalities in the respective versions' attack methodologies from both a functional and technical perspective. Findings conclude that their functional implementations are nearly identical; but their technical implementations are very different, primarily because of differences in the AMD-V and Intel VT-x specifications.

14. Farr, C. R. "Nematocide Comparisons for Rootknot Nematode Control." College of Agriculture, University of Arizona (Tucson, AZ), 1986. http://hdl.handle.net/10150/219774.

Abstract:
The 1985 and 1986 Cotton Reports have the same publication and P-Series numbers.
Preplant treatments for rootknot nematodes on sandy loam gave less yield response than in earlier years at the same Buckeye field location. Post emergence treatments on sandy loam at Waddell failed to give sufficient economic return even though lateral root infestation level was over 50 percent.

15. Russell, Jonathan David. "The rootlet system of rhizocephalan barnacles." Thesis, Bangor University, 1998. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.285467.

16. Nigh, E. L. Jr. "Management of Rootknot Nematode in Arizona Cotton." College of Agriculture, University of Arizona (Tucson, AZ), 1989. http://hdl.handle.net/10150/204865.

17. Farr, Charles. "Nematocide Use for Control of Rootknot Nematodes." College of Agriculture, University of Arizona (Tucson, AZ), 1988. http://hdl.handle.net/10150/221226.

Abstract:
Injection of Telone II in sandy loams containing more than 60 percent sand increased Pima S-6 yield 493 pounds of lint but failed to give economic response with DP 77 in second year cotton. Treatment with Vapam at two rates at the same locations did not increase yield significantly in 1987.

18. Bohl, Christina [author], and Ernst Wolfgang [academic advisor] Kühn. "Untersuchungen zu Wechselbeziehungen zwischen ziliärem Rootlet und Primärzilie." Freiburg : Universität, 2014. http://d-nb.info/1123479410/34.

19. Husman, S., M. McClure, J. Lambeth, T. Dennehy, and B. Deeter. "Telone II® and Temik® Efficacy on Rootknot Nematodes in Cotton." College of Agriculture, University of Arizona (Tucson, AZ), 1995. http://hdl.handle.net/10150/210330.

Abstract:
Field studies were conducted at four western Maricopa County commercial sites in 1994 to determine whether Temik 15G® would suppress rootknot nematode at low to moderate populations. Three of the experiments were on Upland D +PL 5415 with the fourth on Pima S-6. Sites were chosen based on pre-season sampling with individual field populations ranging from 0.005 (low) - 3.6 (high) rootknot nematode juveniles per cubic centimeter (cc) of soil volume. Each study consisted of four treatments with six replications. The following treatments were used at all test sites: (1) Untreated check, (2) 5 lbs. Temik 15G at planting, (3) 5 lbs. Temik 15G at planting, 15 lbs. Temik 15G sidedressed at pinhead square, (4) 5 gal. Telone II® pre-plant. Sampling for thrips and lygus was conducted at all test sites to provide insight regarding yield effects resulting from control of insects versus those due to suppression of nematodes. There were no significant yield differences between the untreated check and either Temik treatment. However, significant yield increases were measured with Telone versus all treatments at all locations. Insect pressures were minimal in all cases. Temik 15G did not suppress nematode damage at any population level.

20. Nabi, Md Ashikun. "Multiple Functions Of The Striated Rootlet Proteins Of The Paramecium Basal Body." ScholarWorks @ UVM, 2018. https://scholarworks.uvm.edu/graddis/951.

Abstract:
Paramecium ciliary basal bodies align in straight rows from posterior to anterior. Each basal body is connected to three rootlets (Post Ciliary Rootlet (PCR), Transverse Rootlet (TR) and Striated Rootlet (SR)). The SR, the longest, projects from the basal body toward the anterior past several more anterior basal bodies. The depletion of Meckelin (MKS3) misaligns SRs, disorganizes basal body rows and makes the SRs appear ragged and serpentine. In this study we clarify the composition of the Paramecium ciliary basal body's SR and demonstrate that the SR plays a critical role in creating the orderly array of basal bodies in rows that run from pole to pole of the cell, likely through the interactions with centrins and other cytoskeletal elements underlying the cell surface. Here in this study we first report the reciprocal relationship between the SR and the centrin-related infraciliary lattice (ICL) protein that can dictate the cell surface morphology. The SR of Chlamydomonas is the best studied. Using the single SR Chlamydomonas gene SF-assemblin to search in Paramecium DB, we found thirty Paramecium genes in thirteen Paralog Groups. Proteins from 13 paralog groups were confirmed to be in the SR structure using immunofluorescence. LC-MS/MS analyses of density fractions from SR isolation show all thirty SR members are within the same density fraction. We further categorized all 30 SR genes in five Structural Groups based on their ability to form coiled coil domains and evaluated the function of all five Structural Groups using RNA interference (RNAi). Silencing the transcripts of any of the Structural Groups showed misaligned basal body rows and the disordered organization of the SRs with abnormal appearance of SRs all over the cell surface. Silencing of a Paralog Group showed a normal phenotype except for the two Paralog Groups (Paralog Group 1 or Paralog Group 7) which themselves constitute a Structural Group individually.
Isolated SRs from the control or Paralog Group depleted cells show a characteristic striation pattern that includes characteristic major and minor striations. Isolated SRs from any of the Structural Group depleted cells demonstrate abnormal shapes and striation periodicity. There is a correlation between the SR Structural Group RNAi surface misalignment phenotype and the isolated SR Structural Group RNAi phenotype for shape and periodicity of the SR. Strikingly, our study of the SR clearly demonstrates the role of SRs in shaping the other cytoskeleton structures of the cell cortex, e.g., ICL, epiplasm territory and cortical unit territory. In another follow-up study of MKS3 (Picariello et al., 2014), we depleted the transcripts of the MKS5 gene in Paramecium tetraurelia. Depletion of MKS5 transcripts in Paramecium causes cilia loss all over the cell surface. Unlike MKS3 depletion, MKS5 depletion does not affect the straight basal body rows and the ordered organization of SRs. Moreover, data presented in this study clearly demonstrate that depletion of MKS5 transcripts somehow affects the localization of another transition zone protein, B9D2. It appears that when lacking any of the SR Structural Groups, the rest fail to interact properly with each other to maintain the SR structure and directionality toward the anterior. As a result, abnormal SRs appear to lose the interaction with other cytoskeleton structures such as the ICL network complex, which eventually results in misaligned basal body rows and altered swimming behavior. From the data presented in this study it is reasonable to postulate that the ICL1e subfamily and SRs are in a reciprocal relationship to maintain the straight basal body rows and the highly ordered organization of the SRs all over the cell surface.

21. Bingham, Sonia Nicole. "Aquatic macroinvertebrate use of rootmat habitat created by eight woody riparian species." The Ohio State University, 2009. http://rave.ohiolink.edu/etdc/view?acc_num=osu1245417333.

22. Boyd, Joseph Samuel. "Eyespot Assembly and Positioning in Chlamydomonas reinhardtii." Diss., The University of Arizona, 2011. http://hdl.handle.net/10150/145298.

Abstract:
The eyespot of the biflagellate unicellular green alga Chlamydomonas reinhardtii is a complex organelle that facilitates directional responses of the cell to environmental light stimuli. The eyespot, which assembles de novo after every cell division and retains a distinctive association with the microtubule cytoskeleton, comprises an elliptical patch of rhodopsin photoreceptors in the plasma membrane and stacks of carotenoid-rich pigment granule arrays in the chloroplast and serves as a model for understanding how organelles are formed and placed asymmetrically in the cell. This study describes the roles of several factors in the assembly and positioning of the eyespot. Two loci, EYE2 and EYE3, define factors involved in the formation and organization of the eyespot pigment granule arrays. Whereas EYE3, a serine/threonine kinase of the ABC1 family, localizes to pigment granules, EYE2 localization corresponds to an area of the chloroplast envelope in the eyespot. These proteins play interdependent roles: EYE2 and the ChR1 photoreceptor co-position in the absence of pigment granules, and the pigment granules are required to maintain the shape and integrity of the EYE2/ChR1 patch. The miniature-eyespot locus MIN2 affects eyespot size and likely regulates the amount of material available for eyespot assembly. The MLT2 locus regulates eyespot size, number, and asymmetry. A novel locus, PEY1, modulates the position of the eyespot on the anterior-posterior axis by affecting microtubule rootlet length. A working model is developed wherein rootlet microtubule-directed photoreceptor localization establishes connections in the chloroplast envelope with EYE2, which directs the site for pigment granule array assembly, and MLT2 is proposed to negatively regulate the levels of eyespot proteins.

23. Athreya, Manoj B. "Subverting Linux on-the-fly using hardware virtualization technology." Thesis, Georgia Institute of Technology, 2010. http://hdl.handle.net/1853/34844.

Abstract:
In this thesis, we address the problem faced by modern operating systems due to the exploitation of Hardware-Assisted Full-Virtualization technology by attackers. Virtualization technology has been of growing importance these days. With the help of such a technology, multiple operating systems can be run on a single piece of hardware, with little or no modification to the operating system. Both Intel and AMD have contributed to x86 full-virtualization through their respective instruction set architectures. Hardware virtualization extensions can be found in almost all x86 processors these days. Hardware virtualization technologies have opened a whole new frontier for a new kind of attack. A system hacker can abuse hardware virtualization technology to gain control over an operating system on-the-fly (i.e., without a system restart) by installing a thin Virtual Machine Monitor (VMM) below the native operating system. Such VMM-based malware is termed a Hardware-Assisted Virtual Machine (HVM) rootkit. We discuss the technique used by a rootkit named Blue Pill to subvert the Windows Vista operating system by exploiting the AMD-V (codenamed "Pacifica") virtualization extensions. HVM rootkits do not hook any operating system code or data regions; hence detecting the existence of such malware using conventional techniques becomes extremely difficult. This thesis discusses existing methods to detect such rootkits and their inefficiencies. In this work, we implement a proof-of-concept HVM rootkit using Intel-VT hardware virtualization technology and also discuss how such an attack can be defended against by using an autonomic architecture called SHARK, which was proposed by Vikas et al. in MICRO 2008.

24. Porter, Jeremy. "Detecting Malicious Behavior in OpenWrt with QEMU Tracing." Wright State University / OhioLINK, 2019. http://rave.ohiolink.edu/etdc/view?acc_num=wright1564840733498961.

25. Picariello, Tyler August. "Meckelin Functions in the Guided Movement and Orientation of Basal Bodies Prior to Duplication in Paramecium tetraurelia." ScholarWorks @ UVM, 2015. http://scholarworks.uvm.edu/graddis/367.

Abstract:
Ciliopathies are a group of disorders that arise from ciliary dysfunction. Meckelin (MKS3 or TMEM67) is a conserved transmembrane protein found at the transition zone of ciliated cells. In humans MKS3 is one of 3 genes linked to the ciliopathy Meckel Syndrome. This disease is characterized by occipital meningioencephalocoele, polycystic kidneys, fibrotic changes to the liver, postnatal polydactyly and situs inversus. Paramecium tetraurelia is a single celled ciliated eukaryote. Its surface is organized as a meshwork of cortical units that run the length of the cell. At the center of the cortical units are either one or two basal bodies. In two basal body units only the posterior basal body is ciliated. From the ciliated basal body, three rootlets project in stereotypical orientations: the post-ciliary rootlet projects posteriorly, the transverse microtubule projects toward the adjacent basal body row and the striated rootlet projects anteriorly. Both the post-ciliary rootlet and transverse microtubule are microtubule-based structures. The striated rootlet is composed of multiple subunits that are predicted to have conserved segmented coiled coil domains known as SF-Assemblin domains. In Picariello et al., 2014, we showed that MKS3 is present in the transition zone of Paramecium tetraurelia and that RNAi for MKS3 leads to global ciliary loss. Additionally, RNAi for MKS3 results in the disorganization of the basal body rows. Within the areas of disorganization, the basal bodies along with their striated rootlets, post-ciliary rootlets and transverse microtubules are rotated away from their expected orientation. Interestingly, the post-ciliary rootlet and transverse microtubule are still attached at the expected angles relative to each other within the areas of disorganization. Initial GST pull-down experiments using the coiled coil domain of MKS3 suggest a potential interaction between MKS3 and the striated rootlet family members KdC1 and KdB2.
To test potential interactions between MKS3 and the striated rootlet we identified 27 potential striated rootlet family members in Paramecium. Full-length sequences for 13 of these genes were marked at their N-terminus with a 3x FLAG sequence. Components with a conserved SF-Assemblin domain were distributed uniformly within the striated rootlet. Components lacking the SF-Assemblin domain were found in various cellular locations, but not within the striated rootlet. GST pull-down experiments utilizing the MKS3 C-terminus as bait were performed using cells expressing the FLAG-tagged striated rootlet family members. Unfortunately a clear interaction between MKS3 and the striated rootlet remains elusive. The organized nature of the surface of Paramecium has allowed us to identify a previously unrealized function for MKS3. Our immunofluorescence data suggest that MKS3 functions outside the transition zone to maintain basal body row organization by potentially contributing to a link between the basal body and the striated rootlet. Without the link, the migrating basal bodies are free to rotate and project their rootlets in the wrong directions. Although the nature of the link remains elusive, the identification of disorganized basal body rows upon MKS3 reduction suggests that, in addition to ciliary dysfunction, basal body polarity defects may contribute to the development of MKS.

26. Afrim, Cerimi, and Joakim Norén. "Motåtgärder vid IT-forensisk liveanalys." Thesis, Högskolan i Halmstad, Sektionen för Informationsvetenskap, Data– och Elektroteknik (IDE), 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-15432.

Abstract:
Live analysis is a concept that in this paper means analyzing a computer system while it is running. This can be done for several reasons, such as when there is a risk that the system has encryption which can be activated when the system shuts down. Otherwise, it is common if you want to examine network connections, active processes or other phenomena that can be volatile, i.e. disappear when the system shuts down. This work will focus on countermeasures to live forensic analysis and describe different methods and strategies that can be used for these countermeasures. For example, we wrote a program that automatically shuts down the system when you insert a USB memory stick or any other media. These are usually the media on which you have your forensic programs when you do a live analysis. Other important elements of the work are the use of encryption, timestamps and malicious code to challenge live analysis. Our analysis of the topic shows that it is relatively easy to prevent a live analysis from being performed in a reliable way.
27

Blaauw, Pieter. "Search engine poisoning and its prevalence in modern search engines." Thesis, Rhodes University, 2013. http://hdl.handle.net/10962/d1002037.

Abstract:
The prevalence of Search Engine Poisoning in trending topics and popular search terms on the web within search engines is investigated. Search Engine Poisoning is the act of manipulating search engines in order to display search results from websites infected with malware. Research done between February and August 2012, using both manual and automated techniques, shows us how easily the criminal element manages to insert malicious content into web pages related to popular search terms within search engines. In order to provide the reader with a clear overview and understanding of the motives and the methods of the operators of Search Engine Poisoning campaigns, an in-depth review of automated and semi-automated web exploit kits is done, as well as looking into the motives for running these campaigns. Three high profile case studies are examined, and the various Search Engine Poisoning campaigns associated with these case studies are discussed in detail for the reader. From February to August 2012, data was collected from the top trending topics on Google's search engine along with the top listed sites related to these topics, and then passed through various automated tools to discover whether these results had been infiltrated by the operators of Search Engine Poisoning campaigns; the results of these automated scans are then discussed in detail. During the research period, manual searching for Search Engine Poisoning campaigns was also done, using high profile news events and popular search terms. These results are analysed in detail to determine the methods of attack, the purpose of the attack and the parties behind it.
28

Lacombe, Eric. "Sécurité des noyaux de systèmes d'exploitation." Phd thesis, INSA de Toulouse, 2009. http://tel.archives-ouvertes.fr/tel-00462534.

Abstract:
This thesis deals with preserving the integrity of current operating systems. The objective is to respond to the present and future threats posed by malicious software that implants itself in the kernel of these systems (such as "kernel" rootkits) or at least alters their integrity (such as "hypervisor" rootkits). The first part of this document focuses on this malicious software. First, logical attacks on computer systems are presented as a whole. Then a classification of the malicious actions that cause the loss of a kernel's integrity is proposed. Finally, the results of a study of "kernel" rootkits are given and the creation of an original rootkit is explained. The second part is concerned with the protection of kernels. After a description of the state of the art, an original approach is proposed, founded on the concept of constraint preservation. First, the essential elements on which a kernel relies are identified, and the constraints on these elements that are necessary for the kernel to function correctly are set out. A lightweight hypervisor (Hytux) was designed to prevent violation of these constraints by intercepting some of the kernel's actions. Its implementation is described for a 64-bit Linux kernel on the x86 architecture with Intel VT-x and VT-d technologies.
29

Grizzard, Julian B. "Towards Self-Healing Systems: Re-establishing Trust in Compromised Systems." Diss., Available online, Georgia Institute of Technology, 2006, 2006. http://etd.gatech.edu/theses/available/etd-04072006-133056/.

Abstract:
Thesis (Ph. D.)--Electrical and Computer Engineering, Georgia Institute of Technology, 2006.
Schwan, Karsten, Committee Member ; Schimmel, David, Committee Member ; Copeland, John, Committee Member ; Owen, Henry, Committee Chair ; Wills, Linda, Committee Member.
30

Lin, Yu-chan, and 林郁展. "Discoverer- a realtime Rootkit detection system." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/28572747271333705716.

Abstract:
Master's thesis
National Central University
Department of Computer Science and Information Engineering, In-service Master's Program
100
Rootkits are most often used by attackers to hide their behavior. Rootkit detection mechanisms mostly focus on static characteristics or the integrity of the system, but an attacker can obscure the system's characteristic values in various ways, and rapid real-time confirmation of integrity is not easy to achieve. This paper presents an accurate, rapid, real-time Rootkit detection mechanism, Discoverer, to enhance the system's ability to detect Rootkits. Since the attacker's network connections and running processes are the main objects hidden by a Rootkit, Discoverer detects Rootkits by locating hidden network connections and processes. In order to manage network connections and processes, the operating system maintains a variety of data structures that record the relevant information. An attacker can add or even modify code so that users do not see the attacker's network connections or running processes, but if this is achieved by tampering with the network-connection or process-related data structures, such as the run queue, the normal functioning of the system is likely to be undermined, so the information in these data structures is a true reflection of the system's status. This paper lists all the user-mode process information (such as that from ps and netstat) and sends it into the kernel by adding a new system call, then compares it one by one with the kernel data to find hidden process PIDs, socket connections, and accessed file names and paths. The experimental results show that Discoverer can accurately detect all kinds of Rootkits which we collected.
31

Kan, Kai Lun, and 甘凱綸. "Using low-cost RFID for Rootkit countermeasures." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/26844489635538646755.

Abstract:
Master's thesis
Chang Gung University
Department of Information Management
98
A Rootkit can automatically invade your system and install itself without asking for the computer user's permission. A Rootkit is purposely hidden, so it is difficult to detect. Anti-virus programs may not be able to remove the invading malware completely, as a Rootkit can be well hidden and can possibly stay in the system as a repair file or combine with some kinds of spyware or malware. Most crackers favor this kind of virus attack. This research discusses the repercussions of Rootkits for the health care information field, to understand the importance of protection against Rootkit intrusion into hospital files. This is especially important when we need to protect the privacy and security of patient medical data so that this information is not leaked to outsiders. In a hospital database server, it is possible that information circulating through e-mail, audio or video from recorded meetings, and electronically stored meeting minutes could be acquired by a Rootkit. Medical R&D or any hospital administrative decisions could be taped or intercepted without being noticed, which creates a substantial vulnerability for the hospital database server. In addition, the exchange of patients' medical data files among hospital staff, personnel work shift arrangements, procedures of doctors' diagnoses, or even patients' medical files can all be deliberately altered. A vulnerability to Rootkits adversely affects patients. Because a hospital's database server is vulnerable to Rootkits as information technology is used by the medical system, we must also fervently protect the security of information before the hospital's proprietary knowledge is lost or appropriate patient care is altered. In this research, we want to define a new Rootkit attack and the corresponding countermeasure. We use low-cost computing operators composed of a symmetric key, the exclusive-or (XOR) operation and a hash-based message authentication code (HMAC) to communicate in the proposed mechanism.
We use a symmetric key to encrypt and decrypt the data transferred among the reader, the database server and the user. We also use XOR to compute the recovery operator that recovers the modified data. Finally, we use HMAC to obtain a digest, using the value k to hash the cipher text, and compare it with the true data and the false data. In recent years, many RFID identity security mechanisms have been proposed; although these methods have improved security, they are unable to provide highly efficient transmission protection. Therefore, when considering information security it is also necessary to take into account the feasibility of the solution. This research uses the HMAC and XOR operations to manually discover database server privacy protection in a backward-looking mechanism for retrieving false data. The contributions of the method are: (1) even if the data is transferred to other users, the data is useless; (2) efficiency for the most prevalent low-computing, low-memory-capacity devices paired with a large database server. This research can be referred to by all researchers who want to understand Rootkit operations.
32

Chen, Yuh-Chen, and 陳昱成. "A Study on Polymorphic Windows Kernel Mode Rootkit." Thesis, 2008. http://ndltd.ncl.edu.tw/handle/92312229637569799284.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
96
More and more malicious programs are combined with rootkits to shield their illegal activities and the result makes security products face a challenge. It can be observed that most sophisticated kernel mode rootkits are implemented to execute hiding tasks through drivers in Windows Kernel. Therefore, the role of a detector for detecting Windows driver-hidden rootkits is becoming extremely important. In this thesis, we first develop a new Windows driver-hidden rootkit with five tricks based on Direct Kernel Object Manipulation, and have verified that it can successfully avoid well-known rootkit detectors. And we then propose a countermeasure to detect it. We affirm our efforts will be extremely useful for improving the current techniques of detecting Windows driver-hidden rootkits.
33

Huang, Chun-Hao, and 黃軍皓. "A Study on Metamorphic Linux Kernel Mode Rootkit." Thesis, 2006. http://ndltd.ncl.edu.tw/handle/04757711331947289605.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
94
Although defense mechanisms such as antivirus software, anti-spyware software, all kinds of hardware or software firewalls, and the latest patching tools may prevent the system from being attacked by malicious software, it is still hard to keep up with the pace of every transformation of malicious software. Recently, malicious software using rootkit technology has been affecting system security and makes related detection techniques more and more unsatisfactory and even ineffective. Rootkits first appeared in the 1990s and their attack targets were the Sun and Linux operating systems. Nowadays over sixty kinds of rootkits exist in cyberspace, which has a great impact on information security. If we want to develop a more efficient and accurate detection technique, we have to understand their development process, technology and characteristics so that we can prevent our systems from being intruded upon by rootkit technology in advance. Rootkits can be divided into two types: user mode and kernel mode. The former is easily detected by rootkit detection tools. The latter is difficult to recognize; especially, a variety of metamorphic rootkits will greatly threaten the whole security of systems. Therefore, this thesis emphasizes kernel mode rootkit technology, and further develops a metamorphic Linux Kernel Mode Rootkit which cannot be detected by current rootkit detection software tools. Moreover, we also discuss the corresponding detection method for finding the proposed metamorphic rootkit, so that it may be a practical reference for the subsequent development of metamorphic rootkit detection.
34

Hsiao, Wei-Yun, and 蕭維昀. "A Real-time Defense Mechanism for DKOM-Rootkit." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/60388785430389473573.

Abstract:
Master's thesis
National Taipei University
Department of Computer Science and Information Engineering
102
With computer technology widely applied in every walk of life, all kinds of important information are stored in computers and transported through the Internet, so system security has become a popular research target. As so many vulnerabilities exist in modern computer operating systems and the Internet, the operating system is vulnerable to many types of attacks. One of the most popular attack techniques is the Rootkit. Rootkits have a lot of technical tricks, so nowadays no one can claim that their antivirus has the ability to understand them and catch Rootkits precisely. Furthermore, it is helpless against unknown Rootkits and complex Rootkits. The goal of this thesis is to propose a defense and detection scheme for Rootkits. We first analyze the attack techniques of Rootkits and do in-depth research on DKOM technology. In this thesis, a detailed description of detection technologies and defense techniques is given, and then their advantages and disadvantages are analyzed. Finally, we extract from the above the techniques designed to oppose Rootkit invasion. In order to improve capability and hit rate, a new defense and detection method is proposed which is based on Windows DKOM-Rootkits. It not only achieves interception but also points out the hidden address accurately by a purpose-built mechanism, ensuring the security of computer systems.
35

Κοζυράκης, Ιωάννης Μάριος. "Τεχνικές ανίχνευσης rootkit και ανάπτυξη εφαρμογής για την αφαίρεσή του." Thesis, 2009. http://nemertes.lis.upatras.gr/jspui/handle/10889/1625.

Abstract:
Rootkits allow an attacker to retain access to an already compromised system for a long period after the compromise, without being noticed by the legitimate administrator. This work analyses the various techniques used by attackers, with emphasis on kernel-level rootkits, and develops a rootkit program that makes use of advanced techniques allowing it to operate even on the newest kernel versions. Detection techniques are then analysed and a detection application for two different categories of rootkit is developed. The application is also able to neutralise rootkits of the first category so that the system is restored.
36

Wang, Wen-Kai, and 王文楷. "A New Rootkit and Its Detection in Windows 7 64bit." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/20880803623463145590.

Abstract:
Master's thesis
Chinese Culture University
Industrial Master's Program in Information Security
102
This thesis is a study on a new rootkit in the Windows 7 64-bit operating system and its detection. This rootkit has two types of attack techniques. The first attack technique uses DKOM technology to modify the EPROCESS object in Windows memory in order to hide a process. The second attack technique uses SSDT hook technology to change two kernel APIs, NtTerminateProcess and NtQueryDirectoryFile, in order to prevent process deletion and to hide files. Through the above attack techniques we come to understand the weaknesses of the Windows 7 64-bit operating system, so we can find the new rootkit by analysis of the SSDT memory addresses and the kernel object's Flink and Blink fields. This study found that a new rootkit can attack the Windows 7 64-bit operating system by using a jump function in the kernel space of memory, and change the kernel object by bypassing the PatchGuard protection.
37

CHEN, CHANG, and 張真. "Integrated Technologies for Defending against Rootkit Malware in Cloud Service Environments." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/82938664724855632570.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
102
The rapid development of cloud computing technology has become an important base of information technology and makes life more convenient, as long as the platform is able to connect to the Internet to use cloud services. Convenient services allow users and enterprises to use a lot of data storage, and therefore cloud security issues are very crucial. Many Rootkit hiding techniques have been combined to conceal malware, so cloud system security is facing enormous challenges. Thus, malware hidden in cloud applications, such as spyware and Rootkits, has become the object of information security focus. Although there is much commercially available Windows rootkit detection software developed to effectively prevent known rootkits, for an unknown type of Windows cloud operating system Rootkit it is often unable to work effectively. Therefore, the design of effective Windows Kernel Mode Rootkit detection for cloud operating systems is very important, especially to defend against driver-hidden rootkits. This study constructs integrated kernel mode rootkit prevention techniques for Windows cloud operating systems, in particular against unknown types of rootkits, so that cloud operating system security threats and potential damage can be removed to construct a basis for cloud security.
38

Chen, Jun-Han, and 陳俊翰. "Effective Rootkit Malware Detection Technologies for Smartphone Based on Open Source." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/35586405657298935707.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
102
With the increasing popularity of smart mobile devices, the attendant information security issues cannot be ignored. The Android platform is the choice of many consumers because of its superior freedom of use, but because Google Play lists applications without a rigorous audit system, malicious software on the Android platform is very rampant. In fact, a Rootkit itself is not strongly destructive, but if hidden Rootkit technology is integrated with other malware to become a variant Rootkit, it will raise the alarm for mobile phone operating system security and defense. Therefore, how to effectively prevent the phone from malware invasion is particularly important. As malicious software on smart mobile devices continues to introduce new variants, the hiding features of Rootkits are likely to be used and packaged as malware, thus achieving its invasion purposes. In today's viral infections, we know that network transmission is a major key, and this study will conduct Rootkit detection of malicious software for smart mobile devices. While open source Rootkit detection tools can save costs and have some ability to detect, the relevant literature indicates that existing open Rootkit detection tools are quite insufficient in capability, so this study will improve the existing open-source Rootkit detection tools to improve their ability to detect, and protect the safety of existing smartphone users.
39

Lai, Wei-Lun, and 賴瑋倫. "Reinforcing the Defense against Rootkit-based Malicious Software in Cloud Computing Environment." Thesis, 2013. http://ndltd.ncl.edu.tw/handle/05688434876090479067.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
101
With the popularity of cloud computing, security issues have also been generated, and thus the security of the cloud's virtual machine service platforms cannot be ignored. Regarding rootkit malware prevention, since a variety of new kernel mode rootkits will cause serious destruction to the kernel of the operating system, and even the Apple Mac system, which is well known for having no virus invasions, has also failed, rootkits have attracted more and more attention all over the world. Many rootkits targeting the Microsoft Windows operating systems have been made, and the systems destroyed have extended to cloud virtual machines instead of stand-alone systems. In the current technologies for detecting Windows rootkits, although some well-known detection software can detect known rootkits, it cannot detect variant rootkits effectively. The contribution of this research is to combine signature-based detection and cross-view detection to enhance the detection capabilities in the cloud's host operating systems and guest virtual machine operating systems. Furthermore, TPM (Trusted Platform Module) embedded systems technology is also integrated with the proposed detection mechanism to promote a high detection rate. The results obtained find the main weaknesses of the Windows Server 2008 host operating systems and Windows 7 guest operating systems, to effectively help construct the basis of secure virtual machine platforms in cloud services.
40

Tseng, Shu-Ting, and 曾淑婷. "A Study on Registry-hidden Rootkit Detection Mechanism in Cloud Service Environments." Thesis, 2013. http://ndltd.ncl.edu.tw/handle/78285936272779202170.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
101
Considering that large international companies such as Google, Microsoft, Amazon, IBM, Dell, Sun, HP and so on are entering the territory of cloud computing, the application of cloud and virtualization technology has led to better desktop software experiences in the personal computer area. As a result, the malware hiding in cloud virtual machines, particularly spyware and rootkits, has become the key preventive object in the computer security territory. Regarding malware development, possessing a certain degree of hiding function has become a trend. Under Microsoft Windows systems, the existence and operation of malware cannot be independent of the related information in the system registry. Additionally, malware often hides in the registry, so it is difficult to delete it completely. Consequently, how to effectively detect rootkits that hide in the registry has become especially important. Although there are famous detection tools that can detect rootkits that hide in the registry, they often fail to detect new types of rootkits. In order to detect rootkits that hide in operating systems by tampering with the registry file, this research analyzes rootkit hiding technology in the registry and related rootkit detection technologies. After analyzing the registry file format and operation control flow, this research designs a new type of registry-based rootkit hiding technology, and then develops a rootkit detection mechanism based on the experience of designing the new type of rootkit. By virtualizing the registry and the registry key value flow at the bottom tier of the Win32 system, the actually valid registry key can be obtained, which can effectively detect hiding rootkits in cloud environments.
41

Chi, Cheng-Hua, and 杞承樺. "A Study on Process-hidden Rootkit Detection Mechanism in Cloud Service Environments." Thesis, 2013. http://ndltd.ncl.edu.tw/handle/37856256552890637490.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
101
Since the development of cloud services has become mature, the advantages of cloud services also give hackers an easy way to create complicated and exquisite attack techniques. Rootkits are always used in these techniques, and an exquisite one is the Trojan-based rootkit. In this rootkit-combined technique, "removing from the doubly linked list" and "using system services" are very hard to detect, which is why it always lets users download data unconsciously and spread it gradually to contiguous systems and networks by opening files. The attack hides and waits for opportunities, and is controlled by a remote server. After receiving instructions it pretends to be a proper process or thread, and steals important information, transferring it back to the attacker over the network. The above-mentioned trick is called an "APT" (Advanced Persistent Threat), which has become a big menace to cloud services. Although famous anti-virus software can detect process-hidden rootkits, it still cannot work when confronting mixed rootkits. Therefore, this research develops a mechanism for detecting process-hidden rootkits in cloud operating systems to avoid APT attacks on clouds, which can effectively detect mixed rootkits using "removing from the doubly linked list" and "using system services". Moreover, the proposed mechanism can help anti-virus software and cloud system service providers develop a complete protection mechanism against rootkit attacks.
42

Li, You-Ru, and 李侑儒. "A Study on Protecting Android Operating Systems Based on Rootkit Stealth Technologies." Thesis, 2015. http://ndltd.ncl.edu.tw/handle/29983409767821322791.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
103
With the popularity and universality of smart mobile devices, security issues are crucial and cannot be ignored. Concerning open source based Android software development and the Google Play open platform, there is no rigorous approval system and anyone can publish applications on Google Play, so malware on the Android platform has been gradually increasing. Although the Android platform has a variety of security technologies to protect the system, hackers still have tricks to escape detection and steal users' data. Therefore, enhancing the security of Android systems has become increasingly significant. In this study, the implementation of protection technologies in the kernel of Android, instead of at the application layer, potentially provides great benefits in preventing malicious user space applications from subverting system resources, and thus effectively removes external threats and potential damage to the Android operating system to build the security infrastructure for the Android service platform. This study has developed stealth technologies for protecting the Android system kernel from a variety of attacks, and then verifies that the proposed subtle stealth technologies can successfully avoid subversion by a wide variety of Android root-theft malware. Because Android is open source software based on the Linux kernel, the software investment cost for constructing effective Android kernel protection technologies will be significantly reduced, and the proposed technologies can also be increasingly strengthened via the resources of the open source community.
43

Litty, Lionel. "Architectural Introspection and Applications." Thesis, 2010. http://hdl.handle.net/1807/24817.

Abstract:
Widespread adoption of virtualization has resulted in an increased interest in Virtual Machine (VM) introspection. To perform useful analysis of the introspected VMs, hypervisors must deal with the semantic gap between the low-level information available to them and the high-level OS abstractions they need. To bridge this gap, systems have proposed making assumptions derived from the operating system source code or symbol information. As a consequence, the resulting systems create a tight coupling between the hypervisor and the operating systems run by the introspected VMs. This coupling is undesirable because any change to the internals of the operating system can render the output of the introspection system meaningless. In particular, malicious software can evade detection by making modifications to the introspected OS that break these assumptions. Instead, in this thesis, we introduce Architectural Introspection, a new introspection approach that does not require information about the internals of the introspected VMs. Our approach restricts itself to leveraging constraints placed on the VM by the hardware and the external environment. To interact with both of these, the VM must use externally specified interfaces that are both stable and not linked with a specific version of an operating system. Therefore, systems that rely on architectural introspection are more versatile and more robust than previous approaches to VM introspection. To illustrate the increased versatility and robustness of architectural introspection, we describe two systems, Patagonix and P2, that can be used to detect rootkits and unpatched software, respectively. We also detail Attestation Contracts, a new approach to attestation that relies on architectural introspection to improve on existing attestation approaches. 
We show that because these systems do not make assumptions about the operating systems used by the introspected VMs, they can be used to monitor both Windows and Linux based VMs. We emphasize that this ability to decouple the hypervisor from the introspected VMs is particularly useful in the emerging cloud computing paradigm, where the virtualization infrastructure and the VMs are managed by different entities. Finally, we show that these approaches can be implemented with low overhead, making them practical for real world deployment.
44

Hsing, Chieh, and 邢傑. "An Efficient Solution for Hook-Based Kernel Level Rootkits." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/71998633525300700162.

Abstract:
Master's thesis
National Tsing Hua University
Institute of Information Systems and Applications
97
It is easy to discover whether there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether these hooks are malicious or not after finding them in the SSDT. Thus, we observe the behavior of these hooks by re-calling the original Native API and examining the results in order to make a better decision. When users inspect their computers with existing tools (e.g., Rootkit Unhooker, Rootkit Hook Analyzer) and find some hooks, they do not know what to do next, because honest software (e.g., anti-virus software, online games) may also hook the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the results returned before and after hooking. Through this comparison, if a malicious hook hides itself by modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it does not perturb the normal operation of user-mode programs. Finally, we discuss the existing approaches to rootkit detection in both user mode and kernel mode. Our method effectively monitors the behavior of hooks and brings an accurate viewpoint for users to examine their computers.
45

Corregedor, Manuel Rodrigues. "Utilizing rootkits to address the vulnerabilities exploited by malware." Thesis, 2012. http://hdl.handle.net/10210/6257.

Abstract:
M.Sc.
Anyone who uses a computer for work or recreational purposes has come across one or all of the following problems, directly or indirectly (knowingly or not): viruses, worms, trojans, rootkits and botnets. This is especially the case if the computer is connected to the Internet. Looking at the statistics in [1], we can see that although malware detection techniques are detecting and preventing malware, they do not guarantee 100% detection and/or prevention of malware. Furthermore, the statistics in [2] show that malware infection rates are increasing around the world at an alarming rate. The statistics also show that a high number of new malware samples are being discovered every month and that 31% of malware attacks resulted in data loss [3], with 10% of companies reporting the loss of sensitive business data [4][5]. The reason for not being able to achieve 100% detection and/or prevention of malware is that malware authors make use of sophisticated techniques such as code obfuscation in order to prevent malware from being detected. This has resulted in the emergence of malware known as polymorphic and metamorphic malware. The aforementioned malware poses serious challenges for anti-malware software, specifically signature-based techniques. However, a more serious threat that needs to be addressed is that of rootkits. Rootkits can execute at the same privilege level as the Operating System (OS) itself. At this level the rootkit can manipulate the OS such that it can distribute other malware, hide existing malware, steal information, hide itself, disable anti-malware software, etc., all without the knowledge of the user. It is clear from the statistics that anti-malware products are not working, because infection rates continue to rise and companies and end users continue to fall victim to these attacks. Therefore this dissertation will address the problem that current anti-malware techniques are not working.
The main objective of this dissertation is to create a framework called ATE (Anti-malware Technique Evaluator) that can be used to critically evaluate current commercial anti-malware products. The framework will achieve this by identifying the current vulnerabilities that exist in commercial anti-malware products and the operating system. The former will be achieved by making use of two rootkits, the Evader rootkit and the Sabotager rootkit, which were specifically developed to support the anti-malware product evaluation. Finally, an anti-malware architecture we call External Malware Scanner (EMS) will be proposed to address the identified vulnerabilities.
46

Lin, SHI-JIA, and 林士嘉. "An Effective Scheme for Protecting against Windows Kernel-mode Rootkits." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/12058051180668887068.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
Academic year 98 (ROC calendar)
More and more malicious programs are combined with rootkits to shield their illegal activities, and the result makes information security defense encounter a great challenge. It can be observed that most sophisticated kernel-mode rootkits are implemented to execute hiding tasks through drivers in the Windows kernel. In the current prevention schemes, memory shadowing, kernel-mode code signing and host-based intrusion prevention systems all passively protect the operating system, and they cannot identify whether rootkits have intruded into the operating system. On the other hand, though many companies or individuals have released rootkit detectors to the public, and undoubtedly these can detect known rootkits effectively, they cannot foresee what the result will be when they meet unknown rootkits or crashed operating systems. Hence, this thesis will develop a prevention mechanism which can identify driver-hidden rootkits to protect Windows-based operating systems. Our research constructs an anti-rootkit scheme for protecting the Windows kernel to achieve higher system security, especially for safeguarding the Windows kernel from the damage of unknown driver-hidden rootkits. Moreover, we also test the proposed prevention scheme on Windows XP SP3 on the Testbed@TWISC platform. We affirm that our efforts are extremely useful for improving the current techniques for preventing Windows driver-hidden rootkits.
47

Huang, Yihsi, and 黃奕璽. "Windows Rootkits Detection Technologies for Service Platforms in Cloud Computing." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/25770337870424373300.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
Academic year 99 (ROC calendar)
With the growing popularity of cloud computing, the security issues in cloud computing also emerge. Currently, information security researchers are focusing on cloud data security, including cloud data privacy and confidentiality. However, the security protection of the virtual-machine service platform in cloud computing is also crucial. The service architectures in cloud computing are based on virtualization technology, which can achieve rapid deployment, resource flexibility, rapid disaster recovery, cost reduction, and so on. But even though virtualization technology has the advantages mentioned above, it still has to be constructed on top of cloud operating systems. And once the cloud operating systems suffer a malware attack, the virtual machines constructed on those cloud operating systems will collapse. Therefore, the security protection of cloud operating systems is particularly critical. Nowadays, more and more malicious programs are combined with rootkits to shield their illegal activities, and the result makes information security defense encounter a great challenge. To the best of our knowledge, the existing literature is mainly aimed at exploring protective measures for the Guest OS, while little research involves the security issues of the Host OS. Therefore, this thesis will first try to develop a technology for detecting unknown kernel-mode rootkits in Windows host operating systems for cloud computing, and thus build the security infrastructure for the virtual-machine service platform in cloud computing. As for the research procedure, we will first develop a new type of driver-hidden rootkit for Windows host operating systems. The proposed rootkit has the ability to evade a wide variety of well-known detection software, and can be used to indicate the weaknesses of that well-known detection software.
Afterwards, we have developed an effective mechanism for detecting driver-hidden rootkits, including the proposed new type of rootkit threat and other existing rootkits. Through experimental tests and analysis, we have found that, in terms of detection rate, detection time, CPU usage rate and I/O usage rate, the proposed mechanism is far superior to the existing rootkit detection software developed by well-known domestic and foreign anti-virus software manufacturers such as ESET, AVAST and Trend Micro. Thus, we affirm that the proposed mechanism is extremely practical in the real world.
48

Lin, Ming-Hsiao, and 林明孝. "A Study on Detecting Metamorphic Rootkits Based on Tripwire Tool." Thesis, 2006. http://ndltd.ncl.edu.tw/handle/19365306391583162648.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
Academic year 94 (ROC calendar)
With the rapid development and prevalence of the Internet, more and more hackers rampant in cyberspace invent ever more diverse and complex intrusion techniques. Based on the bugs or defects of the Linux and Windows operating systems, hackers can develop a great diversity of malicious software such as viruses, worms, Trojan horses, backdoors, and rootkits. How to maintain a secure computing platform and avoid intrusion by hackers has become a very crucial issue nowadays. Most host-based intrusion detection systems (HIDS) find evidence of attacks by filtering or auditing the operating system logs. However, hackers can place rootkits to obtain root access or leave backdoors, which let them intrude into the system and change the system programs again. In such a case, administrators usually have little clue to detect it. Consequently, this thesis focuses on the Linux system administrator's point of view to check whether a user-mode rootkit has been placed on the operating system. The proposed detection mechanism is to employ the Chkrootkit tool to detect known rootkits, and then, in terms of their intrusion characteristics, examine the integrity of system files with the Tripwire tool. From the database, we can first find the abnormal items caused by the metamorphic rootkits, and then compare them with the previously obtained abnormal items generated by the known rootkits to find the metamorphic rootkits. Finally, we also simulate the proposed detection scheme to validate its feasibility.
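The two-step procedure described above (an integrity database first, then matching the set of modified files against what known rootkits are recorded as replacing), as an added C example that is not the thesis's own tool and does not call Tripwire or Chkrootkit: three stand-in "binaries" are written to a temporary directory, a baseline of their digests is recorded, two of them are overwritten the way a user-mode rootkit replaces ls and ps, and the changed set is compared with constructed known-rootkit profiles. The FNV-1a digest stands in for the cryptographic hashes Tripwire stores and is not collision-resistant; the profiles kitA and kitB, the file names and the file contents are invented for the example.

```c
/* Added example, not the thesis's own tool: Tripwire-style baseline and
 * verification, then matching the changed-file set against known-rootkit
 * profiles. Paths, file contents and profiles are constructed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for mkdtemp() on glibc */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_FILES 8

typedef struct { char path[128]; uint64_t digest; int ok; } entry_t;

/* FNV-1a 64-bit over the file bytes. A stand-in for the cryptographic hash
 * a real integrity database must use; FNV is not collision-resistant. */
static uint64_t fnv1a_file(const char *path, int *ok) {
    uint64_t h = 0xcbf29ce484222325ULL;
    FILE *f = fopen(path, "rb");
    int c;
    if (!f) { *ok = 0; return 0; }
    while ((c = fgetc(f)) != EOF) { h ^= (uint8_t)c; h *= 0x100000001b3ULL; }
    fclose(f);
    *ok = 1;
    return h;
}

/* Record the baseline (the equivalent of "tripwire --init"). */
int baseline_init(const char *const *paths, int n, entry_t *db) {
    for (int i = 0; i < n; i++) {
        snprintf(db[i].path, sizeof db[i].path, "%s", paths[i]);
        db[i].digest = fnv1a_file(paths[i], &db[i].ok);
    }
    return n;
}

/* Verify against the baseline ("tripwire --check"): returns how many files
 * changed or went missing and writes their indices into changed[]. */
int baseline_check(const entry_t *db, int n, int *changed) {
    int k = 0;
    for (int i = 0; i < n; i++) {
        int ok;
        uint64_t h = fnv1a_file(db[i].path, &ok);
        if (!ok || !db[i].ok || h != db[i].digest) changed[k++] = i;
    }
    return k;
}

/* Which binaries each known rootkit is recorded as replacing. Constructed
 * for the example; a real table would be built from Chkrootkit-style data. */
typedef struct { const char *name; const char *files[MAX_FILES]; } profile_t;
static const profile_t g_profiles[] = {
    { "kitA", { "ls", "ps", "netstat", NULL } },
    { "kitB", { "login", "sshd", NULL } },
};

/* Profile whose file set overlaps the changed set the most, or NULL when no
 * known rootkit touches any changed file (candidate for a new variant). */
const char *best_profile(const char *const *changed_names, int k) {
    const char *best = NULL;
    int best_hits = 0;
    for (size_t p = 0; p < sizeof g_profiles / sizeof g_profiles[0]; p++) {
        int hits = 0;
        for (int f = 0; g_profiles[p].files[f]; f++)
            for (int i = 0; i < k; i++)
                if (strcmp(g_profiles[p].files[f], changed_names[i]) == 0) hits++;
        if (hits > best_hits) { best_hits = hits; best = g_profiles[p].name; }
    }
    return best;
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    fputs(text, f);
    fclose(f);
    return 1;
}

/* Scenario: baseline three stand-in binaries in a temp dir, overwrite ls and
 * ps as a user-mode rootkit would, re-check, and name the matching profile.
 * Returns the number of flagged files, or -1 on I/O failure. */
int demo_scenario(const char **matched) {
    static const char *names[] = { "ls", "ps", "netstat" };
    char dir[] = "/tmp/integXXXXXX";
    char paths[3][128];
    const char *pp[3], *cn[3];
    entry_t db[3];
    int changed[3], k;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(paths[i], sizeof paths[i], "%s/%s", dir, names[i]);
        pp[i] = paths[i];
        if (!write_file(paths[i], "original binary\n")) return -1;
    }
    baseline_init(pp, 3, db);
    write_file(paths[0], "trojaned ls\n");   /* tampering, as a rootkit would */
    write_file(paths[1], "trojaned ps\n");
    k = baseline_check(db, 3, changed);
    for (int i = 0; i < k; i++) cn[i] = names[changed[i]];
    *matched = best_profile(cn, k);
    for (int i = 0; i < 3; i++) unlink(paths[i]);
    rmdir(dir);
    return k;
}
```

The integrity database only says which files changed; the profile match is what turns "ls and ps changed" into "this looks like a variant of kitA", which is the comparison against known-rootkit abnormal items the abstract describes. Both steps are only as trustworthy as the baseline: it must be taken on a known-clean system and stored where the rootkit cannot rewrite it, and a kernel-mode rootkit that filters file reads can defeat a checker that runs on the same host.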
49

Tsai, Being-Yu, and 蔡秉諭. "A Study on Effective Technology for Detecting Windows Kernel Mode Rootkits." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/25353094373204642564.

Abstract:
Master's thesis
Da-Yeh University
Master's Program, Department of Information Management
Academic year 97 (ROC calendar)
More and more malicious programs are combined with rootkits to shield their illegal activities, and the result makes information security defense encounter a great challenge. It can be observed that most sophisticated kernel-mode rootkits are implemented to execute hiding tasks through drivers in the Windows kernel. Thus, for the purpose of system security, the role of a detector for Windows driver-hidden rootkits is becoming extremely important. However, we have verified that currently well-known detection software cannot successfully detect a variety of driver-hidden rootkits. Therefore, we propose a countermeasure to effectively detect Windows driver-hidden rootkits. Furthermore, we will also develop an effective scheme to unload the detected driver-hidden rootkit from Windows to achieve higher system security, in order to completely remove the damage from the system. After the proposed detection scheme has been developed, we will test it on the Testbed@TWISC platform with Windows XP SP2 and SP3. We affirm that our efforts will be extremely useful for improving the current techniques for detecting unknown Windows driver-hidden rootkits.
50

Santos, Maria Clara Vieira de Almeida dos. "A challenge : biocontrol strategies for the management of potato cyst and rootknot nematodes." Doctoral thesis, 2013. http://hdl.handle.net/10316/21652.

Abstract:
Doctoral thesis in Biology, in the speciality of Ecology, supervised by Professor Isabel Maria de Oliveira Abrantes and Dr Rosane Hazelman Cunha Curtis, submitted to the Faculty of Sciences and Technology of the University of Coimbra.