nickle

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
nickle [2007/10/30 12:51]
ryan created
nickle [2009/12/08 10:41]
dxu
Line 1:
 ====== NICKLE: No Instructions Creeping into Kernel Level Executed ======
-NICKLE is a rootkit prevention system that works by prevented unauthorized code from executing with kernel privilege. ​ It does this by creating a Shadow Memory where it stores authenticated (i.e., verified with a hash) kernel code.  ​Instructions ​fetches while the processor is in kernel mode can be routed to the shadow memory while data accesses go to the standard memory. ​ This means that a rootkit author cannot execute any code he injects into the kernel, as his injected code will exist only in the standard memory. ​ In the event an attempt is made to executed ​malicious code, NICKLE will rewrite it in order to allow the operating system to respond to the failure gracefully.+{{nickel.png }} 
 +NICKLE((Just to clarify, the coin (such as in the United States Mint image above) is spelled nickel. ​ Please don't let our acronym ruin your spelling abilities.)) ​is a rootkit prevention system that works by prevented unauthorized code from executing with kernel privilege. ​ It does this by creating a Shadow Memory where it stores authenticated (i.e., verified with a hash) kernel code.  ​Instruction ​fetches while the processor is in kernel mode can be routed to the shadow memory while data accesses go to the standard memory. ​ This means that a rootkit author cannot execute any code he injects into the kernel, as his injected code will exist only in the standard memory. ​ In the event an attempt is made to execute ​malicious code, NICKLE will rewrite it in order to allow the operating system to respond to the failure gracefully.
  
 We've built NICKLE in QEMU, VirtualBox, and VMWare Workstation. We're able to protect Linux 2.4, Linux 2.6, and Windows 2000/XP. Linux 2.4 has full support (we can even handle valid kernel modules while denying malicious ones) while Linux 2.6 and Windows have a more limited support.
 +
 +
  
 ===== Publications =====
-A publication is currently under review.+There are two publications corresponding to NICKLE: The conference paper and the technical report. ​ When in doubt, read the conference paper. ​ (The tech report has a few more experiments described and a bit more detail about the VirtualBox report.) 
 +  * "​Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing"​. Ryan Riley, Xuxian Jiang, and Dongyan Xu. In //11th International Symposium on Recent Advances in Intrusion Detection// ([[http://​www.ll.mit.edu/​RAID2008/​|RAID 2008]]). ​ Best paper award. 
 +     * [[http://​friends.cs.purdue.edu/​pubs/​RAID08.pdf|Paper]] in PDF format. 
 +     * [[http://​friends.cs.purdue.edu/​projects/​nickle/​raid08/​|Presentation]] as a Flash video. 
 + 
 +  * "​Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing"​. Ryan Riley, Xuxian Jiang, and Dongyan Xu. CERIAS TR 2001-146. 
 +     * [[http://​www.cerias.purdue.edu/​tools_and_resources/​bibtex_archive/​archive/​2001-146.pdf|TR]] in PDF format. 
 + 
 +  * "​Multi-Aspect Profiling of Kernel Rootkit Behavior"​. Ryan Riley, Xuxian Jiang, and Dongyan Xu. In //Fourth European Conference on Computer Systems// ([[http://​eurosys2009.informatik.uni-erlangen.de/​|EuroSys 2009]]).  
 +     * [[http://​friends.cs.purdue.edu/​pubs/​eurosys09.pdf|Paper]] in PDF format.
  
 ===== Software =====
-The QEMU version of NICKLE (the cleanest implementationwill be released here corresponding with the paper'​s eventual publication.+The QEMU source is now available! ​ If you aren't sure which file to get, get the distribution. ​ It includes the source, virtual machine image, binaries, and instructions to run it. 
 +  * The full distribution will allow you to test and run NICKLE-qemu. ​ [[http://​friends.cs.purdue.edu/​projects/​nickle/​nickle_dist.tar.gz|nickle_dist.tar.gz]] ​(~213MB) 
 +  * The source-only distribution only gives the modified QEMU code It is based on QEMU 0.9.0. ​ [[http://​friends.cs.purdue.edu/​projects/​nickle/​nickle-src.tar.gz|nickle-src.tar.gz]] (~1.9MB) 
  
 ===== People =====
   * [[http://www.cs.purdue.edu/homes/rileyrd/|Ryan Riley]]
-  * [[http://​www.ise.gmu.edu/~xjiang/|Xuxian Jiang]]+  * [[http://​www.csc.ncsu.edu/faculty/​jiang/|Xuxian Jiang]]
   * [[http://www.cs.purdue.edu/homes/dxu/|Dongyan Xu]]
- 
- 
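Review bot: the grammatical slip in the opening paragraph survives the rewrite: the new revision still reads "works by prevented unauthorized code from executing with kernel privilege", which should be "by preventing". In the same hunk, "have a more limited support" in the platform paragraph should drop the article, the Software entry "gives the modified QEMU code It is based on QEMU 0.9.0" is missing a period after "code", and "a bit more detail about the VirtualBox report" in the Publications intro looks like it should say "VirtualBox port". The first two publication entries also carry an identical title, so a reader cannot tell paper from technical report by title alone; consider naming the report number in the descriptive sentence rather than only in the link label.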
nickle.txt · Last modified: 2009/12/08 10:41 by dxu