nickle

Differences

This shows you the differences between two versions of the page.

nickle [2008/06/17 14:52]
ryan
nickle [2008/11/18 09:38]
ryan
Line 1: Line 1:
 ====== NICKLE: No Instructions Creeping into Kernel Level Executed ====== ====== NICKLE: No Instructions Creeping into Kernel Level Executed ======
 {{nickel.png }} {{nickel.png }}
-NICKLE((Just to clarify, the coin (such as in the United States Mint image above) is spelled nickel. ​ Please don't let our acronym ruin your spelling abilities.)) is a rootkit prevention system that works by prevented unauthorized code from executing with kernel privilege. ​ It does this by creating a Shadow Memory where it stores authenticated (i.e., verified with a hash) kernel code.  ​Instructions ​fetches while the processor is in kernel mode can be routed to the shadow memory while data accesses go to the standard memory. ​ This means that a rootkit author cannot execute any code he injects into the kernel, as his injected code will exist only in the standard memory. ​ In the event an attempt is made to executed ​malicious code, NICKLE will rewrite it in order to allow the operating system to respond to the failure gracefully.+NICKLE((Just to clarify, the coin (such as in the United States Mint image above) is spelled nickel. ​ Please don't let our acronym ruin your spelling abilities.)) is a rootkit prevention system that works by prevented unauthorized code from executing with kernel privilege. ​ It does this by creating a Shadow Memory where it stores authenticated (i.e., verified with a hash) kernel code.  ​Instruction ​fetches while the processor is in kernel mode can be routed to the shadow memory while data accesses go to the standard memory. ​ This means that a rootkit author cannot execute any code he injects into the kernel, as his injected code will exist only in the standard memory. ​ In the event an attempt is made to execute ​malicious code, NICKLE will rewrite it in order to allow the operating system to respond to the failure gracefully.
  
 We've built NICKLE in QEMU, VirtualBox, and VMWare Workstation. ​ We're able to protect Linux 2.4, Linux 2.6, and Windows 2000/​XP. ​ Linux 2.4 has full support (we can even handle valid kernel modules while denying malicious ones) while Linux 2.6 and Windows have a more limited support. We've built NICKLE in QEMU, VirtualBox, and VMWare Workstation. ​ We're able to protect Linux 2.4, Linux 2.6, and Windows 2000/​XP. ​ Linux 2.4 has full support (we can even handle valid kernel modules while denying malicious ones) while Linux 2.6 and Windows have a more limited support.
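Review bot: the right-hand revision of the opening paragraph still says NICKLE "works by prevented unauthorized code from executing"; that should read "by preventing". The other two wording fixes in this hunk ("Instruction fetches" and "an attempt is made to execute malicious code") are correct. The final sentence, "NICKLE will rewrite it in order to allow the operating system to respond to the failure gracefully", does not say what is rewritten or what the guest then observes when a fetch of unauthenticated code is intercepted; one clause naming that would make the mechanism clear to a reader who has not seen the paper.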
Line 8: Line 8:
  
 ===== Publications ===== ===== Publications =====
-  ​* "​Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing"​. Ryan Riley, Xuxian Jiang, and Dongyan Xu. In //11th International Symposium on Recent Advances in Intrusion Detection// ([[http://​www.ll.mit.edu/​RAID2008/​|RAID 2008]]).+There are two publications corresponding to NICKLE: The conference paper and the technical report. ​ When in doubt, read the conference paper. ​ (The tech report has a few more experiments described and a bit more detail about the VirtualBox report.) 
 +  ​* "​Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing"​. Ryan Riley, Xuxian Jiang, and Dongyan Xu. In //11th International Symposium on Recent Advances in Intrusion Detection// ([[http://​www.ll.mit.edu/​RAID2008/​|RAID 2008]]).  Best paper award.
      * [[http://​friends.cs.purdue.edu/​pubs/​RAID08.pdf|Paper]] in PDF format.      * [[http://​friends.cs.purdue.edu/​pubs/​RAID08.pdf|Paper]] in PDF format.
  
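Review bot: the new lead-in sentence ends with "a bit more detail about the VirtualBox report", which looks like a typo for "VirtualBox port" (the Line 1 context above says NICKLE was built in VirtualBox); also "The conference paper" after the colon should be lower-case. The sentence introduces a technical report, but only the RAID 2008 conference paper bullet is visible in this hunk, so confirm that the tech report gets its own bullet with a link in the lines that follow.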
Line 15: Line 16:
  
 ===== Software ===== ===== Software =====
-The QEMU version of NICKLE (the cleanest implementationwill be released here corresponding with the paper'​s eventual publication in a conference proceedings.+The QEMU source is now available! ​ If you aren't sure which file to get, get the distribution. ​ It includes the source, virtual machine image, binaries, and instructions to run it. 
 +  * The full distribution will allow you to test and run NICKLE-qemu. ​ [[http://​friends.cs.purdue.edu/​projects/​nickle/​nickle_dist.tar.gz|nickle_dist.tar.gz]] ​(~213MB) 
 +  * The source-only distribution only gives the modified QEMU code It is based on QEMU 0.9.0. ​ [[http://​friends.cs.purdue.edu/​projects/​nickle/​nickle-src.tar.gz|nickle-src.tar.gz]] (~1.9MB) 
  
 ===== People ===== ===== People =====
   * [[http://​www.cs.purdue.edu/​homes/​rileyrd/​|Ryan Riley]]   * [[http://​www.cs.purdue.edu/​homes/​rileyrd/​|Ryan Riley]]
-  * [[http://​www.ise.gmu.edu/~xjiang/|Xuxian Jiang]]+  * [[http://​www.csc.ncsu.edu/faculty/​jiang/|Xuxian Jiang]]
   * [[http://​www.cs.purdue.edu/​homes/​dxu/​|Dongyan Xu]]   * [[http://​www.cs.purdue.edu/​homes/​dxu/​|Dongyan Xu]]
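Review bot: in the source-only bullet, "modified QEMU code It is based on QEMU 0.9.0" is missing a period after "code". Beyond the copy edits: both tarballs are listed with only approximate sizes (~213MB, ~1.9MB) and no checksum or signature, and the full distribution includes a virtual machine image and binaries; publishing a SHA-256 hash next to each link would let users verify what they downloaded before running it. It would also help to state that the source-only archive needs a QEMU 0.9.0 build environment, since the bullet mentions the base version but not what the reader must supply to build it.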
nickle.txt · Last modified: 2009/12/08 10:41 by dxu