User Tools

Site Tools


This is an old revision of the document!

NICKLE: No Instructions Creeping into Kernel Level Executed

NICKLE1) is a rootkit prevention system that works by prevented unauthorized code from executing with kernel privilege. It does this by creating a Shadow Memory where it stores authenticated (i.e., verified with a hash) kernel code. Instructions fetches while the processor is in kernel mode can be routed to the shadow memory while data accesses go to the standard memory. This means that a rootkit author cannot execute any code he injects into the kernel, as his injected code will exist only in the standard memory. In the event an attempt is made to executed malicious code, NICKLE will rewrite it in order to allow the operating system to respond to the failure gracefully.

We've built NICKLE in QEMU, VirtualBox, and VMWare Workstation. We're able to protect Linux 2.4, Linux 2.6, and Windows 2000/XP. Linux 2.4 has full support (we can even handle valid kernel modules while denying malicious ones) while Linux 2.6 and Windows have a more limited support.


A conference publication is currently under review.

A technical report is available now, however.


The QEMU version of NICKLE (the cleanest implementation) will be released here corresponding with the paper's eventual publication in a conference proceedings.


Just to clarify, the coin (such as in the United States Mint image above) is spelled nickel. Please don't let our acronym ruin your spelling abilities.
nickle.1207849166.txt.gz · Last modified: 2008/04/10 13:39 by ryan