Rootkit Guard (RG) - an architecture for rootkit resistant file-system implementation based on TPM

Recent rootkit-attack mitigation work has neglected the integrity of the mitigation tool itself. Both the detection and the prevention arms of current rootkit mitigation can be credited with advancing multiple methodologies for rootkit defense, but if the defense system itself is compromised, how can it be trusted? A second unaddressed deficiency is how platform integrity can be preserved before current RIDS or RIPS solutions are available: they operate only once the kernel has loaded, i.e. without a trusted boot environment. To address these deficiencies we present an architecture for solving rootkit persistence, Rootkit Guard (RG). RG combines TrustedGRUB (providing trusted boot), IMA (Integrity Measurement Architecture, serving as the RIDS) and SELinux (serving as the RIPS). TPM hardware anchors the integrity of the platform: the aggregate measurement of a clean snapshot of the platform's OS kernel is stored in TPM hardware registers (the PCRs), against which no software attacks have been demonstrated to date. RG solves rootkit persistence with one simple but vital strategy: preventing the execution of a rootkit's configuration binaries or build/initialisation scripts. Persistence is prevented by thwarting the initialisation of the rootkit's installation procedure; if the rootkit is nevertheless installed, its proper deployment is prevented by thwarting its configuration. We subjected RG to 8 real-world Linux 2.6 rootkits, and RG solved rootkit persistence in all 8. In terms of performance, RG introduced a maximum overhead of 11% and an average of 4%, permitting deployment in production environments.
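The mechanism the abstract leans on, a PCR that holds the aggregate of all measurements taken since boot, is easy to misread as "the TPM stores a hash of the kernel". The following is an added illustration written for this page, not code from the RG paper or from TrustedGRUB/IMA. It assumes TPM 1.2-style 20-byte PCRs with a SHA-1 extend (PCR_new = SHA1(PCR_old || measurement)), a simplified IMA-like measurement log in which each entry's template hash is SHA-1 over the file digest and its path (real IMA template formats differ), and a constructed set of boot-time file contents; the function names (`aggregate`, `boot_and_check`, `tampered_entries`) are hypothetical.

```python
"""PCR aggregation as used by trusted boot + IMA, in miniature.

Example code added for this page; not the Rootkit Guard implementation.
Assumptions: TPM 1.2 style (20-byte PCRs, SHA-1 extend) and a simplified
measurement-log entry = SHA1(file_digest || path). Sample files below are
constructed for the demonstration.
"""
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 20
PCR_INITIAL = b"\x00" * PCR_SIZE  # boot-time PCRs start at all zeros

MeasurementLog = List[Tuple[str, bytes]]  # (path, SHA-1 digest of content)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the only way software can change a PCR after boot.
    It is one-way; no sequence of extends returns a PCR to an earlier value."""
    return hashlib.sha1(pcr + measurement).digest()


def template_hash(file_digest: bytes, path: str) -> bytes:
    """Simplified IMA-like template hash (assumption: digest || path)."""
    return hashlib.sha1(file_digest + path.encode()).digest()


def measure_file(path: str, content: bytes) -> Tuple[str, bytes]:
    """One measurement-log entry for a file about to be loaded/executed."""
    return (path, hashlib.sha1(content).digest())


def aggregate(log: MeasurementLog) -> bytes:
    """Replay a measurement log into a PCR value, entry by entry, in order."""
    pcr = PCR_INITIAL
    for path, digest in log:
        pcr = pcr_extend(pcr, template_hash(digest, path))
    return pcr


def verify_log(log: MeasurementLog, expected_pcr: bytes) -> bool:
    """Attestation-style check: does the log replay to the PCR we trust?"""
    return aggregate(log) == expected_pcr


# Constructed "clean snapshot": the files a trusted boot would measure.
CLEAN_FILES: Dict[str, bytes] = {
    "/boot/vmlinuz": b"clean kernel image bytes",
    "/sbin/init": b"clean init binary",
    "/etc/ld.so.preload": b"",  # empty: nothing is preloaded on a clean box
}


def build_log(files: Dict[str, bytes]) -> MeasurementLog:
    # Measure in a fixed order; PCR extend is order-sensitive.
    return [measure_file(p, c) for p, c in sorted(files.items())]


def golden_pcr() -> bytes:
    """The value sealed at provisioning time from the clean snapshot."""
    return aggregate(build_log(CLEAN_FILES))


def boot_and_check(files: Dict[str, bytes]) -> dict:
    """Simulate a boot that measures `files`, then compare to the golden PCR."""
    log = build_log(files)
    pcr = aggregate(log)
    return {"pcr": pcr.hex(), "matches_golden": pcr == golden_pcr(),
            "entries": len(log)}


def tampered_entries(files: Dict[str, bytes]) -> List[str]:
    """RIDS-style localisation. The PCR alone only says *something* changed;
    comparing per-file digests against the clean log names the file.
    Paths absent from the clean snapshot are reported as well."""
    clean = dict(build_log(CLEAN_FILES))
    return sorted(p for p, c in files.items()
                  if hashlib.sha1(c).digest() != clean.get(p))


if __name__ == "__main__":
    print("clean boot:", boot_and_check(CLEAN_FILES))
    infected = dict(CLEAN_FILES, **{"/etc/ld.so.preload": b"/lib/libevil.so\n"})
    print("infected boot:", boot_and_check(infected))
    print("tampered:", tampered_entries(infected))
```

Two properties of the extend operation are what make the PCR a usable anchor for a design like RG: a rootkit that installs after boot cannot rewrite the PCR back to the golden value (it can only extend it further, which diverges), and a single changed byte in any measured file changes the aggregate. The cost is that the PCR is opaque about *what* changed, which is why the measurement log (IMA's role) has to be kept alongside it.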

Bibliographic Details
Main Authors: Yew, Teh Jia, Samsudin, Khairulmizam, Udzir, Nur Izura, Hashim, Shaiful Jahari
Format: Article
Language: English
Published: Universiti Putra Malaysia 2013
Online Access:http://psasir.upm.edu.my/id/eprint/30621/1/Rootkit%20Guard%20%28RG%29%20-%20An%20Architecture%20for%20Rootkit%20Resistant%20File-System%20Implementation%20Based%20on%20TPM.pdf
Citation: Yew, Teh Jia and Samsudin, Khairulmizam and Udzir, Nur Izura and Hashim, Shaiful Jahari (2013) Rootkit Guard (RG) - an architecture for rootkit resistant file-system implementation based on TPM. Pertanika Journal of Science & Technology, 21 (2). pp. 507-520. ISSN 0128-7680; ESSN: 2231-8526. Peer reviewed.
Publisher's copy: http://www.pertanika.upm.edu.my/Pertanika%20PAPERS/JST%20Vol.%2021%20%282%29%20Jul.%202013/17%20Page%20507-520.pdf