Rootkits are now prevalent in the wild. Users affected by rootkits are subject to the abuse of their data and resources, often unknowingly. Suchmalware becomes even more dangerous when it is persistent-infected disk images allow the malware to exist across reboots and prevent patches or system repairs from being successfully applied. In this paper, we introduce rootkit-resistant disks (RRD) that label all immutable system binaries and configuration files at installation time. During normal operation, the disk controller inspects all write operations received from the host operating system and denies those made for labeled blocks. To upgrade, the host is booted into a safe state and system blocks can only be modified if a security token is attached to the disk controller. By enforcing immutability at the disk controller, we prevent a compromised operating system from infecting its on-disk image.

We implement the RRD on a Linksys NSLU2 network storage device by extending the I/O processing on the embedded disk controller running the SlugOS Linux distribution. Our performance evaluation shows that the RRD exhibits an overhead of less than 1% for filesystem creation and less than 1.5% during I/O intensive Postmark benchmarking. We further demonstrate the viability of our approach by preventing a rootkit collected from the wild from infecting the OS image. In this way, we show that RRDs not only prevent rootkit persistence, but do so in an efficient way.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Marcos K. Aguilera , Minwen Ji , Mark Lillibridge , John MacCormick , Erwin Oertli , Dave Andersen , Mike Burrows , Timothy Mann , Chandramohan A. Thekkath, Block-Level Security for Network-Attached Disks, Proceedings of the 2nd USENIX Conference on File and Storage Technologies, March 31-31, 2003, San Francisco, CA
	2	S. Aubert. rkscan: Rootkit scanner for loadable kernel module rootkits. http://www.hsc.fr/ressources/outils/rkscan/index.html.en, Oct. 2002.
	3	S. Baker and P. Green. Checking UNIX/LINUX Systems for Signs of Compromise, May 2005.
	4	Anthony Bellissimo , John Burgess , Kevin Fu, Secure software updates: disappointments and new challenges, Proceedings of the 1st USENIX Workshop on Hot Topics in Security, p.7-7, July 31, 2006, Vancouver, B.C., Canada
	5	Matt Blaze, A cryptographic file system for UNIX, Proceedings of the 1st ACM conference on Computer and communications security, p.9-16, November 03-05, 1993, Fairfax, Virginia, United States  [doi>10.1145/168588.168590]
	6	J. Butler and G. Hoglund. VICE--Catch the Hookers! In Black Hat 2004, Las Vegas, NV, July 2004.
	7	Giuseppe Cattaneo , Luigi Catuogno , Aniello Del Sorbo , Pino Persiano, The Design and Implementation of a Transparent Cryptographic File System for UNIX, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, p.199-212, June 25-30, 2001
	8	Ken Chiang , Levi Lloyd, A case study of the rustock rootkit and spam bot, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.10-10, April 10, 2007, Cambridge, MA
	9	J. Corbet. Once Upon atime. http://lwn.net/Articles/244829/, Aug. 2007.
	10	Mark D. Corner , Brian D. Noble, Zero-interaction authentication, Proceedings of the 8th annual international conference on Mobile computing and networking, September 23-28, 2002, Atlanta, Georgia, USA  [doi>10.1145/570645.570647]
	11	DarkAngel. Mood-NT. http://darkangel.antifork.org/codes.htm.
	12	Joan G. Dyer , Mark Lindemann , Ronald Perez , Reiner Sailer , Leendert van Doorn , Sean W. Smith , Steve Weingart, Building the IBM 4758 Secure Coprocessor, Computer, v.34 n.10, p.57-66, October 2001  [doi>10.1109/2.955100]
	13	E. Filiol. Concepts and future trends in computer virology, 2007.
	14	Prahlad Fogla , Monirul Sharif , Roberto Perdisci , Oleg Kolesnikov , Wenke Lee, Polymorphic blending attacks, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
	15	Kevin Fu , M. Frans Kaashoek , David Mazières, Fast and secure distributed read-only file system, ACM Transactions on Computer Systems (TOCS), v.20 n.1, p.1-24, February 2002  [doi>10.1145/505452.505453]
	16	Garth A. Gibson , David F. Nagle , Khalil Amiri , Jeff Butler , Fay W. Chang , Howard Gobioff , Charles Hardin , Erik Riedel , David Rochberg , Jim Zelenka, A cost-effective, high-bandwidth storage architecture, Proceedings of the eighth international conference on Architectural support for programming languages and operating systems, p.92-103, October 02-07, 1998, San Jose, California, United States
	17	G.A. Gibson, D.F. Nagle, K. Amiri, F.W. Chang, E. Feinberg, H. Gobioff, C. Lee, B. Ozceri, E. Riedel, and D. Rochberg. A case for network-attached secure disks. Technical Report CMU-CS-96-142, Carnegie Mellon University, Pittsburgh, PA, USA, Sept. 1996.
	18	E.-J. Goh, H. Shacham, N. Modadugu, and D. Boneh. SiRiUS: Securing Remote Untrusted Storage. In Proceedings of the 10th ISOC Symposium on Network and Distributed Systems (NDSS'03), San Diego, CA, USA, Feb. 2003.
	19	Julian Bennett Grizzard , Henry L. Owen, III, Towards self-healing systems: re-establishing trust in compromised systems, Georgia Institute of Technology, Atlanta, GA, 2006
	20	T.C. Group. Stopping Rootkits at the Network Edge, January 2007.
	21	Halflife. Abuse of the Linux Kernel for Fun and Profit. Phrack, 7(50), Apr. 1997.
	22	D. Harley and A. Lee. The Root of All Evil? -- Rootkits Revealed. http://www.eset.com/download/whitepapers/Whitepaper-Rootkit_Root_Of_All%_Evil.pdf, 2007.
	23	J. Heasman. Implementing and Detecting and ACPI BIOS Rootkit. In Black Hat Federal 2006, Washington, DC, USA, Jan. 2006.
	24	Greg Hoglund , Jamie Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley Professional, 2005
	25	Mahesh Kallahalla , Erik Riedel , Ram Swaminathan , Qian Wang , Kevin Fu, Plutus: Scalable Secure File Sharing on Untrusted Storage, Proceedings of the 2nd USENIX Conference on File and Storage Technologies, March 31-31, 2003, San Francisco, CA
	26	Bernhard Kauer, OSLO: improving the security of trusted computing, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-9, August 06-10, 2007, Boston, MA
	27	G.H. Kim and E.H. Spafford. Experiences with Tripwire: Using Integrity Checkers for Intrusion Detection. Technical Report CSD-TR_94-012, Department of Computer Sciences, Purdue University, West Lafayette, IN, Feb. 1994.
	28	Samuel T. King , Peter M. Chen , Yi-Min Wang , Chad Verbowski , Helen J. Wang , Jacob R. Lorch, SubVirt: Implementing malware with virtual machines, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.314-327, May 21-24, 2006  [doi>10.1109/SP.2006.38]
	29	G. Kroah-Hartman. udev -- A Userspace Implementation of devfs. In Proceedings of the Ottawa Linux Symposium (OLS), Ottawa, ON, Canada, July 2002.
	30	Christopher Kruegel , William Robertson , Giovanni Vigna, Detecting Kernel-Level Rootkits Through Binary Analysis, Proceedings of the 20th Annual Computer Security Applications Conference, p.91-100, December 06-10, 2004  [doi>10.1109/CSAC.2004.19]
	31	M. Lauer. Building Embedded Linux Distributions with BitBake and OpenEmbedded. In Proceedings of the Free and Open Source Software Developers' European Meeting (FOSDEM), Brussels, Belgium, Feb. 2005.
	32	Jinyuan Li , Maxwell Krohn , David Mazières , Dennis Shasha, Secure untrusted data repository (SUNDR), Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation, p.9-9, December 06-08, 2004, San Francisco, CA
	33	Linksys. NSLU2 Product Information. http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&pack%edargs=c%3DL_Product_C2%26cid%3D1118334819312&pagename=Linksys%2FCommon%2FVisi%torWrapper, Apr. 2008.
	34	Peter Loscocco , Stephen Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, p.29-42, June 25-30, 2001
	35	David Mazières , Michael Kaminsky , M. Frans Kaashoek , Emmett Witchel, Separating key management from file system security, Proceedings of the seventeenth ACM symposium on Operating systems principles, p.124-139, December 12-15, 1999, Charleston, South Carolina, United States
	36	Metasploit Development Team. Metasploit Project. http://www.metasploit.com, 2008.
	37	Microsoft. Registry Virtualization (Windows). http://msdn.microsoft.com/en-us/library/aa965884.aspx, June 2008.
	38	Ethan L. Miller , Darrell D. E. Long , William E. Freeman , Benjamin Reed, Strong Security for Network-Attached Storage, Proceedings of the Conference on File and Storage Technologies, p.1-13, January 28-30, 2002
	39	T. Miller. Analysis of the T0rn Rootkit. http://www.securityfocus.com/infocus/1230, Nov. 2000.
	40	N. Murilo and K. Steding-Jessen. Métodos Para Detecção Local de Rootkits e Módulos de Kernel Maliciosos em Sistemas Unix. In Anais do III Simpósio sobre Segurança em Informática (SSI'2001), São José dos Campos, SP, Brazil, Oct. 2001.
	41	N. Murilo and K. Steding-Jessen. Chkrootkit v. 0.47. http://www.chkrootkit.org/, Dec. 2007.
	42	Alina Oprea , Michael K. Reiter, Integrity checking in cryptographic file systems with constant trusted storage, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
	43	A. Oprea, M.K. Reiter, and K. Yang. Space-Efficient Block Storage Integrity. In Proceedings of the 12th ISOC Symposium on Network and Distributed Systems Security (NDSS'05), San Diego, CA, USA, Feb. 2005.
	44	PandaLabs. Quarterly Report (January -- March 2008). http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2008/04/01/Qu%arterly_Report_PandaLabs_Q1_2008.pdf?sitepanda=particulares, Mar. 2008.
	45	Adam G. Pennington , John D. Strunk , John Linwood Griffin , Craig A. N. Soules , Garth R. Goodson , Gregory R. Ganger, Storage-based intrusion detection: watching storage activity for suspicious behavior, Proceedings of the 12th conference on USENIX Security Symposium, p.10-10, August 04-08, 2003, Washington, DC
	46	Benjamin C. Reed , Mark A. Smith , Dejan Diklic, Security Considerations When Designing a Distributed File System Using Object Storage Devices, Proceedings of the First International IEEE Security in Storage Workshop, p.24, December 11-11, 2002
	47	J. Rutkowska. Detecting Windows Server Compromises. In Proceedings of the HiverCon Corporate Security Conference, Dublin, Ireland, Nov. 2003.
	48	A. Sabelfeld and A.C. Myers. Language-based Information Flow Security. IEEE Journal on Selected Areas in Communication, 21(1):5--19, Jan. 2003.
	49	Muthian Sivathanu , Vijayan Prabhakaran , Florentina I. Popovici , Timothy E. Denehy , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau, Semantically-Smart Disk Systems, Proceedings of the 2nd USENIX Conference on File and Storage Technologies, March 31-31, 2003, San Francisco, CA
	50	NSLU2 -- Linux. http://www.nslu2-linux.org/wiki/SlugOS/HomePage, 2008.
	51	D. Soeder and R. Permeh. eEye BootRoot. In Black Hat 2005, Las Vegas, NV, USA, July 2005.
	52	Yingbo Song , Michael E. Locasto , Angelos Stavrou , Angelos D. Keromytis , Salvatore J. Stolfo, On the infeasibility of modeling polymorphic shellcode, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315312]
	53	Eugene H. Spafford, The internet worm program: an analysis, ACM SIGCOMM Computer Communication Review, v.19 n.1, p.17-57, Jan. 1989  [doi>10.1145/66093.66095]
	54	S. Sparks and J. Butler. Shadow Walker: Raising the Bar for Windows Rootkit Detection. Phrack, 11(63), Aug. 2005.
	55	D. Spinellis. Reliable Identification of Bounded-length Viruses is NP-Complete. IEEE Transactions on Information Theory, 49(1):280--284, Jan. 2003.
	56	L. St. Clair, J. Schiffman, T. Jaeger, and P. McDaniel. Establishing and Sustaining System Integrity via Root of Trust Installation. In Proceedings of the 23rd Annual Computer Security Applicatons Conference (ACSAC 2007), Miami Beach, FL, Dec. 2007.
	57	Stuart Staniford , David Moore , Vern Paxson , Nicholas Weaver, The top speed of flash worms, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA  [doi>10.1145/1029618.1029624]
	58	John D. Strunk , Garth R. Goodson , Michael L. Scheinholtz , Craig A. N. Soules , Gregory R. Ganger, Self-securing storage: protecting data in compromised system, Proceedings of the 4th conference on Symposium on Operating System Design & Implementation, p.12-12, October 22-25, 2000, San Diego, California
	59	Ken Thompson, Reflections on trusting trust, Communications of the ACM, v.27 n.8, p.761-763, Aug 1984  [doi>10.1145/358198.358210]
	60	P. Vixie. cron man page. http://www.hmug.org/man/5/crontab.php.
	61	Heng Yin , Dawn Song , Manuel Egele , Christopher Kruegel , Engin Kirda, Panorama: capturing system-wide information flow for malware detection and analysis, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315261]
	62	E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A Stackable Vnode Level Encryption File System. Technical Report CUCS-021-98, Columbia University, New York, NY, USA, 1988.
	63	Y. Zhu and Y. Hu. SNARE: A Strong Security System for Network-Attached Storage. In Proceedings of the 22nd International Symposium on Reliable Distributed Systems (SRDS'03), Florence, Italy, Oct. 2003.