On the Effectiveness of Virtualisation Assisted View Comparison for Rootkit Detection.

2015 
There is growing interest in tools for monitoring virtualisation infrastructure and detecting malware within Virtual Machines (VMs). View comparison, or cross-view validation, is a technique for detecting object hiding by malware. It involves comparing different views of system objects to find discrepancies that might indicate the use of object hiding techniques. We present Linebacker, a system for performing view comparison on VMware vSphere VMs. Linebacker compares external (i.e. hypervisor level) and internal (i.e. guest operating system level) views of process, file and registry objects within VMs to detect rootkits that cloak such objects from the view of the guest operating system. We use Linebacker to compare the efficacy of the view comparison technique to sandboxing or API call monitoring approaches to rootkit detection. We also present a case study evaluating the performance impacts associated with using Linebacker to monitor VMs in a production environment. We present execution and analysis time metrics for this study and discuss feedback provided by users. Finally, we analyse our results and make recommendations regarding the implementation of view comparison for real-world virtualisation infrastructure.
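The cross-view comparison the abstract describes reduces to a set difference over object identities collected from two vantage points. The following is an added illustration of that idea, not Linebacker's own code: it assumes an external (hypervisor-level) view and an internal (guest-level) view of the same VM, each already reduced to `(kind, key)` pairs, and flags objects that the hypervisor can see but the guest cannot. The sample views, PIDs, paths and registry keys are constructed for the example. It also goes one step beyond the abstract by requiring a discrepancy to persist across two collection rounds, since objects created or destroyed between the two snapshots would otherwise show up as false discrepancies.

```python
"""Cross-view (view comparison) detection of hidden objects.

Added example, not code from the Linebacker paper. Assumes both views have
been reduced to (kind, key) pairs where kind is "process", "file" or
"registry" and key is the PID, file path or registry key path respectively.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set, Tuple

ObjectId = Tuple[str, str]


@dataclass(frozen=True)
class Discrepancy:
    kind: str
    key: str
    seen_externally: bool   # present in the hypervisor-level view
    seen_internally: bool   # present in the guest OS-level view

    @property
    def likely_hidden(self) -> bool:
        """Visible from outside but cloaked from the guest: the rootkit signature."""
        return self.seen_externally and not self.seen_internally


def compare_views(external: Iterable[ObjectId],
                  internal: Iterable[ObjectId]) -> List[Discrepancy]:
    """Return every object that appears in exactly one of the two views."""
    ext, intl = set(external), set(internal)
    return [
        Discrepancy(kind, key, (kind, key) in ext, (kind, key) in intl)
        for kind, key in sorted(ext ^ intl)   # symmetric difference, sorted for stable output
    ]


def hidden_objects(external: Iterable[ObjectId],
                   internal: Iterable[ObjectId]) -> List[ObjectId]:
    """Only the discrepancies that point at hiding (external-only objects)."""
    return [(d.kind, d.key)
            for d in compare_views(external, internal) if d.likely_hidden]


def persistent_hidden(
        rounds: Sequence[Tuple[Iterable[ObjectId], Iterable[ObjectId]]]) -> List[ObjectId]:
    """Objects hidden in every collection round.

    Assumption made for this example: a short-lived process that started or
    exited between the two snapshots shows up in only one round, whereas a
    cloaked object stays external-only in all of them.
    """
    if not rounds:
        return []
    result: Set[ObjectId] = set(hidden_objects(*rounds[0]))
    for ext, intl in rounds[1:]:
        result &= set(hidden_objects(ext, intl))
    return sorted(result)


# Constructed sample views (hypothetical PIDs, paths and keys).
EXTERNAL_ROUND1: List[ObjectId] = [
    ("process", "4"), ("process", "512"), ("process", "777"), ("process", "1024"),
    ("file", r"C:\Windows\System32\drivers\example_hidden.sys"),
    ("file", r"C:\Windows\System32\ntoskrnl.exe"),
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\example_hidden"),
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"),
]
INTERNAL_ROUND1: List[ObjectId] = [
    # PID 777, the driver file and its service key are missing from the guest's view;
    # PID 2048 started after the external snapshot was taken (benign timing skew).
    ("process", "4"), ("process", "512"), ("process", "1024"), ("process", "2048"),
    ("file", r"C:\Windows\System32\ntoskrnl.exe"),
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"),
]
# Second round: PID 2048 is now visible from both sides, the cloaked objects are not.
EXTERNAL_ROUND2: List[ObjectId] = EXTERNAL_ROUND1 + [("process", "2048")]
INTERNAL_ROUND2: List[ObjectId] = INTERNAL_ROUND1


if __name__ == "__main__":
    for d in compare_views(EXTERNAL_ROUND1, INTERNAL_ROUND1):
        tag = "HIDDEN?" if d.likely_hidden else "internal-only"
        print(f"{tag:14} {d.kind:9} {d.key}")
    print("persistent:", persistent_hidden(
        [(EXTERNAL_ROUND1, INTERNAL_ROUND1), (EXTERNAL_ROUND2, INTERNAL_ROUND2)]))
```

Internal-only objects are reported but not treated as hidden: they usually reflect the two views being taken at slightly different instants, which is also why a production deployment would want the persistence check (or snapshot both views while the VM is paused) before raising an alert.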