The current development of virtualization technology attracts a lot of attention and offers great opportunities for the IT industry. However, recent developments have shown that this new kind of technology can be abused by malware that might turn out to be completely undetectable by anti-virus software. Nowadays, nearly every processor supports hardware virtualization, and virtualization-based malware therefore becomes a serious risk. Evaluating the threat and developing possible counter-measures is an absolute necessity for current and future computer security. The possibility of a perfectly undetectable stealth rootkit, which did not exist prior to the availability of virtualization technology, is of additional interest.
The aim of this work is to gain an in-depth understanding of virtualization-based rootkits. The thesis is to describe the theoretical concepts behind this type of malware and to provide a state-of-the-art analysis of counter-measures for detecting the presence of a virtualization rootkit. The open-source reference project bluepill shall be studied in detail, and the student shall provide a working proof-of-concept installation and try to employ detection methods and other counter-measures in that setting as well.
Assigned by:
Prof. Dr. H.-G. Hegering
Requirements:
Prior knowledge of virtualization and its techniques is an advantage.
Duration of the bachelor's thesis:
4 months
Number of students:
1
Supervisor: