MITACS Digital Security Seminar Series at Carleton University
Room: 5115 Herzberg Building (13 on the Campus Map)
The MITACS Digital Security Seminar (DSS) series provides a research-oriented forum for the presentation and discussion of results across a broad spectrum of security-related topics, reflecting the interests of Carleton's Computer Security Lab (CCSL). The talks are intended to be of appeal to a wide audience, including non-specialists. Speakers are encouraged to put their results in proper context, and to address topics having both scientific and practical relevance.
Seminar Co-ordinators: Dr. Paul Van Oorschot and Mansour Alsaleh
| Date | Speaker | Reference/Topic | Slides |
| 25 Nov 2009 15:00 | Kevin Butler (Pennsylvania State University) | Rootkit-Resistant Disks | N/A |
| 3 Nov 2009 14:00 | Golden G. Richard III (University of New Orleans) | Digital Forensics: A Peek at the Basics + Research Directions | N/A |
Rootkit-Resistant Disks
Rootkits are now prevalent in the wild. Users affected by rootkits are subject to the abuse of their data and resources, often unknowingly. Such malware becomes even more dangerous when it is persistent--infected disk images allow the malware to exist across reboots and prevent patches or system repairs from being successfully applied. This talk introduces rootkit-resistant disks (RRDs), which label all immutable system binaries and configuration files at installation time. During normal operation, the disk controller inspects all write operations received from the host operating system and denies those made for labeled blocks. To upgrade, the host is booted into a safe state and system blocks can only be modified if a security token is attached to the disk controller. By enforcing immutability at the disk controller, we prevent a compromised operating system from infecting its on-disk image. We discuss the design and implementation of these disks and investigate their performance characteristics. We demonstrate the viability of our approach by preventing a rootkit collected from the wild from infecting the OS. By doing so, we show that RRDs can not only prevent rootkit persistence, but can also be efficient.
Biography
Kevin Butler is a doctoral candidate researching storage security in the Systems and Internet Infrastructure Security (SIIS) Laboratory in the Computer Science and Engineering department at the Pennsylvania State University. Kevin's research encompasses systems and network security, and he has investigated topics including performance and security of disks, privilege separation, and interdomain routing security.
Digital Forensics: A Peek at the Basics + Research Directions
Digital evidence exists on a wide variety of devices, from traditional computers, to PDAs, voice recorders, game consoles, and cell phones. This talk provides a brief introduction to digital forensics, the art (and science) of discovering and preserving digital evidence, from two perspectives: digital investigation and research. The talk covers basic concepts and investigative challenges before addressing current research directions, most of which are concerned with techniques and tools for allowing investigators to deal with the ever-increasing size and complexity of forensics targets. These research approaches cover a wide spectrum, including the use of parallel and distributed architectures for forensics tools, Graphics Processing Units (GPUs), advanced file carving techniques, and tools for live investigation.
Golden G. Richard III is an experimental computer scientist and is currently a Professor of Computer Science at the University of New Orleans. He has a B.S. degree in Computer Science (honors) from the University of New Orleans and M.S. and Ph.D. degrees in Computer Science from The Ohio State University. He issued a single job application in 1994, to join the faculty of the University of New Orleans.
Golden's research interests are in next-generation digital forensics techniques, computer security, operating systems internals, and parallel and distributed computing. He is the director of the Greater New Orleans Center for Information Assurance (GNOCIA) and the Networking, Security, and Systems Administration Laboratory (NSSAL) at the University of New Orleans, a member of the American Academy of Forensics Sciences (AAFS), and a member of the United States Secret Service Taskforce on Electronic Crime. Golden is a GIAC-certified digital forensics investigator, Chair of the Board of Directors of the Digital Forensics Research Workshop (DFRWS) and co-founder of Digital Forensics Solutions, LLC, a private digital investigation company.
Announcement of a talk is usually sent out a week before the talk. To subscribe to our DSS mailing-list, please send an email to DSS-announce-request (at) ccsl.carleton.ca with your name, title, email address, and affiliation.
To suggest speakers or topics, please e-mail one of the co-ordinators. For inquiries, e-mail malsaleh (at) scs.carleton.ca.
Sponsored by MITACS and Carleton's Computer Security Lab (CCSL). Last updated on November 26 2009.