Reusing Hardware Performance Counters to Detect and Identify Kernel Control-Flow Modifying Rootkits.
IEEE Trans. on CAD of Integrated Circuits and Systems(2016)
摘要
Kernel rootkits are formidable threats to computer systems. They are stealthy and can have unrestricted access to system resources. This paper presents NumChecker, a new virtual machine (VM) monitor based framework to detect and identify control-flow modifying kernel rootkits in a guest VM. NumChecker detects and identifies malicious modifications to a system call in the guest VM by measuring the number of certain hardware events that occur during the system call’s execution. To automatically count these events, NumChecker leverages the hardware performance counters (HPCs), which exist in modern processors. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced. We implement a prototype of NumChecker on Linux with the kernel-based VM. An HPC-based two-phase kernel rootkit detection and identification technique is presented and evaluated on a number of real-world kernel rootkits. The results demonstrate its practicality and effectiveness.
更多查看译文
关键词
Kernel,Monitoring,Hardware,Linux,Virtualization,Virtual machining,Radiation detectors
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络