Rootkits are tool sets used by intruders to modify the perception that users have of a compromised system. In particular, these tools are used by attackers to hide their actions from system administrators. Originally, rootkits mainly included modified versions of system auditing programs (e.g., ps or netstat on a Unix system). However, for operating systems that support loadable kernel modules (e.g., Linux and Solaris), a new type of rootkit has recently emerged. These rootkits are implemented as kernel modules, and they do not require modification of user space binaries to conceal malicious activity. Instead, the rootkit operates within the kernel, modifying critical data structures such as the system call table or the list of currently loaded kernel modules.

This paper presents a technique that exploits binary analysis to ascertain, at load time, whether a module's behavior resembles the behavior of a rootkit. Through this method, it is possible to provide additional protection against this type of malicious modification of the kernel. Our technique relies on an abstract model of module behavior that is not affected by small changes in the binary image of the module. Therefore, the technique is resistant to attempts to conceal the malicious nature of a kernel module.
Keywords: Rootkits, Binary Analysis, Kernel Hardening.
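As an added illustration of the load-time behavioral check the abstract describes (not the paper's own code or algorithm), this Python sketch tracks register values through a constructed, simplified instruction list standing in for a module's init routine and flags stores that land in protected kernel regions. The addresses, the instruction format and the protected regions are all assumptions chosen for the example.

```python
# Added illustration, not the paper's implementation: a tiny symbolic pass
# over a constructed instruction list. Register contents are tracked as values
# and any memory store whose target falls inside a protected kernel region is
# flagged, however the address was assembled. Addresses are placeholders.
SYS_CALL_TABLE = 0xC0300000            # placeholder, not a real kernel address
MODULE_LIST = 0xC0400000               # placeholder for the module list head
SLOT = 4                               # 32-bit pointer per syscall entry (example)
PROTECTED = {
    "sys_call_table": (SYS_CALL_TABLE, SYS_CALL_TABLE + 256 * SLOT),
    "module_list": (MODULE_LIST, MODULE_LIST + 16),
}
SYMBOLS = {"sys_call_table": SYS_CALL_TABLE, "own_data": 0xD0000000}

def analyze_init(instructions, symbols=SYMBOLS):
    """Return the protected regions written by an instruction list.
    Each instruction is (op, dst, src); unknown register values are None."""
    regs, hits = {}, []
    for op, dst, src in instructions:
        if op == "mov_imm":            # dst <- constant or resolved symbol
            regs[dst] = symbols.get(src, None) if isinstance(src, str) else src
        elif op == "mov_reg":          # dst <- another register (may be unknown)
            regs[dst] = regs.get(src)
        elif op == "add_imm":          # dst <- dst + constant, unknown stays unknown
            regs[dst] = None if regs.get(dst) is None else regs[dst] + src
        elif op == "store":            # mem[base + disp] <- src register
            base, disp = dst
            addr = None if regs.get(base) is None else regs[base] + disp
            for name, (lo, hi) in PROTECTED.items():
                if addr is not None and lo <= addr < hi and name not in hits:
                    hits.append(name)
    return hits

# Constructed behaviours. DIRECT writes syscall slot 11 through the symbol;
# REORDERED reaches the same slot via an offset split across registers, the
# kind of small binary change the abstract says the model must tolerate.
DIRECT = [("mov_imm", "eax", "sys_call_table"),
          ("mov_imm", "ebx", 0x08048000),
          ("store", ("eax", 11 * SLOT), "ebx")]
REORDERED = [("mov_imm", "ecx", "sys_call_table"),
             ("add_imm", "ecx", -0x40),
             ("mov_reg", "edx", "ecx"),
             ("add_imm", "edx", 0x40 + 11 * SLOT),
             ("mov_imm", "ebx", 0x08048000),
             ("store", ("edx", 0), "ebx")]
BENIGN = [("mov_imm", "eax", "own_data"),      # writes only its own data
          ("store", ("eax", 0), "ebx")]
if __name__ == "__main__":
    for name, code in (("direct", DIRECT), ("reordered", REORDERED), ("benign", BENIGN)):
        print(name, analyze_init(code) or "no protected writes")
```

Both the direct and the reordered variant are reported as writing sys_call_table, while the benign module produces no finding.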