Saturday, February 21, 2009

Detecting Kernel-Level Rootkits Through Binary Analysis

One of our new guys[Gustavo Delgadillo] mentioned about this paper to EF, for LKM based Rootkit detection. We thought of sharing with our blog readers. Read and Enjoy!!!


Rootkits are tool sets used by intruders to modify the
perception that users have of a compromised system.
In particular, these tools are used by attackers to
hide their actions from system administrators. Originally,
rootkits mainly included modified versions of
system auditing programs (e.g., ps or netstat on a
Unix system). However, for operating systems that
support loadable kernel modules (e.g., Linux and Solaris),
a new type of rootkit has recently emerged.
These rootkits are implemented as kernel modules,
and they do not require modification of user space
binaries to conceal malicious activity. Instead, the
rootkit operates within the kernel, modifying critical
data structures such as the system call table or the
list of currently-loaded kernel modules.

This paper presents a technique that exploits binary
analysis to ascertain, at load time, if a module’s
behavior resembles the behavior of a rootkit.
Through this method, it is possible to provide additional
protection against this type of malicious modification
of the kernel. Our technique relies on an abstract
model of module behavior that is not affected
by small changes in the binary image of the module.
Therefore, the technique is resistant to attempts to
conceal the malicious nature of a kernel module.
Keywords: Rootkits, Binary Analysis, Kernel Hardening.

This paper is available here.

- EF

No comments: