Overview
Explore a comprehensive framework for detecting and identifying control-flow-modifying kernel rootkits in virtual machines in this 53-minute Black Hat conference talk. Learn about NumChecker, a Virtual Machine Monitor (VMM) based system that uses Hardware Performance Counters (HPCs) to measure low-level hardware events during system call execution, so that a rootkit which alters a syscall's control flow shows up as a deviation in the event counts. Discover the two-phase detection and identification process, including syscall measurement, kernel preemption handling, and choosing proper events. Examine real-world kernel rootkit detection results, performance evaluations, and a security analysis of this practical and effective approach, implemented on Linux with the Kernel-based Virtual Machine (KVM).
Syllabus
Intro
Executive Summary
Kernel Rootkit Behavior Classification
Hardware Performance Counters (HPC)
Two-Phase Detection and Identification
Syscall Measurement
Kernel Preemption Handling
Detection: Test Programs
Detection: Choosing Proper Events
Detection: Deviation Threshold
Detection: Kernel Rootkits Detected
Detection: Performance Evaluation
Identification: Kernel Rootkits Identified
Identification: Periodic Sampling
Security Analysis
Conclusion
Taught by
Black Hat