Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC 2008); pages 77--86; Anaheim, California; December 8-12, 2008.
Outstanding Student Paper Award
Kernel-level rootkits affect system security by modifying key kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify non-control data structures. Prior techniques for rootkit detection fail to identify such rootkits either because they focus solely on detecting control data modifications or because they require elaborate, manually-supplied specifications to detect modifications of non-control data.
This paper presents a novel rootkit detection technique that automatically detects rootkits that modify both control and non-control data. The key idea is to externally observe the execution of the kernel during a training period and hypothesize invariants on kernel data structures. These invariants are used as specifications of data structure integrity during an enforcement phase; violation of these invariants indicates the presence of a rootkit.
We present the design and implementation of Gibraltar, a tool that uses the above approach to infer and enforce invariants. In our experiments, we found that Gibraltar can detect rootkits that modify both control and non-control data structures, and that its false positive rate and monitoring overheads are negligible.
Slides: [ Powerpoint | PDF ]
Poster: [ PDF ]
DOI: [ 10.1109/ACSAC.2008.29 ]
Journal version: This paper is superseded by its journal version, which appears in the IEEE Transactions on Dependable and Secure Computing (TDSC) as Detecting Kernel-Level Rootkits using Data Structure Invariants. Please read the journal version instead.