NumChecker: A System Approach for Kernel Rootkit Detection and Identification

Presented at Black Hat Asia 2016

Kernel rootkits are stealthy and can have unrestricted access to system resources. In our talk, we will present NumChecker, a new Virtual Machine Monitor (VMM) based framework to detect and identify control-flow modifying kernel rootkits in a guest Virtual Machine (VM). NumChecker detects and identifies malicious modifications to a system call in the guest VM by measuring low-level events that occur during the system call's execution. To efficiently measure these events, NumChecker leverages the Hardware Performance Counters (HPCs) in modern processors. HPCs today are able to measure a large number of low-level events that are related to program behavior. We implement NumChecker on Linux with the Kernel-based Virtual Machine. The results on a number of real-world kernel rootkits show that NumChecker is practical and effective.
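The check the abstract describes, reduced to its core, as an added example that is not the authors' code: a VMM records HPC event counts for one system call in a clean guest, later measurements are compared against that baseline, and a deviation is matched against known rootkit signatures. All event counts, the syscall name and the signature names below are constructed for illustration, not measured values.

```python
"""Toy model of an HPC-based syscall check: compare the event counts of
one system call against a clean baseline, then identify the rootkit by
its deviation signature. Added example, not NumChecker's own code; every
count here is constructed, not measured."""
import math
import statistics

# Constructed clean baseline: per-execution event vectors
# (instructions retired, branches, returns) that a hypothetical VMM
# collected via HPCs over repeated clean runs of the same syscall.
CLEAN_BASELINE = {
    "getdents64": [(1210, 240, 38), (1215, 241, 38),
                   (1208, 239, 38), (1212, 240, 38)],
}
# Constructed signatures: mean extra events a known hook adds to the
# syscall (hypothetical names, not real rootkit families).
KNOWN_SIGNATURES = {
    "hypothetical_hider_A": (520, 110, 14),
    "hypothetical_hider_B": (95, 20, 4),
}

def baseline_means(syscall):
    """Per-event mean over the clean samples of one syscall."""
    return [statistics.mean(col) for col in zip(*CLEAN_BASELINE[syscall])]

def check_syscall(syscall, observed, tolerance=0.05, match_ratio=0.2):
    """Return ("clean", None) if every event count is within `tolerance`
    of its baseline mean (HPC readings are noisy, so exact equality is
    never expected); otherwise ("rootkit", name), where name is the
    nearest known signature or "unknown" when none is close enough."""
    means = baseline_means(syscall)
    rel = [abs(v - m) / m for m, v in zip(means, observed)]
    if all(r <= tolerance for r in rel):
        return ("clean", None)
    # Deviation vector: how many extra events the hooked path executed.
    delta = [v - m for m, v in zip(means, observed)]
    name, dist = min(((n, math.dist(delta, sig))
                      for n, sig in KNOWN_SIGNATURES.items()),
                     key=lambda t: t[1])
    # Accept the match only if it is close relative to the signature size.
    if dist <= match_ratio * math.hypot(*KNOWN_SIGNATURES[name]):
        return ("rootkit", name)
    return ("rootkit", "unknown")

if __name__ == "__main__":
    for obs in [(1214, 240, 38), (1731, 350, 52),
                (1306, 260, 42), (2400, 600, 90)]:
        print(obs, check_syscall("getdents64", obs))
```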


Presenters:

  • Xiaofei Guo - Intel Corporation
    Xiaofei Guo works as a senior security researcher at Intel. He is responsible for security assurance of mobile and IoT products. He is interested in building and breaking things all the way from application to silicon. He received his PhD from New York University and has more than 10 research publications on fault injection and side channel analysis.
  • Xueyang Wang - Intel Corporation
    Xueyang Wang received his PhD degree in Electrical Engineering from New York University. He is currently a security researcher at Intel. His research interests include secure computing architectures, virtualization and its application to cyber security, hardware support for software security, and hardware security.