Surgical Recovery from Kernel-Level Rootkit Installations

Presented at DEF CON 13 (2005), July 31, 2005, 1 p.m. (50 minutes)

Conventional wisdom states that once a system has been compromised, it can no longer be trusted and the only solution is to wipe the system clean and reinstall. This talk goes against the grain of conventional wisdom and asks whether there are more efficient ways to repair a system than complete reinstallation. Specifically, this talk will focus on the detection of and recovery from the installation of both traditional and kernel-level rootkits. Included in the presentation is a demonstration of an operating system architecture and intrusion recovery system (IRS) that is capable of recovering from some of the most prevalent rootkits seen in the wild. Prototype recovery tools will be released.


  • Julian Grizzard
    Julian Grizzard is a Ph.D. candidate in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. He received his B.S. in Computer Engineering from Clemson University and his M.S. in Electrical and Computer Engineering from the Georgia Institute of Technology. He has been studying rootkits for several years, written numerous related papers, and given many academic and research presentations. He is a member of the Honeynet Research Alliance and his research interests include kernel hacking, networking, and security.

