NUMCHECKER: A SYSTEM APPROACH FOR KERNEL ROOTKIT DETECTION presented at BlackHatAsia 2016

by Xueyang Wang, Xiaofei Guo,

Summary : Kernel rootkits are stealthy and can have unrestricted access to system resources. In our talk, we will present NumChecker, a new Virtual Machine Monitor (VMM) based framework to detect and identify control-flow modifying kernel rootkits in a guest Virtual Machine (VM). NumChecker detects and identifies malicious modifications to a system call in the guest VM by measuring low-level events that occur during the system call's execution.
To efficiently measure these events, NumChecker leverages the Hardware Performance Counters (HPCs) in modern processors. HPCs today are able to measure a large number of low-level events that are related to program behavior. We implement NumChecker on Linux with the Kernel-based Virtual Machine. The results on a number of real-world kernel rootkits show that NumChecker is practical and effective.