Detecting Kernel level Rootkits using Data Structure Invariants

Rootkits affect system security by modifying kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify noncontrol data. Most prior techniques for rootkit detection have focused solely on detecting control data modifications and, therefore, fail to detect such rootkits. This paper presents a novel technique to detect rootkits that modify both control and noncontrol data.
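The abstract's distinction between control data (function pointers such as system-call table entries) and noncontrol data (process bookkeeping) can be illustrated with a small invariant checker. This is an added example, not the paper's implementation: the snapshots, the dictionary layout and the placeholder addresses are all constructed here; one invariant is inferred over control data (an entry's address never changes) and one over noncontrol data (the set of pids on the all-tasks list equals the set in the pid hash), and a later snapshot is checked against both.

```python
# Added illustrative example (not the paper's implementation). Snapshots are
# constructed stand-ins: a system-call table (control data: function pointers)
# and process bookkeeping (noncontrol data: the all-tasks list and pid hash).

def infer_invariants(clean_snapshots):
    """Hypothesise invariants from snapshots of a kernel known to be clean."""
    first = clean_snapshots[0]["syscall_table"]
    # Control-data invariant: table entries whose address never changed.
    constant = {
        idx: addr for idx, addr in first.items()
        if all(s["syscall_table"].get(idx) == addr for s in clean_snapshots)
    }
    # Noncontrol-data invariant: the pids on the all-tasks list always equal
    # the pids in the pid hash.
    same_sets = all(set(s["all_tasks"]) == set(s["pid_hash"]) for s in clean_snapshots)
    return {"constant_syscalls": constant, "tasks_match_pidhash": same_sets}

def check_snapshot(snapshot, invariants):
    """Return the invariant violations found in a later (possibly compromised) snapshot."""
    violations = []
    for idx, addr in invariants["constant_syscalls"].items():
        seen = snapshot["syscall_table"].get(idx)
        if seen != addr:  # a hooked or removed system-call entry
            shown = "missing" if seen is None else f"{seen:#x}"
            violations.append(f"syscall[{idx}] changed {addr:#x} -> {shown}")
    if invariants["tasks_match_pidhash"]:
        tasks, pids = set(snapshot["all_tasks"]), set(snapshot["pid_hash"])
        for pid in sorted(pids - tasks):
            # a process the kernel still tracks but that enumeration no longer shows
            violations.append(f"pid {pid} in pid_hash but not on all_tasks list")
        for pid in sorted(tasks - pids):
            violations.append(f"pid {pid} on all_tasks list but not in pid_hash")
    return violations

# Constructed sample data; the addresses are placeholders, not real kernel values.
CLEAN_SNAPSHOTS = [
    {"syscall_table": {0: 0xC0100000, 1: 0xC0100080}, "all_tasks": [1, 2, 3], "pid_hash": [1, 2, 3]},
    {"syscall_table": {0: 0xC0100000, 1: 0xC0100080}, "all_tasks": [1, 2, 4], "pid_hash": [1, 2, 4]},
]
SUSPECT_SNAPSHOT = {
    "syscall_table": {0: 0xC0100000, 1: 0xDEAD0000},  # entry 1 no longer points where it did
    "all_tasks": [1, 2],                              # pid 4 is gone from the list ...
    "pid_hash": [1, 2, 4],                            # ... but still present in the pid hash
}

if __name__ == "__main__":
    for v in check_snapshot(SUSPECT_SNAPSHOT, infer_invariants(CLEAN_SNAPSHOTS)):
        print("VIOLATION:", v)
```

Run against the suspect snapshot, the checker reports one control-data violation (the changed table entry) and one noncontrol-data violation (pid 4 present in the pid hash but absent from the task list).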


Slides (Vinod Ganapathy, Rutgers University, December 2009):

Slide 1: Detecting Kernel-level Rootkits using Data Structure Invariants. Vinod Ganapathy, Rutgers University.

Slide 2: What are rootkits? Tools used by attackers to conceal their presence on a compromised system. Typically installed after the attacker has obtained root privileges. Stealth is achieved by hiding accompanying user-level malicious programs. Rootkits = stealthy malware.

Slide 3: Rootkit-based attack scenario (diagram labels: "Sensitive information", "Credit card: 4358654606", "SSN: 543106789", "Internet", "Kernel")