Detecting Kernel-Level Rootkits Through Binary Analysis

Christopher Kruegel
TU Vienna
Austria

William Robertson
University of California Santa Barbara
USA

Giovanni Vigna
UCSB
USA

Rootkits are toolsets used by intruders to modify the perception that users
have of a compromised system. In particular, these tools are used by
attackers to hide their actions from the administrators of the compromised
systems. Originally, rootkits consisted of modified versions of system auditing
programs (e.g., ps or netstat on a Unix system). However, for operating
systems that support loadable kernel modules (e.g., Linux and Solaris), a new
type of rootkit has recently emerged. These rootkits are implemented as
kernel modules and do not need to modify program binaries to
conceal malicious activity. Instead, the rootkit component acts within the
kernel, modifying critical data structures (such as the system call table or
the list of kernel modules).

This paper presents a technique that uses binary analysis to
ascertain, at load time, whether a module's behavior resembles the behavior of a
rootkit. By doing this, it is possible to provide additional protection
against this type of malicious modification of the kernel's behavior. Our
technique relies on an abstract model of module behavior that
is not affected by changes in the binary image of the module. Therefore, the
technique is resistant to attempts to conceal the malicious nature of a kernel
module.
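To make the idea of a behavior-based (rather than signature-based) load-time check concrete, the following is an added example written for this page; it is not the paper's analyzer and does not reproduce its model. It assumes a toy instruction set (lea/mov/shl/add/store), a constructed kernel symbol table, and three constructed sample modules. The check abstractly executes a module's initialization code and reports any store whose target resolves into a critical kernel data structure, so two modules that compute the same target in different ways (register arithmetic versus a hard-coded immediate) are both flagged even though their instruction streams differ.

```python
# Added example: toy load-time behavior check for a kernel module.
# Not the paper's code; instruction set, symbol table and samples are constructed.

# Constructed kernel symbol table: name -> (address, size in bytes).
KERNEL_SYMBOLS = {
    "sys_call_table": (0xC0300000, 256 * 4),
    "module_list":    (0xC0400000, 4),
    "my_module_data": (0xD0001000, 64),   # the module's own private data
}
# Kernel data structures a module has no legitimate reason to write at load time.
CRITICAL_SYMBOLS = {"sys_call_table", "module_list"}

# Abstract register values:
#   ("const", n)        a known integer
#   ("sym", name, off)  address of a kernel symbol plus an offset; off is None
#                       when the offset could not be determined
#   None                unknown


def add_values(a, b):
    """Abstract addition; a symbol plus an unknown stays a symbol (conservative)."""
    if a is None and b is None:
        return None
    if a is None or b is None:
        known = a if a is not None else b
        return ("sym", known[1], None) if known[0] == "sym" else None
    if a[0] == "const" and b[0] == "const":
        return ("const", a[1] + b[1])
    if a[0] == "sym" and b[0] == "const":
        return ("sym", a[1], None if a[2] is None else a[2] + b[1])
    if a[0] == "const" and b[0] == "sym":
        return add_values(b, a)
    return None   # sym + sym is not an address we can reason about


def resolve_address(addr):
    """Map a concrete address back to (symbol, offset) if it lies inside a known symbol."""
    for name, (base, size) in KERNEL_SYMBOLS.items():
        if base <= addr < base + max(size, 1):
            return name, addr - base
    return None


def analyze_module(instructions):
    """Abstractly execute init code; return (index, symbol, offset) for every
    store whose target resolves into a critical kernel data structure."""
    regs = {}
    findings = []
    for idx, ins in enumerate(instructions):
        op = ins[0]
        if op == "lea":                      # lea reg, symbol
            regs[ins[1]] = ("sym", ins[2], 0)
        elif op == "mov":                    # mov reg, imm
            regs[ins[1]] = ("const", ins[2])
        elif op == "shl":                    # shl reg, imm
            v = regs.get(ins[1])
            regs[ins[1]] = ("const", v[1] << ins[2]) if v and v[0] == "const" else None
        elif op == "add":                    # add reg, reg
            regs[ins[1]] = add_values(regs.get(ins[1]), regs.get(ins[2]))
        elif op == "store":                  # store [reg], reg  (write through pointer)
            target = regs.get(ins[1])
            hit = None
            if target and target[0] == "sym":
                hit = (target[1], target[2])
            elif target and target[0] == "const":
                hit = resolve_address(target[1])
            if hit and hit[0] in CRITICAL_SYMBOLS:
                findings.append((idx, hit[0], hit[1]))
        # any other opcode leaves the abstract state unchanged
    return findings


def is_rootkit_like(instructions):
    """Load-time verdict: reject the module if it writes any critical structure."""
    return bool(analyze_module(instructions))


# Constructed sample 1: benign module that only initializes its own data.
BENIGN = [
    ("lea", "eax", "my_module_data"),
    ("mov", "ecx", 1),
    ("store", "eax", "ecx"),
]
# Constructed sample 2: computes the address of table entry 11 in registers.
WRITE_BY_INDEX = [
    ("mov", "ebx", 11),
    ("shl", "ebx", 2),                   # index * sizeof(pointer)
    ("lea", "eax", "sys_call_table"),
    ("add", "eax", "ebx"),
    ("lea", "ecx", "my_module_data"),
    ("store", "eax", "ecx"),
]
# Constructed sample 3: same effect with the target address as an immediate.
WRITE_BY_IMMEDIATE = [
    ("mov", "eax", 0xC0300000 + 11 * 4),
    ("lea", "ecx", "my_module_data"),
    ("store", "eax", "ecx"),
]

if __name__ == "__main__":
    for name, mod in [("benign", BENIGN), ("by_index", WRITE_BY_INDEX),
                      ("by_immediate", WRITE_BY_IMMEDIATE)]:
        print(name, "->", "REJECT" if is_rootkit_like(mod) else "ok", analyze_module(mod))
```

The verdict depends only on where the module writes, not on how the instruction stream spells that out, which is what lets the check survive re-encodings of the same binary. A real analyzer would have to handle loops, calls, memory-to-memory data flow and writes through pointers loaded from memory; the conservative rule in add_values (a symbol plus an unknown is still treated as a write into that symbol) is one way to keep such gaps from producing silent misses.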

Keywords: Kernel modules, rootkits, masqueraders
