Title :
NumChecker: Detecting kernel control-flow modifying rootkits by using Hardware Performance Counters
Author :
Wang, Xueyang; Karri, Ramesh
Author_Institution :
Polytech. Inst., New York Univ., New York, NY, USA
Date :
May 29 2013-June 7 2013
Abstract :
This paper presents NumChecker, a new Virtual Machine Monitor (VMM) based framework to detect control-flow modifying kernel rootkits in a guest Virtual Machine (VM). NumChecker detects malicious modifications to a system call in the guest VM by checking the number of certain hardware events that occur during the system call's execution. To automatically count these events, NumChecker leverages the Hardware Performance Counters (HPCs) that exist in most modern processors. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced. We implement a prototype of NumChecker on Linux with the Kernel-based Virtual Machine (KVM). Our evaluation demonstrates its practicality and effectiveness.
Keywords :
Linux; computerised monitoring; counting circuits; virtual machines; HPC; KVM; Linux; NumChecker; VMM based framework; checking cost; control-flow kernel rootkits; hardware event checking; hardware performance counter; kernel-based virtual machine; malicious modification detection; modern processor; system call execution; tamper-resistance; virtual machine monitor; Hardware; Kernel; Linux; Monitoring; Radiation detectors; Security; Virtualization; Hardware Performance Counters; Kernel Rootkits; Virtualization
Conference_Titel :
Design Automation Conference (DAC), 2013 50th ACM/EDAC/IEEE
Conference_Location :
Austin, TX