On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters [pdf] (binghamton.edu)
73 points by lainon 10 months ago | 4 comments

Nate Lawson, Peter Ferrie, and I gave a talk at Black Hat 10 years ago about using hardware performance counters to detect virtualizing rootkits (rootkits that install themselves as very small hardware-virtualized hypervisors on top of your kernel).

This seems like an extension of the very old antidebugging/antitracing trick of checking the timestamp counter --- the question then becomes, are the HPCs read-only and how are they read? Because a rootkit might just as easily feed the "nominal" values to whatever application is reading them.


Recent work has investigated the use of hardware performance counters (HPCs) for the detection of malware running on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine learning to train a detector to distinguish between benign applications and malware. In this work, we provide a more comprehensive analysis of the applicability of using machine learning and HPCs for a specific subset of malware: kernel rootkits.

We design five synthetic rootkits, each providing a single piece of rootkit functionality, and execute each while collecting HPC traces of its impact on a specific benchmark application. We then apply machine learning feature selection techniques in order to determine the most relevant HPCs for the detection of these rootkits. We identify 16 HPCs that are useful for the detection of hooking-based rootkits, and also find that rootkits employing direct kernel object manipulation (DKOM) do not significantly impact HPCs. We then use these synthetic rootkit traces to train a detection system capable of detecting new rootkits it has not seen previously with an accuracy of over 99%. Our results indicate that HPCs have the potential to be an effective tool for rootkit detection, even against new rootkits not previously seen by the detector.
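As an added illustration of the pipeline the abstract describes (constructed example code, not the paper's code or measurements): synthetic per-interval HPC traces are generated for a benchmark, events are ranked by how far each rootkit pushes them from the benign profile, and a threshold detector trained on three hooking rootkits is scored on a fourth it never saw and on a DKOM rootkit. The event names, baseline magnitudes and per-rootkit effects are assumptions chosen to mirror the abstract's finding that hooking shows up in the counters while DKOM does not.

```python
# Added toy of the abstract's pipeline: synthetic rootkit HPC traces -> feature
# selection -> detector scored on an unseen rootkit. Traces are constructed, not the paper's.
import math
import statistics

EVENTS = ["instructions", "cycles", "branch_misses", "itlb_misses", "llc_misses"]
BASELINE = [1_000_000, 1_400_000, 8_000, 300, 5_000]   # assumed benign per-interval deltas
# Multiplicative effect of each synthetic rootkit per event. Hooking rootkits add
# code on hot paths; DKOM only edits kernel data, so it is modelled as no change.
EFFECTS = {
    "syscall_hook": [1.02, 1.05, 1.40, 1.80, 1.05],
    "idt_hook":     [1.01, 1.04, 1.30, 1.60, 1.03],
    "inline_hook":  [1.03, 1.06, 1.50, 1.50, 1.04],
    "vfs_hook":     [1.02, 1.05, 1.35, 1.70, 1.06],   # held out as the unseen rootkit
    "dkom":         [1.00, 1.00, 1.00, 1.00, 1.00],
}

def trace(kind="benign", n=16):
    """n sampling intervals of counter deltas with deterministic +-2% jitter."""
    eff = EFFECTS.get(kind, [1.0] * len(EVENTS))
    return [[b * e * (1 + 0.02 * math.sin(1.7 * i + j + len(kind)))
             for j, (b, e) in enumerate(zip(BASELINE, eff))] for i in range(n)]

def benign_profile(benign, cols):
    """Per-event mean and (floored) population stddev of the benign trace."""
    return {j: (statistics.fmean(r[j] for r in benign),
                max(statistics.pstdev([r[j] for r in benign]), 1e-9)) for j in cols}

def rank_features(benign, rootkits):
    """Order events by mean separation from benign, in benign-stddev units."""
    prof = benign_profile(benign, range(len(EVENTS)))
    score = lambda j: statistics.fmean(
        abs(statistics.fmean(r[j] for r in rk) - prof[j][0]) / prof[j][1] for rk in rootkits)
    return sorted(range(len(EVENTS)), key=score, reverse=True)

def train(benign, rootkits, k=2, threshold=5.0):
    """Keep the k best-separating events plus the benign profile for them."""
    sel = rank_features(benign, rootkits)[:k]
    return {"events": sel, "profile": benign_profile(benign, sel), "threshold": threshold}

def detection_rate(model, rows):
    """Fraction of intervals whose mean |z| over the selected events exceeds threshold."""
    def z(row):
        return statistics.fmean(abs(row[j] - m) / s for j, (m, s) in model["profile"].items())
    return sum(z(row) > model["threshold"] for row in rows) / len(rows)

def run_experiment():
    """Train on three hooking rootkits; score benign, an unseen hook, and DKOM."""
    model = train(trace(), [trace(k) for k in ("syscall_hook", "idt_hook", "inline_hook")])
    return {k: detection_rate(model, trace(k)) for k in ("benign", "vfs_hook", "dkom")}
```

The selected events end up being the two miss counters the hooks inflate, the unseen hooking rootkit is flagged in every interval, and the DKOM trace is indistinguishable from benign, which is the caveat in the abstract rather than a detector bug.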

Great amount of detail in the paper. Too bad it relies on VTune. Besides being huge it can be buggy sometimes. An open source HPC driver would be awesome.

