Security versus energy tradeoffs in host-based mobile malware detection
MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications, and services
L4Android: a generic operating system framework for secure smartphones
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Proceedings of the 2012 ACM conference on Computer and communications security
Blacksheep: detecting compromised hosts in homogeneous crowds
Proceedings of the 2012 ACM conference on Computer and communications security
Behave or be watched: debugging with behavioral watchpoints
Proceedings of the 9th Workshop on Hot Topics in Dependable Systems
KI-Mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object
SEC'13 Proceedings of the 22nd USENIX conference on Security
Rootkits affect system security by modifying kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify noncontrol data. Most prior techniques for rootkit detection have focused solely on detecting control data modifications and, therefore, fail to detect such rootkits. This paper presents a novel technique to detect rootkits that modify both control and noncontrol data. The main idea is to externally observe the execution of the kernel during an inference phase and hypothesize invariants on kernel data structures. A rootkit detection phase uses these invariants as specifications of data structure integrity. During this phase, violation of invariants indicates an infection. We have implemented Gibraltar, a prototype tool that infers kernel data structure invariants and uses them to detect rootkits. Experiments show that Gibraltar can effectively detect previously known rootkits, including those that modify noncontrol data structures.
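The two-phase approach in the abstract, as an added illustration that is not Gibraltar's own code: constructed snapshots of three kernel fields (made-up addresses and PIDs), two invariant templates hypothesized over the inference-phase snapshots (a field keeps a constant value; one set-valued field is always contained in another), and a detection-phase check that flags both a hooked system-call entry (control data) and a runnable process unlinked from the task list (noncontrol data).

```python
# Constructed snapshots of a few kernel data structures, as an external monitor
# might observe them during the inference phase (hypothetical values).
INFERENCE_SNAPSHOTS = [
    {"sys_call_table": (0xC0100000, 0xC0100100, 0xC0100200),
     "all_tasks": frozenset({1, 2, 3, 4}), "run_queue": frozenset({2, 4})},
    {"sys_call_table": (0xC0100000, 0xC0100100, 0xC0100200),
     "all_tasks": frozenset({1, 2, 3, 4, 5}), "run_queue": frozenset({3})},
    {"sys_call_table": (0xC0100000, 0xC0100100, 0xC0100200),
     "all_tasks": frozenset({1, 2, 5}), "run_queue": frozenset({1, 2, 5})},
]


def infer_invariants(snapshots):
    """Inference phase: keep only hypotheses that hold in every snapshot.

    Template 'constant': the field never changes (catches control-data hooks
    such as an overwritten system-call table entry).
    Template 'subset': set-valued field A is always contained in field B
    (catches noncontrol tampering such as a task removed from the all-tasks
    list while it still appears in the scheduler's run queue)."""
    keys = sorted(set.intersection(*(set(s) for s in snapshots)))
    invariants = []
    for k in keys:
        values = [s[k] for s in snapshots]
        if all(v == values[0] for v in values):
            invariants.append(("constant", k, values[0]))
    set_keys = [k for k in keys
                if all(isinstance(s[k], frozenset) for s in snapshots)]
    for a in set_keys:
        for b in set_keys:
            if a != b and all(s[a] <= s[b] for s in snapshots):
                invariants.append(("subset", a, b))
    return invariants


def check_snapshot(invariants, snapshot):
    """Detection phase: return the invariants a new snapshot violates.
    A non-empty result is treated as evidence of a rootkit infection."""
    violated = []
    for kind, a, b in invariants:
        if kind == "constant":
            holds = snapshot[a] == b
        else:  # 'subset'
            holds = snapshot[a] <= snapshot[b]
        if not holds:
            violated.append((kind, a, b))
    return violated
```

Invariant templates are only as good as the inference workload: a field that happens never to change during inference is reported as constant, so a clean but too-narrow inference run produces false positives later.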