research-article

Reusing Hardware Performance Counters to Detect and Identify Kernel Control-Flow Modifying Rootkits

Authors:

Xueyang Wang,

Ramesh KarriAuthors Info & Claims

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Volume 35, Issue 3

Pages 485 - 498

https://doi.org/10.1109/TCAD.2015.2474374

Published: 01 March 2016 Publication History

Abstract

Kernel rootkits are formidable threats to computer systems. They are stealthy and can have unrestricted access to system resources. This paper presents NumChecker, a new virtual machine (VM) monitor based framework to detect and identify control-flow modifying kernel rootkits in a guest VM. NumChecker detects and identifies malicious modifications to a system call in the guest VM by measuring the number of certain hardware events that occur during the system call’s execution. To automatically count these events, NumChecker leverages the hardware performance counters (HPCs), which exist in modern processors. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced. We implement a prototype of NumChecker on Linux with the kernel-based VM. An HPC-based two-phase kernel rootkit detection and identification technique is presented and evaluated on a number of real-world kernel rootkits. The results demonstrate its practicality and effectiveness.

Cited By

View all

Bhade PPaturel JSentieys OSinha S(2024)Lightweight Hardware-Based Cache Side-Channel Attack Detection for Edge Devices (Edge-CaSCADe)ACM Transactions on Embedded Computing Systems10.1145/366367323:4(1-27)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3663673
Karapoola SSingh NRebeiro CVeezhinathan K(2022)JUGAAD: Comprehensive Malware Behavior-as-a-ServiceProceedings of the 15th Workshop on Cyber Security Experimentation and Test10.1145/3546096.3546108(39-48)Online publication date: 8-Aug-2022
https://dl.acm.org/doi/10.1145/3546096.3546108
Carnà SFerracci SQuaglia FPellegrini A(2022)Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance CountersDigital Threats: Research and Practice10.1145/35196014:1(1-24)Online publication date: 30-Apr-2022
https://dl.acm.org/doi/10.1145/3519601
Show More Cited By

Reusing Hardware Performance Counters to Detect and Identify Kernel Control-Flow Modifying Rootkits
1. General and reference
  1. Cross-computing tools and techniques
2. Security and privacy
  1. Systems security

Recommendations

On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

Recent work has investigated the use of hardware performance counters (HPCs) for the detection of malware running on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine ...
Countering kernel rootkits with lightweight hook protection
CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating ...
HACKING EXPOSED MALWARE AND ROOTKITS

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems Volume 35, Issue 3

March 2016

173 pages

ISSN:0278-0070

Issue’s Table of Contents

Publisher

IEEE Press

Publication History

Published: 01 March 2016

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 19 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Bhade PPaturel JSentieys OSinha S(2024)Lightweight Hardware-Based Cache Side-Channel Attack Detection for Edge Devices (Edge-CaSCADe)ACM Transactions on Embedded Computing Systems10.1145/366367323:4(1-27)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3663673
Karapoola SSingh NRebeiro CVeezhinathan K(2022)JUGAAD: Comprehensive Malware Behavior-as-a-ServiceProceedings of the 15th Workshop on Cyber Security Experimentation and Test10.1145/3546096.3546108(39-48)Online publication date: 8-Aug-2022
https://dl.acm.org/doi/10.1145/3546096.3546108
Carnà SFerracci SQuaglia FPellegrini A(2022)Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance CountersDigital Threats: Research and Practice10.1145/35196014:1(1-24)Online publication date: 30-Apr-2022
https://dl.acm.org/doi/10.1145/3519601
Kuruvila AMeng XKundu SPandey GBasu K(2022)Explainable Machine Learning for Intrusion Detection via Hardware Performance CountersIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2022.314974541:11(4952-4964)Online publication date: 1-Nov-2022
https://dl.acm.org/doi/10.1109/TCAD.2022.3149745
Kuruvila AMahapatra AKarri RBasu K(2021)Hardware Performance Counters: Ready-Made vs Tailor-MadeACM Transactions on Embedded Computing Systems10.1145/347699620:5s(1-26)Online publication date: 17-Sep-2021
https://dl.acm.org/doi/10.1145/3476996
Alam MBhattacharya SMukhopadhyay D(2021)Victims Can Be SaviorsACM Journal on Emerging Technologies in Computing Systems10.1145/343918917:2(1-31)Online publication date: 29-Jan-2021
https://dl.acm.org/doi/10.1145/3439189
Kadiyala SJadhav PLam SSrikanthan T(2020)Hardware Performance Counter-Based Fine-Grained Malware DetectionACM Transactions on Embedded Computing Systems10.1145/340394319:5(1-17)Online publication date: 26-Sep-2020
https://dl.acm.org/doi/10.1145/3403943
Kadiyala SAlam MShrivastava YPatranabis SAbbas MBiswas AMukhopadhyay DSrikanthan T(2020)LAMBDAACM Transactions on Embedded Computing Systems10.1145/339085519:4(1-31)Online publication date: 21-Jun-2020
https://dl.acm.org/doi/10.1145/3390855
Jiang XLora MChattopadhyay SMohsenin TZhao WChen YMutlu O(2020)Efficient and Trusted Detection of Rootkit in IoT Devices via Offline Profiling and Online MonitoringProceedings of the 2020 on Great Lakes Symposium on VLSI10.1145/3386263.3406939(433-438)Online publication date: 7-Sep-2020
https://dl.acm.org/doi/10.1145/3386263.3406939
Jiang XLora MChattopadhyay S(2020)An Experimental Analysis of Security Vulnerabilities in Industrial IoT DevicesACM Transactions on Internet Technology10.1145/337954220:2(1-24)Online publication date: 18-May-2020
https://dl.acm.org/doi/10.1145/3379542
Show More Cited By

View Options

View options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Recommendations

On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters

Countering kernel rootkits with lightweight hook protection

HACKING EXPOSED MALWARE AND ROOTKITS

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations