More Web Proxy on the site http://driver.im/

research-article

NumChecker: detecting kernel control-flow modifying rootkits by using hardware performance counters

Authors:

Ramesh KarriAuthors Info & Claims

DAC '13: Proceedings of the 50th Annual Design Automation Conference

Article No.: 79, Pages 1 - 7

https://doi.org/10.1145/2463209.2488831

Published: 29 May 2013 Publication History

Abstract

This paper presents NumChecker, a new Virtual Machine Monitor (VMM) based framework to detect control-flow modifying kernel rootkits in a guest Virtual Machine (VM). NumChecker detects malicious modifications to a system call in the guest VM by checking the number of certain hardware events that occur during the system call's execution. To automatically count these events, NumChecker leverages the Hardware Performance Counters (HPCs), which exist in most modern processors. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced. We implement a prototype of NumChecker on Linux with the Kernelbased Virtual Machine (KVM). Our evaluation demonstrates its practicality and effectiveness.

References

[1]

www.tux.org/pub/benchmarks/System/unixbench/.

[2]

The adore-ng rootkit. http://stealth.7350.org.

[3]

Chkrootkit. http://packetstormsecurity.org/files/62258/chkrootkit-0.48.tar.gz.html.

[4]

Kernel based virtual machine. http://www.linux-kvm.org/page/Main_Page.

[5]

Kstat - kernel security therapy anti-trolls. http://www.s0ftpj.org/en/tools.html.

[6]

Rkhunter. http://packetstormsecurity.org/files/44153/rkhunter-1.2.8.tar.gz.html.

[7]

Performance counters for linux. http://lwn.net/Articles/310176, 2010.

[8]

F. Azmandian, M. Moffie, M. Alshawabkeh, J. G. Dy, J. A. Aslam, and D. R. Kaeli. Virtual machine monitor-based lightweight intrusion detection. ACM SIGOPS Operating Systems Review, 45(2):38--53, July 2011.

Digital Library

[9]

S. Bahram, X. Jiang, Z. Wang, M. Grace, J. Li, and D. Xu. Dksm: Subverting virtual machine introspection for fun and profit. In Proceedings of the 29th IEEE International Symposium on Reliable Distributed Systems, Oct. 2010.

Digital Library

[10]

A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: Malware analysis via hardware virtualization extensions. In Proceedings of ACM conference on Computer and Communications Security, Oct. 2008.

Digital Library

[11]

T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of Network and Distributed Systems Security Symposium, pages 191--206, 2003.

[12]

A. Godiyal, A. Nguyen, and N. Schear. A lightweight hypervisor for malware analysis. http://ivanlef0u.fr/repo/todo/HyperVisorMalware.pdf.

[13]

O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel. Ensuring operating system kernel integrity with osck. In Architectural Support for Programming Languages and Operating Systems, March 2011.

Digital Library

[14]

X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proceedings of ACM conference on Computer and communications security, Nov. 2007.

Digital Library

[15]

C. Malone, M. Zahran, and R. Karri. Are hardware performance counters a cost effective way for integrity checking of programs? In The Sixth ACM Workshop on Scalable Trusted Computing, Oct. 2011.

Digital Library

[16]

J. N. L. Petroni and M. Hicks. Automated detection of persistent kernel control-flow attacks. In Proceedings of ACM conference on Computer and Communications Security, pages 103--115, 2007.

Digital Library

[17]

B. Payne, M. de Carbone, and W. Lee. Secure and flexible monitoring of virtual machines. In Computer Security Applications Conference, Dec. 2007.

[18]

B. Payne, M. S. M. Carbone, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In Proceedings of the IEEE Symposium on Security and Privacy, May 2008.

Digital Library

[19]

J. Pfoh, C. Schneider, and C. Eckert. Nitro: Hardware-based system call tracing for virtual machines. Advances in Information and Computer Security, 7038:96--112, Nov 2011.

Digital Library

[20]

R. Riley, X. Jiang, and D. Xu. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In Proceedings of International Symposium on Recent Advances in Intrusion Detection, 2008.

Digital Library

[21]

J. Rutkowska. Execution path analysis: finding kernel based rootkits. Phrack Article, 11, 2002.

[22]

Sd and Devik. Linux on-the-fly kernel patching without lkm. Phrack Magazine, 11, Jan. 2004.

[23]

A. Srivastava and J. Giffin. Tamper-resistant, application-aware blocking of malicious network connections. In Proceedings of International Symposium on Recent Advances in Intrusion Detection, pages 39--58, 2008.

Digital Library

[24]

Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering kernel rootkits with lightweight hook protection. In Proceedings of the 16th ACM conference on Computer and Communications Security, pages 545--554, Nov. 2009.

Digital Library

Cited By

Sayadi HHe ZMakrani HHomayoun H(2024)Intelligent Malware Detection based on Hardware Performance Counters: A Comprehensive Survey2024 25th International Symposium on Quality Electronic Design (ISQED)10.1109/ISQED60706.2024.10528369(1-10)Online publication date: 3-Apr-2024
https://doi.org/10.1109/ISQED60706.2024.10528369
Eichler CRöckl JJung BSchlenk RMüller THönig T(2024)Profiling with trust: system monitoring from trusted execution environmentsDesign Automation for Embedded Systems10.1007/s10617-024-09283-128:1(23-44)Online publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1007/s10617-024-09283-1
Chen CKande RNguyen NAndersen FTyagi ASadeghi ARajendran JCalandrino JTroncoso C(2023)HyPFuzzProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620314(1361-1378)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620314
Show More Cited By

Index Terms

NumChecker: detecting kernel control-flow modifying rootkits by using hardware performance counters
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

Adaptive Virtual Machine Management in the Cloud: A Performance-Counter-Driven Approach

The success of cloud computing technologies heavily depends on both the underlying hardware and system software support for virtualization. In this study, we propose to elevate the capability of the hypervisor to monitor and manage co-running virtual ...
The Impact on the Performance of Co-running Virtual Machines in a Virtualized Environment
ARMS-CC'16: Proceedings of the Third International Workshop on Adaptive Resource Management and Scheduling for Cloud Computing

The success of cloud computing technologies heavily depends on the underlying hardware as well as the system software support for virtualization. As hardware resources become more abundant with each technology generation, the complexity of managing the ...
SRVM: Hypervisor Support for Live Migration with Passthrough SR-IOV Network Devices
VEE '16

Single-Root I/O Virtualization (SR-IOV) is a specification that allows a single PCI Express (PCIe) device (ysical function or PF) to be used as multiple PCIe devices (virtual functions or VF). In a virtualization system, each VF can be directly assigned ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

DAC '13: Proceedings of the 50th Annual Design Automation Conference

May 2013

1285 pages

ISBN:9781450320719

DOI:10.1145/2463209

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

EDAC: Electronic Design Automation Consortium
SIGDA: ACM Special Interest Group on Design Automation
IEEE-CEDA

In-Cooperation

SIGBED: ACM Special Interest Group on Embedded Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 May 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

DAC '13

Sponsor:

EDAC
SIGDA

DAC '13: The 50th Annual Design Automation Conference 2013

May 29 - June 7, 2013

Texas, Austin

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%

Upcoming Conference

DAC '25

Sponsor:
sigda

62nd ACM/IEEE Design Automation Conference

June 22 - 26, 2025

San Francisco , CA , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

83
Total Citations
View Citations
472
Total Downloads

Downloads (Last 12 months)18
Downloads (Last 6 weeks)4

Reflects downloads up to 01 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Sayadi HHe ZMakrani HHomayoun H(2024)Intelligent Malware Detection based on Hardware Performance Counters: A Comprehensive Survey2024 25th International Symposium on Quality Electronic Design (ISQED)10.1109/ISQED60706.2024.10528369(1-10)Online publication date: 3-Apr-2024
https://doi.org/10.1109/ISQED60706.2024.10528369
Eichler CRöckl JJung BSchlenk RMüller THönig T(2024)Profiling with trust: system monitoring from trusted execution environmentsDesign Automation for Embedded Systems10.1007/s10617-024-09283-128:1(23-44)Online publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1007/s10617-024-09283-1
Chen CKande RNguyen NAndersen FTyagi ASadeghi ARajendran JCalandrino JTroncoso C(2023)HyPFuzzProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620314(1361-1378)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620314
Pott CGulmezoglu BEisenbarth TShehab MFernandez MLi N(2023)Overcoming the Pitfalls of HPC-based Cryptojacking Detection in Presence of GPUsProceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy10.1145/3577923.3583655(177-188)Online publication date: 24-Apr-2023
https://dl.acm.org/doi/10.1145/3577923.3583655
Leal ECheng BNguyen TGarcia ACabero NMing J(2023)Leveraging Hardware Performance Counters for Efficient Classification of Binary Packers2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom60117.2023.00252(1859-1864)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TrustCom60117.2023.00252
Adhikari SAsad HJones K(2023)Enhancing IoT Security: Novel Mechanisms for Malware Detection using HPCs and Neural Networks2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom60117.2023.00199(1455-1463)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TrustCom60117.2023.00199
Ott KMahapatra R(2023)Hardware Performance Counter Enhanced Watchdog for Embedded Software Security2023 24th International Symposium on Quality Electronic Design (ISQED)10.1109/ISQED57927.2023.10129291(1-8)Online publication date: 5-Apr-2023
https://doi.org/10.1109/ISQED57927.2023.10129291
Yang YQiu PWang CJin YGao QLi XWang DQu G(2023)Exploration and Exploitation of Hidden PMU Events2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD)10.1109/ICCAD57390.2023.10323695(1-9)Online publication date: 28-Oct-2023
https://doi.org/10.1109/ICCAD57390.2023.10323695
Sutton SRrushi J(2023)Decoy Processes With Optimal Performance FingerprintsIEEE Access10.1109/ACCESS.2023.327199911(43216-43237)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3271999
Praveen Kumar EPriyanka S(2023)A comprehensive survey on hardware-assisted malware analysis and primitive techniquesComputer Networks10.1016/j.comnet.2023.109967235(109967)Online publication date: Nov-2023
https://doi.org/10.1016/j.comnet.2023.109967
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents