KLrtD: Kernel level rootkit detection

Abstract

Kernel rootkits pose a significant threat to computer systems as they run at the highest privilege level of operating system and have unrestricted access to the resources of their victims. Majority of current efforts in kernel rootkit defense focus on the detection of kernel rootkits. Various untrusted extensions, it remains a challenging problem to comprehensively preserve the integrity of OS kernels in a practical and generic way. In this regard, we propose a detection method named WHKrD that blocks and detects data kernel rootkit attacks by monitoring kernel data access using virtual machine monitor (VMM). WHKrD in inference mode, observe the execution of the kernel during an inference phase and extract white list rules on kernel data structures. In the following, integrity checker phase uses these rules as specifications of data structure integrity and any violation of rules indicates an infection. We have implemented a prototype of our system using the xen VMM. Our experiments show that it successfully detects data kernel rootkits, demonstrating its effectiveness and practicality.