Numchecker - A System Approach for Kernel Rootkit Detection
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a comprehensive framework for detecting and identifying control-flow modifying kernel rootkits in virtual machines through this 53-minute Black Hat conference talk. Learn about NumChecker, a Virtual Machine Monitor (VMM) based system that leverages Hardware Performance Counters to measure low-level events during system call execution. Discover the two-phase detection and identification process, including syscall measurement, kernel preemption handling, and choosing proper events. Examine real-world kernel rootkit detection results, performance evaluations, and security analysis of this practical and effective approach implemented on Linux with Kernel-based Virtual Machine.
Syllabus
Intro
Executive Summary
Kernel Rootkit Behavior Classification
Hardware Performance Counters (HPC)
Two-Phase Detection and identification
Syscall Measurement
Kernel Preemption Handling
Detection: Test Programs
Detection: Choosing Proper Events
Detection: Deviation Threshold
Detection: Kernel Rootkits Detected
Detection: Performance Evaluation
Identification: Kernel Rootkits Identified
Identification: Periodic Sampling
Security Analysis
Conclusion
Taught by
Black Hat
Related Courses
Computer SecurityStanford University via Coursera Cryptography II
Stanford University via Coursera Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera Building an Information Risk Management Toolkit
University of Washington via Coursera Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network