Numchecker - A System Approach for Kernel Rootkit Detection
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a comprehensive framework for detecting and identifying control-flow modifying kernel rootkits in virtual machines through this 53-minute Black Hat conference talk. Learn about NumChecker, a Virtual Machine Monitor (VMM) based system that leverages Hardware Performance Counters to measure low-level events during system call execution. Discover the two-phase detection and identification process, including syscall measurement, kernel preemption handling, and choosing proper events. Examine real-world kernel rootkit detection results, performance evaluations, and security analysis of this practical and effective approach implemented on Linux with Kernel-based Virtual Machine.
Syllabus
Intro
Executive Summary
Kernel Rootkit Behavior Classification
Hardware Performance Counters (HPC)
Two-Phase Detection and identification
Syscall Measurement
Kernel Preemption Handling
Detection: Test Programs
Detection: Choosing Proper Events
Detection: Deviation Threshold
Detection: Kernel Rootkits Detected
Detection: Performance Evaluation
Identification: Kernel Rootkits Identified
Identification: Periodic Sampling
Security Analysis
Conclusion
Taught by
Black Hat
Related Courses
Introduction to LinuxLinux Foundation via edX 操作系统原理(Operating Systems)
Peking University via Coursera Internet of Things: Setting Up Your DragonBoard™ Development Platform
University of California, San Diego via Coursera Information Security-3
Indian Institute of Technology Madras via Swayam Introduction to Embedded Systems Software and Development Environments
University of Colorado Boulder via Coursera