Numchecker - A System Approach for Kernel Rootkit Detection
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a comprehensive framework for detecting and identifying control-flow modifying kernel rootkits in virtual machines through this 53-minute Black Hat conference talk. Learn about NumChecker, a Virtual Machine Monitor (VMM) based system that leverages Hardware Performance Counters to measure low-level events during system call execution. Discover the two-phase detection and identification process, including syscall measurement, kernel preemption handling, and choosing proper events. Examine real-world kernel rootkit detection results, performance evaluations, and security analysis of this practical and effective approach implemented on Linux with Kernel-based Virtual Machine.
Syllabus
Intro
Executive Summary
Kernel Rootkit Behavior Classification
Hardware Performance Counters (HPC)
Two-Phase Detection and identification
Syscall Measurement
Kernel Preemption Handling
Detection: Test Programs
Detection: Choosing Proper Events
Detection: Deviation Threshold
Detection: Kernel Rootkits Detected
Detection: Performance Evaluation
Identification: Kernel Rootkits Identified
Identification: Periodic Sampling
Security Analysis
Conclusion
Taught by
Black Hat
Related Courses
Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security ChipBlack Hat via YouTube Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube