JITScanner: Just-in-Time Executable Page Check in the Linux Operating System

Pasquale Caporaso, Giuseppe Bianchi, F. Quaglia
DOI: 10.1145/3600160.3605035 (https://doi.org/10.1145/3600160.3605035)
Published in: Proceedings of the 18th International Conference on Availability, Reliability and Security
Publication date: 2023-08-29
Citation count: 0

Abstract

Modern malware has become increasingly sophisticated, posing a significant threat to cybersecurity. As a result, researchers and security professionals are constantly seeking more advanced methods to detect and analyze malware. Most of these methods are under the umbrella of dynamic analysis, which offers advantages over static analysis—it allows for the observation of runtime behavior and the detection of obfuscated or encrypted code that may be used to evade detection. However, running executables in a controlled environment can be costly, often leading to a pragmatic compromise of running them with sandboxing only for a limited initial time. In this paper, we propose a different approach to dynamic executable analysis: we analyze the presence of malicious signatures in the executable virtual pages of an application the moment they are materialized in RAM—possibly with new content after an update. We specifically design and evaluate JITScanner, a Linux-oriented package based on a Loadable Kernel Module (LKM), which supports checking any executable page each time its fresh content located in RAM is accessed for instruction fetch, enabling the detection of malicious updates to executable pages. The user-level component of the architecture communicates with the LKM via a scalable solution that exploits multi-processor/core technology. We also present experimental data that show the effectiveness of our solution and its promising potential.