{"title":"Kernel-level hidden rootkit detection based on eBPF","authors":"Yun-Che Yu, Ci-Yi Hung, Li-Der Chou","doi":"10.1016/j.cose.2025.104582","DOIUrl":null,"url":null,"abstract":"With the rapid development of the Internet, entrusting data and services to cloud providers has become a prevailing trend among enterprises. However, this shift has also introduced new security threats, particularly the potential dangers posed by rootkits. Once these malicious software programs gain control of a system, they can conceal the activities of attackers. In particular, kernel-level rootkits are especially threatening and markedly difficult to detect. To counter kernel-level rootkit attacks, this study proposes a detection mechanism called the hidden kernel rootkit detector, specifically designed to detect hidden objects within Linux kernel-level rootkits. The mechanism utilizes the extended Berkeley Packet Filter technology and checks system calls during execution by comparing them with backed-up addresses to determine if they have been hijacked. If hijacking is detected, the system call is restored to its original address, and the attacker is removed from the system. Before a context switch occurs, the integrity of the process and module about to be executed is verified, and before a socket sends or receives messages, it is checked for existence within the system to defend against direct kernel object manipulation attacks. If system objects are found to have been tampered with, then they are restored to their original state, and the attacker is removed from the system.","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104582"},"PeriodicalIF":4.8000,"publicationDate":"2025-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002718","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citation count: 0
Abstract
With the rapid development of the Internet, entrusting data and services to cloud providers has become a prevailing trend among enterprises. However, this shift has also introduced new security threats, particularly the potential dangers posed by rootkits. Once these malicious software programs gain control of a system, they can conceal the activities of attackers. In particular, kernel-level rootkits are especially threatening and markedly difficult to detect. To counter kernel-level rootkit attacks, this study proposes a detection mechanism called the hidden kernel rootkit detector, specifically designed to detect hidden objects within Linux kernel-level rootkits. The mechanism utilizes the extended Berkeley Packet Filter technology and checks system calls during execution by comparing them with backed-up addresses to determine if they have been hijacked. If hijacking is detected, the system call is restored to its original address, and the attacker is removed from the system. Before a context switch occurs, the integrity of the process and module about to be executed is verified, and before a socket sends or receives messages, it is checked for existence within the system to defend against direct kernel object manipulation attacks. If system objects are found to have been tampered with, then they are restored to their original state, and the attacker is removed from the system.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as the primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.