{"code":"K3VPXA","speakers":[{"code":"UBYVSX","name":"Leo","biography":"Cyber Security Analyst & Researcher","avatar":null}],"title":"Kernel Rootkit detection with eBPF time tracing","submission_type":"Talk","track":{"en":"Second Track"},"state":"canceled","abstract":"Rootkits are a specialized form of malware, with the goal of absolute stealth.\r\nThey have gone through an evolution over time,\r\nas have the efforts to detect them.\r\nThis talk presents a detection approach based on time probes that detect the delays caused\r\nby a rootkit.\r\nThis is realized with modern eBPF technology.\r\nAdditionally, a general overview of rootkits is given.","description":"Rootkits are a sophisticated class of malware.\r\nThey are used in the post-exploitation phase by attackers\r\nto maintain access and hide their tracks.\r\nRootkits underwent an evolution in which layer of the system they reside in, from system utilities, through libraries, to kernel modules and even beyond the OS in the firmware.\r\nSimilarly, the techniques rootkits use have evolved, and\r\ncomplementarily, the detection approaches have seen many additions and improvements.\r\nNevertheless, a rootkit running with sufficiently high permissions (e.g. in the kernel) can theoretically always defeat a detection program.\r\nThus the development of rootkits and of the respective detection is a tireless arms race.\r\nI will give an overview of rootkit types and go a bit into depth on how kernel rootkits work.\r\nThen I will show that there are actually only a few places in the Linux kernel where a rootkit can gain rootkit functionality.\r\nWith this knowledge I will show how to design time-measuring probes with eBPF that can catch the rootkit's actions by the delays that it causes.","duration":30,"slot_count":1,"do_not_record":false,"is_featured":false,"content_locale":"en","slot":{"room":{"en":"Track 2 (3.1 (Kreativ))"},"start":"2024-11-23T11:30:00+01:00","end":"2024-11-23T12:00:00+01:00"},"image":null,"resources":[]}