BSidesVienna 0x7e8

Kernel Rootkit detection with eBPF time tracing
11-23, 11:30–12:00 (Europe/Vienna), Track 2 (3.1 (Kreativ))

Rootkits are a specialized form of malware whose goal is absolute stealth.
They have gone through an evolution over time,
as have the efforts to detect them.
This talk presents a detection approach based on time probes that detect the delays caused
by a rootkit.
It is realized with modern eBPF technology.
Additionally, a general overview of rootkits is given.


Rootkits are a sophisticated class of malware.
Attackers use them in the post-exploitation phase
to maintain access and hide their tracks.
Rootkits have evolved in terms of which layer of the system they reside in: from system utilities, to libraries, to kernel modules, and even beyond the OS into the firmware.
Similarly, the techniques rootkits use have evolved, and
the detection approaches have in turn seen many complementary additions and improvements.
Nevertheless, a rootkit running with sufficiently high privileges (e.g. in the kernel) can theoretically always defeat a detection program.
Thus the development of rootkits and of their detection is a tireless arms race.
I will give an overview of rootkit types and go into some depth on how kernel rootkits work.
Then I will show that there are actually only a few places in the Linux kernel where a rootkit can hook in to gain its functionality.
With this knowledge I will show how to design time-measuring probes with eBPF that can catch a rootkit's actions by the delays it causes.
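To make the time-probe idea concrete, here is an added example of a syscall latency probe in the same spirit; it is not the speaker's code and does not reproduce the probe design from the talk. It assumes x86-64 Linux, the BCC toolkit (python3-bcc) and root for the eBPF part, and that syscall number 217 is getdents64 (the call file-hiding kernel rootkits commonly hook). The eBPF program timestamps the raw_syscalls sys_enter/sys_exit tracepoints per thread and records the elapsed nanoseconds in a log2 histogram; the Python part learns a baseline distribution and flags later windows whose calls mostly exceed the baseline's 99th-percentile bucket. The constants, map names and sample histograms are all mine and constructed for illustration.

```python
"""Syscall time-tracing probe with eBPF, in the spirit of the talk's approach.

Added illustration, not the speaker's code.  Assumptions: x86-64 Linux, the BCC
toolkit (python3-bcc) and root for the eBPF part.  Syscall 217 is getdents64 on
x86-64, which file-hiding rootkits commonly hook.  The histogram comparison is
plain Python and runs without a kernel.
"""
import time

try:
    from bcc import BPF          # only needed to actually attach the probes
except ImportError:
    BPF = None

GETDENTS64_NR = 217              # assumption: x86-64 syscall number

# eBPF C program.  The raw_syscalls tracepoints fire before table dispatch and
# after the handler returns, so a wrapper installed through the syscall table
# and an ftrace hook on the handler both land inside the measured interval.
BPF_PROGRAM = r"""
BPF_HASH(start, u32, u64);
BPF_HISTOGRAM(dist);

TRACEPOINT_PROBE(raw_syscalls, sys_enter) {
    if (args->id != SYSCALL_NR)
        return 0;
    u32 tid = bpf_get_current_pid_tgid();      /* low 32 bits: thread id */
    u64 ts = bpf_ktime_get_ns();
    start.update(&tid, &ts);
    return 0;
}

TRACEPOINT_PROBE(raw_syscalls, sys_exit) {
    if (args->id != SYSCALL_NR)
        return 0;
    u32 tid = bpf_get_current_pid_tgid();
    u64 *tsp = start.lookup(&tid);
    if (tsp == 0)
        return 0;
    u64 delta = bpf_ktime_get_ns() - *tsp;
    start.delete(&tid);
    dist.increment(bpf_log2l(delta));          /* bucket b = [2^b, 2^(b+1)) ns */
    return 0;
}
"""


class LatencyProbe:
    """Loads the program once; each sample() clears the histogram and collects anew."""

    def __init__(self, syscall_nr=GETDENTS64_NR):
        if BPF is None:
            raise RuntimeError("BCC is not installed; cannot attach eBPF probes")
        # TRACEPOINT_PROBE functions are attached automatically on load.
        self.bpf = BPF(text=BPF_PROGRAM.replace("SYSCALL_NR", str(syscall_nr)))

    def sample(self, seconds):
        """Return {log2_bucket: count} for calls completed during `seconds`."""
        self.bpf["dist"].clear()
        time.sleep(seconds)
        return {k.value: v.value for k, v in self.bpf["dist"].items() if v.value}


def tail_bucket(hist, quantile=0.99):
    """Smallest bucket at which the cumulative count reaches `quantile` of all samples."""
    total, seen = sum(hist.values()), 0
    for bucket in sorted(hist):
        seen += hist[bucket]
        if seen >= quantile * total:
            return bucket
    return max(hist)


def tail_fraction(hist, bucket):
    """Fraction of samples that landed in a bucket above `bucket`, i.e. took longer."""
    total = sum(hist.values())
    return sum(c for b, c in hist.items() if b > bucket) / total if total else 0.0


def delay_detected(baseline, observed, quantile=0.99, max_fraction=0.05):
    """Flag the window when more than `max_fraction` of its calls exceed the
    baseline's `quantile` latency bucket.  A hook that walks and filters every
    directory buffer shifts the whole distribution up, not just its tail."""
    return tail_fraction(observed, tail_bucket(baseline, quantile)) > max_fraction


# Constructed sample histograms (not measurements): a clean baseline, a clean
# later window, and a window where every call took about 4-16x longer.
CLEAN_BASELINE = {10: 900, 11: 95, 12: 5}
CLEAN_LATER = {10: 880, 11: 100, 12: 20}
HOOKED_WINDOW = {12: 700, 13: 250, 14: 50}


if __name__ == "__main__":
    probe = LatencyProbe()
    baseline = probe.sample(30)      # learn on a host believed to be clean
    while True:
        window = probe.sample(10)
        verdict = "DELAY" if delay_detected(baseline, window) else "ok"
        print(f"tail fraction {tail_fraction(window, tail_bucket(baseline)):.3f} {verdict}")
```

Two caveats a practitioner should keep in mind. The baseline is only meaningful for the same host and a comparable workload: CPU frequency scaling, page-cache state and directory sizes all move the distribution, so the threshold needs tuning and a clean-host baseline, and a whole-distribution shift is a stronger signal than a few slow outliers. And the measurement point decides which hooks are visible: anything inserted between the two tracepoints (syscall-table wrappers, ftrace hooks on the handler) adds to the measured delay, while a hook placed before sys_enter or after sys_exit in the entry path, or one that tampers with the eBPF maps themselves, is outside this window, which is the arms race the abstract describes.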

Leo

Cyber Security Analyst & Researcher