TY - GEN
T1 - Detecting eBPF Rootkits Using Virtualization and Memory Forensics
AU - Zaidenberg, Nezer Jacob
AU - Kiperberg, Michael
AU - Menachi, Eliav
AU - Eitani, Asaf
N1 - Publisher Copyright:
© 2024 by SCITEPRESS - Science and Technology Publications, Lda.
PY - 2024/1/1
Y1 - 2024/1/1
N2 - There is a constant increase in the sophistication of cyber threats. Areas considered immune to malicious code, such as eBPF, are shown to be perfectly suitable for malware. Initially, the eBPF mechanism was devised to inject small programs into the kernel, assisting in network routing and filtering. Recently, it was demonstrated that malicious eBPF programs can be used to construct rootkits. The previously proposed countermeasures need to be revised against rootkits that attempt to hide their presence. We propose a novel detection scheme that divides the detection process into two phases. In the first phase, the memory image of the potentially infected system is acquired using a hypervisor. In the second phase, the image is analyzed. The analysis includes extraction and classification of the eBPF programs. The classifier’s decision is based on the set of helper functions used by each eBPF program. Our study revealed a set of helper functions used only by malicious eBPF programs. The proposed scheme achieves optimal precision while suffering only a minor performance penalty for each additional eBPF program.
KW - eBPF
KW - Forensics
KW - Rootkit
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=85190832056&partnerID=8YFLogxK
U2 - 10.5220/0012470800003648
DO - 10.5220/0012470800003648
M3 - Conference contribution
AN - SCOPUS:85190832056
SN - 9789897586835
T3 - International Conference on Information Systems Security and Privacy
SP - 254
EP - 261
BT - Proceedings of the 10th International Conference on Information Systems Security and Privacy
A2 - Lenzini, Gabriele
A2 - Mori, Paolo
A2 - Furnell, Steven
PB - Science and Technology Publications, Lda
T2 - 10th International Conference on Information Systems Security and Privacy, ICISSP 2024
Y2 - 26 February 2024 through 28 February 2024
ER -