Identifying Systemic Threats to Kernel Data: Attacks and Defense Techniques

Introduction

Integrity of the operating system kernel is critical to the security of all applications and data on the computer system. Tampering with the kernel is traditionally performed by malware, commonly known as rootkits. The term “rootkit” was originally used to refer to a toolkit developed by the attacker, which would help conceal his presence on the compromised system. The rootkit was typically installed after the attacker obtained “root” level control and attempted to hide the malicious objects belonging to him, such as files, processes and network connections.

A rootkit infested system can be exploited by remote attackers stealthily, such as exfiltration of sensitive information or system involvement in fraudulent or malicious activities without the user’s knowledge or permission. The lack of appropriate detection tools allows such systems to stealthily lie within the attackers realm for indefinite periods of time. Recent studies have shown a phenomenal increase in the number of malware that use stealth techniques commonly employed by rootkits. For example, a report by MacAfee Avert Labs (MacAfee, 2006) observes a 600% increase in the number of rootkits in the three year period from 2004-2006. Indeed, this trend continues even today; according to the forum antirootkit.com (Antirootkit, n.d.), over 200 rootkits were discovered in the first quarter of 2008 alone.