Detecting eBPF Rootkits Using Virtualization and Memory Forensics

Nezer Jacob Zaidenberg, Michael Kiperberg, Eliav Menachi, Asaf Eitani

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

There is a constant increase in the sophistication of cyber threats. Areas considered immune to malicious code, such as eBPF, are shown to be perfectly suitable for malware. Initially, the eBPF mechanism was devised to inject small programs into the kernel, assisting in network routing and filtering. Recently, it was demonstrated that malicious eBPF programs can be used to construct rootkits. The previously proposed countermeasures need to be revised against rootkits that attempt to hide their presence. We propose a novel detection scheme that divides the detection process into two phases. In the first phase, the memory image of the potentially infected system is acquired using a hypervisor. In the second phase, the image is analyzed. The analysis includes extraction and classification of the eBPF programs. The classifier’s decision is based on the set of helper functions used by each eBPF program. Our study revealed a set of helper functions used only by malicious eBPF programs. The proposed scheme achieves optimal precision while suffering only a minor performance penalty for each additional eBPF program.

Original languageEnglish
Title of host publicationProceedings of the 10th International Conference on Information Systems Security and Privacy
EditorsGabriele Lenzini, Paolo Mori, Steven Furnell
PublisherScience and Technology Publications, Lda
Pages254-261
Number of pages8
ISBN (Print)9789897586835
DOIs
StatePublished - 2024
Event10th International Conference on Information Systems Security and Privacy, ICISSP 2024 - Rome, Italy
Duration: 26 Feb 202428 Feb 2024

Publication series

NameInternational Conference on Information Systems Security and Privacy
Volume1
ISSN (Electronic)2184-4356

Conference

Conference10th International Conference on Information Systems Security and Privacy, ICISSP 2024
Country/TerritoryItaly
CityRome
Period26/02/2428/02/24

Keywords

  • eBPF
  • Forensics
  • Rootkit
  • Virtualization

Fingerprint

Dive into the research topics of 'Detecting eBPF Rootkits Using Virtualization and Memory Forensics'. Together they form a unique fingerprint.

Cite this