Authors:
Nezer Zaidenberg
1
;
Michael Kiperberg
2
;
Eliav Menachi
3
and
Asaf Eitani
3
Affiliations:
1
Department of Computer Science, Ariel University, Ariel, Israel
;
2
Department of Software Engineering, Shamoon College of Engineering, Bear Sheva, Israel
;
3
Faculty of Computer Science, College of Management Academic Studies, Rishon Le Zion, Israel
Keyword(s):
eBPF, Rootkit, Virtualization, Forensics.
Abstract:
There is a constant increase in the sophistication of cyber threats. Areas considered immune to malicious code, such as eBPF, are shown to be perfectly suitable for malware. Initially, the eBPF mechanism was devised to inject small programs into the kernel, assisting in network routing and filtering. Recently, it was demonstrated that malicious eBPF programs can be used to construct rootkits. The previously proposed countermeasures need to be revised against rootkits that attempt to hide their presence. We propose a novel detection scheme that divides the detection process into two phases. In the first phase, the memory image of the potentially infected system is acquired using a hypervisor. In the second phase, the image is analyzed. The analysis includes extraction and classification of the eBPF programs. The classifier’s decision is based on the set of helper functions used by each eBPF program. Our study revealed a set of helper functions used only by malicious eBPF programs. The
proposed scheme achieves optimal precision while suffering only a minor performance penalty for each additional eBPF program.
(More)