Root kit discovery with behavior-based anomaly detection through eBPF

Leonhard Alton

Publication: Thesis (Master's thesis)

Abstract


Cyberattacks happen constantly. One tool attackers use to maintain covert persistence on systems is the rootkit, a tool that hides the adversary's files and processes from the legitimate administrators. Rootkits that sit in the kernel are hard to detect, because there is no higher authority on the system. A number of methods have been proposed to detect rootkits, but the topic is in constant evolution as new rootkitting methods are developed and better detection approaches are proposed. In this thesis we look at the existing methods of rootkit detection and discuss behaviour-based anomaly detection in more detail. First we look at what types of rootkits exist and compare several of them, finding similarities in how kernel rootkits manipulate the kernel. Then we argue why there are only few points in the kernel where a rootkit could intervene to achieve rootkit functionality. Next, we dissect the getdents system call, which is the target of most kernel rootkits, as it is the one and only interface through which the kernel lists files and processes to userspace. The main idea of the work conducted in this thesis is to develop an algorithm that catches the rootkit's actions by measuring the runtime of certain pieces of kernel code. We demonstrate the time measurement with a proof-of-concept implementation using eBPF [5] technology and the BCC toolchain [87]. Furthermore, to evaluate this on recent (6.5+) kernels, we implement our own rootkit, since no publicly available rootkits work on recent kernels. Our experiments show that, when measured at the correct place, a rootkit creates evident time-delay artefacts that could facilitate automatic rootkit detection.
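The abstract describes the detection idea (time getdents and look for a delay artefact) without showing it. The following is an added illustration, not the thesis' proof-of-concept code: a BCC-style kprobe/kretprobe pair that records the latency of each getdents64 call (an assumed sketch that needs root and the bcc package; the function names, the event struct and the collection loop are this example's own), plus an offline anomaly detector that learns a robust baseline from clean latency samples and flags a window whose median latency shifts far beyond it. The latency values are constructed here to stand in for measured ones.

```python
"""Toy version of the abstract's idea: measure getdents64 latency in the
kernel with eBPF and flag windows whose latency deviates from a baseline.

The eBPF program is an assumed BCC sketch (not the thesis' PoC); run_tracer()
needs root and the bcc package. The analysis runs offline on constructed data.
"""
import statistics
import time

# Assumed BCC program: store the entry timestamp per thread, emit the delta on return.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>

BPF_HASH(start, u32, u64);                 // tid -> entry timestamp (ns)
struct event_t { u32 pid; u64 delta_ns; };
BPF_PERF_OUTPUT(events);

int trace_entry(struct pt_regs *ctx) {
    u32 tid = bpf_get_current_pid_tgid();  // low 32 bits: thread id
    u64 ts = bpf_ktime_get_ns();
    start.update(&tid, &ts);
    return 0;
}

int trace_return(struct pt_regs *ctx) {
    u64 pid_tgid = bpf_get_current_pid_tgid();
    u32 tid = pid_tgid;
    u64 *tsp = start.lookup(&tid);
    if (tsp == 0)
        return 0;                          // entry was missed, nothing to measure
    struct event_t ev = {};
    ev.pid = pid_tgid >> 32;
    ev.delta_ns = bpf_ktime_get_ns() - *tsp;
    start.delete(&tid);
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""


def run_tracer(seconds=10):
    """Attach the program with BCC (root required) and return observed latencies (ns)."""
    from bcc import BPF  # imported lazily so the offline analysis works without bcc
    b = BPF(text=BPF_TEXT)
    fn = b.get_syscall_fnname("getdents64")
    b.attach_kprobe(event=fn, fn_name="trace_entry")
    b.attach_kretprobe(event=fn, fn_name="trace_return")
    latencies = []

    def handle(cpu, data, size):
        latencies.append(b["events"].event(data).delta_ns)

    b["events"].open_perf_buffer(handle)
    deadline = time.time() + seconds
    while time.time() < deadline:
        b.perf_buffer_poll(timeout=100)
    return latencies


def baseline(samples_ns):
    """Median and MAD-derived sigma of clean samples; robust to timing outliers."""
    med = statistics.median(samples_ns)
    mad = statistics.median(abs(x - med) for x in samples_ns) or 1.0
    return med, 1.4826 * mad  # scale MAD to a sigma-equivalent


def anomaly_score(window_ns, base):
    """How many robust sigmas the window's median latency sits above the baseline."""
    med, sigma = base
    return (statistics.median(window_ns) - med) / sigma


def is_anomalous(window_ns, base, threshold=5.0):
    return anomaly_score(window_ns, base) > threshold


def detect_windows(stream_ns, base, window=11, threshold=5.0):
    """Scan a latency stream in fixed windows; return start indices of flagged windows."""
    flagged = []
    for i in range(0, len(stream_ns) - window + 1, window):
        if is_anomalous(stream_ns[i:i + window], base, threshold):
            flagged.append(i)
    return flagged


# Constructed sample latencies (ns): a clean baseline, a clean window, and a window
# with an extra ~25 us, the kind of delay a hook filtering directory entries adds.
BASELINE_NS = [3900, 4050, 4100, 4120, 4150, 4180, 4200, 4250, 4300, 4400, 4600,
               5200, 3980, 4110, 4210, 4330, 4010, 4170, 4290, 4450, 4060]
CLEAN_WINDOW_NS = [4090, 4210, 4130, 4300, 4020, 4170, 4260, 4120, 4400, 4190, 4080]
ROOTKIT_WINDOW_NS = [29300, 28900, 30100, 29600, 28700, 31200, 29100, 29900, 30400,
                     29000, 29500]

if __name__ == "__main__":
    base = baseline(BASELINE_NS)
    print("clean window score:  %.2f" % anomaly_score(CLEAN_WINDOW_NS, base))
    print("rootkit window score: %.2f" % anomaly_score(ROOTKIT_WINDOW_NS, base))
    print("flagged windows:", detect_windows(CLEAN_WINDOW_NS + ROOTKIT_WINDOW_NS, base))
```

A median/MAD baseline is used instead of mean/standard deviation because syscall latency has a heavy tail (page cache misses, scheduling) that would otherwise inflate the threshold. In a real deployment the baseline would also have to be bucketed by the number of bytes getdents64 returns, since listing a large directory is legitimately slower than listing a small one.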
Original language: English
Qualification: Diplomingenieur
Degree-granting institution
  • TU Wien
Supervisor / Advisor
  • Lindorfer, Martina, Supervisor, External person
  • Skopik, Florian, Advisor
  • Landauer, Max, Advisor
  • Hotwagner, Wolfgang, Advisor
Date of approval: 30 Oct 2024
Publication status: Published - 2024

Research Field

  • Cyber Security
