Open Source Summit Europe + ELC Europe 2017

A 'rootkit' typically refers to malicious software that enables an attacker to mask or obscure traces of intrusion and secure further control on a compromised system. While userland rootkits generally modify specific system binaries, kernel rootkits are especially insidious and powerful in that this class of rootkits can enable an attacker to subvert the heart of the system, granting abilities to modify kernel data structures and code. This talk aims to provide a beginner's introduction to Linux kernel rootkits and an overview of common methods used by attackers to cover their tracks. Since most existing literature on kernel rootkits focus on older 2.6.x kernels, we'll update these methods for newer kernels as needed. We'll also briefly cover general defenses against kernel rootkits. The talk will conclude with a demo on a modern 4.x kernel that employs the discussed methods and techniques.