We present LKRDet: a framework based on a Trusted Execution Environment to detect Kernel rootkits in IoT devices. LKRDet checks the consistency of hardware events, occurring in specific system call routines, to detect abnormalities caused by the kernel rootkits. LKRDet relies on Hardware Performance Counters to efficiently and safely count the hardware events occurring in the system. We implement a prototype of LKRDet for the ARM TrustZone architecture, on top of the Open Portable Trusted Execution Environment and evaluate our prototype with four popular rootkits. Our evaluation reveals that LKRDet can accurately detect the presence of all the rootkits in the device.

Efficient and Trusted Detection of Rootkit in IoT Devices via Offline Profiling and Online Monitoring

Lora, Michele;
2020-01-01

Abstract

We present LKRDet: a framework based on a Trusted Execution Environment to detect Kernel rootkits in IoT devices. LKRDet checks the consistency of hardware events, occurring in specific system call routines, to detect abnormalities caused by the kernel rootkits. LKRDet relies on Hardware Performance Counters to efficiently and safely count the hardware events occurring in the system. We implement a prototype of LKRDet for the ARM TrustZone architecture, on top of the Open Portable Trusted Execution Environment and evaluate our prototype with four popular rootkits. Our evaluation reveals that LKRDet can accurately detect the presence of all the rootkits in the device.
2020
9781450379441
rootkit detection, arm architectures, internet-of-things security
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11562/1028824
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 3
  • ???jsp.display-item.citation.isi??? ND
social impact