
Static Detection of Kernel-level Rootkits Based on Symbolic Execution
Cite this article: YI Yu, JIN Ran. Static Detection of Kernel-level Rootkits Based on Symbolic Execution [J]. Computer Engineering and Design, 2006, 27(16): 3064-3068.
Authors: YI Yu, JIN Ran
Affiliation: College of Information Engineering, PLA Information Engineering University, Zhengzhou 450002, Henan, China
Abstract: A rootkit is a set of tools that an attacker uses to hide traces and retain access privileges. A kernel-level rootkit loaded into the system kernel makes the operating system itself untrustworthy and poses a serious security risk. This paper builds a complete model for detecting kernel-level rootkits through static analysis, constructs a generally applicable definition of rootkit behavior and proves it to be necessary and sufficient, applies symbolic execution for the static analysis, uses a taint propagation mechanism, and optimizes the analysis process according to the characteristics of the model. Kernel-level rootkit detection based on this model has high accuracy and good forward-looking capability.

Keywords: rootkit detection; static analysis; symbolic execution; taint propagation
Article number: 1000-7024(2006)16-3064-05
Received: 2005-06-17
Revised: 2005-06-17

Kernel-level Rootkit detection model based on static analysis
YI Yu, JIN Ran. Kernel-level Rootkit detection model based on static analysis [J]. Computer Engineering and Design, 2006, 27(16): 3064-3068.
Authors: YI Yu, JIN Ran
Abstract: A rootkit is a collection of utilities that an attacker uses to hide traces and preserve access privileges. A rootkit that can be loaded into the system kernel, called a kernel rootkit, makes the operating system untrustworthy and results in serious hidden security risks. A complete model for detecting kernel rootkits by static analysis is established, and a universal definition of rootkit behavior is given and proved to be necessary and sufficient. Static analysis by symbolic execution is adopted, a tainting mechanism is used, and the analysis process is optimized according to the characteristics of the model. Kernel rootkit detection based on this model has good accuracy and good forecasting ability.
Keywords:Windows
This article is indexed by CNKI, VIP, Wanfang Data and other databases.
