Rootkit Detection and Mitigation Project Outbrief DARPA Contract N66001-06-C-2052 April 26, 2007

Summary Conclusions and Recommendations Best current approach is tailored detection Best current approach only detects known rootkits and techniques No current detection of unknown or new rootkits and techniques Solution: Collect evidence related to induced and passive indirect effects Collect evidence from multiple perspectives Probabilistic reasoning over evidence

Project Overview Purpose: Establish current state of rootkits and detection Project future state of rootkits and detection Identify promising solutions Approach: Collect and study rootkit samples Empirically test current detection methods Discussion with experts and practitioners Research emerging rootkits and detection approaches Propose solution

+ Threat Remote access to compromised systems and data Difficult to detect = Sensitive processing on compromised computers Statistics: ~100 entities conducting espionage against the U.S. Nine documented cases of corporate espionage Data theft accounts for 80% of cybercrime 46% of companies do not keep current on application patches Motive: Financial, strategic, military, political Means: Wide availability of tools Opportunity: Vulnerable systems, network connectivity

Current State Rootkits: Kernel mode drivers to provide functionality and stealth Prevention: Patch maintenance and standard security practices Detection: Tailored detection, cross view differences Mitigation: Full system containment Recovery: Restore known good (surgical recovery rare)

Detection Testing

Detection Testing: Alternate View

Detection Testing: Scored and Sorted

Future State Rootkits: Direct injection, plain sight, virtual machines Locations, platforms Distributed and cooperating Prevention: Signed code Detection: Multiple tailored methods, cross-view diffs and variations Mitigation: Selected mitigation possible Recovery: Virtual machine images, surgical restore possible

Solution Overview Required properties: Detect indirect rootkit effects Collect evidence from multiple perspectives Advanced evidence marshalling and reasoning Solution: Evidence collection as a suite of tests (induced and passive) Host agent to execute evidence collection Agent operates at five different levels Multi-Entity Bayesian Network to reason over evidence

Evidence Collection Tests Designed to detect indirect effects of rootkits Examples: Hidden process PID Hidden process memory footprint Data tracing

Host Agent Implemented as a virtual machine byte code interpreter: VM Interpreter Tests (evidence collection) are byte code sequences Other actions Advantages: Detection resistant Small footprint Verifiable integrity Views of system and data at different perspectives Extensible Cross platform

Multiple Levels Five levels (perspectives): Remote collection User-level tools Visible kernel driver Detection-resistant kernel driver Hardware device

Evidence Reasoning Multi-Entity Bayesian Network Collections of indicators as network fragments Logic to join fragments when evidence is received Local or remote Executes continuously Output: Likelihood of rootkit presence Reasoning chain Supporting evidence Contrarian evidence Additional evidence

Evaluation Develop variant and new rootkits (i.e., create “unknown” rootkits) Empirical testing against known and unknown rootkits Test deployments (truly unknown rootkits)

Solution Architecture

Concept of Operations Agent installation Detection mode Configurable Reasoner alert Analyst: Additional library tests Custom tests Collect data Take mitigation actions

Solution Development Phase 1: Tailored detection tool 6 months - $600k Optional Phase 2: Proof of Concept 6 months - $450k Concurrent with Phase 1 Phase 3: Functional Implementation 18 months - $2.7M After Phase 2 Phase 4: Extensions and Enhancements 12 months - $900k After Phase 3

Team SAIC: Rootkits, probabilistic reasoning, operational knowledge HBGary: Rootkits, agent IET: Probabilistic reasoning Northrup Grumman/TASC: Rootkits, operational knowledge

Discussion and Next Steps