A framework for prototyping and testing data-only rootkit attacks

Abstract

Kernel rootkits—attacks which modify a running operating system kernel in order to hide an attacker's presence—are significant threats. Recent advances in rootkit defense technology will force rootkit threats to rely on only modifying kernel data structures without injecting and executing any new code; however these data-only kernel rootkit attacks are still both realistic and powerful. In this work we present DORF, a framework for prototyping and testing data-only rootkit attacks. DORF is an object-oriented framework that allows researchers to construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF contains a group of existing and new data-only attacks, and the portability of DORF is demonstrated by porting it to 6 different Linux distributions. The goal of DORF is to allow researchers to construct repeatable experiments with little effort, which will in turn advance research into data-only attacks and defenses.