Efficient and Trusted Detection of Rootkit in IoT Devices via Offline Profiling and Online Monitoring

2020 
We present LKRDet, a framework based on a Trusted Execution Environment to detect kernel rootkits in IoT devices. LKRDet checks the consistency of hardware events occurring in specific system call routines to detect abnormalities caused by kernel rootkits. LKRDet relies on Hardware Performance Counters to efficiently and safely count the hardware events occurring in the system. We implement a prototype of LKRDet for the ARM TrustZone architecture, on top of the Open Portable Trusted Execution Environment, and evaluate our prototype with four popular rootkits. Our evaluation reveals that LKRDet can accurately detect the presence of all the rootkits in the device.