{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:24:47Z","timestamp":1761812687612,"version":"build-2065373602"},"publisher-location":"Cham","reference-count":47,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032081230","type":"print"},{"value":"9783032081247","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T00:00:00Z","timestamp":1761868800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T00:00:00Z","timestamp":1761868800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-08124-7_25","type":"book-chapter","created":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:22:43Z","timestamp":1761812563000},"page":"431-451","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["HYPERSEC: An\u00a0Extensible Hypervisor-Assisted Framework for\u00a0Kernel Rootkit Detection"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-3883-9664","authenticated-orcid":false,"given":"Lionel","family":"Hemmerl\u00e9","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7176-9760","authenticated-orcid":false,"given":"Guillaume","family":"Hiet","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2420-6105","authenticated-orcid":false,"given":"Fr\u00e9d\u00e9ric","family":"Tronel","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9681-644X","authenticated-orcid":false,"given":"Pierre","family":"Wilke","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6951-4702","authenticated-orcid":false,"given":"Jean-Christophe","family":"Pr\u00e9votet","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,10,31]]},"reference":[{"key":"25_CR1","unstructured":"Linux rootkit adapted for 2.6 and 3.x (2024). https:\/\/github.com\/yaoyumeng\/adore-ng"},{"key":"25_CR2","unstructured":"Armv8-a architecture registers (2024). https:\/\/developer.arm.com\/documentation\/ddi0595\/2020-12\/AArch64-Registers\/HFGITR-EL2--Hypervisor-Fine-Grained-Instruction-Trap-Register"},{"key":"25_CR3","unstructured":"Introduction to Large System Extensions (2024). https:\/\/learn.arm.com\/learning-paths\/servers-and-cloud-computing\/lse\/intro\/"},{"issue":"5","key":"25_CR4","doi-asserted-by":"publisher","first-page":"670","DOI":"10.1109\/TDSC.2010.38","volume":"8","author":"A Baliga","year":"2011","unstructured":"Baliga, A., Ganapathy, V., Iftode, L.: Detecting kernel-level rootkits using data structure invariants. IEEE Trans. Dependable Secur. Comput. 8(5), 670\u2013684 (2011). https:\/\/doi.org\/10.1109\/TDSC.2010.38","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"25_CR5","unstructured":"Source code (2024). https:\/\/www.gnu.org\/software\/binutils\/"},{"key":"25_CR6","unstructured":"Hypervisor memory introspection - specification (2023). https:\/\/hvmi.readthedocs.io\/en\/latest\/index.html"},{"key":"25_CR7","unstructured":"Bpf type format (btf) \u2014 the linux kernel documentation (2024). https:\/\/docs.kernel.org\/bpf\/btf.html"},{"key":"25_CR8","unstructured":"Buzeti, J.: R3tr074\/brokepkg: The lkm rootkit working in linux kernels 2.6.x\/3.x\/4.x\/5.x (2024). https:\/\/github.com\/R3tr074\/brokepkg"},{"key":"25_CR9","doi-asserted-by":"publisher","unstructured":"Canella, C., Schwarz, M., Haubenwallner, M., Schwarzl, M., Gruss, D.: Kaslr: break it, fix it, repeat. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 481\u2013493. ACM, New York, NY, USA (2020). https:\/\/doi.org\/10.1145\/3320269.3384747","DOI":"10.1145\/3320269.3384747"},{"key":"25_CR10","unstructured":"Cilium: BPF and XDP Reference Guide (2022)"},{"key":"25_CR11","doi-asserted-by":"publisher","unstructured":"Cota, E.G., Bonzini, P., Benn\u00e9e, A., Carloni, L.P.: Cross-isa machine emulation for multicores. In: 2017 IEEE\/ACM International Symposium on Code Generation and Optimization (CGO), pp. 210\u2013220. IEEE, Washington, D.C., USA (2017). https:\/\/doi.org\/10.1109\/CGO.2017.7863741","DOI":"10.1109\/CGO.2017.7863741"},{"key":"25_CR12","unstructured":"Vulnerability details (2024). https:\/\/www.cvedetails.com\/cve\/CVE-2023-2163\/"},{"key":"25_CR13","doi-asserted-by":"publisher","unstructured":"Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: IEEE Symposium on Security and Privacy, pp. 297\u2013312. IEEE, Washington, D.C., USA (2011). https:\/\/doi.org\/10.1109\/SP.2011.11","DOI":"10.1109\/SP.2011.11"},{"key":"25_CR14","unstructured":"Exclusive monitors (2024). https:\/\/dynamorio.org\/page_ldstex.html"},{"key":"25_CR15","unstructured":"Eitani, A.: Detecting drovorub\u2019s file operations hooking with tracee (2022). https:\/\/www.aquasec.com\/blog\/detect-drovorub-kernel-rootkit-attack-tracee\/"},{"key":"25_CR16","doi-asserted-by":"publisher","unstructured":"Fu, Y., Lin, Z.: Space traveling across vm: automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: IEEE Symposium on Security and Privacy, pp. 586\u2013600. IEEE, Washington, D.C., USA (2012). https:\/\/doi.org\/10.1109\/SP.2012.40","DOI":"10.1109\/SP.2012.40"},{"key":"25_CR17","unstructured":"Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium, San Diego, California, USA, pp. 191\u2013206. The Internet Society, 11710 Plaza America Drive, Suite 400, Reston, VA 20190, USA (2003)"},{"key":"25_CR18","doi-asserted-by":"publisher","unstructured":"Guthaus, M., Ringenberg, J., Ernst, D., Austin, T., Mudge, T., Brown, R.: Mibench: a free, commercially representative embedded benchmark suite. In: Proceedings of the Fourth Annual IEEE International Workshop on Workload Characterization, pp. 3\u201314. IEEE, Washington, D.C., USA (2001). https:\/\/doi.org\/10.1109\/WWC.2001.990739","DOI":"10.1109\/WWC.2001.990739"},{"issue":"2","key":"25_CR19","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1145\/1243418.1243424","volume":"41","author":"GC Hunt","year":"2007","unstructured":"Hunt, G.C., Larus, J.R.: Singularity: rethinking the software stack. ACM SIGOPS Oper. Syst. Rev. 41(2), 37\u201349 (2007). https:\/\/doi.org\/10.1145\/1243418.1243424","journal-title":"ACM SIGOPS Oper. Syst. Rev."},{"key":"25_CR20","doi-asserted-by":"publisher","unstructured":"Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: Sok: introspections on trust and the semantic gap. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, 18\u201321 May 2014, pp. 605\u2013620. IEEE Computer Society, Washington, D.C., USA (2014). https:\/\/doi.org\/10.1109\/SP.2014.45","DOI":"10.1109\/SP.2014.45"},{"key":"25_CR21","doi-asserted-by":"publisher","unstructured":"Jang, D., Lee, H., Kim, M., Kim, D., Kim, D., Kang, B.B.: Atra: address translation redirection attack against hardware-based external monitors. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 167\u2013178. ACM, New York, NY, USA (2014). https:\/\/doi.org\/10.1145\/2660267.2660303","DOI":"10.1145\/2660267.2660303"},{"key":"25_CR22","doi-asserted-by":"crossref","unstructured":"Landauer, M., Alton, L., Lindorfer, M., Skopik, F., Wurzenberger, M., Hotwagner, W.: Trace of the times: rootkit detection through temporal anomalies in kernel activity (2025). https:\/\/arxiv.org\/abs\/2503.02402","DOI":"10.1145\/3770085"},{"key":"25_CR23","unstructured":"Lauterbach GmbH: Trace32: ARMv8-A\/-R Debugger (2024). support for exclusive monitor, page 157"},{"issue":"2","key":"25_CR24","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1109\/TDSC.2017.2679710","volume":"16","author":"H Lee","year":"2017","unstructured":"Lee, H., et al.: Ki-mon arm: a hardware-assisted event-triggered monitoring platform for mutable kernel object. IEEE Trans. Dependable Secure Comput. 16(2), 287\u2013300 (2017). https:\/\/doi.org\/10.1109\/TDSC.2017.2679710","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"25_CR25","unstructured":"Linux on-the-fly kernel patching without lkm (2001). http:\/\/phrack.org\/issues\/58\/7.html"},{"key":"25_CR26","unstructured":"lockdep.h (2022). https:\/\/elixir.bootlin.com\/linux\/v5.15.36\/source\/include\/linux\/lockdep.h#L535"},{"key":"25_CR27","unstructured":"Matveychikov, I.V.: Kopycat - linux kernel module-less implant (backdoor) (2021). https:\/\/github.com\/milabs\/kopycat"},{"key":"25_CR28","unstructured":"Mello, V.R.: Diamorphine: lkm rootkit for linux kernels 2.6.x\/3.x\/4.x\/5.x\/6.x (x86\/x86_64 and arm64) (2024). https:\/\/github.com\/m0nad\/Diamorphine"},{"key":"25_CR29","unstructured":"Morris, J., Sala\u00fcn, M., Gopinath, T.: Linux virtualization based security (lvbs) (2023). https:\/\/lpc.events\/event\/17\/contributions\/1515\/"},{"key":"25_CR30","doi-asserted-by":"publisher","unstructured":"Necula, G.C., Lee, P.: Safe kernel extensions without run-time checking. SIGOPS Oper. Syst. Rev. 30(SI), 229\u2013243 (1996). https:\/\/doi.org\/10.1145\/238721.238781","DOI":"10.1145\/238721.238781"},{"key":"25_CR31","doi-asserted-by":"publisher","unstructured":"Patel, A., Daftedar, M., Shalan, M., El-Kharashi, M.W.: Embedded hypervisor xvisor: a comparative analysis. In: 2015 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, pp. 682\u2013691. IEEE, Washington, D.C., USA (2015). https:\/\/doi.org\/10.1109\/PDP.2015.108","DOI":"10.1109\/PDP.2015.108"},{"key":"25_CR32","doi-asserted-by":"publisher","unstructured":"Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: an architecture for secure active monitoring using virtualization. In: IEEE Symposium on Security and Privacy, pp. 233\u2013247. IEEE, Washington, D.C., USA (2008). https:\/\/doi.org\/10.1109\/SP.2008.24","DOI":"10.1109\/SP.2008.24"},{"key":"25_CR33","doi-asserted-by":"publisher","unstructured":"Pham, D.P., Marion, D., Heuser, A.: Ultra: ultimate rootkit detection over the air. In: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 232\u2013251. ACM, New York, NY, USA (2022). https:\/\/doi.org\/10.1145\/3545948.3545962","DOI":"10.1145\/3545948.3545962"},{"key":"25_CR34","unstructured":"phoronix test suite (2019). https:\/\/www.phoronix-test-suite.com\/"},{"key":"25_CR35","doi-asserted-by":"publisher","unstructured":"Ruan, X.: Boot with integrity, or don\u2019t boot. In: Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine, chap.\u00a06, pp. 143\u2013163. Apress (2014). https:\/\/doi.org\/10.1007\/978-1-4302-6572-6_6","DOI":"10.1007\/978-1-4302-6572-6_6"},{"key":"25_CR36","unstructured":"Rutkowska, J.: Introducing stealth malware taxonomy (2006)"},{"key":"25_CR37","unstructured":"Samsung: Real-time kernel protection (2024). https:\/\/docs.samsungknox.com\/admin\/fundamentals\/whitepaper\/core-platform-security\/real-time-kernel-protection\/"},{"key":"25_CR38","unstructured":"Linux rootkits part 3: A backdoor to root (2020). https:\/\/xcellerator.github.io\/posts\/linux_rootkits_03\/"},{"key":"25_CR39","doi-asserted-by":"publisher","unstructured":"St\u00fchn, J., Hilgert, J.N., Lambertz, M.: The hidden threat: analysis of linux rootkit techniques and limitations of current detection tools. Digital Threats 5(3) (2024). https:\/\/doi.org\/10.1145\/3688808","DOI":"10.1145\/3688808"},{"key":"25_CR40","unstructured":"UEFI Forum: Unified Extensible Firmware Interface Specification (2019). https:\/\/uefi.org\/sites\/default\/files\/resources\/UEFI_Spec_2_8_final.pdf, version 2.8"},{"key":"25_CR41","unstructured":"Wavestone Cybersecurity and Digital Trust practice: EDRSandBlast (2022). https:\/\/github.com\/wavestone-cdt\/EDRSandblast"},{"issue":"1","key":"25_CR42","first-page":"22","volume":"42","author":"M Wei","year":"2019","unstructured":"Wei, M., Amit, N.: Leveraging hyperupcalls to bridge the semantic gap: an application perspective. IEEE Data Eng. Bull. 42(1), 22\u201335 (2019)","journal-title":"IEEE Data Eng. Bull."},{"key":"25_CR43","doi-asserted-by":"publisher","unstructured":"Westphal, F., Axelsson, S., Neuhaus, C., Polze, A.: Vmi-pl: a monitoring language for virtual platforms using virtual machine introspection. Digit. Investig. 11, S85\u2013S94 (2014). https:\/\/doi.org\/10.1016\/j.diin.2014.05.016, fourteenth Annual DFRWS Conference","DOI":"10.1016\/j.diin.2014.05.016"},{"key":"25_CR44","doi-asserted-by":"crossref","unstructured":"Whitaker, A., Shaw, M., Gribble, S.D., et\u00a0al.: Denali: lightweight virtual machines for distributed and networked applications. Technical report, University of Washington (2002)","DOI":"10.1145\/1133373.1133375"},{"key":"25_CR45","doi-asserted-by":"publisher","unstructured":"Xiao, J., Lu, L., Wang, H., Zhu, X.: Hyperlink: virtual machine introspection and memory forensic analysis without kernel source code. In: International Conference on Autonomic Computing, pp. 127\u2013136. IEEE, Washington, D.C., USA (2016). https:\/\/doi.org\/10.1109\/ICAC.2016.46","DOI":"10.1109\/ICAC.2016.46"},{"key":"25_CR46","unstructured":"Xvisor hypervisor (2024). https:\/\/github.com\/xvisor\/xvisor"},{"key":"25_CR47","unstructured":"Zhao, S., Ding, X., Xu, W., Gu, D.: Seeing through the same lens: introspecting guest address space at native speed. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 799\u2013813. USENIX Association, Vancouver, BC (2017)"}],"container-title":["Lecture Notes in Computer Science","Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-08124-7_25","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:22:52Z","timestamp":1761812572000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-08124-7_25"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,31]]},"ISBN":["9783032081230","9783032081247"],"references-count":47,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-08124-7_25","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,31]]},"assertion":[{"value":"31 October 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"The authors have no competing interests to declare that are relevant to the content of this article.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Disclosure of Interests"}},{"value":"ISC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Seoul","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Korea (Republic of)","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 October 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 October 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"isw2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/isc25.skku.edu\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}