
feat(root): add KernelSU timing side-channel detection#9

Open
ZnDong wants to merge 1 commit into 1193776794:main from ZnDong:add-ksu-side-channel-detection

Conversation


@ZnDong ZnDong commented Feb 19, 2026

Implement kernel-level syscall hook detection for KernelSU by comparing faccessat (hooked by KSU) vs fchownat (not hooked) execution timing.

Reference: https://bbs.kanxue.com/thread-288928.htm

Detection algorithm:

  • Bind thread to big core for stable measurements
  • Collect 10000 timing samples for both faccessat and fchownat
  • Use hardware counter (CNTVCT_EL0) on ARM64 for nanosecond precision
  • Sort both arrays to reduce noise and outliers
  • Compare element-by-element: count cases where faccessat > fchownat + 1
  • If anomaly rate exceeds 70% (7000/10000), KernelSU hook detected

Key design decisions:

  • Both syscalls use dirfd=-1 (invalid fd) to ensure symmetric kernel failure paths; using AT_FDCWD would cause faccessat to enter deeper kernel code (path resolution + page fault), leading to false positives
  • faccessat was chosen because it is in the KSU hook list, is simple and fast, and its failure has no side effects

Files changed:

  • syscall_wrapper.h: core detection functions (counter, CPU binding, sample collection, comparison, threshold check)
  • native-lib.cpp: JNI bindings for ksuSideChannelCheck/Detected
  • NativeDetector.java: native method declarations
  • SideChannelDetector.java: Java detection item integration

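The sort-and-compare step and the 70% threshold described in the PR, as an added example that is not the PR's own code. The sample arrays are constructed, and `nowTicks()` is a portable `clock_gettime` stand-in (an assumption) for the CNTVCT_EL0 read the PR uses on ARM64, so on a desktop machine the measured anomaly count is only illustrative.

```cpp
#include <algorithm>
#include <cstdint>
#include <ctime>
#include <fcntl.h>
#include <unistd.h>
#include <vector>

// Sort both sample arrays so the i-th fastest run of each syscall is paired,
// then count pairs where the hooked call took more than one tick longer than
// the baseline (the PR's "faccessat > fchownat + 1").
size_t countAnomalies(std::vector<uint64_t> hooked,
                      std::vector<uint64_t> baseline) {
    std::sort(hooked.begin(), hooked.end());
    std::sort(baseline.begin(), baseline.end());
    const size_t n = std::min(hooked.size(), baseline.size());
    size_t anomalies = 0;
    for (size_t i = 0; i < n; ++i) {
        if (hooked[i] > baseline[i] + 1) ++anomalies;
    }
    return anomalies;
}

// The PR's threshold: more than 70% of pairs anomalous (7000 of 10000).
// Integer arithmetic avoids a floating-point comparison at the boundary.
bool hookSuspected(size_t anomalies, size_t total) {
    return anomalies * 10 > total * 7;
}

// Portable stand-in (assumption) for the PR's CNTVCT_EL0 read on ARM64.
static uint64_t nowTicks() {
    timespec ts{};
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return static_cast<uint64_t>(ts.tv_sec) * 1000000000ULL + ts.tv_nsec;
}

// Collect `count` samples of each syscall and return the anomaly count.
// dirfd=-1 makes both calls fail at the fd lookup (EBADF) before any path
// resolution, so the two failure paths stay symmetric, as the PR explains.
size_t measureAnomalies(size_t count) {
    std::vector<uint64_t> accTicks(count), chownTicks(count);
    for (size_t i = 0; i < count; ++i) {
        uint64_t t0 = nowTicks();
        (void)faccessat(-1, "x", F_OK, 0);
        uint64_t t1 = nowTicks();
        (void)fchownat(-1, "x", 0, 0, 0);
        accTicks[i] = t1 - t0;
        chownTicks[i] = nowTicks() - t1;
    }
    return countAnomalies(accTicks, chownTicks);
}
```

With a coarse clock the two sample arrays mostly tie, so `hookSuspected` stays false on an unhooked kernel; the PR's big-core pinning and 10000-sample count exist precisely to keep such noise from crossing the threshold.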
