
    A practical defense against rootkits is not detection (which is a cat-and-mouse game), but control over what is loaded into the kernel. So, kernel module digital signing and whitelisting, or compiling the modules statically into the kernel and disallowing the ability to load kernel modules at all.

    After we implement this, we “only” need to care about security holes and privilege escalation exploits. Of course we lose extensibility, so a potential company can’t release a driver for their hardware. But e.g. Apple has partly solved it by providing a lot of user-mode frameworks that allow writing user-mode drivers, which are properly process-separated from crucial parts of the kernel (so firewalls, USB devices, AV real-time scanning don’t require kernel-mode drivers at all).
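As an added example (not part of the comment above), here is a defender's audit script for the three Linux controls that implement what the comment describes: signature enforcement for modules, the kernel lockdown mode, and the `kernel.modules_disabled` latch that forbids loading any further modules. The procfs/sysfs/securityfs paths and the `module.sig_enforce=1`, `lockdown=integrity` and `kernel.modules_disabled=1` settings are real; the `ROOT` prefix argument and the `make_sample_tree` helper are assumptions introduced here so the checks can be exercised against a constructed copy of those files rather than only the live host.

```shell
#!/bin/sh
# Added example: audit the kernel-module loading controls on Linux.
# ROOT is a hypothetical prefix (empty = live system) so the same checks can
# run against a directory tree copied from a host or built by make_sample_tree.

# read_knob ROOT PATH: print the file's content without newlines, or "missing".
read_knob() {
  if [ -r "$1$2" ]; then
    tr -d '\n' < "$1$2"
  else
    printf 'missing'
  fi
}

# 0 if kernel.modules_disabled=1: a one-way latch, cleared only by reboot,
# so it is normally set late in boot after all needed modules are loaded.
module_loading_disabled() {
  [ "$(read_knob "$1" /proc/sys/kernel/modules_disabled)" = "1" ]
}

# 0 if module.sig_enforce=Y: the kernel refuses unsigned or badly signed modules.
signature_enforced() {
  [ "$(read_knob "$1" /sys/module/module/parameters/sig_enforce)" = "Y" ]
}

# 0 if the lockdown LSM is active. The file lists the modes with the active
# one in brackets, e.g. "none [integrity] confidentiality".
lockdown_active() {
  case "$(read_knob "$1" /sys/kernel/security/lockdown)" in
    *"[integrity]"*|*"[confidentiality]"*) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_module_controls ROOT: one line per control; the return value is the
# number of controls that are NOT in the hardened state (0 = fully hardened).
audit_module_controls() {
  root="${1:-}"
  failures=0
  if module_loading_disabled "$root"; then
    echo "modules_disabled: ok"
  else
    echo "modules_disabled: NOT set (sysctl -w kernel.modules_disabled=1 after boot)"
    failures=$((failures + 1))
  fi
  if signature_enforced "$root"; then
    echo "sig_enforce: ok"
  else
    echo "sig_enforce: NOT enforced (boot with module.sig_enforce=1)"
    failures=$((failures + 1))
  fi
  if lockdown_active "$root"; then
    echo "lockdown: ok"
  else
    echo "lockdown: NOT active (boot with lockdown=integrity)"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# make_sample_tree DIR MODULES_DISABLED SIG_ENFORCE LOCKDOWN_LINE
# Constructed sample data: writes the three files under DIR with given values.
make_sample_tree() {
  mkdir -p "$1/proc/sys/kernel" "$1/sys/module/module/parameters" "$1/sys/kernel/security"
  printf '%s\n' "$2" > "$1/proc/sys/kernel/modules_disabled"
  printf '%s\n' "$3" > "$1/sys/module/module/parameters/sig_enforce"
  printf '%s\n' "$4" > "$1/sys/kernel/security/lockdown"
}

# Usage: sh audit.sh --audit [ROOT]   (no ROOT = the running kernel)
if [ "${1:-}" = "--audit" ]; then
  audit_module_controls "${2:-}"
fi
```

Running `sh audit.sh --audit` on a live host prints the state of each control and exits non-zero when any of them is off; the exit code doubles as a count for a fleet-wide compliance query. Note that `modules_disabled` is intentionally irreversible without a reboot, which is exactly why it is the strongest of the three: even root with a valid signing key cannot load another module afterwards.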