CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection

2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2021-06-01 DOI:10.1109/DSN48987.2021.00047

Joseph Connelly, Taylor Roberts, Xing Gao, Jidong Xiao, Haining Wang, A. Stavrou

{"title":"CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection","authors":"Joseph Connelly, Taylor Roberts, Xing Gao, Jidong Xiao, Haining Wang, A. Stavrou","doi":"10.1109/DSN48987.2021.00047","DOIUrl":null,"url":null,"abstract":"When attackers compromise a computer system and obtain root control over the victim system, retaining that control and avoiding detection become their top priority. To achieve this goal, various rootkits have been developed. However, existing rootkits are still easy to detect as long as defenders can gain control at a lower level, such as the operating system level, the hypervisor level, or the hardware level. In this paper, we present a new type of rootkit called CloudSkulk, which is a nested virtual machine (VM) based rootkit. While nested virtualization has attracted sufficient attention from the security and cloud community, to the best of our knowledge, we are the first to reveal and demonstrate how nested virtualization can be used by attackers to develop rootkits. We then, from defenders’ perspective, present a novel approach to detecting CloudSkulk rootkits at the host level. Our experimental results show that the proposed approach is effective in detecting CloudSkulk rootkits.","PeriodicalId":222512,"journal":{"name":"2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN48987.2021.00047","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

When attackers compromise a computer system and obtain root control over the victim system, retaining that control and avoiding detection become their top priority. To achieve this goal, various rootkits have been developed. However, existing rootkits are still easy to detect as long as defenders can gain control at a lower level, such as the operating system level, the hypervisor level, or the hardware level. In this paper, we present a new type of rootkit called CloudSkulk, which is a nested virtual machine (VM) based rootkit. While nested virtualization has attracted sufficient attention from the security and cloud community, to the best of our knowledge, we are the first to reveal and demonstrate how nested virtualization can be used by attackers to develop rootkits. We then, from defenders’ perspective, present a novel approach to detecting CloudSkulk rootkits at the host level. Our experimental results show that the proposed approach is effective in detecting CloudSkulk rootkits.

查看原文本刊更多论文

CloudSkulk:一个基于嵌套虚拟机的Rootkit及其检测

当攻击者入侵计算机系统并获得对受害系统的根控制时，保持这种控制并避免被发现成为他们的首要任务。为了实现这一目标，已经开发了各种rootkit。但是，只要防御者能够在较低的级别(如操作系统级别、管理程序级别或硬件级别)获得控制权，现有的rootkit仍然很容易被检测到。在本文中，我们提出了一种名为CloudSkulk的新型rootkit，它是一种基于嵌套虚拟机(VM)的rootkit。虽然嵌套虚拟化已经引起了安全和云社区的足够关注，但据我们所知，我们是第一个揭示和演示攻击者如何使用嵌套虚拟化来开发rootkit的人。然后，从防御者的角度来看，我们提出了一种在主机级别检测CloudSkulk rootkit的新方法。实验结果表明，该方法能够有效检测CloudSkulk rootkit。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量