| Popis: |
When attackers compromise a computer system and obtain root control over the victim system, retaining that control and avoiding detection become their top priority. To achieve this goal, various rootkits have been developed. However, existing rootkits are still easy to detect as long as defenders can gain control at a lower level, such as the operating system level, the hypervisor level, or the hardware level. In this paper, we present a new type of rootkit called CloudSkulk, which is a nested virtual machine (VM) based rootkit. While nested virtualization has attracted sufficient attention from the security and cloud community, to the best of our knowledge, we are the first to reveal and demonstrate how nested virtualization can be used by attackers to develop rootkits. We then, from defenders’ perspective, present a novel approach to detecting CloudSkulk rootkits at the host level. Our experimental results show that the proposed approach is effective in detecting CloudSkulk rootkits. |
