CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection
Document Type
Conference Proceeding
Publication Date
2021
Abstract
When attackers compromise a computer system and obtain root control over the victim system, retaining that control and avoiding detection become their top priority. To achieve this goal, various rootkits have been developed. However, existing rootkits are still easy to detect as long as defenders can gain control at a lower level, such as the operating system level, the hypervisor level, or the hardware level. In this paper, we present a new type of rootkit called CloudSkulk, which is a nested virtual machine (VM) based rootkit. While nested virtualization has attracted considerable attention from the security and cloud communities, to the best of our knowledge, we are the first to reveal and demonstrate how nested virtualization can be used by attackers to develop rootkits. We then, from the defenders’ perspective, present a novel approach to detecting CloudSkulk rootkits at the host level. Our experimental results show that the proposed approach is effective in detecting CloudSkulk rootkits.
Publication Information
Connelly, Joseph; Roberts, Taylor; Gao, Xing; Xiao, Jidong; Wang, Haining; and Stavrou, Angelos. (2021). "CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection". In 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (pp. 350-362). IEEE. https://doi.org/10.1109/DSN48987.2021.00047