CloudSkulk: Design of a Nested Virtual Machine-based RITM Attack
Author(s): Joseph Connelly, Haining Wang, Jidong Xia
Download: Poster (PDF)
Date: 12 May 2017
Document Type: Presentations
Additional Documents: Paper
Associated Event: NDSS Symposium 2017
When attackers have compromised a system and gained some control over the victim, retaining that control and avoiding detection becomes their top priority. To achieve this goal, various rootkits have been proposed. However, existing rootkits remain detectable as long as defenders can gain control at a lower level, such as the operating system level, the hypervisor level, or the hardware level. In this project, we present a new type of rootkit called CloudSkulk, a nested virtual machine-based rootkit. By impersonating the original hypervisor when communicating with the original guest OS, and impersonating the original guest OS when communicating with the hypervisor, CloudSkulk is hard to detect, regardless of whether defenders operate at the higher level (e.g., in the original guest OS) or at the lower level (e.g., in the original hypervisor).