Author(s): Joseph Connelly, Haining Wang, Jidong Xia

Download: Poster (PDF)

Date: 12 May 2017

Document Type: Presentations

Additional Documents: Paper

Associated Event: NDSS Symposium 2017


When attackers have compromised a system and have some certain control over the victim system, retaining that control and avoiding detection becomes their top priority. To achieve this goal, various rootkits have been proposed. However, existing rootkits are still detectable as long as defenders can gain control at a lower-level, such as the operating system level or the hypervisor level, or the hardware level. In this project, we present a new type of rootkits called CloudSkulk, which is a nested virtual machine based rootkit. By impersonating the original hypervisor to communicate with the original guest OS and impersonating the original guest OS to communicate with the hypervisor, CloudSkulk is hard to detect, no matter whether defenders are at the higher-level (e.g., in the original guest OS) or at the lower-level (e.g., in the original hypervisor).