Behavioral Patterns of Kernel Level Rootkits Attacking Containers in Linux Environment

Alexander, Nidhin Samuel
Journal Title
Journal ISSN
Volume Title

Kernel Level Rootkits are a special category of malwares that has the capability to compromise operating system kernel and can hide itself from detection. With the advent of Linux Containers that share the kernel among them, kernel level rootkit becomes a critical threat. The main aim of this paper is to demonstrate the attack scenarios of kernel level rootkits affecting container environment and to provide behavioral specifications of these rootkits. We designed some sample kernel level rootkits to demonstrate the exploits of Linux Container. We then perform static analysis on the above samples and extract the malicious behavior. Behaviors collected from the rootkit samples are then fed as rules to a pattern matching tool to check for the specified malicious behavior with any object file on the system. We have implemented a prototype based on our behaviors and tested it on other rootkits. Experimental results indicate that our prototype is effective in detecting kernel level rootkits.

This item is available only to currently enrolled UTSA students, faculty or staff.
Containers, LKM, Namespaces, Rootkits, Static Analysis
Electrical and Computer Engineering