Behavioral Patterns of Kernel Level Rootkits Attacking Containers in Linux Environment




Alexander, Nidhin Samuel




Kernel-level rootkits are a special category of malware with the capability to compromise the operating system kernel and hide themselves from detection. With the advent of Linux containers, which share the host kernel among them, kernel-level rootkits become a critical threat. The main aim of this paper is to demonstrate attack scenarios in which kernel-level rootkits affect a container environment and to provide behavioral specifications of these rootkits. We designed some sample kernel-level rootkits to demonstrate the exploitation of Linux containers. We then perform static analysis on these samples and extract their malicious behavior. The behaviors collected from the rootkit samples are then fed as rules to a pattern-matching tool that checks any object file on the system for the specified malicious behavior. We have implemented a prototype based on these behaviors and tested it on other rootkits. Experimental results indicate that our prototype is effective in detecting kernel-level rootkits.




Containers, LKM, Namespaces, Rootkits, Static Analysis



Electrical and Computer Engineering