Anatomy of a Linux container rootkit

7 May 2019

This year I gave a talk at the Easterhegg 2019 about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor work from 2017 with some improvements.


Linux Containers are becoming increasingly popular. Therefore, it is likely that there will be an increase of attacks against container systems. After successfully attacking all the security mechanisms of a container system, a “rootkit“ could be planted. This talk provides details of the anatomy of such a rootkit. First the main functions of rootkits are explained. After a brief introduction of Linux Containers and Linux Kernel Rootkits, a Kernel Rootkit called “themaster“, developed by the author of this thesis, is described and explained. Well known rootkit methods are used to implement functions to hide resources and escalate privileges. Results indicate that in container systems, patching system calls are the preferred method for functions which are globally accessible. For providing rootkit functionality in specific containers, patching the virtual file system is the better approach. A special backdoor for breaking out of the container is also applied and “themaster“ operates stealthily.


[ Linux  Programming  C  Docker  Security  Kernel  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti