VMM Based Rootkit Detection on Android - PowerPoint PPT Presentation

Presentation Transcript

VMM Based Rootkit Detection on Android

Class Presentation

Pete Bohman, Adam Kunk, Erik Shaw

Motivation
  • Smartphone malware on the rise
  • Increased security implications (compared to PC)
    • Sensitive information: GPS, contacts, SMS, call log
    • Constantly connected to the Internet
    • Naïve users, limited use of anti-virus protection

The Increase of Mobile Malware Variants (2004 – 2010)

Defensive Rootkit Approaches
  • User mode rootkits
    • Process infection, binary patching, lib hooks
  • User mode integrity checkers
    • tripwire, chkrootkit, rkhunter, AV scanner
  • Kernel mode rootkits
    • malicious device drivers and LKMs
    • sys call hooking, kernel data structure manipulation (DKOM)
  • Kernel level inspection
    • behavioral analysis, data structure integrity checkers, hook detection
  • But… Any kernel level inspection mechanisms can be subverted by kernel level rootkits!
Our Approach

Android Software Stack

  • Two Pronged
    • KM security mechanisms
      • System call integrity checks
      • Hidden process detection
      • ACLs for Android personal data
    • VMM inspection
      • Ensures integrity of static KM
      • Isolated from host OS
  • We exercise a “layer-below” level of security in which we establish trust beneath the kernel
Overview
  • Design
    • VMM Interface Design
    • Protection KM Design
  • Implementation
  • Results
    • Demo Presentation
  • Conclusion
  • Q&A
VMM Interface Design
[Diagram: Android software stack (Application Framework, Libraries and Runtime, Linux Kernel containing the Trusted KM) running on the Android VMM over Hardware (Emulator). Check sequence:]
  • 1. Hardware Timer Interrupt
  • 2. Validate Protected KM
  • 3. Raise Monitor Interrupt
  • 4. Invoke KM

Protection KM Design
[Diagram: Apps (Maps, Contacts, SMS, App) call the Application Framework (Content Provider, Location Provider, Activity Manager); a Malicious Native Application sits below the Application Framework and goes straight to Libraries and Runtime. System Calls (Open Socket, Read GPS, SQL Query) enter the Linux Kernel, where the Trusted KM holds the System Call Whitelist and the Original Sys Call Table and guards the live Sys Call Table (Open entry shown)]

Protection KM Design
[Diagram: a Malicious LKM replaces Sys Call Table entries (X, Y, Z) in the Linux Kernel; the Trusted KM keeps the System Call Whitelist and the Original Sys Call Table; the Android VMM, below Libraries and Runtime / System Calls / Linux Kernel, raises the Monitor Interrupt that triggers the check]

Implementation
  • VMM Interface
    • Implemented VMM security functionality in an emulated hardware device within QEMU
    • Protected KM data and text compiled into QEMU emulator (VMM)
[Diagram: Linux Kernel Source with Protection KM → Compilation → Kernel Image (Protected Text Sect., Protected Data Sect.); the same Protected Text and Protected Data are compiled into the QEMU Emulator (VMM)]

Implementation
  • Protection KM
    • Checks system service function pointers in sys_call_table
    • Reports the problem and restores them if they have been altered
    • Hooks sys_open and prevents access to mmssms.db and contacts2.db
      • Unless the process name and parent process name are found in the access control list
    • Likewise restricts socket and sys_read of GPS data according to the access control list
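As an added illustration of the two-pronged design above (the VMM's timer-driven "validate protected KM, then invoke KM" sequence, and the KM's sys_call_table check-and-restore plus the (process, parent) access control list on sys_open), here is a user-space C model. It is not the project's code: the real KM runs inside the Linux kernel and the real validation runs inside QEMU, whereas this model stands in a plain array for sys_call_table, an FNV-1a checksum for the VMM's view of the protected data section, and constructed ACL entries and process names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the page's design (not the project's code).
 * A small function-pointer table stands in for sys_call_table. */
#define NR_SYSCALLS 4
typedef long (*syscall_fn)(long arg);

/* Hypothetical stand-ins for kernel service routines. */
static long sys_open_impl(long a)   { return 100 + a; }
static long sys_read_impl(long a)   { return 200 + a; }
static long sys_socket_impl(long a) { return 300 + a; }
static long sys_close_impl(long a)  { return 400 + a; }

/* The live table that a kernel rootkit would patch. */
syscall_fn sys_call_table[NR_SYSCALLS] = {
    sys_open_impl, sys_read_impl, sys_socket_impl, sys_close_impl };

/* ---- Protection KM: trusted copy lives in the protected data section ---- */
static syscall_fn original_sys_call_table[NR_SYSCALLS];

void km_init(void) {
    memcpy(original_sys_call_table, sys_call_table, sizeof sys_call_table);
}

/* Compare every live entry with the trusted copy; report and restore any
 * that differ. Returns how many entries had been altered. */
int km_check_and_restore(void) {
    int altered = 0;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (sys_call_table[i] != original_sys_call_table[i]) {
            printf("KM: sys_call_table[%d] altered, restoring\n", i);
            sys_call_table[i] = original_sys_call_table[i];
            altered++;
        }
    }
    return altered;
}

/* Access control list keyed on (process name, parent process name).
 * Entries are constructed for this example. */
struct acl_entry { const char *proc; const char *parent; };
static const struct acl_entry acl[] = {
    { "android.process.acore", "zygote" },
    { "com.android.phone",     "zygote" },
};
static const char *sensitive_files[] = { "mmssms.db", "contacts2.db" };

/* sys_open hook policy: returns 1 to allow the open, 0 to deny it. */
int km_open_allowed(const char *path, const char *proc, const char *parent) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    int sensitive = 0;
    for (size_t i = 0; i < 2; i++)
        if (strcmp(base, sensitive_files[i]) == 0) sensitive = 1;
    if (!sensitive) return 1;                 /* not a guarded file */
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (strcmp(acl[i].proc, proc) == 0 && strcmp(acl[i].parent, parent) == 0)
            return 1;                         /* (proc, parent) whitelisted */
    return 0;
}

/* ---- VMM side: validate the KM's protected data before trusting it ---- */
/* FNV-1a checksum; in the real design the reference value is compiled
 * into the emulator, here it is captured at vmm_init (assumption). */
uint64_t vmm_checksum(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t vmm_golden;
void vmm_init(void) {
    vmm_golden = vmm_checksum(original_sys_call_table, sizeof original_sys_call_table);
}

/* One hardware timer tick: step 2 validates the protected KM data, steps 3-4
 * hand control to the KM. Returns -1 if the KM itself looks tampered with,
 * otherwise the number of sys_call_table entries the KM restored. */
int vmm_timer_tick(void) {
    if (vmm_checksum(original_sys_call_table, sizeof original_sys_call_table) != vmm_golden) {
        printf("VMM: protected KM data altered, not invoking KM\n");
        return -1;
    }
    return km_check_and_restore();
}

int main(void) {
    km_init(); vmm_init();
    printf("clean tick: %d restored\n", vmm_timer_tick());
    sys_call_table[1] = sys_close_impl;       /* constructed table alteration */
    printf("after alteration: %d restored\n", vmm_timer_tick());
    printf("acore opens contacts2.db: %d\n",
           km_open_allowed("/data/x/contacts2.db", "android.process.acore", "zygote"));
    printf("unknown native proc opens contacts2.db: %d\n",
           km_open_allowed("/data/x/contacts2.db", "nativeapp", "sh"));
    return 0;
}
```

The order of checks is the point of the model: the VMM validates the KM's own protected data before invoking it, so a rootkit that rewrites the trusted copy is caught by the layer below rather than by the KM it just corrupted.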
Implementation
  • Malicious native mode application
    • Reads contacts database file
    • Reads GPS location
    • Transmits data using network sockets
    • Runs as a Linux user mode process, underneath the Android Application Framework
  • Malicious LKM
    • Implemented by following the MindTrick Rootkit techniques
    • Intercepts read system calls to access GPS location
    • Attempts to access the SMS and contacts database files
Results
  • We are able to detect and correct modifications to the sys_call_table
    • Malicious LKM system call table hooking was thwarted
    • Malicious LKM unable to obtain GPS coordinates
  • We are able to prevent malicious access to sensitive resources
    • Malicious application fails to read GPS data, fails to open sensitive database files, and fails to open network sockets
    • Malicious LKM also fails to open sensitive database files
  • Demo (short): http://www.youtube.com/watch?v=IR9yDyT50HQ
  • Demo (long): http://www.youtube.com/watch?v=4M5YgsGU9Bw
Conclusion
  • “Layer-Below” Protection
    • Security of the Linux kernel must be rooted in a layer below the kernel to withstand kernel level attacks
    • Trusted “layer-below” protection mechanisms can serve as the secure foundation for enabling additional advanced protection mechanisms in the kernel
Backup – Problem Statement
  • Rootkit detection and prevention on the Android platform with specific regards to the sensitive resources Android provides.
    • Kaspersky 2011: 1046 unique malware strains targeting mobile platforms
    • Android platform built on the Linux kernel, a well known target
    • Sensitive information on smart phones
      • GPS, contacts, text messages, call log