Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rootkits on Smart Phones: Attacks, Implications and Opportunities Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode Department.

Similar presentations


Presentation on theme: "Rootkits on Smart Phones: Attacks, Implications and Opportunities Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode Department."— Presentation transcript:

1 Rootkits on Smart Phones: Attacks, Implications and Opportunities Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode Department of Computer Science, Rutgers University

2 Rise of the Smart Phone HotMobile 2/23/20102

3 Rise of the Smart Phone 1993 calendar, address book, touch screen on-screen "predictive" keyboard Simon HotMobile 2/23/20102

4 Rise of the Smart Phone Symbian OS Ericsson R380 HotMobile 2/23/20102

5 Rise of the Smart Phone Blackberry Windows Pocket PC Treo Treo 180 BlackBerry 5810 HotMobile 2/23/20102

6 Rise of the Smart Phone iPhone HotMobile 2/23/20102

7 Rise of the Smart Phone iPhone 3G/3GS Android App Stores HotMobile 2/23/20102

8 3 Smart Phone Users

9 HotMobile 2/23/20104 Smart Phone Interfaces A rich set of interfaces is now available GSM GPS Bluetooth AccelerometerMicrophoneCamera

10 HotMobile 2/23/20105 Smart Phone Apps Contacts Location Banking Over 140,000 apps today

11 Smart Phone Operating Systems OSLines of Code Linux 2.6 Kernel10 million Android20 million Symbian20 million Complexity comparable to desktops HotMobile 2/23/20106

12 7 The Rise of Mobile Malware 2004 Cabir spreads via Bluetooth drains battery Receive message via Bluetooth? Yes No

13 HotMobile 2/23/20107 The Rise of Mobile Malware 2004 first J2ME malware sends texts to premium numbers RedBrowser 2006

14 HotMobile 2/23/20107 The Rise of Mobile Malware 2004 Kaspersky Labs report: 106 types of mobile malware 514 modifications

15 HotMobile 2/23/20108 The Rise of Mobile Malware “My iPhone is not jailbroken and it is running iPhone OS 3.0”

16 HotMobile 2/23/20109 Contributions Introduce rootkits into the space of mobile malware Demonstrate with three proof-of concept rootkits Explore the design space for detection

17 HotMobile 2/23/ Rootkits App User Space Kernel Space Libraries Kernel Code System Call Table Drivers Process Lists Virus Anti Virus

18 HotMobile 2/23/ Rootkits App User Space Kernel Space Libraries Kernel Code System Call Table Drivers Process Lists Anti Virus Rootkit Virus

19 Proof of Concept Rootkits HotMobile 2/23/ Note: We did not exploit vulnerabilities 1. Conversation Snooping Attack 2. Location Attack 3. Battery Depletion Attack Openmoko Freerunner

20 HotMobile 2/23/ Conversation Snooping Attack Attacker Send SMS Rootkit Infected Dial me “ ” Call Attacker Turn on Mic Delete SMS Rootkit stops if user tries to dial

21 HotMobile 2/23/ Conversation Snooping Attack Attacker Rootkit Infected Call Attacker Turn on Mic Calendar Notification

22 Attacker Send SMS Rootkit Infected Send Location “ ” 2. Location Attack Query GPS HotMobile 2/23/ N40°28', W074°26 SMS Response Delete SMS

23 3. Battery Depletion Attack Rootkit turns on high powered devices Rootkit shows original device status HotMobile 2/23/ Attack :

24 HotMobile 2/23/ Rootkit Detection App User Space Kernel Space Libraries Kernel Code System Call Table Drivers Process Lists Rootkit Detector Rootkit DOES NOT WORK!

25 HotMobile 2/23/ Memory Introspection Kernel Sys Call Table Monitor Fetch and Copy Monitor MachineTarget Machine Training Phase

26 HotMobile 2/23/ Memory Introspection KernelMonitor Fetch Monitor MachineTarget Machine Compare System OK Detection Phase

27 HotMobile 2/23/ Memory Introspection KernelMonitor Fetch Monitor MachineTarget Machine Compare Rootkit Detected Rootkit mal_write() Detection Phase

28 HotMobile 2/23/ Monitoring Approaches 1. Hardware Approach Monitor MachineTarget Machine Rootkit Infected NIC with remote DMA support

29 Smart Phone Challenge Monitor MachineRootkit Infected HotMobile 2/23/ Problem: Need interface allowing memory access without OS intervention (FireWire?)

30 HotMobile 2/23/ Monitoring Approaches Host Machine Hypervisor Dom0OS 2. VMM-based Approach Detector

31 Smart Phone Challenge HotMobile 2/23/ Problem: CPU-intensive detection algorithms exhaust phone battery Solution: Offload detection work to the service provider Send Pages Response CPU intensive work

32 Optimizations for Energy-Efficiency HotMobile 2/23/ Page Table Monitor Fetch Problem: Too many memory pages may have to be transferred

33 Optimizations for Energy-Efficiency HotMobile 2/23/ Page Table Monitor 1 1 Fetch Solution: Only fetch and scan pages that have been recently modified

34 HotMobile 2/23/ Related Work (1/2) Rootkit Detection Enforcement of Kernel Data Structure Invariants [Baliga, et al., ACSAC 2008] Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003] Mobile Security and Detection Semantically Rich Application-Centric Security in Android [Ongtang, et al., ACSAC 2009] Detecting Energy-Greedy Anomalies [Kim, et al., MobiSys 2008]

35 Related Work (2/2) Mobile Malware Cellular Botnets: Impact on Network Core [Traynor, et al., CCS 2009] Exploiting MMS Vulnerabilities to Exhaust Battery [Racic, et al., SecureComm 2006] Exploiting SMS-Capable Cellular Network [Enck, et al., CCS 2005] HotMobile 2/23/201028

36 Conclusion and Future Work Conclusions: Rootkits are now a threat to smart phones Future Work: Energy efficient rootkit detection techniques Develop a rootkit detector for smart phone HotMobile 2/23/201029

37 Thank You! HotMobile 2/23/201030


Download ppt "Rootkits on Smart Phones: Attacks, Implications and Opportunities Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode Department."

Similar presentations


Ads by Google