Presentation is loading. Please wait.

Presentation is loading. Please wait.

VMM Based Rootkit Detection on Android

Published byGarey Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "VMM Based Rootkit Detection on Android"— Presentation transcript:

1 VMM Based Rootkit Detection on Android
Class Presentation Pete Bohman, Adam Kunk, Erik Shaw

2 Problem Statement Rootkit detection and prevention on the Android platform with specific regards to the sensitive resources Android provides. Kapersky: 1046 unique malware strains targeting mobile platforms Android platform built on Linux Kernel, a well known target. Sensitive information on smart phones GPS, contacts, text messages, call log

3 Defensive Rootkit Approaches
User mode rootkits Process infection, binary patching, lib hooks User mode integrity checkers tripwire, chkrootkit, rkthunter, AV scanner Kernel mode rootkits malicious device drivers and lkms sys call hooking, kernel data structure manipulation Kernel level inspection behavioral analysis, data structure integrity checkers, hook detection But… Any kernel level inspection mechanisms can be subverted by kernel level rootkit

4 Our Approach Two Pronged
VMM inspection Ensures integrity of static kernel module Isolated from host OS Kernel module security mechanisms System call integrity checks Hidden process detection Android capability table We exercise a “layer-below” level of security in which we establish trust beneath the kernel

5 Solution Preview Android Software Stack
Kernel module implements security mechanisms Android VMM ensures integrity of static kernel module

6 Overview Design Implementation Results Demo Presentation Conclusion
Q&A

7 Application Framework
VMM Interface Design Application Framework Libraries and Runtime Linux Kernel 4. Invoke KM Trusted KM <ISR> 2. Validate Protected KM 3. Raise Monitor Interrupt Android VMM 1. Hardware Timer Interrupt Hardware (Emulator)

8 Protection KM Design

9 Implementation Instead of utilizing a VMM as the lowest layer, we created a new hardware device in the QEMU emulator Hardware device based on virtualized timer which expires at predefined intervals When a timer interval expires, an interrupt is generated and the timer is reset During each interrupt, the hardware device calls into our kernel module to pass execution Integrity checks are done on the sys_call_table

10 Implementation (cont.)
We implemented a static Kernel Module (KM) in order to make integrity checks on the sys_call_table The kernel module contains a copy of the original sys_call_table and compares this to the running version The KM also sets its own hooks in the sys_call_table in order to detect malicious access to sensitive resources e.g. Check for invalid process access to sys_open system call attempting to open a sensitive resource file (contacts2.db)

11 Results We are able to detect/correct modifications to the sys_call_table We are able to prevent malicious access to sensitive resources TODO: (Insert link to demo)

12 Conclusion Layer Below Protection
Security of the Linux kernel must be rooted in a layer below the kernel Code contained solely in the kernel is subject to any kernel-level attack Sensitive Resource Protection Android mobile phones contain lots of sensitive information that must be protected

13 Limits application abilities in order to prevent malicious behavior.
Architecture Layer Security Mechanism Threat Mitigation App Permissions Dalvik VM Isolation App signatures Limits application abilities in order to prevent malicious behavior. Virus Scanners Remote Lockout Modified system binaries Trojan’d services Stolen device Linux user and group permissions Access control Application permissions are granted by the user to reduce malicious behavior. (An application can only access the GPS device if it has been granted the GPS privilege when it was installed. Application isolation – Each application is ran in Dalvik VM, protects against memory corruption / remote code execution from compromising other applications. Application Signatures –

14

Download ppt "VMM Based Rootkit Detection on Android"

Similar presentations

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, Patrick Traynor Georgia Institute of Technology ACSAC’ 11.

Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, Patrick Traynor Georgia Institute of Technology ACSAC’ 11.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security.

Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security.
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Similar presentations

Ads by Google