
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Presentation transcript:

1 VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw

2 Motivation
[Chart: The Increase of Mobile Malware Variants (2004 - 2010)]
- Smartphone malware on the rise
- Increased security implications (compared to PC)
  - Sensitive information: GPS, contacts, SMS, call log
  - Constantly connected
  - Naïve users, limited use of antivirus

3 Defensive Rootkit Approaches
- User mode rootkits: process infection, binary patching, library hooks
- User mode integrity checkers: tripwire, chkrootkit, rkhunter, AV scanner
- Kernel mode rootkits: malicious device drivers and LKMs; syscall hooking, kernel data structure manipulation
- Kernel level inspection: behavioral analysis, data structure integrity checkers, hook detection
But... any kernel level inspection mechanism can be subverted by kernel level rootkits

4 Our Approach
Two pronged:
- Kernel module (KM) security mechanisms
  - System call integrity checks
  - Hidden process detection
  - Android capability table
- VMM inspection
  - Ensures integrity of the static KM
  - Isolated from the host OS
We exercise a "layer-below" level of security in which we establish trust beneath the kernel.
[Figure: Android Software Stack]

5 Solution Preview (Delete Slide)
[Figure: Android Software Stack]
- Android VMM ensures integrity of the static kernel module
- Kernel module implements the security mechanisms

6 Overview
- Design
  - VMM Design
  - Protected KM Design
- Implementation
- Results
- Demo Presentation
- Conclusion
- Q&A

7 VMM Interface Design
[Figure: layered stack of Android VMM, Hardware (Emulator), Linux Kernel, Trusted KM, Libraries and Runtime, Application Framework]
1. Hardware timer interrupt
2. Validate protected KM
3. Raise monitor interrupt
4. Invoke KM

8 Protection KM Design
[Figure: Linux Kernel containing the SysCall Table and the Trusted KM (System Call Whitelist, Original Sys Call Table); Libraries and Runtime; Application Framework (Contacts, SMS App, Content Provider, Location Provider, Activity Manager, Maps); a malicious native application issuing system calls: open, open socket, read GPS, SQL query]

9 Protection KM Design
[Figure: a malicious LKM redirects SysCall Table entries (X, Y, Z) away from the handlers recorded in the Trusted KM's System Call Whitelist and Original Sys Call Table; the Android VMM raises a monitor interrupt]

10 Implementation
- Implemented VMM security functionality in an emulated hardware device within QEMU
- Protected KM data and text compiled into the QEMU emulator (VMM)
[Figure: build flow: Linux kernel source with Protection KM -> compilation -> kernel image (protected text section, protected data section) -> QEMU emulator (VMM) compilation -> QEMU emulator (VMM) containing the protected text and protected data]

11 Implementation
- Malicious native mode application
  - Reads the contacts database
  - Reads the GPS location
  - Exfiltrates data using sockets
- Malicious LKM
  - Intercepts read system calls to access the GPS location

12 Results
- We are able to detect/correct modifications to the sys_call_table
- We are able to prevent malicious access to sensitive resources
TODO: Mention malicious app and LKM
TODO: (Insert link to demo)
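As an added illustration (not the project's code) of the two checks described on slides 7 to 9 and claimed in the results above, here is a user-space C model: the VMM-side validation of the protection KM's text section, and the KM-side sys_call_table detect-and-correct pass. The handlers, the km_text buffer, the FNV-1a digest and the rogue hook are all constructed stand-ins.

```c
/* Added example, not the project's code: user-space model of the checks on
 * slides 7-9. The VMM hashes the protection KM's text against its build-time
 * value; the KM compares the live sys_call_table with a trusted copy and
 * restores redirected entries. All handlers and buffers are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define NR_SYSCALLS 3
typedef long (*syscall_fn)(void);
/* Constructed stand-ins for kernel handlers and for a rootkit's hook. */
static long sys_open_ok(void)     { return 0; }
static long sys_read_ok(void)     { return 1; }
static long sys_socket_ok(void)   { return 2; }
static long rogue_read_hook(void) { return -1; }
static syscall_fn sys_call_table[NR_SYSCALLS];      /* live dispatch table */
static syscall_fn sys_call_table_orig[NR_SYSCALLS]; /* copy saved at KM load */
static uint8_t km_text[32] = "protection_km_text_section"; /* constructed */
static uint32_t km_text_hash_at_build;
/* FNV-1a 32-bit: deterministic digest, sufficient for the model. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
void protection_km_init(void) {
    syscall_fn real[NR_SYSCALLS] = { sys_open_ok, sys_read_ok, sys_socket_ok };
    memcpy(sys_call_table, real, sizeof real);
    memcpy(sys_call_table_orig, real, sizeof real);
    km_text_hash_at_build = fnv1a(km_text, sizeof km_text);
}
/* VMM step 2 "Validate Protected KM": 1 if the KM text is unmodified. */
int vmm_validate_km(void) {
    return fnv1a(km_text, sizeof km_text) == km_text_hash_at_build;
}
/* KM step 4 "Invoke KM": detect and correct redirected entries; returns count. */
int check_sys_call_table(void) {
    int fixed = 0;
    for (size_t i = 0; i < NR_SYSCALLS; i++) {
        if (sys_call_table[i] == sys_call_table_orig[i]) continue;
        printf("sys_call_table[%zu] redirected, restoring\n", i);
        sys_call_table[i] = sys_call_table_orig[i];
        fixed++;
    }
    return fixed;
}

int main(void) {
    protection_km_init();
    sys_call_table[1] = rogue_read_hook; /* the malicious LKM's modification */
    printf("km valid=%d restored=%d\n", vmm_validate_km(), check_sys_call_table());
    return 0;
}
```

In the real design the trusted copy and the hash live inside the VMM, outside the guest kernel's reach, which is what makes the comparison meaningful against a kernel-level rootkit.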

13 Conclusion
- Layer below protection
  - Security of the Linux kernel must be rooted in a layer below the kernel
  - Code contained solely in the kernel is subject to any kernel-level attack
- Sensitive resource protection
  - Android mobile phones contain lots of sensitive information that must be protected

14 Architecture Layer | Security Mechanism | Threat Mitigation
 | App permissions, Dalvik VM isolation, app signatures | Limits application abilities in order to prevent malicious behavior
 | Virus scanners, remote lockout | Modified system binaries, Trojan'd services, stolen device
 | Linux user and group permissions | Access control

15 [Figure: build flow: Linux kernel source with Protection KM -> compilation -> kernel image (protected text section, protected data section) -> QEMU emulator (VMM) compilation -> QEMU emulator (VMM) containing the protected text and protected data]

16 Problem Statement
Rootkit detection and prevention on the Android platform, with specific regard to the sensitive resources Android provides.
- Kaspersky 2011: 1046 unique malware strains targeting mobile platforms
- Android platform built on the Linux kernel, a well known target
- Sensitive information on smartphones: GPS, contacts, text messages, call log

