Presentation is loading. Please wait.

Presentation is loading. Please wait.

Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)

Published byTheodore Bruce Modified over 8 years ago

Similar presentations

Presentation on theme: "Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)"— Presentation transcript:

1 Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)

2 Problem Statement Rootkit detection and prevention on the Android platform with specific regards to the sensitive resources Android provides. Linux kernel a major target Lots of sensitive information on smart phones GPS, banking info, text messages, contacts, etc.

3 Other Approaches User Level Mechanisms Can be subverted via kernel level attacks Checking ‘ps’ and ‘ls’ to make sure they are valid, Tripwire and chkrootkit programs Kernel Level Mechanisms Can be subverted via kernel level attacks as well Checking for Direct Kernel Object Manipulation (DKOM), syscall table checking mechanisms

4 Our Approach Two-pronged: VMM protects static kernel module (ensures integrity of the kernel module) Kernel module ensures integrity of the syscall table as well as protects sensitive resources from invalid access We exercise a “layer-below” level of security in which we establish trust beneath the kernel

5 Solution Preview TODO: (Need a nice picture (or two) of our solution) TODO: (Maybe one picture of the VMM/kernel module interaction and one picture of the capabilities table interaction)

6 Overview Design Implementation Results Watch a demo Conclusion Q&A

7 Design (TODO: is this just a restatement of the ‘Our Approach’ slide?) VMM root of trust below the kernel VMM ensures integrity of Trusted Kernel Module Kernel module ensures integrity of sys_call_table and protects sensitive resources

8 Implementation Instead of utilizing a VMM as the lowest layer, we created a new hardware device in the QEMU emulator Hardware device based on virtualized timer which expires at predefined intervals When a timer interval expires, an interrupt is generated and the timer is reset During each interrupt, the hardware device calls into our kernel module to pass execution Integrity checks are done on the sys_call_table

9 Implementation (cont.) Compilation environment The hardware device needs to know the contents of the sys_call_table in order to verify integrity We make use of a python script, grabBytes.py in order to index into the executable Android image and grab the sys_call_table binary data as well as that of our trusted kernel module The python script generates.c/.h files with the integrity data and is compiled into the emulator and Android executable

10 Implementation (cont.) We implemented a static Kernel Module (KM) in order to make integrity checks on the sys_call_table The kernel module contains a copy of the original sys_call_table and compares this to the running version The KM also sets its own hooks in the sys_call_table in order to detect malicious access to sensitive resources e.g. Check for invalid process access to sys_open system call attempting to open a sensitive resource file (contacts2.db)

11 Results We are able to detect/correct modifications to the sys_call_table We are able to prevent malicious access to sensitive resources TODO: (Insert link to demo)

12 Conclusion Layer Below Protection Security of the Linux kernel must be rooted in a layer below the kernel Code contained solely in the kernel is subject to any kernel-level attack Sensitive Resource Protection Android mobile phones contain lots of sensitive information that must be protected

13

14 Questions?

Download ppt "Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)"

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Content Overview Virtual Disk Port to Intel platform

Content Overview Virtual Disk Port to Intel platform
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.

Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Operating-System Structures

Operating-System Structures
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.

Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.
LittleOrange SMS Engine. Nice & easy to use user interface. High-performance, high-impact app that fully replicate the look, feel and user experience.

LittleOrange SMS Engine. Nice & easy to use user interface. High-performance, high-impact app that fully replicate the look, feel and user experience.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.

Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.
Linux Networking and Security Chapter 10 File Security.

Linux Networking and Security Chapter 10 File Security.

Similar presentations

Ads by Google