vmm based rootkit detection on android
Page 1
VMM Based Rootkit Detection on Android
Class Presentation
Pete Bohman, Adam Kunk, Erik Shaw
Page 2
Motivation
Chart: The Increase of Mobile Malware Variants (2004 – 2010)
• Smartphone malware on the rise
• Increased security implications (compared to PC)
• Sensitive information: GPS, contacts, SMS, call log
• Constantly connected
• Naïve users, limited use of Anti Virus
Page 3
Defensive Rootkit Approaches
• User mode rootkits
  – Process infection, binary patching, lib hooks
• User mode integrity checkers
  – tripwire, chkrootkit, rkhunter, AV scanner
• Kernel mode rootkits
  – malicious device drivers and LKMs
  – sys call hooking, kernel data structure manipulation
• Kernel level inspection
  – behavioral analysis, data structure integrity checkers, hook detection
• But… any kernel level inspection mechanism can be subverted by kernel level rootkits
Page 4
Our Approach
• Two pronged
  – KM security mechanisms
    • System call integrity checks
    • Hidden process detection
    • Android capability table
  – VMM inspection
    • Ensures integrity of static KM
    • Isolated from host OS
• We exercise a “layer-below” level of security in which we establish trust beneath the kernel
Diagram: Android Software Stack
Page 5
Solution Preview (Delete Slide)
Diagram: Android Software Stack
• Android VMM ensures integrity of static kernel module
• Kernel module implements security mechanisms
Page 6
Overview
• Design
  – VMM Design
  – Protected KM Design
• Implementation
• Results
• Demo Presentation
• Conclusion
• Q&A
Page 7
VMM Interface Design
Diagram labels: Android VMM; Hardware (Emulator); Linux Kernel; Trusted KM <ISR>; Libraries and Runtime; Application Framework
1. Hardware Timer Interrupt
2. Validate Protected KM
3. Raise Monitor Interrupt
4. Invoke KM
Page 8
Protection KM Design
Diagram labels:
• Linux Kernel: Trusted KM (System Call Whitelist, Original Sys Call Table); SysCall Table; System Calls
• Libraries and Runtime
• Application Framework: Maps, Contacts, SMS App, Content Provider, Location Provider, Activity Manager
• Malicious Native Application: Open, Open Socket, Read GPS, SQL Query, …
Page 9
Protection KM Design
Diagram labels:
• Linux Kernel: Trusted KM (System Call Whitelist, Original Sys Call Table); SysCall Table (X, Y, Z); System Calls; Malicious LKM; <ISR>
• Libraries and Runtime
• Android VMM: Monitor Interrupt
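How the two prongs on pages 7 to 9 fit together, as an added user-space C model (not the authors' QEMU or kernel module code): the trusted KM checks the live sys_call_table against its saved original and repairs hooked entries, while the VMM hashes that saved copy from the layer below, so a rootkit that patches the KM's own data is still caught before the KM is invoked. The handler names, the four-entry table and the FNV-1a hash are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added user-space model of the two-pronged design on the slides (not the
 * authors' code): the trusted KM compares sys_call_table with its own saved
 * copy; the VMM validates that saved copy from the layer below. */
#define NR_SYSCALLS 4
typedef long (*syscall_fn)(long);
/* Constructed stand-ins for real syscall handlers. */
static long sys_read_impl(long fd)  { return fd; }
static long sys_open_impl(long fd)  { return fd + 1; }
static long sys_socket_impl(long d) { return d + 2; }
static long sys_ioctl_impl(long d)  { return d + 3; }
static syscall_fn sys_call_table[NR_SYSCALLS];  /* live table the kernel dispatches through */
static syscall_fn protected_copy[NR_SYSCALLS];  /* KM's "Original Sys Call Table" */
static uint32_t vmm_expected;                   /* held by the VMM, outside the guest */
/* FNV-1a over the protected data section: what the VMM recomputes each tick. */
static uint32_t vmm_hash(const void *p, size_t n) {
    const uint8_t *b = p;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}
void km_init(void) {
    syscall_fn init[NR_SYSCALLS] = { sys_read_impl, sys_open_impl, sys_socket_impl, sys_ioctl_impl };
    memcpy(sys_call_table, init, sizeof init);
    memcpy(protected_copy, init, sizeof init);
    vmm_expected = vmm_hash(protected_copy, sizeof protected_copy);
}
/* Step 4 on the slide: KM invoked on the monitor interrupt. Returns how many
 * entries differ from the saved copy; restores them when repair != 0. */
int km_check_syscall_table(int repair) {
    int hooked = 0;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (sys_call_table[i] != protected_copy[i]) {
            hooked++;
            if (repair) sys_call_table[i] = protected_copy[i];
        }
    }
    return hooked;
}
/* Step 2 on the slide: on the hardware timer interrupt the VMM validates the
 * protected KM before trusting it. 1 = intact, 0 = KM data was altered. */
int vmm_validate_km(void) {
    return vmm_hash(protected_copy, sizeof protected_copy) == vmm_expected;
}
/* Constructed rootkit behaviour, used only to exercise the checks. */
static long evil_read(long fd)  { (void)fd; return -1; }
void rootkit_hook_read(void)    { sys_call_table[0] = evil_read; }
void rootkit_poison_copy(void)  { protected_copy[0] = evil_read; }
```

Once protected_copy has been altered, the KM's own repair would reinstall the rootkit's pointer, which is why the VMM's validation (step 2) must run before the KM is invoked (step 4).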
Page 10
Implementation
• Implemented VMM security functionality in an emulated hardware device within QEMU
• Protected KM data and text compiled into QEMU emulator (VMM)
Diagram: Linux Kernel Source with Protection KM → Compilation → Kernel Image (Protected Text Sect., Protected Data Sect.) → QEMU Emulator (VMM) Compilation → QEMU Emulator (VMM) containing Protected Text and Protected Data
Page 11
Implementation
• Malicious native mode application
  – Read contacts database
  – Read GPS location
  – Exfiltrated data using sockets
• Malicious LKM
  – Intercept read system calls to access GPS location
Page 12
Results
• We are able to detect/correct modifications to the sys_call_table
• We are able to prevent malicious access to sensitive resources
• TODO Mention Malicious App and LKM
• TODO: (Insert link to demo)
Page 13
Conclusion
• Layer Below Protection
  – Security of the Linux kernel must be rooted in a layer below the kernel
  – Code contained solely in the kernel is subject to any kernel-level attack
• Sensitive Resource Protection
  – Android mobile phones contain lots of sensitive information that must be protected
Page 14
| Architecture Layer | Security Mechanism | Threat Mitigation |
| --- | --- | --- |
| | App Permissions, Dalvik VM Isolation, App signatures | Limits application abilities in order to prevent malicious behavior. |
| | Virus Scanners, Remote Lockout | Modified system binaries, Trojan’d services, Stolen device |
| | Linux user and group permissions | Access control |
Page 16
Problem Statement
• Rootkit detection and prevention on the Android platform with specific regard to the sensitive resources Android provides.
• Kaspersky 2011: 1046 unique malware strains targeting mobile platforms
• Android platform built on Linux Kernel, a well known target.
• Sensitive information on smart phones
  – GPS, contacts, text messages, call log