1 / 14

VMM Based Rootkit Detection on Android

VMM Based Rootkit Detection on Android. Class Presentation Pete Bohman , Adam Kunk , Erik Shaw (ONL). Problem Statement. Rootkit detection and prevention on the Android platform with specific regards to the sensitive resources Android provides . Linux kernel a major target

finola
Download Presentation

VMM Based Rootkit Detection on Android

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)

  2. Problem Statement • Rootkit detection and prevention on the Android platform with specific regards to the sensitive resources Android provides. • Linux kernel a major target • Lots of sensitive information on smart phones • GPS, banking info, text messages, contacts, etc.

  3. Other Approaches • User Level Mechanisms • Can be subverted via kernel level attacks • Checking ‘ps’ and ‘ls’ to make sure they are valid, Tripwire and chkrootkit programs • Kernel Level Mechanisms • Can be subverted via kernel level attacks as well • Checking for Direct Kernel Object Manipulation (DKOM), syscall table checking mechanisms

  4. Our Approach • Two-pronged: • VMM protects static kernel module (ensures integrity of the kernel module) • Kernel module ensures integrity of the syscall table as well as protects sensitive resources from invalid access • We exercise a “layer-below” level of security in which we establish trust beneath the kernel

  5. Solution Preview • TODO: (Need a nice picture (or two) of our solution) • TODO: (Maybe one picture of the VMM/kernel module interaction and one picture of the capabilities table interaction)

  6. Overview • Design • Implementation • Results • Watch a demo • Conclusion • Q&A

  7. Design (TODO: is this just a restatement of the ‘Our Approach’ slide?) • VMM root of trust below the kernel • VMM ensures integrity of Trusted Kernel Module • Kernel module ensures integrity of sys_call_table and protects sensitive resources

  8. Implementation • Instead of utilizing a VMM as the lowest layer, we created a new hardware device in the QEMU emulator • Hardware device based on virtualized timer which expires at predefined intervals • When a timer interval expires, an interrupt is generated and the timer is reset • During each interrupt, the hardware device calls into our kernel module to pass execution • Integrity checks are done on the sys_call_table

  9. Implementation (cont.) • Compilation environment • The hardware device needs to know the contents of the sys_call_table in order to verify integrity • We make use of a python script, grabBytes.py in order to index into the executable Android image and grab the sys_call_tablebinary data as well as that of our trusted kernel module • The python script generates .c/.h files with the integrity data and is compiled into the emulator and Android executable

  10. Implementation (cont.) • We implemented a static Kernel Module (KM) in order to make integrity checks on the sys_call_table • The kernel module contains a copy of the original sys_call_table and compares this to the running version • The KM also sets its own hooks in the sys_call_table in order to detect malicious access to sensitive resources • e.g. Check for invalid process access to sys_open system call attempting to open a sensitive resource file (contacts2.db)

  11. Results • We are able to detect/correct modifications to the sys_call_table • We are able to prevent malicious access to sensitive resources • TODO: (Insert link to demo)

  12. Conclusion • Layer Below Protection • Security of the Linux kernel must be rooted in a layer below the kernel • Code contained solely in the kernel is subject to any kernel-level attack • Sensitive Resource Protection • Android mobile phones contain lots of sensitive information that must be protected

  13. Questions?

More Related