VMM Based Rootkit Detection on Android
Class Presentation
Pete Bohman, Adam Kunk, Erik Shaw (ONL)
Problem Statement
• Rootkit detection and prevention on the Android platform with specific regard to the sensitive resources Android provides.
• Linux kernel a major target
• Lots of sensitive information on smart phones
  • GPS, banking info, text messages, contacts, etc.
Other Approaches
• User Level Mechanisms
  • Can be subverted via kernel level attacks
  • Checking ‘ps’ and ‘ls’ to make sure they are valid, Tripwire and chkrootkit programs
• Kernel Level Mechanisms
  • Can be subverted via kernel level attacks as well
  • Checking for Direct Kernel Object Manipulation (DKOM), syscall table checking mechanisms
Our Approach
• Two-pronged:
  • VMM protects static kernel module (ensures integrity of the kernel module)
  • Kernel module ensures integrity of the syscall table as well as protects sensitive resources from invalid access
• We exercise a “layer-below” level of security in which we establish trust beneath the kernel
Solution Preview
• TODO: (Need a nice picture (or two) of our solution)
• TODO: (Maybe one picture of the VMM/kernel module interaction and one picture of the capabilities table interaction)
Overview
• Design
• Implementation
• Results
• Watch a demo
• Conclusion
• Q&A
Design (TODO: is this just a restatement of the ‘Our Approach’ slide?)
• VMM root of trust below the kernel
• VMM ensures integrity of Trusted Kernel Module
• Kernel module ensures integrity of sys_call_table and protects sensitive resources
Implementation
• Instead of utilizing a VMM as the lowest layer, we created a new hardware device in the QEMU emulator
• Hardware device based on virtualized timer which expires at predefined intervals
  • When a timer interval expires, an interrupt is generated and the timer is reset
• During each interrupt, the hardware device calls into our kernel module to pass execution
  • Integrity checks are done on the sys_call_table
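As an added illustration (this is not the presentation's code), the following user-space C model shows the integrity check that runs on each timer interrupt: a trusted copy of sys_call_table is captured at initialisation, every live entry is compared against it, and any entry that differs is reported and restored. The syscall stubs, the table size and the simulated rootkit hook are constructed for this example; in the real kernel module the trusted copy is the build-time data compiled into the KM.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define NR_SYSCALLS 8

typedef long (*syscall_fn)(long);

/* Stand-ins for the kernel's real entry points (constructed for this example). */
static long sys_read_stub(long a)  { return a; }
static long sys_write_stub(long a) { return a + 1; }
static long sys_open_stub(long a)  { return a + 2; }
static long sys_close_stub(long a) { return a + 3; }
static long sys_ni_stub(long a)    { (void)a; return -38; } /* -ENOSYS */

/* What a rootkit installs: its own handler in place of sys_open. */
static long rootkit_open(long a) { (void)a; return -1; }

/* The live table a kernel-level attacker can overwrite. */
static syscall_fn sys_call_table[NR_SYSCALLS];

/* The trusted reference copy. In the talk this is the data the build-time
 * script extracts from the Android image and compiles into the KM; here it
 * is captured once at initialisation and never written again. */
static syscall_fn trusted_table[NR_SYSCALLS];

void init_tables(void) {
    syscall_fn initial[NR_SYSCALLS] = {
        sys_read_stub, sys_write_stub, sys_open_stub, sys_close_stub,
        sys_ni_stub, sys_ni_stub, sys_ni_stub, sys_ni_stub
    };
    memcpy(sys_call_table, initial, sizeof initial);
    memcpy(trusted_table, initial, sizeof initial);
}

/* Run on every timer interrupt. Compares each live entry with the trusted
 * copy, reports mismatches, and (if restore != 0) puts the trusted value
 * back. Returns the number of entries that were found modified. */
int check_sys_call_table(int restore) {
    int tampered = 0;
    for (size_t i = 0; i < NR_SYSCALLS; i++) {
        if (sys_call_table[i] == trusted_table[i])
            continue;
        tampered++;
        printf("sys_call_table[%zu] modified: live=%lx trusted=%lx%s\n",
               i, (unsigned long)sys_call_table[i],
               (unsigned long)trusted_table[i],
               restore ? " (restored)" : "");
        if (restore)
            sys_call_table[i] = trusted_table[i];
    }
    return tampered;
}

/* Simulates a rootkit hooking sys_open (index 2 in this toy table). */
void simulate_rootkit_hook(void) {
    sys_call_table[2] = rootkit_open;
}

int main(void) {
    init_tables();
    printf("first check: %d modified\n", check_sys_call_table(1));
    simulate_rootkit_hook();
    printf("after hook:  %d modified\n", check_sys_call_table(1));
    printf("re-check:    %d modified\n", check_sys_call_table(1));
    return 0;
}
```

The comparison is by function address, which is exactly what a hook changes; it does not detect inline patching of the handler bodies themselves, which is why the talk pairs this check with the VMM-level verification of the kernel module's own bytes.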
Implementation (cont.)
• Compilation environment
  • The hardware device needs to know the contents of the sys_call_table in order to verify integrity
  • We make use of a Python script, grabBytes.py, to index into the executable Android image and grab the sys_call_table binary data as well as that of our trusted kernel module
  • The Python script generates .c/.h files with the integrity data, which are compiled into the emulator and Android executable
Implementation (cont.)
• We implemented a static Kernel Module (KM) in order to make integrity checks on the sys_call_table
  • The kernel module contains a copy of the original sys_call_table and compares this to the running version
• The KM also sets its own hooks in the sys_call_table in order to detect malicious access to sensitive resources
  • e.g. detect an unauthorized process calling sys_open to open a sensitive resource file (contacts2.db)
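The sys_open hook described above, modelled in user-space C as an added example (not the presentation's code): a policy table lists each protected file and the uids permitted to open it, the hook consults the table before forwarding to the saved original handler, and a call from any other uid is refused with EACCES and logged. The uids and the second protected path are constructed for this example; the contacts2.db path is the standard location of the Android contacts database.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

#define MAX_ALLOWED 4

/* A protected file and the uids allowed to open it (-1 ends the list).
 * Android gives each app its own uid, so the uid identifies the caller.
 * The uids below are constructed for this example. */
struct sensitive_resource {
    const char *path;
    int allowed_uids[MAX_ALLOWED];
};

static const struct sensitive_resource policy[] = {
    { "/data/data/com.android.providers.contacts/databases/contacts2.db", { 10005, -1 } },
    { "/data/data/com.android.providers.telephony/databases/mmssms.db",   { 10006, -1 } },
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Stand-in for the kernel's original sys_open; returns a fake descriptor. */
static long original_sys_open(int uid, const char *path, int flags) {
    (void)uid; (void)path; (void)flags;
    return 3;
}

/* Saved pointer to the original handler, kept so legitimate calls are
 * forwarded unchanged. */
static long (*orig_sys_open)(int, const char *, int) = original_sys_open;

static int blocked_calls;

static const struct sensitive_resource *find_rule(const char *path) {
    for (size_t i = 0; i < POLICY_LEN; i++)
        if (strcmp(policy[i].path, path) == 0)
            return &policy[i];
    return NULL;
}

static int uid_allowed(const struct sensitive_resource *r, int uid) {
    for (int i = 0; i < MAX_ALLOWED && r->allowed_uids[i] != -1; i++)
        if (r->allowed_uids[i] == uid)
            return 1;
    return 0;
}

/* The replacement entry the KM writes into sys_call_table for sys_open.
 * In a real kernel the caller's uid comes from the current task's
 * credentials rather than an argument; it is a parameter here so the
 * policy logic can be exercised from user space. */
long hooked_sys_open(int uid, const char *path, int flags) {
    const struct sensitive_resource *rule = find_rule(path);
    if (rule && !uid_allowed(rule, uid)) {
        blocked_calls++;
        printf("blocked: uid %d attempted to open %s\n", uid, path);
        return -EACCES;
    }
    return orig_sys_open(uid, path, flags);
}

int blocked_call_count(void) { return blocked_calls; }

int main(void) {
    const char *db = "/data/data/com.android.providers.contacts/databases/contacts2.db";
    printf("contacts provider: %ld\n", hooked_sys_open(10005, db, 0));
    printf("other app:         %ld\n", hooked_sys_open(10042, db, 0));
    printf("unrelated file:    %ld\n", hooked_sys_open(10042, "/data/data/com.example.app/cache/tmp", 0));
    printf("blocked calls:     %d\n", blocked_call_count());
    return 0;
}
```

Two caveats carry over to a real hook: the comparison must be made on the resolved pathname (relative paths, symlinks and hard links all reach the same inode), and the hook entry itself is only as durable as the table integrity check that restores it if a rootkit overwrites it.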
Results
• We are able to detect/correct modifications to the sys_call_table
• We are able to prevent malicious access to sensitive resources
• TODO: (Insert link to demo)
Conclusion
• Layer Below Protection
  • Security of the Linux kernel must be rooted in a layer below the kernel
  • Code contained solely in the kernel is subject to any kernel-level attack
• Sensitive Resource Protection
  • Android mobile phones contain lots of sensitive information that must be protected