Rootkits on Smart Phones: Attacks, Implications and Opportunities
Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode
Department of Computer Science, Rutgers University
HotMobile 2/23/2010

Rise of the Smart Phone
• 1993: Simon: calendar, address book, e-mail; touch screen; on-screen "predictive" keyboard
• 2000: Ericsson R380: Symbian OS
• 2002: BlackBerry 5810, Windows Pocket PC, Treo 180
• 2007: iPhone
• 2008: iPhone 3G/3GS, Android, App Stores
Smart Phone Users
Smart Phone Interfaces
A rich set of interfaces is now available: GSM, GPS, Bluetooth, accelerometer, microphone, camera.
Smart Phone Apps
• Contacts
• Location
• Banking
Over 140,000 apps today

Smart Phone Operating Systems
OS                 Lines of Code
Linux 2.6 Kernel   10 million
Android            20 million
Symbian            20 million
Complexity comparable to desktops
The Rise of Mobile Malware
• 2004: Cabir: spreads via Bluetooth; drains battery (the victim sees the prompt "Receive message via Bluetooth? Yes / No")
• 2006: RedBrowser: first J2ME malware; sends texts to premium numbers
• 2009: Kaspersky Labs report: 106 types of mobile malware, 514 modifications

“My iPhone is not jailbroken and it is running iPhone OS 3.0”
Contributions
• Introduce rootkits into the space of mobile malware
• Demonstrate with three proof-of-concept rootkits
• Explore the design space for detection
Rootkits
[Diagram: user space holds the apps, the libraries and the antivirus; kernel space holds the kernel code, the system call table, the drivers and the process lists. A virus lives in user space, at the same level as the antivirus that looks for it. A rootkit lives in kernel space, beneath the antivirus, inside the very code the antivirus depends on.]
Proof of Concept Rootkits
Note: We did not exploit vulnerabilities
• 1. Conversation Snooping Attack
• 2. Location Attack
• 3. Battery Depletion Attack
Openmoko Freerunner
1. Conversation Snooping Attack
Attacker -> rootkit-infected phone: SMS "Dial me 666-6666"
Rootkit: delete the SMS, turn on the mic, call the attacker
Rootkit stops if user tries to dial

1. Conversation Snooping Attack (calendar variant)
Trigger: calendar notification
Rootkit: turn on the mic, call the attacker

2. Location Attack
Attacker -> rootkit-infected phone: SMS "Send Location 666-6666"
Rootkit: query GPS, reply by SMS "N40°28', W074°26'", delete the SMS
3. Battery Depletion Attack
• Rootkit turns on high powered devices
• Rootkit shows original device status
[Chart: Battery Life For Different Smartphones. x-axis: Phone Make and Model (Verizon Touch, ATT Tilt, Neo FreeRunner); y-axis: Hours of Battery Life (idle), 0 to 70; two series: Normal Idle Operation vs. All Peripherals Active. Bar labels as extracted: 52 51 / 44 / 4 52.]
Rootkit Detection
[Diagram: a rootkit detector installed in user space, next to the apps and libraries, while the rootkit sits in kernel space below it. A user-space rootkit detector DOES NOT WORK: everything it sees is served by the kernel the rootkit controls.]
Memory Introspection
Training phase: the monitor machine fetches and copies a region of the target machine's kernel memory (the slides use the system call table) while the target is known to be clean.
Detection phase: the monitor fetches the same region again and compares it with the training copy. If they match: System OK. If a system call table entry has been redirected to the rootkit's code (mal_write() on the slide): Rootkit Detected.
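The training and detection phases above, as an added example that is not from the slides or from the authors' implementation. It models the system call table as an array of code addresses, the out-of-band fetch as a raw copy, and adds the check a practitioner would pair with the snapshot: every entry must point into kernel text. The address layout (kernel text from 0xc0008000, module space below 0xc0000000, a mal_write() at 0xbf012340) and the function names are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_SYSCALLS 8
#define SYS_READ    3
#define SYS_WRITE   4

/* Constructed address layout (assumption, roughly that of a 32-bit ARM Linux
 * kernel): kernel text starts at 0xc0008000; loadable modules, where a
 * rootkit's own code would live, sit below 0xc0000000. */
#define KERNEL_TEXT_START 0xc0008000UL
#define KERNEL_TEXT_END   0xc0400000UL
#define MAL_WRITE_ADDR    0xbf012340UL   /* hypothetical mal_write() in module space */

/* Target machine: the system call table, as code addresses. */
struct target { uintptr_t sys_call_table[NR_SYSCALLS]; };

/* Monitor machine: the training-phase copy. */
struct monitor { uintptr_t snapshot[NR_SYSCALLS]; bool trained; };

/* Out-of-band fetch (remote DMA or hypervisor): a raw copy of target memory
 * that does not pass through the target's, possibly rootkitted, OS. */
static void fetch(const struct target *t, uintptr_t *out) {
    memcpy(out, t->sys_call_table, sizeof t->sys_call_table);
}

/* Training phase: fetch and copy the table while the target is known clean. */
void train(struct monitor *m, const struct target *t) {
    fetch(t, m->snapshot);
    m->trained = true;
}

/* Detection phase: fetch again and compare with the snapshot. Independently
 * of the snapshot, every entry must point into kernel text; a hook living in
 * module memory fails that invariant even without a training phase.
 * Returns the number of bad entries; *first_bad gets the lowest bad index. */
int detect(const struct monitor *m, const struct target *t, int *first_bad) {
    uintptr_t now[NR_SYSCALLS];
    int bad = 0;
    fetch(t, now);
    *first_bad = -1;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        bool changed = m->trained && now[i] != m->snapshot[i];
        bool outside = now[i] < KERNEL_TEXT_START || now[i] >= KERNEL_TEXT_END;
        if (changed || outside) {
            if (*first_bad < 0) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Clean target: every entry points at a distinct kernel-text address. */
void target_init(struct target *t) {
    for (int i = 0; i < NR_SYSCALLS; i++)
        t->sys_call_table[i] = KERNEL_TEXT_START + 0x1000UL * (i + 1);
}

/* Two ways a rootkit can hook sys_write: point it at its own code in module
 * space, or at a legitimate kernel function that does the wrong thing. */
void rootkit_hook_module(struct target *t) { t->sys_call_table[SYS_WRITE] = MAL_WRITE_ADDR; }
void rootkit_hook_intext(struct target *t) { t->sys_call_table[SYS_WRITE] = t->sys_call_table[SYS_READ]; }

/* Run one scenario: hook 0 = none, 1 = module-space hook, 2 = in-text hook.
 * Returns the first bad index (-1 if clean) and stores the bad count. */
int scenario(int hook, bool use_snapshot, int *bad_count) {
    struct target t;
    struct monitor m = { {0}, false };
    int idx;
    target_init(&t);
    if (use_snapshot) train(&m, &t);
    if (hook == 1) rootkit_hook_module(&t);
    else if (hook == 2) rootkit_hook_intext(&t);
    *bad_count = detect(&m, &t, &idx);
    return idx;
}

int main(void) {
    int n, idx;
    idx = scenario(0, true, &n);  printf("clean, snapshot:           %d bad, first at %d\n", n, idx);
    idx = scenario(1, true, &n);  printf("module hook, snapshot:     %d bad, first at %d\n", n, idx);
    idx = scenario(2, true, &n);  printf("in-text hook, snapshot:    %d bad, first at %d\n", n, idx);
    idx = scenario(2, false, &n); printf("in-text hook, no snapshot: %d bad, first at %d (missed)\n", n, idx);
    return 0;
}
```

The last scenario is the reason the training copy matters: a hook that redirects an entry to some other legitimate kernel function stays inside kernel text and passes the range invariant, and only the comparison against the snapshot catches it. The range invariant earns its keep in the other direction, flagging a module-space hook on a phone that was never trained.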
Monitoring Approaches
1. Hardware Approach
Monitor Machine <-> Target Machine (rootkit infected): the monitor reads the target's memory through a NIC with remote DMA support, so the read never passes through the compromised OS.
Smart Phone Challenge: the monitor machine has no equivalent path into the phone's memory.
Problem: need an interface allowing memory access without OS intervention (FireWire?)

2. VMM-based Approach
Host Machine: a hypervisor, with the Detector running in the Dom0 OS above it.
Smart Phone Challenge
Problem: CPU-intensive detection algorithms exhaust phone battery
Solution: Offload detection work to the service provider (the phone sends pages, the provider does the CPU intensive work and returns a response)

Optimizations for Energy-Efficiency
[Diagram: the monitor consults the target's page table and fetches pages from the target.]
Problem: Too many memory pages may have to be transferred
Solution: Only fetch and scan pages that have been recently modified (the per-page bits in the page table, 0 for untouched and 1 for modified, tell the monitor which pages to fetch)
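The dirty-page optimization above, as an added example that is not from the slides or from the authors' implementation. It models a phone's memory as a handful of toy pages with one page-table entry each, a monitor on the service-provider side that holds a baseline copy, and a detection round that transfers only pages whose modified bit is set. The page size, page count, the split into immutable pages (kernel code, syscall table) and data pages, and the sample writes are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES  8
#define PAGE_SIZE 64          /* toy page size so the sample stays small */
#define PTE_DIRTY 0x1u        /* the "recently modified" bit in a page-table entry */

/* Target (phone) memory: pages plus one page-table entry per page. */
struct target { uint8_t mem[NR_PAGES][PAGE_SIZE]; uint32_t pte[NR_PAGES]; };

/* Monitor (service-provider side): the baseline copy of every page. */
struct monitor { uint8_t baseline[NR_PAGES][PAGE_SIZE]; };

/* Result of one detection round. */
struct scan_result { int pages_fetched; int alerts; int first_alert_page; };

/* All writes on the target go through here so the dirty bit is set, as the
 * MMU would do on a real page table. */
void target_write(struct target *t, int page, int off, uint8_t v) {
    t->mem[page][off] = v;
    t->pte[page] |= PTE_DIRTY;
}

/* Training phase: copy everything once, then clear the dirty bits so the next
 * round sees only changes made after this point. */
void train(struct monitor *m, struct target *t) {
    memcpy(m->baseline, t->mem, sizeof t->mem);
    for (int i = 0; i < NR_PAGES; i++) t->pte[i] &= ~PTE_DIRTY;
}

/* Detection phase: transfer only dirty pages. A dirty page that should never
 * change (kernel text, system call table) and differs from the baseline is a
 * rootkit alert; a changed data page just refreshes the baseline. */
struct scan_result detect(struct monitor *m, struct target *t, const bool *immutable) {
    struct scan_result r = { 0, 0, -1 };
    for (int i = 0; i < NR_PAGES; i++) {
        uint8_t page[PAGE_SIZE];
        if (!(t->pte[i] & PTE_DIRTY)) continue;       /* untouched: no transfer */
        memcpy(page, t->mem[i], PAGE_SIZE);           /* the costly "Send Pages" step */
        r.pages_fetched++;
        if (memcmp(page, m->baseline[i], PAGE_SIZE) != 0) {
            if (immutable[i]) {
                if (r.first_alert_page < 0) r.first_alert_page = i;
                r.alerts++;
            } else {
                memcpy(m->baseline[i], page, PAGE_SIZE);
            }
        }
        t->pte[i] &= ~PTE_DIRTY;                      /* reset for the next round */
    }
    return r;
}

/* Constructed scenario: pages 0-2 hold kernel code and the syscall table
 * (immutable), pages 3-7 hold data. After training, an app updates a data
 * page and a rootkit writes a hook into the syscall-table page. */
void scenario(struct scan_result *first, struct scan_result *second) {
    static const bool immutable[NR_PAGES] = { true, true, true, false, false, false, false, false };
    struct target t;
    struct monitor m;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < NR_PAGES; i++)
        for (int j = 0; j < PAGE_SIZE; j++) t.mem[i][j] = (uint8_t)(i * 7 + j);
    train(&m, &t);
    target_write(&t, 5, 3, 0xff);          /* benign: application data changed */
    target_write(&t, 1, 8, 0xbf);          /* rootkit: syscall table entry redirected */
    *first = detect(&m, &t, immutable);
    *second = detect(&m, &t, immutable);   /* nothing dirty now: nothing transferred */
}

int main(void) {
    struct scan_result a, b;
    scenario(&a, &b);
    printf("round 1: fetched %d of %d pages (%d bytes instead of %d), %d alert(s), first on page %d\n",
           a.pages_fetched, NR_PAGES, a.pages_fetched * PAGE_SIZE, NR_PAGES * PAGE_SIZE,
           a.alerts, a.first_alert_page);
    printf("round 2: fetched %d pages, %d alert(s)\n", b.pages_fetched, b.alerts);
    return 0;
}
```

One caveat that the slides do not spell out and that this model makes visible: the page table is itself target memory, so a rootkit that controls the OS can clear the dirty bit after writing its hook and the optimized round would skip that page. The saving is only safe when the monitor reads and resets the page table through the hypervisor or hardware path rather than asking the OS, and a periodic full fetch is still worth the energy.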
Related Work (1/2)
Rootkit Detection
• Enforcement of Kernel Data Structure Invariants [Baliga, et al., ACSAC 2008]
• Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]
Mobile Security and Detection
• Semantically Rich Application-Centric Security in Android [Ongtang, et al., ACSAC 2009]
• Detecting Energy-Greedy Anomalies [Kim, et al., MobiSys 2008]

Related Work (2/2)
Mobile Malware
• Cellular Botnets: Impact on Network Core [Traynor, et al., CCS 2009]
• Exploiting MMS Vulnerabilities to Exhaust Battery [Racic, et al., SecureComm 2006]
• Exploiting SMS-Capable Cellular Network [Enck, et al., CCS 2005]
Conclusion and Future Work
Conclusions:
• Rootkits are now a threat to smart phones
Future Work:
• Energy efficient rootkit detection techniques
• Develop a rootkit detector for smart phones

Thank You!