VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Presentation transcript:

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw

Motivation
(Chart: The Increase of Mobile Malware Variants, 2004 – 2010)
- Smartphone malware is on the rise
- Increased security implications compared to the PC:
  - sensitive information on the device: GPS, contacts, SMS, call log
  - constantly connected to the Internet
  - naïve users, limited use of anti-virus protection

Rootkit Approaches and Defenses
- User mode rootkits: process infection, binary patching, library hooks
- User mode integrity checkers: Tripwire, chkrootkit, rkhunter, AV scanners
- Kernel mode rootkits: malicious device drivers and LKMs; system call hooking, kernel data structure manipulation (DKOM)
- Kernel level inspection: behavioral analysis, data structure integrity checkers, hook detection
But any kernel level inspection mechanism runs at the same privilege as a kernel level rootkit, so it can be subverted by one.

Our Approach
Two pronged:
1. Kernel module (KM) security mechanisms
   - system call table integrity checks
   - hidden process detection
   - ACLs for Android personal data
2. VMM inspection
   - ensures the integrity of the static KM
   - isolated from the guest OS
We exercise a "layer-below" approach to security: trust is established beneath the kernel, so the KM's own integrity does not depend on the kernel it protects.
(Figure: Android software stack)

Overview
- Design: VMM interface design, protection KM design
- Implementation
- Results
- Demo
- Conclusion
- Q&A

VMM Interface Design
(Figure: stack from the bottom up: Android VMM on the emulated hardware, Linux kernel with the trusted KM, libraries and runtime, application framework)
Sequence on every check:
1. Hardware timer interrupt fires in the VMM
2. VMM validates the protected KM
3. VMM raises the monitor interrupt
4. Kernel invokes the KM

Protection KM Design
(Figure: the trusted KM inside the Linux kernel holds a system call whitelist, a copy of the original sys_call_table. A malicious native application, sitting below the application framework (Maps, Contacts, SMS app, Content Provider, Location Provider, Activity Manager), issues open, socket, read (GPS) and SQL query system calls; all of them go through the sys_call_table that the KM guards.)

Protection KM Design
(Figure: a malicious LKM overwrites sys_call_table entries (X, Y, Z) with its own handlers. When the Android VMM raises the monitor interrupt, the trusted KM compares the live sys_call_table against its whitelist copy of the original table.)

Implementation: VMM Interface
- VMM security functionality implemented as an emulated hardware device within QEMU
- Protected KM data and text sections compiled into the QEMU emulator (the VMM), so the VMM holds a golden copy that the guest cannot reach
(Figure: Linux kernel source with the protection KM → compilation → kernel image containing the protected text and data sections; the same sections → compilation → QEMU emulator (VMM) carrying its own copy of the protected text and protected data)
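The VMM-side check, written out as a userspace model. This is an added example, not the project's QEMU device code: the guest RAM, the section bytes, the guest offsets and the rootkit stand-in are all constructed for the example, and the restore-from-golden-copy step on a mismatch is this example's assumption (the slide only states that the VMM validates the KM before raising the monitor interrupt).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the VMM-side check on the slide. Added example, not the
 * project's QEMU code: guest RAM, section contents and offsets are constructed
 * stand-ins; in the real design the protected text and data come out of the
 * kernel build and are compiled into the emulator. */

#define TEXT_LEN 16
#define DATA_LEN 8
#define TEXT_PA 0x100   /* constructed guest offsets of the protected sections */
#define DATA_PA 0x800

/* Golden copies "compiled into" the VMM (constructed bytes). */
static const uint8_t golden_text[TEXT_LEN] = {
    0xe9, 0x2d, 0x40, 0x30, 0xe1, 0xa0, 0x40, 0x00,
    0xe8, 0xbd, 0x40, 0x30, 0xe1, 0x2f, 0xff, 0x1e };
static const uint8_t golden_data[DATA_LEN] = {
    0x00, 0x80, 0x01, 0xc0, 0x10, 0x80, 0x01, 0xc0 };

/* Constructed guest physical memory holding the loaded KM. */
static uint8_t guest_ram[4096];

/* Device state, as a QEMU device model would keep it. */
static struct {
    unsigned ticks;               /* hardware timer interrupts seen (step 1) */
    unsigned monitor_interrupts;  /* monitor interrupts raised (step 3)      */
    long     last_bad_offset;     /* guest offset of first mismatch, -1 if none */
} mon;

/* Guest boot: the VMM places the trusted KM at its load address. */
void vmm_init(void)
{
    memset(guest_ram, 0, sizeof guest_ram);
    memcpy(guest_ram + TEXT_PA, golden_text, TEXT_LEN);
    memcpy(guest_ram + DATA_PA, golden_data, DATA_LEN);
    mon.ticks = 0;
    mon.monitor_interrupts = 0;
    mon.last_bad_offset = -1;
}

/* Step 2: byte-compare one guest section with its golden copy.
 * Returns the first differing offset within the section, or -1 if intact. */
static long compare_section(const uint8_t *guest, const uint8_t *golden, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (guest[i] != golden[i])
            return (long)i;
    return -1;
}

/* Timer interrupt handler (steps 1-4). The KM is validated before the monitor
 * interrupt hands control to it; if it was tampered with, the VMM rewrites it
 * from the golden copy first (restoration is this example's assumption).
 * Returns 1 if tampering was found on this tick, 0 otherwise. */
int vmm_timer_tick(void)
{
    int tampered = 0;
    long bad;

    mon.ticks++;
    bad = compare_section(guest_ram + TEXT_PA, golden_text, TEXT_LEN);
    if (bad >= 0) {
        mon.last_bad_offset = TEXT_PA + bad;
        memcpy(guest_ram + TEXT_PA, golden_text, TEXT_LEN);
        tampered = 1;
    }
    bad = compare_section(guest_ram + DATA_PA, golden_data, DATA_LEN);
    if (bad >= 0) {
        if (!tampered)
            mon.last_bad_offset = DATA_PA + bad;
        memcpy(guest_ram + DATA_PA, golden_data, DATA_LEN);
        tampered = 1;
    }
    if (tampered)
        printf("tick %u: protected KM modified at guest offset 0x%lx, restored\n",
               mon.ticks, mon.last_bad_offset);
    mon.monitor_interrupts++;   /* step 3; the guest then runs the validated KM (step 4) */
    return tampered;
}

/* Attacker stand-in: a kernel-level rootkit patching one byte of the KM's
 * check routine (constructed; it models the threat, not a specific rootkit). */
void rootkit_patch_km(void)
{
    guest_ram[TEXT_PA + 3] ^= 0xff;
}

int main(void)
{
    vmm_init();
    vmm_timer_tick();            /* clean */
    rootkit_patch_km();
    vmm_timer_tick();            /* detected and restored */
    printf("ticks=%u monitor_interrupts=%u\n", mon.ticks, mon.monitor_interrupts);
    return 0;
}
```

The byte-compare against a full golden copy is only possible because the VMM carries the sections itself; a hash-only design would detect but not restore. Note what the model does not cover: the check is polled from the timer, so a modification made and reverted between two ticks is never seen, and the data section can only be protected this way if nothing in it legitimately changes at run time.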

Implementation: Protection KM
- Checks the system service function pointers in sys_call_table; reports the problem and restores them if they have been altered
- Hooks sys_open and prevents access to mmssms.db and contacts2.db unless the calling process name and its parent process name are found in the access control list
- Likewise restricts socket creation and sys_read of GPS data according to the access control list
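The two KM mechanisms above as a userspace model, so the check-and-restore loop and the name-based ACL can be exercised outside a kernel. Added example, not the project's module: sys_call_table, the syscall bodies, the process names, the ACL entries and the MindTrick-style LKM stand-in are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the protection KM on the slide. Added example, not the
 * project's module: sys_call_table, the syscall bodies, process names and
 * ACL entries are constructed stand-ins for the real kernel objects. */

typedef long (*syscall_fn)(long arg);

enum { NR_READ, NR_OPEN, NR_SOCKET, NR_SYSCALLS };

static long real_read(long fd)   { return fd; }  /* stand-in for sys_read   */
static long real_open(long fd)   { return fd; }  /* stand-in for sys_open   */
static long real_socket(long fd) { return fd; }  /* stand-in for sys_socket */

/* Constructed stand-in for the kernel's sys_call_table. */
static syscall_fn sys_call_table[NR_SYSCALLS];

/* Snapshot of the original table taken when the trusted KM loads
 * (the slide's "System Call Whitelist"). */
static syscall_fn whitelist[NR_SYSCALLS];

void protection_km_init(void)
{
    sys_call_table[NR_READ]   = real_read;
    sys_call_table[NR_OPEN]   = real_open;
    sys_call_table[NR_SOCKET] = real_socket;
    memcpy(whitelist, sys_call_table, sizeof whitelist);
}

/* Integrity check run on the VMM's monitor interrupt: report and restore
 * every entry that no longer matches the whitelist. Returns how many. */
int check_sys_call_table(void)
{
    int repaired = 0;
    for (int nr = 0; nr < NR_SYSCALLS; nr++) {
        if (sys_call_table[nr] != whitelist[nr]) {
            printf("sys_call_table[%d] altered, restoring original\n", nr);
            sys_call_table[nr] = whitelist[nr];
            repaired++;
        }
    }
    return repaired;
}

/* Files guarded by the sys_open hook, matched on basename as on the slide. */
static const char *sensitive_files[] = { "mmssms.db", "contacts2.db" };

/* ACL keyed on (process name, parent process name). Entries are constructed
 * for the example; a deployment would list the platform's provider processes. */
struct acl_entry { const char *comm; const char *parent_comm; };
static const struct acl_entry open_acl[] = {
    { "android.process.acore", "zygote" },
    { "com.android.phone",     "zygote" },
};

static int in_acl(const struct acl_entry *acl, size_t n,
                  const char *comm, const char *parent_comm)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(acl[i].comm, comm) == 0 &&
            strcmp(acl[i].parent_comm, parent_comm) == 0)
            return 1;
    return 0;
}

static int is_sensitive(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    for (size_t i = 0; i < sizeof sensitive_files / sizeof *sensitive_files; i++)
        if (strcmp(base, sensitive_files[i]) == 0)
            return 1;
    return 0;
}

/* sys_open hook: 1 = pass through to the original, 0 = deny (-EACCES). */
int hooked_open_allowed(const char *path, const char *comm, const char *parent_comm)
{
    if (!is_sensitive(path))
        return 1;
    return in_acl(open_acl, sizeof open_acl / sizeof *open_acl, comm, parent_comm);
}

/* Attacker stand-in: a MindTrick-style LKM replacing the read entry. */
static long evil_read(long fd) { return real_read(fd); }
void malicious_lkm_install(void) { sys_call_table[NR_READ] = evil_read; }

int main(void)
{
    protection_km_init();
    malicious_lkm_install();
    printf("repaired %d entries\n", check_sys_call_table());
    printf("evil open of contacts2.db allowed: %d\n",
           hooked_open_allowed("/data/data/com.android.providers.contacts/databases/contacts2.db",
                               "evil", "sh"));
    return 0;
}
```

The socket and GPS-read hooks on the slide follow the same shape with their own ACL lists. Two caveats a practitioner should keep in mind: a process chooses its own comm (prctl with PR_SET_NAME) and whoever spawns it chooses the parent, so a name-based ACL holds only against an attacker that does not bother to spoof names, which is the attacker in the results below; and because the table check is driven by the periodic monitor interrupt, a hook is live for the calls that happen between the moment it is installed and the next check.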

Implementation: Attacker Components
Malicious native application:
- reads the contacts database file
- reads the GPS location
- transmits the data over network sockets
- runs as a Linux user mode process, underneath the Android application framework
Malicious LKM:
- implemented by following the MindTrick rootkit techniques
- intercepts read system calls to capture the GPS location
- attempts to access the SMS and contacts database files

Results
We are able to detect and correct modifications to the sys_call_table:
- malicious LKM system call table hooking was thwarted
- malicious LKM unable to obtain GPS coordinates
We are able to prevent malicious access to sensitive resources:
- malicious application fails to read GPS data, fails to open the sensitive database files, and fails to open network sockets
- malicious LKM also fails to open the sensitive database files

Conclusion
"Layer-below" protection:
- Security of the Linux kernel must be rooted in a layer below the kernel to withstand kernel level attacks
- Trusted "layer-below" protection mechanisms can serve as the secure foundation for enabling additional advanced protection mechanisms in the kernel

Questions?

Backup – Android Architecture

Backup – Protection by Layer
(Table columns: Architecture Layer | Security Mechanism | Threat Mitigation; the column layout was lost in extraction, cells are listed in slide order)
- App permissions, Dalvik VM isolation, app signatures: limit application abilities in order to prevent malicious behavior
- Virus scanners, remote lockout: modified system binaries, Trojan'd services, stolen device
- Linux user and group permissions: access control

Backup – Problem Statement
Rootkit detection and prevention on the Android platform, with specific regard to the sensitive resources Android provides.
- Kaspersky 2011: 1046 unique malware strains targeting mobile platforms
- Android platform built on the Linux kernel, a well known target
- Sensitive information on smartphones: GPS, contacts, text messages, call log