Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw (ONL)

Outline
- The problem and why it is important
- Our solution and why it is better
- Proof of concept: LKM syscall table hook
- Preliminary design: defensive syscall-integrity LKM, Android VMM
- Preliminary results

The Problem
Detecting rootkits on Android smart phones. This is important because:
- Smartphone use is growing rapidly (especially Android, which just took first place in market share)
- Phones are starting to be used like small computers
- Phones carry a lot of sensitive data, at times more than a computer: GPS location, contacts, text messages, call records
- People make purchases on their phones, so billing information is stored there

The Problem (cont.)
- Rootkits are a major problem on any traditional monolithic operating system on our desktop computers
- Android is built on the Linux kernel, so many attack methods targeted at Linux (for example LKM rootkits) may apply to Android as well
- Power consumption is a major constraint on any prevention method that runs on a phone

Our Solution
A two-part solution:
- A VMM layer that lives below the guest Android OS
  - This layer-below approach ensures the integrity of the LKM that lives alongside the kernel, which is necessary in case another LKM attempts to hook into our LKM
  - Minimal execution in the VMM, to preserve power
- An LKM that monitors the integrity of the syscall table and the functions it points to
  - Executed at regular intervals

Proof of concept
- Demonstrating that the syscall table can be hooked
- This is how a rootkit can try to hide from the operating system
(NOTE: We need to add a design picture of the syscall hooking LKM)

Preliminary Design (cont.)
- The Android VMM lives a layer below the guest operating system, the Android kernel
- The Android VMM checks the integrity of the LKM that monitors the syscall table and the functions it points to
(picture will go here of our VMM design)

Preliminary Design (cont.)
- Modifying the boot order is not enough
- We must also modify the QEMU emulator to trap to our VMM
- This lets our VMM gain execution after the Android guest OS has booted
(picture will go here of our VMM interaction with QEMU, showing how we trap into our VMM)

Preliminary Design (cont.)
(Picture will go here of our design for the LKM that checks the integrity of the syscall table and the functions it points to)
- The LKM checks the integrity of the syscall table and of the functions it points to
- This check runs periodically
- The root of trust is placed in the VMM: the VMM checks the integrity of this LKM from a layer below
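The two pieces described above, the hooking proof of concept and the periodic integrity check, are modelled below in a single user-space C program. This is an added example, not the project's LKM or any kernel code: the syscall table is an array of handler addresses as sys_call_table is, but the handlers themselves are constructed byte arrays standing in for kernel code, and the hash is FNV-1a (an assumption; any collision-resistant hash serves the same purpose). The checker hashes both the table entries, which catches an entry being redirected, and the first bytes of each handler, which catches a rootkit that leaves the table alone and patches the handler prologue with a jump instead.

```c
/* Added example: user-space model of a syscall-table integrity monitor.
 * Not the project's LKM. "Handlers" are constructed byte arrays standing in
 * for kernel code so the logic runs anywhere; sys_call_table holds their
 * addresses exactly as the real table holds handler addresses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NR_SYSCALLS    4
#define PROLOGUE_BYTES 16   /* leading bytes of each handler that get hashed */

/* Constructed stand-ins for handler bodies (push rbp; mov rbp,rsp; marker). */
uint8_t sys_read_code[32]      = {0x55, 0x48, 0x89, 0xe5, 0x01};
uint8_t sys_write_code[32]     = {0x55, 0x48, 0x89, 0xe5, 0x02};
uint8_t sys_getdents_code[32]  = {0x55, 0x48, 0x89, 0xe5, 0x03};
uint8_t sys_open_code[32]      = {0x55, 0x48, 0x89, 0xe5, 0x04};
/* A rootkit's replacement handler (constructed). */
uint8_t evil_getdents_code[32] = {0x90, 0x90, 0xe9, 0xde, 0xad};

/* The "syscall table": one handler address per syscall number. */
uint8_t *sys_call_table[NR_SYSCALLS] = {
    sys_read_code, sys_write_code, sys_getdents_code, sys_open_code,
};

/* 64-bit FNV-1a. Fine for an integrity baseline; it is not a MAC, so the
 * baseline value itself must live where the guest cannot rewrite it (the VMM). */
static uint64_t fnv1a(uint64_t h, const void *buf, size_t n)
{
    const uint8_t *p = buf;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash every table entry (detects redirection) and the prologue of the
 * handler it points to (detects inline patching of an unchanged entry). */
uint64_t hash_syscall_table(void)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        uintptr_t addr = (uintptr_t)sys_call_table[i];
        h = fnv1a(h, &addr, sizeof addr);
        h = fnv1a(h, sys_call_table[i], PROLOGUE_BYTES);
    }
    return h;
}

static uint64_t baseline;

/* Taken once, on a table known to be clean (e.g. right after boot). */
void record_baseline(void) { baseline = hash_syscall_table(); }

/* The periodic check: 1 if the table and prologues match the baseline. */
int check_integrity(void) { return hash_syscall_table() == baseline; }

/* What the proof-of-concept rootkit LKM does: redirect one table entry.
 * Returns the original handler so the caller can forward to it and unhook. */
uint8_t *hook_syscall(int nr, uint8_t *new_handler)
{
    uint8_t *orig = sys_call_table[nr];
    sys_call_table[nr] = new_handler;
    return orig;
}

void unhook_syscall(int nr, uint8_t *orig) { sys_call_table[nr] = orig; }

/* The other hiding technique: overwrite a handler's first byte in place. */
void patch_prologue(uint8_t *handler, uint8_t byte) { handler[0] = byte; }

int main(void)
{
    record_baseline();
    printf("clean table : %s\n", check_integrity() ? "intact" : "MODIFIED");
    uint8_t *orig = hook_syscall(2, evil_getdents_code);
    printf("after hook  : %s\n", check_integrity() ? "intact" : "MODIFIED");
    unhook_syscall(2, orig);
    patch_prologue(sys_getdents_code, 0xe9);
    printf("after patch : %s\n", check_integrity() ? "intact" : "MODIFIED");
    return 0;
}
```

Two caveats carry over to the real design. First, a checker that runs as an LKM shares the kernel's address space with the rootkit, so the rootkit can patch the checker or its stored baseline; that is exactly why the slides put the root of trust in the VMM, which should hold the baseline and verify the checker from below. Second, hashing only the table misses prologue patching and hashing only prologues misses redirection, so the check must cover both, as above.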

Preliminary Results (boot time)
Boot times of the normal Android image (zImage) and the VMM image (zVmm) were measured. The results shown on the slide are the average of three boots for each image. The Linux 'time' utility was used to obtain the 'real', 'user', and 'sys' times of each boot. 'Boot time' was measured from launching the image in the Android emulator until the emulator had finished booting and the initial screen was unlocked.

Preliminary Results (boot time)

Preliminary Results (cont.)
If we get the syscall hooking LKM up and running, maybe we can show some data here. (Or we might be able to do some power measurements by invoking a function that hashes memory every minute or so; be creative.)