Published by Kennedy Birchett. Modified over 10 years ago.
1
Rootkits on Smart Phones: Attacks, Implications and Opportunities
Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode
Department of Computer Science, Rutgers University
2
Rise of the Smart Phone (HotMobile, 2/23/2010)
3
Rise of the Smart Phone (timeline: 1993). 1993: Simon; calendar, address book, e-mail, touch screen, on-screen "predictive" keyboard.
4
Rise of the Smart Phone (timeline: 1993, 2000). 2000: Symbian OS; Ericsson R380.
5
Rise of the Smart Phone (timeline: 1993, 2000, 2002). 2002: BlackBerry, Windows Pocket PC, Treo. Devices shown: Treo 180, BlackBerry 5810.
6
Rise of the Smart Phone (timeline: 1993, 2000, 2002, 2007). 2007: iPhone.
7
Rise of the Smart Phone (timeline: 1993, 2000, 2002, 2007, 2008). 2008: iPhone 3G/3GS, Android, App Stores.
8
Smart Phone Users
9
Smart Phone Interfaces. A rich set of interfaces is now available: GSM, GPS, Bluetooth, Accelerometer, Microphone, Camera.
10
Smart Phone Apps: Contacts, Email, Location, Banking. Over 140,000 apps today.
11
Smart Phone Operating Systems
OS | Lines of Code
Linux 2.6 Kernel | 10 million
Android | 20 million
Symbian | 20 million
Complexity comparable to desktops
12
The Rise of Mobile Malware (timeline: 2004). 2004: Cabir; spreads via Bluetooth, drains battery. Phone prompt shown: "Receive message via Bluetooth? Yes / No".
13
The Rise of Mobile Malware (timeline: 2004, 2006). 2006: RedBrowser; first J2ME malware, sends texts to premium numbers.
14
The Rise of Mobile Malware (timeline: 2004, 2006, 2009). 2009: Kaspersky Labs report: 106 types of mobile malware, 514 modifications.
15
The Rise of Mobile Malware. “My iPhone is not jailbroken and it is running iPhone OS 3.0”
16
Contributions: Introduce rootkits into the space of mobile malware. Demonstrate with three proof-of-concept rootkits. Explore the design space for detection.
17
Rootkits. Diagram: User Space (App, Libraries) and Kernel Space (Kernel Code, System Call Table, Drivers, Process Lists), with Virus and Anti Virus.
18
Rootkits. Diagram: User Space (App, Libraries) and Kernel Space (Kernel Code, System Call Table, Drivers, Process Lists), with Anti Virus, Rootkit and Virus.
19
Proof of Concept Rootkits: 1. Conversation Snooping Attack. 2. Location Attack. 3. Battery Depletion Attack. Platform shown: Openmoko Freerunner. Note: We did not exploit vulnerabilities.
20
1. Conversation Snooping Attack. Attacker: Send SMS (Dial me “666-6666”). Rootkit Infected phone: Call Attacker, Turn on Mic, Delete SMS. Rootkit stops if user tries to dial.
21
1. Conversation Snooping Attack. Diagram labels: Attacker; Rootkit Infected; Call Attacker; Turn on Mic; Calendar Notification.
22
2. Location Attack. Attacker: Send SMS (Send Location “666-6666”). Rootkit Infected phone: Query GPS, SMS Response (N40°28', W074°26'), Delete SMS.
23
3. Battery Depletion Attack. Attack: Rootkit turns on high powered devices. Rootkit shows original device status.
24
Rootkit Detection. Diagram: User Space (App, Libraries) and Kernel Space (Kernel Code, System Call Table, Drivers, Process Lists), with Rootkit Detector and Rootkit. DOES NOT WORK!
25
Memory Introspection, Training Phase. Monitor Machine (Monitor) and Target Machine (Kernel, Sys Call Table): Fetch and Copy.
26
Memory Introspection, Detection Phase. Monitor Machine (Monitor) and Target Machine (Kernel): Fetch, Compare. Result: System OK.
27
Memory Introspection, Detection Phase. Monitor Machine (Monitor) and Target Machine (Kernel, Rootkit, mal_write()): Fetch, Compare. Result: Rootkit Detected.
28
Monitoring Approaches. 1. Hardware Approach. Monitor Machine and Target Machine (Rootkit Infected): NIC with remote DMA support.
29
Smart Phone Challenge. Monitor Machine and Rootkit Infected phone. Problem: Need interface allowing memory access without OS intervention (FireWire?)
30
Monitoring Approaches. 2. VMM-based Approach. Diagram labels: Host Machine; Hypervisor; Dom0; OS; Detector.
31
Smart Phone Challenge. Problem: CPU-intensive detection algorithms exhaust phone battery. Solution: Offload detection work to the service provider. Diagram labels: Send Pages; CPU intensive work; Response.
32
Optimizations for Energy-Efficiency. Diagram labels: Page Table; Monitor; Fetch. Problem: Too many memory pages may have to be transferred.
33
Optimizations for Energy-Efficiency. Diagram labels: Page Table (entries marked 0 0 0 0 0 0 and 1 1); Monitor; Fetch. Solution: Only fetch and scan pages that have been recently modified.
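The training and detection phases of memory introspection (slides 25 to 27), combined with the fetch-only-modified-pages optimization above, as an added example that is not code from the presentation or its authors. The `TargetMemory` and `Monitor` classes, the per-page dirty flags, the SHA-256 comparison and the sample page contents are all assumptions constructed for illustration.

```python
import hashlib

PAGE_SIZE = 4096

class TargetMemory:
    """Constructed stand-in for the target phone's physical memory."""
    def __init__(self, num_pages):
        self.pages = [bytearray(PAGE_SIZE) for _ in range(num_pages)]
        self.dirty = [False] * num_pages  # assumption: models page-table dirty bits

    def write(self, page, offset, data):
        self.pages[page][offset:offset + len(data)] = data
        self.dirty[page] = True

class Monitor:
    """Runs outside the target OS and checks watched pages against a baseline."""
    def __init__(self, target, watched_pages):
        self.target, self.watched = target, list(watched_pages)
        self.baseline, self.pages_fetched = {}, 0

    def _fetch_hash(self, page):
        self.pages_fetched += 1  # every fetch costs the phone energy
        return hashlib.sha256(bytes(self.target.pages[page])).hexdigest()

    def train(self):
        # Training phase: fetch and copy a known-good view of each watched page.
        for p in self.watched:
            self.baseline[p] = self._fetch_hash(p)
            self.target.dirty[p] = False

    def detect(self):
        # Detection phase: fetch only watched pages modified since the last scan.
        changed = []
        for p in self.watched:
            if self.target.dirty[p]:
                if self._fetch_hash(p) != self.baseline[p]:
                    changed.append(p)
                self.target.dirty[p] = False
        return changed

def demo():
    mem = TargetMemory(64)
    mem.write(3, 0, b"sys_read sys_write sys_open")  # constructed "sys call table"
    mon = Monitor(mem, watched_pages=range(8))        # pages 0-7: kernel invariants
    mon.train()
    after_training = mon.pages_fetched
    clean = mon.detect()                  # nothing dirty, nothing fetched
    mem.write(40, 0, b"user data")        # unwatched page, ignored
    mem.write(3, 9, b"mal_write")         # table entry replaced, as on slide 27
    return clean, mon.detect(), mon.pages_fetched - after_training
```

A page that is dirtied but ends up byte-identical to its baseline is fetched and hashed yet not reported, because only a content change counts as a finding.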
34
Related Work (1/2)
Rootkit Detection:
Enforcement of Kernel Data Structure Invariants [Baliga, et al., ACSAC 2008]
Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]
Mobile Security and Detection:
Semantically Rich Application-Centric Security in Android [Ongtang, et al., ACSAC 2009]
Detecting Energy-Greedy Anomalies [Kim, et al., MobiSys 2008]
35
Related Work (2/2)
Mobile Malware:
Cellular Botnets: Impact on Network Core [Traynor, et al., CCS 2009]
Exploiting MMS Vulnerabilities to Exhaust Battery [Racic, et al., SecureComm 2006]
Exploiting SMS-Capable Cellular Network [Enck, et al., CCS 2005]
36
Conclusion and Future Work
Conclusions: Rootkits are now a threat to smart phones.
Future Work: Energy efficient rootkit detection techniques. Develop a rootkit detector for smart phone.
37
Thank You!