Embed Size (px)
Citation preview
JeffreyBickford,RyanO’Hare,Ara-Baliga,VinodGanapathy,andLiviuI=ode
DepartmentofComputerScience,RutgersUniversity
SupportedinpartbyNFSandUSArmyCERDEC
RiseoftheSmartPhone
HotMobile2/23/2010 2
RiseoftheSmartPhone
1993
• calendar,addressbook,e‐mail• touchscreen• on‐screen"predic-ve"keyboard
Simon
HotMobile2/23/2010 2
RiseoftheSmartPhone
1993 2000
• SymbianOS
EricssonR380
HotMobile2/23/2010 2
RiseoftheSmartPhone
1993 2000 2002
• Blackberry• WindowsPocketPC• Treo
Treo180
BlackBerry5810
HotMobile2/23/2010 2
RiseoftheSmartPhone
1993 2000 2002 2007
iPhone
HotMobile2/23/2010 2
RiseoftheSmartPhone
1993 2000 2002 2007 2008
• iPhone3G/3GS• Android• AppStores
HotMobile2/23/2010 2
HotMobile2/23/2010 3
SmartPhoneUsers
HotMobile2/23/2010 4
SmartPhoneInterfaces
ArichsetofinterfacesisnowavailableGSM
GPSBluetooth
AccelerometerMicrophone Camera
HotMobile2/23/2010 5
SmartPhoneApps
Contacts
Loca-on
Banking
Over140,000appstoday
SmartPhoneOpera-ngSystems
OS LinesofCode
Linux2.6Kernel 10million
Android 20million
Symbian 20million
Complexitycomparabletodesktops
HotMobile2/23/2010 6
HotMobile2/23/2010 7
TheRiseofMobileMalware
2004
Cabir
• spreadsviaBluetooth• drainsba_ery
Receive message via Bluetooth?
YesNo
HotMobile2/23/2010 7HotMobile2/23/2010HotMobile2/23/2010
TheRiseofMobileMalware
2004
• firstJ2MEmalware• sendstextstopremiumnumbers
RedBrowser
2006
HotMobile2/23/2010 7HotMobile2/23/2010HotMobile2/23/2010HotMobile2/23/2010
TheRiseofMobileMalware
2004
• KasperskyLabsreport:106typesofmobilemalware514modifica-ons
2006 2009
HotMobile2/23/2010 8
TheRiseofMobileMalware
“MyiPhoneisnotjailbrokenanditisrunning
iPhoneOS3.0”
HotMobile2/23/2010 9
Contribu-ons
• Introducerootkitsintothespaceofmobilemalware
• Demonstratewiththreeproof‐ofconceptrootkits
• Explorethedesignspacefordetec-on
HotMobile2/23/2010 10
Rootkits
App App App
UserSpace
KernelSpace
Libraries
KernelCode
SystemCallTable
DriversProcessLists
VirusAn-Virus
HotMobile2/23/2010 11
Rootkits
App App App
UserSpace
KernelSpace
Libraries
KernelCode
SystemCallTable
DriversProcessLists
An-Virus
Rootkit
Virus
ProofofConceptRootkits
HotMobile2/23/2010 12
Note:Wedidnotexploitvulnerabili-es
• 1.Conversa-onSnoopingA_ack
• 2.Loca-onA_ack
• 3.Ba_eryDeple-onA_ack
OpenmokoFreerunner
HotMobile2/23/2010 13
1.Conversa-onSnoopingA_ack
A_acker SendSMSRootkitInfected
Dialme“666‐6666”
CallA_ackerTurnonMic
DeleteSMS
Rootkitstopsifusertriestodial
HotMobile2/23/2010 14
1.Conversa-onSnoopingA_ack
A_acker RootkitInfected
CallA_ackerTurnonMic
CalendarNo-fica-on
A_acker SendSMSRootkitInfected
SendLoca-on“666‐6666”
2.Loca-onA_ack
QueryGPS
HotMobile2/23/2010 15
N40°28',W074°26SMSResponse
DeleteSMS
3.Ba_eryDeple-onA_ack
• Rootkitturnsonhighpowereddevices• Rootkitshowsoriginaldevicestatus
HotMobile2/23/2010 16
A_ack:
HotMobile2/23/2010 17
RootkitDetec-on
App App App
UserSpace
KernelSpace
Libraries
KernelCode
SystemCallTable
DriversProcessLists
RootkitDetector
RootkitDOESNOTWORK!
HotMobile2/23/2010 18
MemoryIntrospec-on
Kernel
SysCallTable
Monitor
FetchandCopy
MonitorMachine TargetMachine
TrainingPhase
HotMobile2/23/2010 19
MemoryIntrospec-on
KernelMonitor
Fetch
MonitorMachine TargetMachine
Compare
SystemOK
Detec<onPhase
HotMobile2/23/2010 20
MemoryIntrospec-on
KernelMonitor
Fetch
MonitorMachine TargetMachine
Compare
RootkitDetected
Rootkit
mal_write()
Detec<onPhase
HotMobile2/23/2010 21
MonitoringApproaches
1.HardwareApproach
MonitorMachine TargetMachine
RootkitInfectedNICwithremoteDMAsupport
SmartPhoneChallenge
MonitorMachine RootkitInfected
HotMobile2/23/2010 22
Problem:• NeedinterfaceallowingmemoryaccesswithoutOSinterven-on(FireWire?)
HotMobile2/23/2010 23
MonitoringApproaches
HostMachine
Hypervisor
Dom0 OS
2.VMM‐basedApproach
Detector
SmartPhoneChallenge
HotMobile2/23/2010 24
Problem:CPU‐intensivedetec-onalgorithmsexhaustphoneba_ery
Solu<on:Offloaddetec-onworktotheserviceprovider
SendPages
Response
CPUintensivework
Op-miza-onsforEnergy‐Efficiency
HotMobile2/23/2010 25
PageTable
MonitorFetch
Problem:Toomanymemorypagesmayhavetobetransferred
Op-miza-onsforEnergy‐Efficiency
HotMobile2/23/2010 26
PageTable000000
Monitor1
1Fetch
Solu<on:Onlyfetchandscanpagesthat havebeenrecentlymodified
HotMobile2/23/2010 27
RelatedWork(1/2)
RootkitDetec<on• EnforcementofKernelDataStructureInvariants[Baliga,etal.,ACSAC2008]• VirtualMachineIntrospec-on [GarfinkelandRosenblum,NDSS2003]
MobileSecurityandDetec<on• Seman-callyRichApplica-on‐CentricSecurityinAndroid [Ongtang, et al., ACSAC 2009]• Detec-ngEnergy‐GreedyAnomalies[Kim,etal.,MobiSys2008]
RelatedWork(2/2)
MobileMalware• CellularBotnets:ImpactonNetworkCore[Traynor,etal.,CCS2009]• Exploiting SMS-Capable Cellular Network [Enck, et al., CCS 2005]• Exploi-ngMMSVulnerabili-estoExhaustBa_ery[Racic,etal.,SecureComm2006]
HotMobile2/23/2010 28
ConclusionandFutureWork
Conclusions:• Rootkitsarenowathreattosmartphones
FutureWork:• Energyefficientrootkitdetec-ontechniques
• Developarootkitdetectorforsmartphone
HotMobile2/23/2010 29
ThankYou!
HotMobile2/23/2010 30
