Rootkits on Smart Phones: Attacks, Implications and Opportunities
Transcript of Rootkits on Smart Phones: Attacks, Implications and Opportunities
Slide 1
Rootkits on Smart Phones: Attacks, Implications and Opportunities
Jeffrey Bickford, Ryan O'Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode
Department of Computer Science, Rutgers University
HotMobile 2/23/2010
Speaker notes: Say who the authors are; joint work with the co-authors listed.

Slide 2
Rise of the Smart Phone
1993: Simon. Calendar, address book, e-mail, touch screen, on-screen "predictive" keyboard.
2000: Ericsson R380. Symbian OS.
2002: BlackBerry 5810, Treo 180. BlackBerry, Windows Pocket PC, Treo.
2007: iPhone.
2008: iPhone 3G/3GS, Android, App Stores.
Speaker notes: The reason I am telling you this is because we can see the increasing complexity. We see an increase in interfaces, applications, etc. Immediately after this, present the users.

Slide 3
Smart Phone Users
Slide 4
Smart Phone Interfaces
A rich set of interfaces is now available: GSM, GPS, Bluetooth, accelerometer, microphone, camera.
Speaker notes: Name all of them: GSM, GPS, Bluetooth, accelerometer.

Slide 5
Smart Phone Apps
Contacts, Location, Banking. Over 140,000 apps today.
Speaker notes: Give the number of apps in the store.

Slide 6
Smart Phone Operating Systems
OS                  Lines of Code
Linux 2.6 Kernel    10 million
Android             20 million
Symbian             20 million
Complexity comparable to desktops.
Speaker notes: Smart phone operating systems are becoming increasingly complex. From the table we can see that some OSes are on the order of 20 million lines of code.

Slide 7
The Rise of Mobile Malware
2004: Cabir spreads via Bluetooth and drains the battery (the phone prompts "Receive message via Bluetooth? Yes / No").
Speaker notes: Various other malware then spread by MMS, Bluetooth and memory card.
2006: RedBrowser, the first J2ME malware, sends texts to premium numbers.
2009: Kaspersky Labs report: 106 types of mobile malware, 514 modifications.

Slide 8
The Rise of Mobile Malware
From the article shown on the slide: "My iPhone is not jailbroken and it is running iPhone OS 3.0"
Speaker notes: Mention that malware has risen so far that even non-jailbroken iPhones can be attacked.

Slide 9
Contributions
Introduce rootkits into the space of mobile malware.
Demonstrate with three proof-of-concept rootkits.
Explore the design space for detection.

Slide 10
Rootkits
Diagram: user space holds App, App, App, Libraries, AntiVirus and a Virus; kernel space holds Kernel Code, System Call Table, Drivers and Process Lists.

Slide 11
Rootkits
Same diagram, with a Rootkit added inside kernel space, below the user-space AntiVirus and Virus.
Speaker notes: Rootkits have been damaging: a 600 percent increase in desktop rootkits.

Slide 12
Proof of Concept Rootkits
Note: We did not exploit vulnerabilities.
1. Conversation Snooping Attack
2. Location Attack
3. Battery Depletion Attack
Platform: Openmoko Freerunner.
Speaker notes: As I have shown you earlier, iPhone, Android are all vulnerable to attacks. Discuss the note.
Slide 13
1. Conversation Snooping Attack
Diagram: the attacker sends an SMS reading "Dial me 666-6666" to the rootkit-infected phone. The rootkit deletes the SMS, turns on the microphone and calls the attacker. The rootkit stops if the user tries to dial.
Steps: send special SMS; turn on microphone; call attacker; delete SMS.

Slide 14
1. Conversation Snooping Attack
Diagram: the same attack triggered by a calendar notification instead of an SMS: the rootkit-infected phone turns on the microphone and calls the attacker.
Speaker notes: Instead of doing it this way, we can also do it from a calendar application.

Slide 15
2. Location Attack
Diagram: the attacker sends an SMS reading "Send Location 666-6666" to the rootkit-infected phone. The rootkit queries the GPS, replies by SMS with the coordinates (N40°28', W074°26') and deletes the SMS.

Slide 16
3. Battery Depletion Attack
Rootkit turns on high-powered devices. Rootkit shows the original device status.

Slide 17
Rootkit Detection
Diagram: a Rootkit Detector in user space (alongside App, App, App and Libraries) and a Rootkit in kernel space (Kernel Code, System Call Table, Drivers, Process Lists). DOES NOT WORK!
Slide 18
Memory Introspection
Training phase: the monitor machine fetches and copies kernel memory (e.g., the system call table) from the target machine.

Slide 19
Memory Introspection
Detection phase: the monitor fetches the target's kernel memory again and compares it with the training copy. Result: System OK.

Slide 20
Memory Introspection
Detection phase: a rootkit has replaced a system call table entry with mal_write(). The comparison fails. Result: Rootkit Detected.

Slide 21
Monitoring Approaches
1. Hardware Approach: the monitor machine reads the rootkit-infected target machine's memory through a NIC with remote DMA support (Intelligent NIC, I-NIC: a NIC PCI card with remote DMA support).
Speaker notes: The monitor machine can be physical, with remote memory access, or a virtual machine over a VMM.

Slide 22
Smart Phone Challenge
Problem: Need an interface allowing memory access without OS intervention (FireWire?).
Speaker notes: This is a backdoor, because we connect with access to memory without the OS. If it is wireless, in theory someone can use it maliciously. It requires a physical connection.

Slide 23
Monitoring Approaches
2. VMM-based Approach: the host machine runs a hypervisor; the detector runs in Dom0 and monitors the guest OS.

Slide 24
Smart Phone Challenge
Problem: CPU-intensive detection algorithms exhaust the phone battery.
Solution: Offload detection work to the service provider. The phone sends pages, the provider does the CPU-intensive work and sends back a response.

Slide 25
Optimizations for Energy-Efficiency
Problem: Too many memory pages may have to be transferred (the monitor fetches pages by walking the page table).

Slide 26
Optimizations for Energy-Efficiency
Solution: Only fetch and scan pages that have been recently modified. The page table's modified bits (0/1) tell the monitor which pages to fetch.

Slide 27
Related Work (1/2)
Rootkit Detection
  Enforcement of Kernel Data Structure Invariants [Baliga, et al., ACSAC 2008]
  Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]
Mobile Security and Detection
  Semantically Rich Application-Centric Security in Android [Ongtang, et al., ACSAC 2009]
  Detecting Energy-Greedy Anomalies [Kim, et al., MobiSys 2008]

Slide 28
Related Work (2/2)
Mobile Malware
  Cellular Botnets: Impact on Network Core [Traynor, et al., CCS 2009]
  Exploiting MMS Vulnerabilities to Exhaust Battery [Racic, et al., SecureComm 2006]
  Exploiting SMS-Capable Cellular Network [Enck, et al., CCS 2005]
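The memory introspection scheme of slides 18 through 20, combined with the modified-pages optimization of slides 25 and 26, as an added Python sketch (not code from the talk or from the authors' detector): the monitor hashes every kernel page of a simulated target during training, then re-fetches and re-hashes only the pages whose modified bit is set. The page layout, the dirty-bit interface and the hooked table entry are constructed for the example.

```python
import hashlib

class TargetMachine:
    # Simulated phone kernel memory: pages plus per-page modified bits (constructed stand-in
    # for the page table the monitor reads on slides 25 and 26).
    def __init__(self, pages):
        self.pages = [bytearray(p) for p in pages]
        self.dirty = [False] * len(pages)

    def write(self, page_no, offset, data):
        # Any write marks the page modified, as the MMU would.
        self.pages[page_no][offset:offset + len(data)] = data
        self.dirty[page_no] = True

    def fetch(self, page_no):
        # Remote fetch of one page (remote DMA or VMM copy); the copy resets the modified bit.
        self.dirty[page_no] = False
        return bytes(self.pages[page_no])

class Monitor:
    # Monitor machine: learns known-good page hashes, then rescans only pages reported as modified.
    def __init__(self, target):
        self.target = target
        self.baseline = {}

    def train(self):
        # Training phase: hash every kernel page of the clean target once.
        for n in range(len(self.target.pages)):
            self.baseline[n] = hashlib.sha256(self.target.fetch(n)).hexdigest()

    def detect(self):
        # Detection phase: fetch only modified pages and compare to the baseline.
        # Returns (pages transferred, pages whose hash no longer matches).
        fetched, changed = 0, []
        for n, dirty in enumerate(self.target.dirty):
            if dirty:
                fetched += 1
                if hashlib.sha256(self.target.fetch(n)).hexdigest() != self.baseline[n]:
                    changed.append(n)
        return fetched, changed

def demo():
    # Constructed target: page 0 is a fake system call table of 8-byte entries, then 3 zero pages.
    table = b"".join((0x1000 + 8 * i).to_bytes(8, "little") for i in range(512))
    target = TargetMachine([table] + [bytes(4096)] * 3)
    mon = Monitor(target)
    mon.train()
    clean = mon.detect()  # nothing modified since training: (0, [])
    # A rootkit swaps one table entry for its own handler (slide 20's mal_write()).
    target.write(0, 4 * 8, (0xDEAD0000).to_bytes(8, "little"))
    return clean, mon.detect()  # one page transferred, page 0 flagged: (1, [0])
```

The modified bits live in memory that a kernel-level rootkit also controls, so a detector relying on them still needs an occasional full fetch to catch a rootkit that clears the bits after writing.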
Slide 29
Conclusion and Future Work
Conclusions: Rootkits are now a threat to smart phones.
Future Work: Energy-efficient rootkit detection techniques; develop a rootkit detector for smart phones.

Slide 30
Thank You!
[Chart: Battery Life For Different Smartphones. X axis: Phone Make and Model (Verizon Touch, ATT Tilt, Neo FreeRunner, GTA02 w/ Rootkit). Y axis: Hours of Battery Life (idle). Series: Normal Idle Operation, All Peripherals Active.]