
Uncloaking Rootkits on Mobile Devices with a Hypervisor-Based Detector

  • Conference paper
Information Security and Cryptology - ICISC 2015 (ICISC 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9558)

Abstract

Cell phones have evolved into general purpose computing devices, which are tightly integrated into many IT infrastructures. As such, they provide a potential malware entry point that cannot be easily dismissed if attacks by determined adversaries are considered. Most likely, such targeted attacks will employ rootkit technologies so as to hide their presence for as long as possible.

We have designed a rootkit detector that allows the complete state of a smart phone to be inspected, turning up a rootkit if one is present. Our solution draws on the strong isolation provided by virtualization to protect the detector from attempts to disable it. In comparison to mainstream hypervisors such as Xen and KVM, our hypervisor consists of only 7,000 SLOC, allowing for systems with a small trusted computing base. We implemented a full prototype using a low-cost embedded board and a full Android stack and validated its effectiveness against an exemplary rootkit that employs advanced countermeasures. Various benchmark measurements of the prototype also showed that the performance degradation incurred by our design, while noticeable, is not prohibitive.

Notes

  1. Similar concepts are known as nested page table (NPT) or extended page table (EPT) on x86 systems.

  2. The ARM EABI uses r7.

  3. PL0 denotes USR, the only unprivileged processor state, whereas PL1 subsumes all privileged processor states (SVC, SYS, IRQ, FIQ, ABT, UND).

Acknowledgments

This research was supported by the Helmholtz Research School on Security Technologies.

Author information

Corresponding author

Correspondence to Julian Vetter.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Vetter, J., Junker-Petschick, M., Nordholz, J., Peter, M., Danisevskis, J. (2016). Uncloaking Rootkits on Mobile Devices with a Hypervisor-Based Detector. In: Kwon, S., Yun, A. (eds) Information Security and Cryptology - ICISC 2015. ICISC 2015. Lecture Notes in Computer Science, vol 9558. Springer, Cham. https://doi.org/10.1007/978-3-319-30840-1_17

  • DOI: https://doi.org/10.1007/978-3-319-30840-1_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30839-5

  • Online ISBN: 978-3-319-30840-1

  • eBook Packages: Computer Science (R0)