Jeffrey Bickford, Ryan O'Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode, hotmobile10-slides.pdf
TRANSCRIPT
![Page 1](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/1.jpg)
Jeffrey Bickford, Ryan O'Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode
Department of Computer Science, Rutgers University
Supported in part by NSF and US Army CERDEC
![Page 2](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/2.jpg)
Rise of the Smart Phone
HotMobile 2/23/2010

![Page 3](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/3.jpg)
1993: Simon
• calendar, address book, e-mail
• touchscreen
• on-screen "predictive" keyboard

![Page 4](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/4.jpg)
2000: Ericsson R380
• Symbian OS

![Page 5](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/5.jpg)
2002: Treo 180, BlackBerry 5810
• Blackberry
• Windows Pocket PC
• Treo

![Page 6](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/6.jpg)
2007: iPhone

![Page 7](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/7.jpg)
2008
• iPhone 3G/3GS
• Android
• App Stores
![Page 8](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/8.jpg)
Smart Phone Users
![Page 9](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/9.jpg)
Smart Phone Interfaces
A rich set of interfaces is now available: GSM, GPS, Bluetooth, Accelerometer, Microphone, Camera
![Page 10](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/10.jpg)
Smart Phone Apps
• Contacts
• Location
• Banking
Over 140,000 apps today
![Page 11](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/11.jpg)
Smart Phone Operating Systems

| OS | Lines of Code |
|---|---|
| Linux 2.6 Kernel | 10 million |
| Android | 20 million |
| Symbian | 20 million |

Complexity comparable to desktops
![Page 12](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/12.jpg)
The Rise of Mobile Malware
2004: Cabir
• spreads via Bluetooth
• drains battery
(Phone prompt shown on the slide: "Receive message via Bluetooth?" Yes / No)

![Page 13](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/13.jpg)
2006: RedBrowser
• first J2ME malware
• sends texts to premium numbers

![Page 14](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/14.jpg)
2009
• Kaspersky Labs report: 106 types of mobile malware, 514 modifications
![Page 15](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/15.jpg)
The Rise of Mobile Malware
"My iPhone is not jailbroken and it is running iPhone OS 3.0"
![Page 16](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/16.jpg)
Contributions
• Introduce rootkits into the space of mobile malware
• Demonstrate with three proof-of-concept rootkits
• Explore the design space for detection
![Page 17](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/17.jpg)
Rootkits
(Diagram of the software stack. Labels: App, App, App; User Space; Kernel Space; Libraries; Kernel Code; System Call Table; Drivers; Process Lists; Virus; Anti-Virus.)

![Page 18](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/18.jpg)
Rootkits
(Same diagram with a Rootkit added in kernel space. Labels: App, App, App; User Space; Kernel Space; Libraries; Kernel Code; System Call Table; Drivers; Process Lists; Anti-Virus; Rootkit; Virus.)
![Page 19](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/19.jpg)
Proof of Concept Rootkits
Note: We did not exploit vulnerabilities
• 1. Conversation Snooping Attack
• 2. Location Attack
• 3. Battery Depletion Attack
Platform: Openmoko Freerunner
![Page 20](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/20.jpg)
1. Conversation Snooping Attack
(Sequence between Attacker and Rootkit-Infected phone:)
Attacker: Send SMS "Dial me 666-6666"
Rootkit-infected phone: Delete SMS; Call Attacker; Turn on Mic
The rootkit stops if the user tries to dial.

![Page 21](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/21.jpg)
1. Conversation Snooping Attack
(Variant, Attacker and Rootkit-Infected phone:)
Trigger: Calendar Notification
Rootkit-infected phone: Call Attacker; Turn on Mic
![Page 22](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/22.jpg)
2. Location Attack
(Sequence between Attacker and Rootkit-Infected phone:)
Attacker: Send SMS "Send location 666-6666"
Rootkit-infected phone: Query GPS; SMS Response "N40°28', W074°26'"; Delete SMS
![Page 23](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/23.jpg)
3. Battery Depletion Attack
• Rootkit turns on high-powered devices
• Rootkit shows original device status
![Page 24](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/24.jpg)
Rootkit Detection
(Same software-stack diagram: App, App, App; User Space; Kernel Space; Libraries; Kernel Code; System Call Table; Drivers; Process Lists; with a Rootkit Detector placed in the kernel next to the Rootkit.)
DOES NOT WORK! A detector that runs inside the kernel it is checking shares the rootkit's privilege level, so a kernel-level rootkit can disable or deceive it; the check has to come from outside the kernel.
![Page 25](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/25.jpg)
Memory Introspection: Training Phase
(Diagram: the Monitor Machine runs the Monitor; the Target Machine runs the Kernel with its SysCall Table. The monitor fetches the table and keeps a copy.)

![Page 26](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/26.jpg)
Memory Introspection: Detection Phase
(The Monitor fetches the Kernel's table again and compares it with the training copy: System OK.)

![Page 27](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/27.jpg)
Memory Introspection: Detection Phase
(A Rootkit has pointed a table entry at mal_write(); the fetch and compare finds the mismatch: Rootkit Detected.)
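The training-and-detection loop on slides 25 to 27, as an added example that is not the authors' code: a user-space C simulation in which the target's system-call table is an array of function pointers, the monitor copies it once (training) and later re-fetches and compares it entry by entry (detection). The handler names sys_read, sys_write, sys_open and sys_close, the hook mal_write and the fetch helper are illustrative; in the real design the monitor reads the target's physical memory over DMA or through a hypervisor, which is what keeps the fetch outside the rootkit's reach.

```c
#include <stdio.h>
#include <string.h>

#define NR_SYSCALLS 4

typedef long (*syscall_fn)(long arg);

/* ---- target machine: a toy kernel with a system-call table ----
 * (hypothetical handlers standing in for the real kernel entry points) */
static long sys_read(long a)  { return a; }
static long sys_write(long a) { return a + 1; }
static long sys_open(long a)  { return a + 2; }
static long sys_close(long a) { return a + 3; }

static syscall_fn sys_call_table[NR_SYSCALLS] = {
    sys_read, sys_write, sys_open, sys_close
};

/* Rootkit hook (mal_write on the slide): intercepts write() and forwards to
 * the real handler, so the phone keeps working and the user sees nothing. */
static long mal_write(long a) {
    /* an attacker would log or alter the data here */
    return sys_write(a);
}

/* Installing the hook is a single pointer write into kernel memory. */
void rootkit_install(void) { sys_call_table[1] = mal_write; }
void rootkit_remove(void)  { sys_call_table[1] = sys_write; }

/* ---- monitor machine ----
 * "fetch" is a memcpy here; the real monitor reads the target's memory over
 * a DMA-capable interface or through the hypervisor, not via the target OS. */
static syscall_fn baseline[NR_SYSCALLS];

static void fetch_table(syscall_fn out[NR_SYSCALLS]) {
    memcpy(out, sys_call_table, sizeof sys_call_table);
}

/* Training phase: fetch and copy the known-good table. */
void monitor_train(void) { fetch_table(baseline); }

/* Detection phase: fetch again and compare with the training copy.
 * Returns the index of the first entry that no longer matches, or -1 when
 * the table is intact ("System OK" on the slide). */
int monitor_detect(void) {
    syscall_fn now[NR_SYSCALLS];
    fetch_table(now);
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (now[i] != baseline[i])
            return i;
    return -1;
}

int main(void) {
    monitor_train();
    printf("clean system: %d\n", monitor_detect());            /* -1 */
    rootkit_install();
    printf("after hook: entry %d modified\n", monitor_detect()); /* 1 */
    rootkit_remove();
    return 0;
}
```

A hook installed before the training snapshot would become part of the baseline, which is why a production monitor also checks that every entry points into the kernel's text section instead of trusting the snapshot alone.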
![Page 28](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/28.jpg)
Monitoring Approaches
1. Hardware Approach
(The Monitor Machine reads the memory of the rootkit-infected Target Machine through a NIC with remote DMA support.)

![Page 29](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/29.jpg)
Smart Phone Challenge
(Monitor Machine and a rootkit-infected phone.)
Problem:
• Need an interface allowing memory access without OS intervention (FireWire?)
![Page 30](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/30.jpg)
Monitoring Approaches
2. VMM-based Approach
(The Host Machine runs a Hypervisor; the Detector lives in Dom0, next to the monitored OS.)

![Page 31](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/31.jpg)
Smart Phone Challenge
Problem: CPU-intensive detection algorithms exhaust the phone battery
Solution: Offload detection work to the service provider
(The phone sends pages; the service provider does the CPU-intensive work and returns a response.)
![Page 32](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/32.jpg)
Optimizations for Energy Efficiency
(Diagram: the Monitor fetches pages through the target's Page Table.)
Problem: Too many memory pages may have to be transferred

![Page 33](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/33.jpg)
Optimizations for Energy Efficiency
(Diagram: Page Table entries carry a modified bit, 0 or 1; the Monitor fetches only the pages marked 1.)
Solution: Only fetch and scan pages that have been recently modified
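Slides 31 to 33 describe shipping pages to the service provider and restricting that to recently modified pages. The following is an added example, not the authors' prototype: a C simulation of the monitor-side scan in which each target page carries the dirty bit from its page-table entry, the monitor hashes every page once in training, and each later scan fetches (and counts the bytes of) only dirty pages. PAGE_SIZE, the page contents and the "rootkit" write to page 3 are constructed, and fnv1a64 stands in for whatever digest the real detector would use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64   /* toy page; real ARM pages are 4 KiB */
#define NPAGES    8

/* Target's kernel memory: each page carries the dirty bit of its page-table entry. */
struct page { unsigned char data[PAGE_SIZE]; int dirty; };
static struct page target_mem[NPAGES];

/* Monitor state: training snapshot and a counter of bytes moved target -> monitor
 * (the bytes the phone would have to send to the service provider). */
static uint64_t baseline_hash[NPAGES];
static size_t   bytes_transferred;

/* FNV-1a: enough to tell "same bytes" from "changed bytes" in a simulation. */
static uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Constructed content: page i is filled with byte value i. */
void target_init(void) {
    for (int i = 0; i < NPAGES; i++) {
        memset(target_mem[i].data, i, PAGE_SIZE);
        target_mem[i].dirty = 0;
    }
}

/* Target side: a store into a page sets its dirty bit, as the MMU does. */
void target_write(int pg, size_t off, const void *src, size_t n) {
    memcpy(target_mem[pg].data + off, src, n);
    target_mem[pg].dirty = 1;
}

/* Monitor side: fetch one page from the target and hash it. */
static uint64_t fetch_page_hash(int pg) {
    unsigned char copy[PAGE_SIZE];
    memcpy(copy, target_mem[pg].data, PAGE_SIZE);
    bytes_transferred += PAGE_SIZE;
    return fnv1a64(copy, PAGE_SIZE);
}

/* Training: hash every page once and clear the dirty bits. */
void monitor_train(void) {
    for (int i = 0; i < NPAGES; i++) {
        baseline_hash[i] = fetch_page_hash(i);
        target_mem[i].dirty = 0;
    }
}

/* Detection: returns a bitmask of pages whose content differs from training.
 * With only_dirty set, pages whose dirty bit is clear are skipped entirely,
 * so they cost neither transfer nor hashing. */
unsigned monitor_scan(int only_dirty) {
    unsigned modified = 0;
    for (int i = 0; i < NPAGES; i++) {
        if (only_dirty && !target_mem[i].dirty) continue;
        if (fetch_page_hash(i) != baseline_hash[i]) modified |= 1u << i;
        target_mem[i].dirty = 0;   /* scanned: re-arm the bit for the next interval */
    }
    return modified;
}

/* Bytes fetched since the previous call; resets the counter. */
size_t monitor_bytes_since_reset(void) {
    size_t b = bytes_transferred;
    bytes_transferred = 0;
    return b;
}

int main(void) {
    target_init();
    monitor_train();
    monitor_bytes_since_reset();
    unsigned char hook[4] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed rootkit write */
    target_write(3, 0, hook, sizeof hook);
    unsigned m = monitor_scan(1);
    printf("dirty-only scan: mask 0x%x, %zu bytes fetched\n", m, monitor_bytes_since_reset());
    m = monitor_scan(0);
    printf("full scan:       mask 0x%x, %zu bytes fetched\n", m, monitor_bytes_since_reset());
    return 0;
}
```

The dirty bit is only trustworthy if the guest kernel cannot reach it: a kernel-level rootkit can clear the bit after writing, so in the VMM-based design the hypervisor has to own the page tables (or write-protect the monitored pages and record the faults) rather than trust bits the guest maintains. The filter also only cuts transfer and hashing cost; a page flagged as modified still needs the invariant checks to decide whether the change is malicious.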
![Page 34](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/34.jpg)
Related Work (1/2)
Rootkit Detection
• Enforcement of Kernel Data Structure Invariants [Baliga et al., ACSAC 2008]
• Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 2003]
Mobile Security and Detection
• Semantically Rich Application-Centric Security in Android [Ongtang et al., ACSAC 2009]
• Detecting Energy-Greedy Anomalies [Kim et al., MobiSys 2008]

![Page 35](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/35.jpg)
Related Work (2/2)
Mobile Malware
• Cellular Botnets: Impact on Network Core [Traynor et al., CCS 2009]
• Exploiting SMS-Capable Cellular Networks [Enck et al., CCS 2005]
• Exploiting MMS Vulnerabilities to Exhaust Battery [Racic et al., SecureComm 2006]
![Page 36](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/36.jpg)
Conclusion and Future Work
Conclusions:
• Rootkits are now a threat to smart phones
Future Work:
• Energy-efficient rootkit detection techniques
• Develop a rootkit detector for smart phones

![Page 37](https://reader035.vdocuments.us/reader035/viewer/2022063003/5f6908cdeca6434d616aa476/html5/thumbnails/37.jpg)
Thank You!