![Page 1: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/1.jpg)
Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection
Jeffrey Bickford *, H. Andrés Lagar-Cavilla #, Alexander Varshavsky #, Vinod Ganapathy *, and Liviu Iftode *
* Rutgers University, # AT&T Labs – Research
![Page 2: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/2.jpg)
Smart Phone Apps
(figure: app icons labelled Location, Banking, Contacts)
Store personal and private information
![Page 3: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/3.jpg)
The Rise of Mobile Malware
(figure: timeline of mobile malware, 2004, 2006, 2011)
Mobisys 6/30/2011
![Page 4: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/4.jpg)
Traditional Malware Detection
• Periodically scan the attack target
  – System comprised of code and data
    • Personal files, executables, databases, network activity
(figure: mock antivirus dialog, "Antivirus 2011": "30469 of 121876 scanned", "Remaining Time: 1 hour 2 minutes", "Cancel Scan")
Battery life decreases 2x faster!
![Page 5: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/5.jpg)
Mobile Detection Problem
• Typical machines can execute malware detection systems 24/7
• Mobile devices are limited by their battery
• Detection mechanisms in their current state lead to high energy cost
• Executing malware detection systems only when charging is not sufficient
![Page 6: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/6.jpg)
Contributions
Explore the tradeoffs between security monitoring and energy consumption on mobile devices
1. Framework to quantify the security vs. energy tradeoffs on a mobile device
2. Create energy optimized versions of two security tools
3. Introduce a balanced security profile
![Page 7: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/7.jpg)
How Do I Conserve Energy?
(figure: two axes, "Frequency of Checks" (when to check) and "Attack Surface" (what to check))
• Frequency of Checks
  – When to check?
  – Scan less frequently
  – Timing vs events
• Attack Surface
  – What to check?
  – Scan fewer code/data objects
![Page 8: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/8.jpg)
Security-Energy Tradeoff
(figure: Frequency of Checks vs Attack Surface plane, with various attacks plotted on it)
• Scan all continuously
  – Best possible security
  – High energy cost
• Periodically Scan
  – Vulnerable between scans
• Scan Subset
  – Vulnerable to attacks outside of subset
Is there a sweet spot?
![Page 9: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/9.jpg)
Rootkits
(figure: User Space with Apps, Libraries and AntiVirus; Kernel Space with Kernel Code, System Call Table, Drivers and Process Lists; labels Virus and Rootkit)
Rootkits are sophisticated malware requiring complex detection algorithms
![Page 10: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/10.jpg)
Demonstrated Attack: Conversation Snooping Attack [Bickford et al. HotMobile ‘10]
(figure: Attacker sends the SMS "Dial me “666-6666”" to a rootkit-infected phone; the rootkit deletes the SMS, turns on the mic and calls the attacker)
Rootkit stealthily hides from the user
![Page 11: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/11.jpg)
Rootkit Detection
(figure: Host Machine running a Hypervisor, with a Trusted domain hosting the Detector beside the User OS)
OS must be monitored using a hypervisor
• Detection tools run in trusted domain
• Mobile hypervisors soon
  – VMWare
  – OKL4 Microvisor (Evoke)
  – Samsung Xen on ARM
![Page 12: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/12.jpg)
Experimental Setup
• Viliv S5
  – Intel Atom
  – 3G, WiFi, GPS, Bluetooth
• Xen Hypervisor
  – Evaluated the tradeoff using two existing rootkit detectors within trusted domain
• Workloads
  – 3G and WiFi workload simulating user browsing
  – Lmbench for a CPU intensive workload
![Page 13: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/13.jpg)
Detecting Data-Driven Attacks
• Gibraltar [Baliga et al. IEEE TDSC ‘11] typifies the usual form of rootkit defense for kernel data attacks
  – Primarily pointer-based control flow
  – Scans data structures within the OS Kernel
• Scanning approach analogous to antivirus scans
• Original version monitored all data structures all of the time
![Page 14: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/14.jpg)
Detecting Data-Driven Attacks
(figure: Hypervisor hosting a Guest domain (Kernel Code, Kernel Data) and a Trusted domain running the Gibraltar daemon with an Invariant DB; 1 Fetch page, 2 Reconstruct data structures, 3 check against the Invariant DB, on a mismatch Alert user)
![Page 15: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/15.jpg)
Problem – High Energy Cost
```
while(1) {
    for all kernel data structures {
        get current value
        check against invariant
    }
}
```
• Maximum security
• 100 % CPU usage
• Poor Energy Efficiency
(figure: bar chart comparing Idle and Continuous Scan)
Must tradeoff security for energy
![Page 16: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/16.jpg)
Tradeoffs for Data-Based Detectors
(figure: design space with Frequency of Checks on one axis, given as Poll Frequency (seconds) and as Event Threshold (page changes between checks), and Attack Surface on the other: Static Data, All Data, Function Pointers, All Lists, Process List; the Original design of Gibraltar is marked on the chart)
![Page 17: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/17.jpg)
Frequency of Checks
```
while(1) {
    for all kernel data structures {
        get current value
        check against invariant
    }
}
```
becomes, checking only every "x" seconds:
```
while(1) {
    every “x” seconds {
        for all kernel data structures {
            get current value
            check against invariant
        }
    }
}
```
(figure: bar chart comparing Idle and Scan)
![Page 18: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/18.jpg)
Evaluating the Tradeoff
(figure: measured tradeoff for the frequency of checks, with the Sweet Spot! marked)
![Page 19: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/19.jpg)
Attack Surface
```
while(1) {
    for all kernel data structures {
        get current value
        check against invariant
    }
}
```
becomes, scanning only a subset of the data structures:
```
while(1) {
    for a subset of data structures {
        get current value
        check against invariant
    }
}
```
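A toy model of the two knobs shown in these code variants, when to check (poll period, or an event threshold of guest page changes) and what to check (the subset of data-structure classes), added here as an example in Python and not code from the paper or from Gibraltar. It runs each policy over a constructed one-second workload trace and reports pages scanned (an energy proxy) and detection latency; the page counts per class, the trace and the attack are constructed assumptions.

```python
# Added example, not the paper's code: a toy model of the knobs the slides
# describe for a Gibraltar-style detector -- poll period, event threshold
# (guest page changes between checks) and attack surface (which kernel
# data-structure classes are scanned). Page counts and trace are constructed.
SURFACE_PAGES = {"static_data": 40, "function_pointers": 10,   # constructed
                 "all_lists": 8, "process_list": 2}            # sizes (pages)
FULL = frozenset(SURFACE_PAGES)

def simulate(period, event_threshold, surface, page_changes, attack, horizon):
    """One detector policy over a one-second timeline.
    period: poll every `period` s (1 = continuous); event_threshold: also
    scan once this many guest pages changed since the last scan (0 = off);
    surface: data-structure classes checked; page_changes: {second: pages
    written}; attack: (second, class) corrupted by the rootkit.
    Returns (pages_scanned, latency): pages scanned is the energy proxy,
    latency is None when the attacked class lies outside the surface."""
    atk_t, atk_class = attack
    scanned, changed, latency = 0, 0, None
    for t in range(1, horizon + 1):
        changed += page_changes.get(t, 0)
        if t % period != 0 and not (event_threshold and changed >= event_threshold):
            continue                     # neither timer nor event fired
        scanned += sum(SURFACE_PAGES[c] for c in surface)
        changed = 0
        if latency is None and t >= atk_t and atk_class in surface:
            latency = t - atk_t          # first scan that can see the change
    return scanned, latency

def compare(policies, page_changes, attack, horizon=300):
    return {name: simulate(*p, page_changes, attack, horizon)
            for name, p in policies.items()}

# Constructed workload: a browsing burst (6 pages/s) from 40 s to 60 s, idle
# otherwise; the rootkit hooks a function pointer at 45 s, inside the burst.
TRACE = {t: 6 for t in range(40, 61)}
ATTACK = (45, "function_pointers")
POLICIES = {
    "continuous, all data":    (1, 0, FULL),
    "every 30 s, all data":    (30, 0, FULL),
    "every 120 s, all data":   (120, 0, FULL),
    "every 120 s or 50 pages": (120, 50, FULL),
    "every 30 s, lists only":  (30, 0, frozenset({"all_lists", "process_list"})),
}

if __name__ == "__main__":
    for name, (pages, latency) in compare(POLICIES, TRACE, ATTACK).items():
        print(f"{name:26s} pages scanned={pages:6d}  latency={latency}")
```

On this trace the event-triggered policy sees the attack after 3 s using four scans, while plain 30 s polling needs ten scans for a 15 s latency, and the lists-only surface never sees the function-pointer hook at all.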
![Page 20: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/20.jpg)
Evaluating the Tradeoff
(figure: measured tradeoff for the attack surface)
96% of rootkits! [Petroni et al. CCS ‘07]
![Page 21: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/21.jpg)
Detecting Code-Driven Attacks
• Patagonix [Litty et al. USENIX Security ‘08] typifies most code integrity monitoring systems
• A different class of rootkits attack code
  – trojaned system utilities
  – kernel code modifications
• Can protect both kernel code and user space code
• Protects against a different set of attacks compared to Gibraltar
![Page 22: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/22.jpg)
Detecting Code-Driven Attacks
(figure: Hypervisor hosting a Guest domain (Code: OS & applications, Data) and a Trusted domain running the Patagonix daemon with a Hash DB; 1 hash(page) of an executing code page, 2 look up in the Hash DB, 3 Resume guest on a match, otherwise Alert user)
![Page 23: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/23.jpg)
Tradeoffs for Code-Based Detectors
(figure: design space with Frequency of Checks on one axis, given as Poll Frequency (seconds) and as Event Threshold (pages exec between checks), and Attack Surface on the other: All Code, Root Processes, Kernel Code; the Original design of Patagonix is marked on the chart)
![Page 24: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/24.jpg)
Putting it Together
• Cover 96% of Rootkits
• Polling sweet spot – 30 sec
![Page 25: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/25.jpg)
Conclusion
• Mobile malware is a threat
• Security tools costly when energy constrained
• Developed a framework to quantify the tradeoff between energy efficiency and security
• Optimized two previously existing tools
• Generated a “balanced” security profile
![Page 26: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/26.jpg)
Thank You!
(figure: mock "Smart Phone Security Center" screen: "Select a security plan:" Fully Secure, High risk, Low risk, Balanced; links "Learn how to conserve power" and "More security options")
![Page 27: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/27.jpg)
Randomization
(figure: Frequency of Checks vs Attack Surface plane)
• Periodically scan
• Attackers will attempt to exploit the system while idle
• Randomize the time the system is idle
![Page 28: Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection](https://reader037.vdocuments.us/reader037/viewer/2022102909/56813ee2550346895da95ad7/html5/thumbnails/28.jpg)
Cloud Offload Feasibility
Cloud offload impractical energy-wise