2023/12/13 Council Agenda Packet

detection mechanism must operate outside the operating system, typically on specialized hardware (e.g., a co -processor [18]) or in a virtual -machine monitor [15]. Although there have been recent efforts to deploy virtual machines on smart phones [8], such sup- port is not widely available yet. Even so, existing rootkit detec- tion techniques [10, 18 21], which have primarily been developed for desktop systems, employ heavyweight mechanisms that require periodic scans of kernel memory snapshots. Such techniques will likely place substantial energy demands if used on smart phones. We conclude the paper by discussing the challenges involved in detecting rootkits on smart phones. 2. BACKGRO Malware on Smart Phones Smart phones are an attractive target for attackers, both in the kinds of attacks that are possible and in the social implications of these attacks. Smart phones have access to both telephony and the In- ternet. As a consequence, malware that can attack a smart phone has the unique advantage of being able to affect the cell phone in- frastructure as well as other phones on the cellular network. These abilities have driven malware authors to focus on smart phones, with a recent report from MacAfee [3] stating that nearly 14% of mobile users worldwide have been directly infected or have known someone infected by mobile malware Nearly 72% of the users surveyed in the MacAfee study expressed concerns regarding the safety of using emerging mobile services and more than 86% were concerned about receiving inappropriate or unsolicited content, fraud- ulent bill increases, or information loss and theft. The pervasive nature of smart phones and a large, unsophisti- cated user base also make smart phones particularly attractive to attackers Important personal and financial information can likely be compromised by mobile malware because phone usage revolves largely around day-to-day user activities. For example, smart phones are increasingly being used for text messaging, email, storing per- sonal data, including financial data, pictures and videos. Espionage of such voice conversations is likely to have serious social implica- tions. As a second example, users typically tend to carry their smart phones (and keep them powered on) wherever they go; therefore, an attack that compromises the GPS subsystem will compromise privacy of the victim's location. Traditional threats to desktop systems, such as worms and viruses, have already begun infecting mobile platforms. According to F- Secure [1], there are already more than 400 mobile viruses in cir- culation. Several existing mobile malware result m simple annoy- ances. For example, the Skull.D viruslocks the phone and flashes an image of a skull and crossbones on the screen... .However, oth- ers are more dangerous and can cause financial damage to the user by sending text messages to "premium" numbers Malware such as spyware and Trojan horses have also started -affecting smart phones. The threats posed by mobile malware, can readily be countered using many of the same tools available for desktop machines For example, an antivirus tool equipped with an appropriate virus sig- nature database can detect the presence of viruses on a smart phone. As antivirus tools begin to get deployed on mobile platforms, we envisage that attackers will also move toward using stealth tech- niques to maintain long-term control over infected smart phones by maliciously modifying smart phone operating systems. Rootkits on Des i ps The term "rootkit" originally referred to a toolkit of techniques de- veloped by attackers to conceal the presence of malicious software on a compromised system. During infection, rootkits typically re- quire privileged access (e.g., root privileges) to infect the operating system. Even on operating systems that do not run applications Attack LOC 1 Size of kernel module 116 428 134 92.8 KB GSM GPS 101.7 87.2 KB KB Battery Figure 1• Lines of code and size of the kernel modules that implement each of the three attacks. with root privileges, an attacker may exploit vulnerabilities in ap- plication programs, such as web browsers (e g., drive -by -download attacks) and the operating system, to obtain elevated privileges to install rootkits. Rootkits typically infect the system by installing themselves as kernel modules, which are loaded each time the operating system is booted. However, this approach leaves a disk footprint, i.e., the kernel module containing the rootkit, thereby exposing the rootkit to antivirus tools. Sophisticated rootkits avoid this problem by di- rectly modifying data in kernel memory and do not leave a disk footprint. Although such rootkits only persist until the system is rebooted, they are effective on desktop computers, which are often not rebooted for several days or months at a time. Once infected, a rootkit can serve as the stepping stone for sev- eral future attacks. For example, rootkits are commonly used to conceal keyloggers, which steal sensitive user data, such as pass- words and credit card numbers, by silently logging keystrokes. They might also install backdoor programs on the system, which allow a remote attacker to gain entry into the system in the future. Rootkits can also perform other stealthy activities, such as disabling the fire- wall/antivirus tools or affecting the output quality of the system's pseudo random number generator, thereby causing the generation of weak cryptographic keys [12]. None of these activities are di- rectly visible to the user because the rootkit conceals its presence. Their stealthy nature enables rootkits to stay undetected, and there- fore retain long-term control over infected systems. 3. ROOTKITS ON SMART PHONES The, increasing complexity of smart phone operating systems makes them as vulnerable to rootkits as desktop operating sys- tems are. However, these rootkits can potentially exploit inter- faces and services unique to smart phones to compromise security in novel ways In this section, we present three proof -of -concept rootkits that we developed to illustrate the threat that they pose to smart phones. They were implemented by the first two authors, with only a basic undergraduate -level knowledge of operating sys- tems. Our test platform was a Neo Freerunner smart phone running the Openmoko Linux distribution [5]. We chose this platform be- cause (a) Linux source code is freely available, thereby allowing us to study and modify its data structures at will; and (b) the Neo Freerunner allows for easy experimentation, e.g., it allows end - users to re -flash the phone with newer versions of the operating system. All our rootkits were developed as Linux kernel modules (LKM), which we installed into the operating system. However, during a real attack, we expect that these LKMs will be delivered via other mechanisms, e.g., after an attacker has compromised a network - facing application or via a drive -by -download attack. Figure 1 presents the lines of code needed to implement each attack, and the size of the corresponding kernel module. This figure shows the relative ease with which rootkits can be developed. It also shows that the small size of kernel modules allows for easy delivery, even on bandwidth -constrained smart phones. Although our implementation and discussion in this section are restricted to the Neo Freerunner platform, the attacks are broadly applicable to smart phones running different operating systems. For example, Android is a platform derived from Linux and can sup- 2