2023/12/13 Council Agenda Packet

surements itself is reasonably small —about 1000 measurements on a typical Linux system [23], which results in the transfer of about 20KB-30KB data between the phone and the attestor —frequent ex- ecutions of the protocol (e.g., to ensure continuous integrity mea- surement) may consume both network bandwidth and battery power. To be applicable to smart phones, integrity measurement protocols mast therefore be adapted to be resource efficient. -based Rootkit Detection Virtualization offers an alternative approach to implement rootkit detection. In this approach, the smart phone's operating system and the monitor execute in separate virtual machines (VM). The monitor queries the VM that runs the phone s operating system and extracts the contents of its memory locations to perform rootkit de- tection [15]. A number of commercial efforts are currently under- way to build virtual machine monitors for smart phones [4, 8, 16], with the goal of allowing users to have multiple personalities on a single physical device. For example, the same phone can be used with multiple accounts and providers, such as a corporate account and a personal account. Cox and Chen [13] also provide examples of several other novel applications that can be enabled by deploying virtualization on smart phones. Rootkit detection tools can possibly leverage these virtual ma- chine monitors to isolate themselves from the smart phone's operat- ing system. However, most existing rootkit detection tools [10, 11, 18, 21] operate by periodically fetching and scanning kernel mem- ory snapshots of the operating system being monitored. Such al- gorithms are CPU intensive and can potentially dram the battery of the phone. For example, the Gibraltar rootkit detection system [10] can detect sophisticated rootkits that operate by modifying arbi- trary kernel data structures. However, it operates by periodically fetching memory pages from the monitored system, reconstructing data structures, and checking these data structures against integrity specifications, each of which is a CPU -intensive operation. Gibral- tar can potentially be optimized for use on a smart phone by re- ducing the frequency at which it scans kernel memory for rootkits, e.g., by enabling rootkit detection only when the phone is being charged. However, domg so introduces a tradeoff between security and energy -efficiency. One way to address this tradeoff would be to adapt Gibraltar to selectively fetch memory pages to be analyzed, e.g. only pages that were recently modified. To develop a VMM- based rootkit detector, a smart phone will need to support the in- stallation of a VMM. Currently, there is no platform that supports this Further research is therefore needed to make rootkit detection more -efficient and practical for use on.virtualized smart phones. 5. S ARY Rootkits evade detection by compromising the operating system, thereby allowing them to defeat user -space detection tools and op- erate stealthily for extended periods of time. This paper demon- strated that kernel -level rootkits can exploit smart phone operating systems often with serious social consequences. The popularity of the mobile platform has already attracted attackers, who have increasingly begun to develop and deploy viruses and worms that target these platforms. As these threats gain notoriety, so will the power of tools to detect these threats. We believe that this trend, combined with the increasing complexity of operating systems on modern smart phones, will push attackers to employing rootkits to achieve their malicious goals. Currently, there is no available tech- nique to detect rootkits on smart phones. We therefore conclude with a call for research on tools and techniques to effectively and efficiently detect rootkits on smart phones. References [1] F-secure warns of mobile malware growth. www . vnunet . com/ vnunet/news/2230481/f-secure-launches-mobile. Google fixes android root -access flaw. www . z dnet a s i a . com/ news/security/O,39044215,62048148,00.htm Meafee mobile security report 2008. www.mcafee.com/us/ research/mobil e_security report._2008.html. OKL4 embedded hypervisor: Open kernel labs. www . ok—labs . com/. Openmoko Neo FreeRunner. wiki . openmoko . org/wiki / Neo_FreeRunner. Qtopia software stack (Qtextended.org). qtopia . n Smartphones will soon turn computing on its head. com/8301-13579_3-9906697-37.html. VMware mobile virtualization platform www . technology/mobile/. Rootkits, part 1 of 3: A growing threat, April 2006. MacAfee AVERT Labs Whitepaper A. Baliga, V Ganapathy, and L. Iftode. Automatic inference and en- forcement of kernel data structure invariants. In Pmc. Annual Com- puter Security and Applications Conference, 2008. A. Baliga, L. Iftode, and X. Chen. Automated containment of rootkit attacks. Computers & Security, 27(7-8):323 — 334, 2008. [12] A Baliga, P. Kamat, and L. Iftode. Lurking in the shadows: Identi- fying systemic threats to kernel data. In Proc. 2007 IEEE Symposium on Secunty and Privacy, 2007 [13] L. Cox and P. M. Chen Pocket hypervisors: Challenges and opportu- nities. In Pmc HotMobile, 2007. [14] W Enck, P. Traynor, P. Mcdaniel, and T. La Porta. Exploiting open functionality in sms-capable cellular networks. In Pmc. ACM Confer- ence on Computer and Communication Security, 2005. [15] T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proc. Network and Dis- tributed Systems Security Symposium, 2003. [16] J. Hwang, S. Suh, S. Heo, C. Park, J. Ryu, S Park, and C. Kim. Xen on ARM: System virtualization using Xen hypervisor for ARM -based secure mobile phones. In IEEE CCNC, 2008. [17] M. Hypponen. The state of cell phone malware in 2007. www . usenix.org/events/sec07/tech/hypponen.pdf [18] N. L. Petroni Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - a coprocessor -based kernel runtime integrity monitor In Proc. USENIX Security Symposium, 2004. [19] AiAA Martin. FireWire memory dump of a Windows XP com- puter: A forensic approach, 2007. whit epapers . zdnet . com/ abstract .aspx?docid=38780. [20] Bank of America Mobile Banking. One millionth mobile banker logs on to Bank of America. tinyurl . com/yb72f4e. [21] N. L. Petroni and M. Hicks. Automated detection of persistent ker- nel control -flow attacks. In Proc. ACM Conference on Computer and Communications Security, 2007. [22] R. Racic, D. Ma, , and H. Chen. Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone's Battery. In Proc. 2nd International Conference on Security and Privacy in Communication Networks, Au- gust 2006. [23] R. Sailer, X. Zhang, T. Jaeger, and L. van Doom. Design and imple- mentation of a tcg-based integrity measurement architecture. In Proc. UJSENIX Security Symposium, August 2004. TCG. Trusted computing group: Mobile trusted computing platform. https://www.trustedcomputinggroup.org/ groups/mobile. G. Xu, C. Borcea, and L. Mode. Satem: Trusted service code across transactions In 25th Symposium on Reliable Distributed Systems, Oct 2006. [26] X Zhang, L. van Doorn, T. Jaeger, R. Perez, and R. Sailer. Secure coprocessor -based intrusion detection. In Proc. 10th workshop on ACM SIGOPS European workshop: beyond the PC, 2002. All URLs were last verified on January 10, 2010. [2] [3] [4] [5] [6] [7] [24] [25] et. news .cnet. vmware.com/ 6