TrustDump: Reliable Memory Acquisition on Smartphones

详细信息    查看全文

• 作者：He Sun (17) (18) (19) (20)
  Kun Sun (20)
  Yuewu Wang (17) (18)
  Jiwu Jing (17) (18)
  Sushil Jajodia (20)
  
• 关键词：TrustZone ; Non ; Maskable Interrupt ; Memory Acquisition
• 刊名：Lecture Notes in Computer Science
• 出版年：2014
• 出版时间：2014
• 年：2014
• 卷：8712
• 期：1
• 页码：202-218
• 全文大小：271 KB
• 参考文献：1. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: NDSS (2003)
  2. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based “out-of-the-box-semantic view reconstruction. In: ACM Conference on Computer and Communications Security, pp. 128-38 (2007)
  3. Fu, Y., Lin, Z.: Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: IEEE Symposium on Security and Privacy, pp. 586-00 (2012)
  4. Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J.T., Lee, W.: Virtuoso: Narrowing the semantic gap in virtual machine introspection. In: IEEE Symposium on Security and Privacy, pp. 297-12 (2011)
  5. Dinaburg, A., Royal, P., Sharif, M.I., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: ACM Conference on Computer and Communications Security, pp. 51-2 (2008)
  6. Deng, Z., Zhang, X., Xu, D.: Spider: stealthy binary program instrumentation and debugging via hardware virtualization. In: ACSAC, pp. 289-98 (2013)
  7. Yan, L.K., Yin, H.: Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 29. USENIX Association (2012)
  8. McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for tcb minimization. In: EuroSys, pp. 315-28 (2008)
  9. McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V.D., Perrig, A.: Trustvisor: Efficient tcb reduction and attestation. In: IEEE Symposium on Security and Privacy, pp. 143-58 (2010)
  10. Martignoni, L., Poosankam, P., Zaharia, M., Han, J., McCamant, S., Song, D., Paxson, V., Perrig, A., Shenker, S., Stoica, I.: Cloud terminal: secure access to sensitive applications from untrusted systems. In: Proceedings of the 2012 USENIX Conference on Annual Technical Conference, p. 14. USENIX Association (2012)
  11. Zhang, F., Leach, K., Sun, K., Stavrou, A.: Spectre: A dependable introspection framework via system management mode. In: DSN, pp. 1-2 (2013)
  12. Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: Hypersentry: enabling stealthy in-context measurement of hypervisor integrity. In: ACM Conference on Computer and Communications Security, pp. 38-9 (2010)
  13. Wang, J., Stavrou, A., Ghosh, A.: Hypercheck: A hardware-assisted integrity monitor. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol.?6307, pp. 158-77. Springer, Heidelberg (2010) CrossRef
  14. Azab, A.M., Ning, P., Zhang, X.: Sice: a hardware-level strongly isolated computing environment for x86 multi-core platforms. In: ACM Conference on Computer and Communications Security, pp. 375-88 (2011)
  15. ARM: TrustZone Introduction, trustzone/index.php" class="a-plus-plus"> http://www.arm.com/products/processors/technologies/trustzone/index.php
  16. Alves, T., Felton, D.: Trustzone: Integrated hardware and software security. ARM White Paper 3(4) (2004)
  17. ARM: Cortex-A8 Technical Reference Manual, http://infocenter.arm.com/help/topic/com.arm.doc.ddi0344k/DDI0344K_cortex_a8_r3p2_trm.pdf
  18. ARM: Cortex-A9 Technical Reference Manual, http://infocenter.arm.com/help/topic/com.arm.doc.ddi0388f/DDI0388F_cortex_a9_r2p2_trm.pdf
  19. ARM: ARM Cortex-A15 MPCore Processor Technical Reference Manual, http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0438i/index.html
  20. ARM: Interrupt Behavior of Cortex-M1, http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dai0211a/index.html
  21. ARM: Cortex-M4 Devices Generic User Guide, http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/Cihfaaha.html
  22. Freescale: Imx53qsb: i.mx53 quick start board, http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=IMX53QSB&tid=vanIMXQUICKSTART
  23. Adeneo Embedded: Reference BSPs for Freescale i.MX53 Quick Start Board, http://www.adeneo-embedded.com/en/Products/Board-Support-Packages/Freescale-i.MX53-QSB
  24. Paul Bakker: PolarSSL, https://polarssl.org/
  25. Michael Coppola: Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM, http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/
  26. Heriyanto, A.P.: Procedures and tools for acquisition and analysis of volatile memory on android smartphones. In: Proceedings of The 11th Australian Digital Forensics Conference. SRI Security Research Institute, Edith Cowan University, Perth, Western Australia (2013)
  27. Sylve, J., Case, A., Marziale, L., Richard III, G.G.: Acquisition and analysis of volatile memory from android devices. Digital Investigation?8(3-4), 175-84 (2012) CrossRef
  28. Google: Using ddms for debugging, http://developer.android.com/tools/debugging/ddms.html
  29. Stevenson, A.: Boot into Recovery Mode for Rooted and Un-rooted Android devices, http://androidflagship.com/605-enter-recovery-mode-rooted-un-rooted-android
  30. Dall, C., Nieh, J.: Kvm for arm. In: Proceedings of the 12th Annual Linux Symposium (2010)
  31. Dall, C., Nieh, J.: Kvm/arm: The design and implementation of the linux arm hypervisor. In: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2014 (2014)
  32. Carrier, B.D., Grand, J.: A hardware-based memory acquisition procedure for digital investigations. Digital Investigation?1(1), 50-0 (2004) CrossRef
  33. Breeuwsma, I.M.F.: Forensic Imaging of Embedded Systems Using JTAG (Boundary-scan). Digit. Investig.?3(1) (March 2006)
  34. Jovanovic, Z., Redd, I.D.D.: Android forensics techniques. International Academy of Design and Technology (2012)
  35. Me, G., Rossi, M.: Internal forensic acquisition for mobile equipments. In: IPDPS, pp. 1- (2008)
  
• 作者单位：He Sun (17) (18) (19) (20)
  Kun Sun (20)
  Yuewu Wang (17) (18)
  Jiwu Jing (17) (18)
  Sushil Jajodia (20)
  
  17. State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing, P.R. China
  18. Data Assurance and Communication Security Research Center, CAS, Beijing, P.R. China
  19. University of Chinese Academy of Sciences, Beijing, P.R. China
  20. George Mason University, Fairfax, VA, USA
  
• ISSN：1611-3349

文摘

With the wide usage of smartphones in our daily life, new malware is emerging to compromise the mobile OS and steal the sensitive data from the mobile applications. Anti-malware tools should be continuously updated via static and dynamic malware analysis to detect and prevent the newest malware. Dynamic malware analysis depends on a reliable memory acquisition of the OS and the applications running on the smartphones. In this paper, we develop a TrustZone-based memory acquisition mechanism called TrustDump that is capable of reliably obtaining the RAM memory and CPU registers of the mobile OS even if the OS has crashed or has been compromised. The mobile OS is running in the TrustZone’s normal domain, and the memory acquisition tool is running in the TrustZone’s secure domain, which has the access privilege to the memory in the normal domain. Instead of using a hypervisor to ensure an isolation between the OS and the memory acquisition tool, we rely on ARM TrustZone to achieve a hardware-assisted isolation with a small trusted computing base (TCB) of about 450 lines of code. We build a TrustDump prototype on Freescale i.MX53 QSB.