Uncloaking Rootkits on Mobile Devices with a Hypervisor-Based Detector

Cell phones have evolved into general-purpose computing devices that are tightly integrated into many IT infrastructures. As such, they provide a potential malware entry point that cannot be easily dismissed when attacks by determined adversaries are considered. Most likely, such targeted attacks will employ rootkit technologies so as to hide their presence for as long as possible.
