Rootkit Detection on Embedded IoT Devices

IoT systems are subject to cyber attacks, including the infection of embedded IoT devices with rootkits. Rootkits are malicious software that typically run with elevated privileges, which makes their detection challenging. In this paper, we address this challenge: we propose a rootkit detection approach for embedded IoT devices that takes advantage of a trusted execution environment (TEE), which is often supported on popular IoT platforms such as ARM-based embedded boards. The TEE provides an isolated environment for our rootkit detection algorithms and prevents the rootkit from interfering with their execution, even if the rootkit has root privileges on the untrusted part of the IoT device. Our rootkit detection algorithms identify modifications made by the rootkit to the code of the operating system kernel, to system programs, and to data that influences control flow (e.g., hooked system call table entries), as well as inconsistencies created by the rootkit in certain kernel data structures (e.g., those that hold process-related information). We also propose algorithms to detect rootkit components in the persistent storage of the device. Besides describing our approach and algorithms in detail, we report on a prototype implementation and on the evaluation of our design and implementation, which is based on testing our prototype with rootkits that we developed for this purpose.
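The three classes of checks the abstract names (kernel code integrity, control-flow data such as the system call table, and cross-view consistency of process bookkeeping) can be sketched in a small user-space model. The following is an added example, not the paper's prototype or code: it models the normal-world kernel state as plain C arrays, uses a constructed kernel text base address and a non-cryptographic FNV-1a hash as a stand-in for the cryptographic hash a real TEE-side checker would use, and simulates three rootkit actions (an inline code patch, a hooked syscall entry pointing outside the kernel text, and unlinking a task from the task list while it stays in the PID table). A real implementation would read these structures through the secure world's mapping of normal-world memory; the names and addresses here are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, user-space model of the normal-world kernel state that a
 * TEE-resident checker would inspect. All addresses are assumed values. */
#define KTEXT_BASE   0xffff000010080000ULL   /* assumed start of kernel .text */
#define KTEXT_SIZE   64                      /* tiny stand-in for the segment */
#define NR_SYSCALLS  4
#define MAX_TASKS    8

static uint8_t  ktext[KTEXT_SIZE];            /* kernel code bytes */
static uint64_t ktext_hash_baseline;          /* recorded in the TEE at boot */
static uint64_t sys_call_table[NR_SYSCALLS];  /* control-flow data */

struct task { int pid; int next; };           /* next: index into tasks[], -1 = end */
static struct task tasks[MAX_TASKS];
static int task_list_head;                    /* view 1: the linked task list */
static int pid_table[MAX_TASKS];              /* view 2: pid -> task index, -1 = empty */

/* FNV-1a 64-bit; placeholder for a real cryptographic hash such as SHA-256.
 * Only the compare-against-baseline logic matters for the example. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Clean baseline: deterministic code bytes, syscall entries inside .text,
 * three processes (pids 1..3) present in both views. */
void setup_clean_state(void) {
    for (int i = 0; i < KTEXT_SIZE; i++) ktext[i] = (uint8_t)(0xd5 ^ (i * 7));
    ktext_hash_baseline = fnv1a64(ktext, KTEXT_SIZE);
    for (int i = 0; i < NR_SYSCALLS; i++) sys_call_table[i] = KTEXT_BASE + 16ULL * i;
    for (int i = 0; i < MAX_TASKS; i++) { tasks[i].pid = -1; tasks[i].next = -1; pid_table[i] = -1; }
    for (int i = 0; i < 3; i++) {
        tasks[i].pid  = i + 1;
        tasks[i].next = (i + 1 < 3) ? i + 1 : -1;
        pid_table[i + 1] = i;
    }
    task_list_head = 0;
}

/* Check 1: kernel code must hash to the value recorded at boot. */
int kernel_text_modified(void) {
    return fnv1a64(ktext, KTEXT_SIZE) != ktext_hash_baseline;
}

/* Check 2: every syscall handler must lie inside kernel .text; a hook
 * installed by a module points elsewhere. Returns the number of such entries. */
int hooked_syscalls(void) {
    int n = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] < KTEXT_BASE || sys_call_table[i] >= KTEXT_BASE + KTEXT_SIZE) n++;
    return n;
}

/* Check 3: cross-view consistency. A task reachable via the pid table but
 * not via the task list has been unlinked (DKOM hiding). Returns the count. */
int hidden_tasks(void) {
    int seen[MAX_TASKS] = {0};
    for (int i = task_list_head; i != -1; i = tasks[i].next) seen[i] = 1;
    int hidden = 0;
    for (int pid = 0; pid < MAX_TASKS; pid++)
        if (pid_table[pid] != -1 && !seen[pid_table[pid]]) hidden++;
    return hidden;
}

/* Simulated rootkit actions against the model (constructed for the example). */
void rootkit_inline_hook(void)    { ktext[20] ^= 0xff; }                         /* patch kernel code */
void rootkit_hook_syscall(int nr) { sys_call_table[nr] = 0xffff000012345000ULL; } /* assumed module address */
void rootkit_hide_pid(int pid) {                                                 /* unlink from task list only */
    int idx = pid_table[pid];
    if (task_list_head == idx) { task_list_head = tasks[idx].next; return; }
    for (int i = task_list_head; i != -1; i = tasks[i].next)
        if (tasks[i].next == idx) { tasks[i].next = tasks[idx].next; return; }
}

int main(void) {
    setup_clean_state();
    printf("clean:    text=%d hooks=%d hidden=%d\n",
           kernel_text_modified(), hooked_syscalls(), hidden_tasks());
    rootkit_inline_hook(); rootkit_hook_syscall(1); rootkit_hide_pid(2);
    printf("infected: text=%d hooks=%d hidden=%d\n",
           kernel_text_modified(), hooked_syscalls(), hidden_tasks());
    return 0;
}
```

The point of running the checks from the TEE is that the baseline hash, the expected text range and the checker itself live in memory the normal-world kernel cannot write, so a rootkit with root privileges can alter the structures being checked but not the reference values or the comparison. Note that the range check in the second function only catches hooks that redirect outside kernel text; an inline patch of a handler inside .text is caught by the first check instead, which is why both are needed.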
