Efficient and Trusted Detection of Rootkit in IoT Devices via Offline Profiling and Online Monitoring

We present LKRDet, a framework based on a Trusted Execution Environment (TEE) to detect kernel rootkits in IoT devices. LKRDet checks the consistency of the hardware events that occur in specific system call routines to detect abnormalities caused by kernel rootkits. It relies on Hardware Performance Counters (HPCs) to count these hardware events efficiently and safely. We implement a prototype of LKRDet for the ARM TrustZone architecture, on top of the Open Portable Trusted Execution Environment (OP-TEE), and evaluate the prototype against four popular rootkits. Our evaluation shows that LKRDet accurately detects the presence of all four rootkits on the device.
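The offline-profiling / online-monitoring idea sketched above, as an added example that is not LKRDet's code: a clean kernel is profiled by recording HPC readings per system call, and at run time each reading is checked for consistency with that profile. The event names, the k-sigma tolerance rule and all counter values are constructed assumptions, not measurements from the paper.

```python
from statistics import mean, pstdev

# Constructed offline-profiling data (not measurements from the paper): per syscall,
# several HPC readings of a clean kernel, each mapping a hardware event to its count.
CLEAN_SAMPLES = {
    "getdents64": [
        {"instructions": 1500, "branches": 300},
        {"instructions": 1504, "branches": 301},
        {"instructions": 1498, "branches": 299},
        {"instructions": 1502, "branches": 300},
    ],
    "read": [{"instructions": 800, "branches": 120}] * 4,
}

def build_profile(samples):
    """Offline phase: per syscall and event, record mean and population stddev."""
    return {
        syscall: {
            ev: (mean(r[ev] for r in readings), pstdev(r[ev] for r in readings))
            for ev in readings[0]
        }
        for syscall, readings in samples.items()
    }

def check_reading(profile, syscall, reading, k=3.0, min_abs=2):
    """Online phase: list the events whose count is inconsistent with the profile.
    Tolerance is k stddevs, floored at min_abs counts so a zero-variance event tolerates jitter."""
    return [
        ev for ev, (mu, sigma) in profile[syscall].items()
        if abs(reading[ev] - mu) > max(k * sigma, min_abs)
    ]

def scan_trace(profile, trace, **kw):
    """Run the online check over (syscall, reading) pairs; return flagged entries."""
    hits = []
    for syscall, reading in trace:
        anomalies = check_reading(profile, syscall, reading, **kw)
        if anomalies:
            hits.append((syscall, anomalies))
    return hits

PROFILE = build_profile(CLEAN_SAMPLES)
# Constructed online trace: two readings consistent with the profile and one
# getdents64 reading inflated the way extra filtering code in a hooked routine would.
TRACE = [
    ("read", {"instructions": 801, "branches": 120}),
    ("getdents64", {"instructions": 1503, "branches": 301}),
    ("getdents64", {"instructions": 2410, "branches": 485}),
]
```

Calling `scan_trace(PROFILE, TRACE)` flags only the third entry; in a TEE-based deployment the profile and the check would live in the secure world so a compromised kernel cannot tamper with them.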
