Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms - - PowerPoint PPT Presentation

retroac ve detec on of malware with applica ons to mobile
SMART_READER_LITE
LIVE PREVIEW

Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms - - PowerPoint PPT Presentation

Nov 13, 2023 612 likes •793 views

Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms Markus Jakobsson KarlAnders Johansson FatSkunk 1 Market forecast for mobile More smartphones than PCs in 23 years Dominant pla@orms targeted 4G will fuel

slide-1
SLIDE 1

Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms

Markus Jakobsson Karl‐Anders Johansson FatSkunk

1

slide-2
SLIDE 2

Market forecast for mobile

  • More smartphones than PCs in 2‐3 years

– Dominant pla@orms targeted

  • 4G will fuel apps and mobile Internet use

– M‐commerce, M‐voJng, Parental Control, …

  • Phones are personal, have rich data

– Social use makes users more vulnerable

  • Power limitaJons stymie AnJ Virus products

– Power consumpJon increases with # threats

  • Likely big threats:

– Bluetooth viruses, (piracy) trojans, social malware

slide-3
SLIDE 3

Trends: Faster, stealthier, smarter

kits, recompilers, polymorphism malware oTen installs AV (limit compeJJon) produced by organized crime

slide-4
SLIDE 4

Contrast: What the consumer wants

Freedom

Undo

slide-5
SLIDE 5

What makes this challenging

  • 1. Malware masquerades and deceives
  • 2. Malware will not allow itself be erased
  • 3. Malware can catch interrupts
  • 4. Malware can edit system calls/responses
  • 5. Malware is bad, will not cooperate
slide-6
SLIDE 6

Main principles

  • To block detecJon, malware must be ac2ve.
  • To be acJve, malware needs to be in RAM.
  • RAM is faster than flash and radio.

6

slide-7
SLIDE 7

monolith kernel cache RAM

  • 1. Swap out all programs

(malware may refuse)

7

Contact markus@fatskunk.com for more details incl. improvements.

slide-8
SLIDE 8

monolith kernel cache RAM

  • 1. Swap out all programs

(malware may refuse)

  • 2. Overwrite all “free” RAM

pseudo‐random content(malware refuses again)

8

Contact markus@fatskunk.com for more details incl. improvements.

slide-9
SLIDE 9

monolith kernel cache RAM

  • 1. Swap out all programs

(malware may refuse)

  • 2. Overwrite all “free” RAM

pseudo‐random content(malware refuses again)

9

Contact markus@fatskunk.com for more details incl. improvements.

slide-10
SLIDE 10

monolith kernel cache RAM

  • 1. Swap out all programs

(malware may refuse)

  • 2. Overwrite all “free” RAM

pseudo‐random content (malware refuses again)

  • 3. Compute keyed digest of all RAM

(access order unknown a priori)

10

Contact markus@fatskunk.com for more details incl. improvements.

slide-11
SLIDE 11

monolith kernel cache RAM

  • 1. Swap out all programs

(malware may refuse)

  • 2. Overwrite all “free” RAM

pseudo‐random content (malware refuses again)

  • 3. Compute keyed digest of all RAM

(access order unknown a priori)

11

Contact markus@fatskunk.com for more details incl. improvements.

slide-12
SLIDE 12

monolith kernel cache RAM

12

  • 1. Swap out all programs

(malware may refuse)

  • 2. Overwrite all “free” RAM

pseudo‐random content (malware refuses again)

  • 3. Compute keyed digest of all RAM

(access order unknown a priori) Contact markus@fatskunk.com for more details incl. improvements.

External verifier provides this

slide-13
SLIDE 13

monolith kernel cache RAM

13

  • 1. Swap out all programs

(malware may refuse)

  • 2. Overwrite all “free” RAM

pseudo‐random content (malware refuses again)

  • 3. Compute keyed digest of all RAM

(access order unknown a priori) Contact markus@fatskunk.com for more details incl. improvements.

External verifier will Jme this (and check result of computaJon)

slide-14
SLIDE 14

Contact markus@fatskunk.com for more details incl. improvements. monolith kernel cache RAM

14

  • 1. Swap out all programs

(malware may refuse)

  • 2. Overwrite all “free” RAM

pseudo‐random content (malware refuses again)

  • 3. Compute keyed digest of all RAM

(access order unknown a priori) AcJve malware agent can:

  • 1. Send to flash (incurs delays)
  • 2. Recompute contents (ow!)
  • 3. Get external help (latency)
  • 4. Do all correctly, then cause

hand‐over to wrong process

  • 5. Agree to die / get detected

1‐4 will fail Adversary wants to replace the legiJmate monolith kernel F with a funcJon F’ s.t. F'(x)=F(x) for all x, running in same amount of Jme, where F and F’ do not hand

  • ver control to the same processes

at the end of their execuJon.

slide-15
SLIDE 15

Some details

  • Only requirement: know amount/type hardware
  • Full use of caching (instrucJon + data)
  • Strategy to maximize penalty for flash access
  • Two adversarial models: external aoacker or no
  • SIM card can be used as low‐latency Jmer

15

Contact markus@fatskunk.com for more details incl. improvements.

slide-16
SLIDE 16

Some stats

  • Variant implemented ‐ takes <3s on

256MB, 600 MHz Android board

  • Speedup for mulJ‐core
  • Detects all acJve malware – retroacJvely
  • Provable security – no heurisJcs
  • Suitable for mobile pla@orms
  • Can be combined with a “secure rsync”

16

Contact markus@fatskunk.com for more details incl. improvements.