retroac ve detec on of malware with applica ons to mobile
play

Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms - PowerPoint PPT Presentation

Nov 13, 2023 •612 likes •790 views

Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms Markus Jakobsson KarlAnders Johansson FatSkunk 1 Market forecast for mobile More smartphones than PCs in 23 years Dominant pla@orms targeted 4G will fuel

  1. Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms Markus Jakobsson Karl‐Anders Johansson FatSkunk 1

  2. Market forecast for mobile • More smartphones than PCs in 2‐3 years – Dominant pla@orms targeted • 4G will fuel apps and mobile Internet use – M‐commerce, M‐voJng, Parental Control, … • Phones are personal , have rich data – Social use makes users more vulnerable • Power limitaJons stymie AnJ Virus products – Power consumpJon increases with # threats • Likely big threats: – Bluetooth viruses, (piracy) trojans, social malware

  3. Trends: Faster, stealthier, smarter kits, recompilers, polymorphism malware oTen installs AV (limit compeJJon) produced by organized crime

  4. Contrast: What the consumer wants Freedom Undo

  5. What makes this challenging 1. Malware masquerades and deceives 2. Malware will not allow itself be erased 3. Malware can catch interrupts 4. Malware can edit system calls/responses 5. Malware is bad, will not cooperate

  6. Main principles • To block detecJon, malware must be ac2ve . • To be acJve, malware needs to be in RAM . • RAM is faster than flash and radio. 6

  7. monolith kernel 1. Swap out all programs (malware may refuse) cache RAM Contact markus@fatskunk.com for more details incl. improvements. 7

  8. monolith kernel 1. Swap out all programs (malware may refuse) 2. Overwrite all “free” RAM pseudo‐random content(malware refuses again) cache RAM Contact markus@fatskunk.com for more details incl. improvements. 8

  9. monolith kernel 1. Swap out all programs (malware may refuse) 2. Overwrite all “free” RAM pseudo‐random content(malware refuses again) cache RAM Contact markus@fatskunk.com for more details incl. improvements. 9

  10. monolith kernel 1. Swap out all programs (malware may refuse) 2. Overwrite all “free” RAM pseudo‐random content (malware refuses again) 3. Compute keyed digest of all RAM cache (access order unknown a priori) RAM Contact markus@fatskunk.com for more details incl. improvements. 10

  11. monolith kernel 1. Swap out all programs (malware may refuse) 2. Overwrite all “free” RAM pseudo‐random content (malware refuses again) 3. Compute keyed digest of all RAM cache (access order unknown a priori) RAM Contact markus@fatskunk.com for more details incl. improvements. 11

  12. monolith kernel 1. Swap out all programs (malware may refuse) 2. Overwrite all “free” RAM pseudo‐random content (malware refuses again) 3. Compute keyed digest of all RAM cache (access order unknown a priori) External verifier provides this RAM Contact markus@fatskunk.com for more details incl. improvements. 12

  13. monolith kernel 1. Swap out all programs (malware may refuse) 2. Overwrite all “free” RAM pseudo‐random content (malware refuses again) 3. Compute keyed digest of all RAM cache (access order unknown a priori) External verifier will Jme this (and check result of computaJon) RAM Contact markus@fatskunk.com for more details incl. improvements. 13

  14. Adversary wants to replace the legiJmate monolith kernel F with a monolith funcJon F’ s.t. F'(x)=F(x) for all x, kernel running in same amount of Jme, where F and F’ do not hand 1. Swap out all programs over control to the same processes (malware may refuse) at the end of their execuJon. 2. Overwrite all “free” RAM pseudo‐random content (malware refuses again) 3. Compute keyed digest of all RAM cache AcJve malware agent can: (access order unknown a priori) 1. Send to flash (incurs delays) 2. Recompute contents (ow!) 3. Get external help (latency) 4. Do all correctly, then cause hand‐over to wrong process 5. Agree to die / get detected 1‐4 will fail RAM Contact markus@fatskunk.com for more details incl. improvements. 14

  15. Some details • Only requirement: know amount/type hardware • Full use of caching (instrucJon + data) • Strategy to maximize penalty for flash access • Two adversarial models: external aoacker or no • SIM card can be used as low‐latency Jmer Contact markus@fatskunk.com for more details incl. improvements. 15

  16. Some stats • Variant implemented ‐ takes <3s on 256MB, 600 MHz Android board • Speedup for mulJ‐core • Detects all acJve malware – retroacJvely • Provable security – no heurisJcs • Suitable for mobile pla@orms • Can be combined with a “secure rsync” Contact markus@fatskunk.com for more details incl. improvements. 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detec%ng Inconsistencies in JavaScript MVC Applica%ons Frolin S.

Detec%ng Inconsistencies in JavaScript MVC Applica%ons Frolin S.

Detec%ng Inconsistencies in JavaScript MVC Applica%ons Frolin S. Ocariza, Jr., Karthik PaAabiraman and Ali Mesbah University of British Columbia Most popular

504 views • 37 slides
Assimila'on of func'onal data and applica'on to ac've fires detec'on from satellites Jan Mandel

Assimila'on of func'onal data and applica'on to ac've fires detec'on from satellites Jan Mandel

Assimila'on of func'onal data and applica'on to ac've fires detec'on from satellites Jan Mandel University of Colorado Denver Ins5tute of Informa5cs, Czech Academy of Sciences With Ivan Kasanick, Adam K. Kochanski, Sher Schranz, and Mar5n

1.05k views • 47 slides
Detec%ng Unknown Inconsistencies in Web Applica%ons Frolin Ocariza Jr. Karthik Pa:abiraman Ali

Detec%ng Unknown Inconsistencies in Web Applica%ons Frolin Ocariza Jr. Karthik Pa:abiraman Ali

Detec%ng Unknown Inconsistencies in Web Applica%ons Frolin Ocariza Jr. Karthik Pa:abiraman Ali Mesbah 1 95% of all websites use JavaScript JavaScript The most popular language on both GitHub and StackOverflow for 4 years 2 Bugs abound

481 views • 35 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides
Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki Computer Science Dept. Worcester Polytechnic Institute (WPI) 1 Introduction Mobile Malware is fairly recent July 2004 Cabir virus came out on

487 views • 24 slides
WHY MOBILE TO MOBILE MALWARE WONT CAUSE A STORM Nathaniel Husted Steven Myers Indiana

WHY MOBILE TO MOBILE MALWARE WONT CAUSE A STORM Nathaniel Husted Steven Myers Indiana

WHY MOBILE TO MOBILE MALWARE WONT CAUSE A STORM Nathaniel Husted Steven Myers Indiana University Monday, April 4, 2011 MOBILE TO MOBILE MALWARE Bluetooth (Mabir/Cabir/Commwarrior) Vs. MMS (Mabir/Commwarrior) Symbian OS -- Dominant

338 views • 21 slides
Data Storage Mobile Applica,on Development in iOS School of EECS Washington State University

Data Storage Mobile Applica,on Development in iOS School of EECS Washington State University

Xcode 11.4 with iOS 13.4 and Swift 5.2 is here! Data Storage Mobile Applica,on Development in iOS School of EECS Washington State University Instructor: Larry Holder Mobile Applica,on Development in iOS 1 Data Storage Already seen:

616 views • 37 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect

Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect

Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect physics to detect undesirable routines Guy Stewart VP Engineering Fatskunk Inc. The Malware Problem The Malware Problem Trojans, Rootkits, the

454 views • 18 slides
Are these Ads Safe: Detec/ng Hidden A4acks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detec/ng Hidden A4acks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detec/ng Hidden A4acks through Mobile App-Web Interfaces Vaibhav Rastogi 1 , Rui Shao 2 , Yan Chen 3 , Xiang Pan 3 , Shihong Zou 4 , and Ryan Riley 5 1 University of Wisconsin and Pennsylvania State University 2 Zhejiang

481 views • 30 slides
ZigZag: Automa,cally Hardening Web Applica,ons Against Client- side Valida,on Vulnerabili,es

ZigZag: Automa,cally Hardening Web Applica,ons Against Client- side Valida,on Vulnerabili,es

ZigZag: Automa,cally Hardening Web Applica,ons Against Client- side Valida,on Vulnerabili,es PRESENTED BY SAI TEJ KANCHARLA Content Introduc,on Mo,va,on And Threat Model System Overview Invariant Detec,on Invariant

549 views • 26 slides
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel &amp; Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Foundations Security in MAS Conclusion Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till Drges td@pre-secure.de PRESECURE Consulting GmbH June 20, 2007 Till Drges Protection Malware seen

739 views • 57 slides
Android'Applica,on'Components:' Lifecycle'and'State' ' Mobile'and'Ubiquitous'Compu,ng'

Android'Applica,on'Components:' Lifecycle'and'State' ' Mobile'and'Ubiquitous'Compu,ng'

Android'Applica,on'Components:' Lifecycle'and'State' ' Mobile'and'Ubiquitous'Compu,ng' MEIC/MERC'2015/16' ' ' Nuno'Santos' 1.#APPLICATION#COMPONENTS# Mobile'and'Ubiquitous'Compu,ng'2015/16' Android'Components'

704 views • 35 slides
FlowDroid Alex Mariakakis From CSE 501 again Motivation All sorts of mobile malware exist

FlowDroid Alex Mariakakis From CSE 501 again Motivation All sorts of mobile malware exist

FlowDroid Alex Mariakakis From CSE 501 again Motivation All sorts of mobile malware exist Selling user information to advertisement/ marketing companies Stealing user credentials Premium rate calls and SMS SMS spam

843 views • 17 slides
Manipulao de Bytecode Java Mantendo o esprito Hacker no mundo das linguagens de alto nvel

Manipulao de Bytecode Java Mantendo o esprito Hacker no mundo das linguagens de alto nvel

Manipulao de Bytecode Java Mantendo o esprito Hacker no mundo das linguagens de alto nvel Andr Luiz Breves de Oliveira andre.breves@gmail.com class Hello { public static void main(String[] args) { System.out.println(&quot;Hello

217 views • 21 slides
SEP Antrittsvortrag Vertrauenswrdige Auslieferung von Zertifikaten fr Network Access Control

SEP Antrittsvortrag Vertrauenswrdige Auslieferung von Zertifikaten fr Network Access Control

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen SEP Antrittsvortrag Vertrauenswrdige Auslieferung von Zertifikaten fr Network Access Control mit EAP-(T)TLS Michael Bothmann Betreuer:

587 views • 15 slides
Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management

Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management

KTH ROYAL INSTITUTE OF TECHNOLOGY Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management Infrastructure Mohammad Khodaei Networked Systems Security Group (NSS) November 1, 2016 July 2, 2018

1.03k views • 38 slides
Measuring the net Markus Peuhkuri 2003-08-18 Lecture topics Why network is measured How

Measuring the net Markus Peuhkuri 2003-08-18 Lecture topics Why network is measured How

Measuring the net Markus Peuhkuri 2003-08-18 Lecture topics Why network is measured How network can be measured What is measured How one can utilize measurements IP networks assumed Focus on quality-related measurements,

626 views • 9 slides
Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise 2.0? Enterprise 2.0 is the term for the technologies and business practices that liberate the workforce from the constraints of legacy

378 views • 36 slides
Opportunity : Approach to New Product Development Idea and Opportunity A form, look or

Opportunity : Approach to New Product Development Idea and Opportunity A form, look or

From Idea to Opportunity : Approach to New Product Development Idea and Opportunity A form, look or appearance of a thing as opposed to its reality A conception existing in the mind A thought, a mental image, a notion An

649 views • 63 slides
Picking up the Blitz Recognizing &amp; Countering the Technology Rush in Our Homes Tim Keeter

Picking up the Blitz Recognizing &amp; Countering the Technology Rush in Our Homes Tim Keeter

Picking up the Blitz Recognizing &amp; Countering the Technology Rush in Our Homes Tim Keeter timkeeter@gmail.com How todays parents recall their first computer How your kids may recall their first computer The Home Network (1990s)

859 views • 44 slides
The Contribution of Male Peer Support What is Revenge Pornography? Following Salter and Crofts

The Contribution of Male Peer Support What is Revenge Pornography? Following Salter and Crofts

The Contribution of Male Peer Support What is Revenge Pornography? Following Salter and Crofts (2015), Revenge porn images and videos are typically made by men with the consent of the women they were intimately involved with, but then

456 views • 16 slides

More recommend