Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection (PowerPoint presentation)



SLIDE 1

Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection

Jeffrey Bickford *, H. Andrés Lagar-Cavilla #, Alexander Varshavsky #, Vinod Ganapathy *, and Liviu Iftode * * Rutgers University # AT&T Labs – Research

SLIDE 2

Smart Phone Apps: Email, Location, Banking, Contacts

Store personal and private information

SLIDE 3

The Rise of Mobile Malware

[Timeline figure: 2004, 2006, 2011]

Mobisys 6/30/2011 3

SLIDE 4

Traditional Malware Detection

  • Periodically scan the attack target
    – System comprised of code and data
    – Personal files, executables, databases, network activity

[Screenshot: Antivirus 2011 scan dialog – 30469 of 121876 scanned, Remaining Time: 1 hour 2 minutes, Cancel Scan]

Battery life decreases 2x faster!

SLIDE 5

Mobile Detection Problem

  • Typical machines can execute malware detection systems 24/7
  • Mobile devices are limited by their battery
  • Detection mechanisms in their current state lead to high energy cost
  • Executing malware detection systems only when charging is not sufficient

SLIDE 6

Contributions

Explore the tradeoffs between security monitoring and energy consumption on mobile devices

  1. Framework to quantify the security vs. energy tradeoffs on a mobile device
  2. Create energy optimized versions of two security tools
  3. Introduce a balanced security profile
SLIDE 7

How Do I Conserve Energy?

[Diagram: two knobs – Frequency of Checks (when to check) and Attack Surface (what to check)]

  • Frequency of Checks
    – When to check?
    – Scan less frequently
    – Timing vs events
  • Attack Surface
    – What to check?
    – Scan fewer code/data objects
SLIDE 8

Security-Energy Tradeoff

[Diagram: Frequency of Checks vs Attack Surface, with various attacks plotted]

  • Scan all continuously
    – Best possible security
    – High energy cost
  • Periodically scan
    – Vulnerable between scans
  • Scan subset
    – Vulnerable to attacks outside of subset

Is there a sweet spot?

SLIDE 9

Rootkits

[Diagram: User Space – App, App, App, Libraries, Anti Virus, Virus; Kernel Space – Kernel Code, System Call Table, Drivers, Process Lists, Rootkit]

Rootkits are sophisticated malware requiring complex detection algorithms

SLIDE 10

Demonstrated Attack: Conversation Snooping Attack [Bickford et al. HotMobile ‘10]

[Diagram: the attacker sends the SMS “Dial me 666-6666” to the rootkit-infected phone; the phone calls the attacker, turns on the mic and deletes the SMS]

Rootkit stealthily hides from the user

SLIDE 11

Rootkit Detection

[Diagram: host machine running a hypervisor, with the user OS and a trusted domain that hosts the detector]

OS must be monitored using a hypervisor

  • Detection tools run in trusted domain
  • Mobile hypervisors soon
    – VMWare
    – OKL4 Microvisor (Evoke)
    – Samsung Xen on ARM

SLIDE 12

Experimental Setup

  • Viliv S5
    – Intel Atom
    – 3G, WiFi, GPS, Bluetooth
  • Xen Hypervisor
    – Evaluated the tradeoff using two existing rootkit detectors within trusted domain
  • Workloads
    – 3G and WiFi workload simulating user browsing
    – Lmbench for a CPU intensive workload

SLIDE 13

Detecting Data-Driven Attacks

  • Gibraltar [Baliga et al. IEEE TDSC ‘11] typifies the usual form of rootkit defense for kernel data attacks
    – Primarily pointer-based control flow
    – Scans data structures within the OS Kernel
  • Scanning approach analogous to antivirus scans
  • Original version monitored all data structures all of the time

SLIDE 14

Detecting Data-Driven Attacks

[Diagram: hypervisor with a guest domain (Kernel Code, Kernel Data) and a trusted domain (Gibraltar daemon, Invariant DB)]

  1. Fetch page (a data page from the guest kernel)
  2. Reconstruct data structures and check them against the Invariant DB
  3. Alert user

SLIDE 15

Problem – High Energy Cost

    while(1) {
        for all kernel data structures {
            get current value
            check against invariant
        }
    }

  • Maximum security
  • 100 % CPU usage
  • Poor Energy Efficiency

[Figure: energy consumption, Idle vs Continuous Scan]

Must tradeoff security for energy

SLIDE 16

Tradeoffs for Data-Based Detectors

[Figure: tradeoff grid for Gibraltar. Frequency of Checks axis: Poll Frequency (seconds) and Event Threshold (page changes between checks), tick values 1 5 30 100 120 50 10 1. Attack Surface axis: Process List, All Lists, Function Pointers, Static Data, All Data. Original design of Gibraltar marked.]

SLIDE 17

Frequency of Checks

Original:

    while(1) {
        for all kernel data structures {
            get current value
            check against invariant
        }
    }

Periodic:

    while(1) {
        every “x” seconds {
            for all kernel data structures {
                get current value
                check against invariant
            }
        }
    }

[Figure: energy consumption, Idle vs Scan]

SLIDE 18

Evaluating the Tradeoff

[Figure: Sweet Spot!]

SLIDE 19

Attack Surface

Original:

    while(1) {
        for all kernel data structures {
            get current value
            check against invariant
        }
    }

Subset:

    while(1) {
        for a subset of data structures {      (replaces: for all kernel data structures)
            get current value
            check against invariant
        }
    }
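As an added example (not code from the talk, from Gibraltar or from Patagonix), the following Python model runs the loop of slides 15, 17 and 19 over a constructed trace of kernel page writes and reports an energy proxy next to the tick at which the hook is caught, so the two knobs, frequency of checks (polling or event threshold) and attack surface, can be compared directly. The structure names, the trace and the energy proxy (one unit per structure fetched and compared) are assumptions of this example.

```python
from typing import Optional, Sequence, Tuple

# Invariant DB (constructed): the value each monitored kernel structure must hold.
INVARIANTS = {"syscall_table": "a1", "proc_list": "b2",
              "fn_pointers": "c3", "static_data": "d4"}
ALL = tuple(INVARIANTS)  # the "All Data" attack surface

# Constructed page-write trace: (tick, structure, value now in guest memory).
# Ticks 2 and 9 are benign churn (value equals the invariant); at tick 7 a
# rootkit hooks the system call table.
TRACE = [(2, "proc_list", "b2"), (7, "syscall_table", "hooked"),
         (9, "static_data", "d4")]

def simulate(subset: Sequence[str], poll_every: Optional[int] = None,
             event_threshold: Optional[int] = None,
             ticks: int = 20) -> Tuple[int, Optional[int]]:
    """Run one detector policy over TRACE and return (energy_cost, detect_tick).
    subset          -- attack surface: which structures are checked (slide 19)
    poll_every      -- timing trigger: check every x ticks (slide 17)
    event_threshold -- event trigger: check once this many pages changed
    Energy proxy (assumption): one unit per structure fetched and compared;
    detect_tick is None when the hook is never observed.
    """
    state = dict(INVARIANTS)    # guest kernel data as the detector would read it
    writes_since_check = cost = 0
    for t in range(ticks):
        for when, name, value in TRACE:      # apply this tick's page writes
            if when == t:
                state[name] = value
                writes_since_check += 1
        due = (poll_every is not None and t % poll_every == 0) or (
            event_threshold is not None and writes_since_check >= event_threshold)
        if not due:
            continue                         # detector idle: no energy spent
        writes_since_check = 0
        cost += len(subset)
        if any(state[n] != INVARIANTS[n] for n in subset):
            return cost, t                   # invariant violated: alert user
    return cost, None

if __name__ == "__main__":
    for label, kw in [("continuous, all data", dict(subset=ALL, poll_every=1)),
                      ("every 5 ticks, all data", dict(subset=ALL, poll_every=5)),
                      ("event threshold 1, all data", dict(subset=ALL, event_threshold=1)),
                      ("every 5 ticks, pointers only",
                       dict(subset=("syscall_table", "fn_pointers"), poll_every=5)),
                      ("continuous, process list only", dict(subset=("proc_list",), poll_every=1))]:
        cost, hit = simulate(**kw)
        print(f"{label:30s} energy={cost:3d} detected_at={hit}")
```

The last policy shows the attack-surface risk from slide 8: a cheap subset that leaves the system call table unmonitored never catches the hook, however often it polls.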

SLIDE 20

Evaluating the Tradeoff

96% of rootkits! [Petroni et al. CCS ‘07]

SLIDE 21

Detecting Code-Driven Attacks

  • Patagonix [Litty et al. USENIX Security ‘08] typifies most code integrity monitoring systems
  • A different class of rootkits attack code
    – trojaned system utilities
    – kernel code modifications
  • Can protect both kernel code and user space code
  • Protects against a different set of attacks compared to Gibraltar

SLIDE 22

Detecting Code-Driven Attacks

[Diagram: hypervisor with a guest domain (Code: OS & applications, Data) and a trusted domain (Patagonix daemon, Hash DB)]

  1. Code page (from the guest)
  2. hash(page), looked up in the Hash DB
  3. Resume guest on a match, otherwise alert user

SLIDE 23

Tradeoffs for Code-Based Detectors

[Figure: tradeoff grid for Patagonix. Frequency of Checks axis: Poll Frequency (seconds) and Event Threshold (pages exec between checks), tick values 1 5 30 341 120 50 10 1. Attack Surface axis: Kernel Code, Root Processes, All Code. Original design of Patagonix marked.]

SLIDE 24

Putting it Together

  • Cover 96% of Rootkits
  • Polling sweet spot – 30 sec
SLIDE 25

Conclusion

  • Mobile malware is a threat
  • Security tools costly when energy constrained
  • Developed a framework to quantify the tradeoff between energy efficiency and security
  • Optimized two previously existing tools
  • Generated a “balanced” security profile

SLIDE 26

Thank You!

[Mockup: Smart Phone Security Center – “Select a security plan”: Fully Secure, High risk, Low risk, Balanced; links “Learn how to conserve power” and “More security options”]

SLIDE 27

Randomization

[Diagram: Frequency of Checks vs Attack Surface]

  • Periodically scan
  • Attackers will attempt to exploit the system while idle
  • Randomize the time the system is idle

SLIDE 28

Cloud Offload Feasibility

Cloud offload impractical energy-wise