DOI: 10.1145/3386263.3406939
Research article

Efficient and Trusted Detection of Rootkit in IoT Devices via Offline Profiling and Online Monitoring

Published: 07 September 2020

Abstract

We present LKRDet: a framework based on a Trusted Execution Environment to detect kernel rootkits in IoT devices. LKRDet checks the consistency of the hardware events occurring in specific system call routines to detect abnormalities caused by kernel rootkits. LKRDet relies on Hardware Performance Counters to efficiently and safely count the hardware events occurring in the system. We implement a prototype of LKRDet for the ARM TrustZone architecture, on top of the Open Portable Trusted Execution Environment, and evaluate our prototype with four popular rootkits. Our evaluation reveals that LKRDet accurately detects the presence of all the rootkits on the device.
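The offline-profiling / online-monitoring consistency check described in the abstract, as an added illustration (not LKRDet's own code): a baseline of per-syscall hardware-event counts is built from clean readings, and later readings of the same routine are flagged when they fall outside the profiled interval. The event types, syscalls, sample counts and the 3-sigma acceptance rule are constructed assumptions, not values from the paper.

```python
"""Added illustration, not LKRDet's code: offline profiling of per-syscall
hardware-event counts followed by online consistency checks against that profile.
Syscalls, event columns, sample values and the k-sigma rule are assumptions."""
from statistics import mean, pstdev

# Constructed offline-profiling samples: for each syscall routine, several
# (instructions retired, branches) readings taken on a known-clean kernel.
CLEAN_PROFILE_SAMPLES = {
    "getdents64": [(1200, 310), (1210, 312), (1195, 309), (1205, 311)],
    "read":       [(800, 190), (805, 192), (798, 189), (803, 191)],
}

def build_profile(samples, k=3.0):
    """Per syscall and per event column, record an acceptance interval mean +/- k*stddev.
    A floor of 1.0 on stddev avoids a zero-width interval for perfectly stable events."""
    profile = {}
    for syscall, readings in samples.items():
        per_event = list(zip(*readings))       # transpose to one column per event
        profile[syscall] = []
        for column in per_event:
            mu, sigma = mean(column), max(pstdev(column), 1.0)
            profile[syscall].append((mu - k * sigma, mu + k * sigma))
    return profile

def check_event_counts(profile, syscall, counts):
    """Online monitoring step: return the indices of event columns whose count lies
    outside the profiled interval; an empty list means the routine looks consistent."""
    bounds = profile[syscall]
    return [i for i, (c, (lo, hi)) in enumerate(zip(counts, bounds)) if not lo <= c <= hi]

def monitor(profile, observations):
    """Run the check over (syscall, counts) observations and collect only the alerts."""
    alerts = []
    for syscall, counts in observations:
        bad = check_event_counts(profile, syscall, counts)
        if bad:
            alerts.append((syscall, counts, bad))
    return alerts

# Constructed online observations: the last getdents64 reading carries the extra
# instructions and branches that a modified directory-listing routine would execute.
OBSERVATIONS = [
    ("read", (801, 190)),
    ("getdents64", (1202, 310)),
    ("getdents64", (1650, 420)),
]

if __name__ == "__main__":
    prof = build_profile(CLEAN_PROFILE_SAMPLES)
    for syscall, counts, bad in monitor(prof, OBSERVATIONS):
        print(f"inconsistent hardware events in {syscall}: counts={counts} columns={bad}")
```

In LKRDet the counting and the comparison run inside the TEE so a rootkit in the normal-world kernel cannot tamper with the profile; this example only models the numeric check.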

Supplementary Material

MP4 File (3386263.3406939.mp4)
Presentation video


Cited By

  • (2023) Stealthy Rootkits vs Low-Power IoT Devices: A Process-level Colonel Blotto Game. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1914-1918. DOI: 10.1109/TrustCom60117.2023.00260. Online publication date: 1-Nov-2023.
  • (2022) ULTRA: Ultimate Rootkit Detection over the Air. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 232-251. DOI: 10.1145/3545948.3545962. Online publication date: 26-Oct-2022.


Published In

GLSVLSI '20: Proceedings of the 2020 on Great Lakes Symposium on VLSI
September 2020
597 pages
ISBN:9781450379441
DOI:10.1145/3386263
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. arm architectures
  2. internet-of-things security
  3. rootkit detection


Conference

GLSVLSI '20
GLSVLSI '20: Great Lakes Symposium on VLSI 2020
September 7 - 9, 2020
Virtual Event, China

Acceptance Rates

Overall Acceptance Rate 312 of 1,156 submissions, 27%

Article Metrics

  • Downloads (Last 12 months)16
  • Downloads (Last 6 weeks)0
Reflects downloads up to 19 Nov 2024
