next generation mobile rootkits
play

Next generation mobile rootkits Hack In Paris 2013 leveldown - PowerPoint PPT Presentation

Sep 16, 2022 •213 likes •986 views

Next generation mobile rootkits Hack In Paris 2013 leveldown security Thomas Roth Hi! Thomas Roth Embedded security (Payment terminals etc.) Distributed computing (and breaking) Web-stuff Social: @stacksmashing leveldown

  1. Next generation mobile rootkits Hack In Paris 2013 leveldown security Thomas Roth

  2. Hi! • Thomas Roth • Embedded security (Payment terminals etc.) • Distributed computing (and breaking) • Web-stuff • Social: @stacksmashing leveldown security Thomas Roth

  3. Prologue Mobile rootkits & Trustzone leveldown security Thomas Roth

  4. What are we protecting? Communication Data Credentials Payment Tracking leveldown security Thomas Roth

  5. In the wild • CarrierIQ (Usage statistics) • FinFisher (Governmental surveillance) • Cloaker (Research) leveldown security Thomas Roth

  6. Where do they hide? Baseband Memory CPU leveldown security Thomas Roth

  7. Where do they hide? Baseband Memory CPU TrustZone leveldown security Thomas Roth

  8. Short ARM intro • 32-bit RISC architecture • All instructions 32 bit long • Except in “Thumb-mode”, 16-bit instructions • Peripherals are mapped in memory (i.e. IOs at 0x40000000) • CP15 = System Control Coprocessor • Controls features like MMU, power saving, caches ... leveldown security

  9. ARM TrustZone • Allows the processor to switch into a “secure mode” • Secure access to screen, keyboard and other peripherals • Tries to protect against: “...malware, trojans and rootkits” • So called TEEs (Trusted Execution Environments) run in it • Introduced with ARMv6KZ leveldown security Thomas Roth Source for quotes: http://www.arm.com/products/processors/technologies/trustzone.php

  10. ARM TrustZone • Allows the processor to switch into a “secure mode” • Secure access to screen, keyboard and other peripherals • Tries to protect against: “...malware, trojans and rootkits” • So called TEEs (Trusted Execution Environments) run in it • Introduced with ARMv6KZ leveldown security Thomas Roth Source for quotes: http://www.arm.com/products/processors/technologies/trustzone.php

  11. ARM TrustZone • Splits the CPU into two worlds: Secure and normal • Communication between both worlds via shared memory mappings • State of the CPU is indicated to peripherals using a bit on AXB/AHB • Allowing secure-only on- & off-chip peripherals leveldown security Thomas Roth

  12. Trusted Execution Environments • Small operating system running in TrustZone and providing services to the ‘real’ operating system/apps • You write apps for them and pay ??? to integrate them • Use them via a driver in your operating system • Drivers are often open-source leveldown security Thomas Roth

  13. Example: Netflix • Netflix requires a device-certification • For SD, the device just needs to be fast enough to play video • For HD, the labels require ‘end-to-end’ DRM, so that the video-stream can’t be grabbed at any time • Video decoding running in TrustZone with direct access to screen, no way to record it from Android leveldown security Thomas Roth Source: http://www.anandtech.com/show/4480/ti-omap4-first-to-be-awarded-netflix-hd-1080p-hd-sri-certification

  14. Attacker Model • Protect against: • Device owners (DRM and other copy protection methods) • Malware (Steal PayPass informations from the device) • Freedom leveldown security Thomas Roth

  15. How does it work? • A second register set to the first CPU core • Mode switch from normal world: • SMC instruction ( Secure Monitor Call ) • Hardware exception (IRQ, FIQ, etc.) • NS bits on the internal bus (AXI/AHB) for indicating state to peripherals leveldown security Thomas Roth

  16. How does it work? Normal Secure SMC instruction World World or Hardware exception Monitor Privileged modes Privileged modes Mode User mode User mode leveldown security Thomas Roth Diagram inspired by: http://www.arm.com/products/processors/technologies/trustzone.php

  17. How does it actually work? Standard CPU modes SMC Hardware interrupt/SMC call User, FIQ, IRQ, SVC ... Mode State handling & NS-bit leveldown security Thomas Roth

  18. How does it actually work? • SMC: (Always has the NS bit enabled) • Detect whether coming from normal or secure world • Store registers of current world • Load registers of new world • Toggle NS bit • Give execution to new world leveldown security Thomas Roth

  19. Memory in TrustZone Normal World Secure World TrustZone enabled MMU Normal-world memory Shared Secure-only memory leveldown security Thomas Roth

  20. Memory in TrustZone • Normal-world only sees its own memory as well as the shared segment • Secure-world can access everything leveldown security Thomas Roth

  21. Memory in TrustZone • Normal-world only sees its own memory as well as the shared segment • Secure-world can access everything I guess you see why this is could useful... leveldown security Thomas Roth

  22. Boot process Start 1. stage bootloader (ROM) Hardware abstraction Integrity verification of 2. stage bootloader 2. stage bootloader (Flash) Initialization of TrustZone + TrustZone Kernel Lockdown of TrustZone Load & configure OS Operating System Android Windows ... leveldown security Thomas Roth

  23. Boot process Start 1. stage bootloader (ROM) T Hardware abstraction R Integrity verification of 2. stage bootloader U S 2. stage bootloader (Flash) T E Initialization of TrustZone + TrustZone Kernel D Lockdown of TrustZone Load & configure OS Operating System Android Windows ... leveldown security Thomas Roth

  24. By the way • “Unlocking” a bootloader does not mean that you can do what you want. • Most hardware vendors still lockdown a significant part of the boot chain, locking you out of TrustZone. leveldown security Thomas Roth

  25. Hardware support • All modern smartphone CPUs: • Qualcomm Snapdragon • TI OMAP • ... leveldown security Thomas Roth

  26. So basically... • The vendor installs a small operating system in a part of the CPU • This OS can do -anything- and third party apps are installed in it leveldown security Thomas Roth

  27. So basically... • The vendor installs a small operating system in a part of the CPU • This OS can do -anything- and third party apps are installed in it What could possibly go wrong? leveldown security Thomas Roth

  28. Chapter 1 Building a rootkit in TrustZone leveldown security Thomas Roth

  29. What? • Super small rootkit that runs in TrustZone (and now even in SMC!) • First TrustZone rootkit • Implemented entirely in assembler • (Compilers are for losers) leveldown security

  30. Why? • It’s fun! • People haven’t talked about the problems that come with TrustZone • The ‘trusted’ in Trusted Computing is not only about the user trusting the hardware, but also about the vendor distrusting the user leveldown security Thomas Roth

  31. Why? leveldown security Thomas Roth

  32. Where to test? • Developing on actual hardware: • Need an OMAP HS (not GP) Dev-board • Beagleboards & co (OMAP) switch to normal world in ROM • (Hardware is locked down with strong keys) leveldown security Thomas Roth

  33. Where to test? • Software emulation: • QEMU supports ARM • Paper “A flexible software development and emulation framework for ARM TrustZone” • “qemu-trustzone” • Johannes Winter, Paul Wiegele, Martin Pirker, and Ronald Toegl • Open-source ( GPL ) TEE by sierraware (Open Virtualization) leveldown security Thomas Roth

  34. Where to test? • Using hardware hack for $vendor to execute code in TrustZone leveldown security Thomas Roth

  35. Where to test? • Let’s just hack into a TEE! leveldown security Thomas Roth

  36. Getting a binary-image of a TEE • Firmware updates are signed, but not encrypted. • Firmware updates are often downloaded via HTTP . • Vendors have ‘hidden’ FTP-servers. leveldown security Thomas Roth

  37. Workflow • Disassemble bootloader • IDA Pro & co can’t just find code parts, need to analyze by hand & with scripts • Analyze coprocessor instructions to find memory layout • (almost automated) leveldown security

  38. Looking for mitigations leveldown security Thomas Roth

  39. Looking for mitigations • No ASLR • No DEP (NX) • Executable heap, stack, data, everything leveldown security Thomas Roth

  40. Exploiting like it’s 1999 Yeah Baby! leveldown security Thomas Roth

  41. Let’s talk about strncpy • strncpy(char *destination, char *source, size_t destination_size); • strncpy sucks, it only NUL-terminates if: • strlen(destination) < destination_size • (Please, use strlcpy. Also, did I mention I do code reviews?) • Still often pretty hard to exploit. leveldown security Thomas Roth

  42. Where to test? • Official boards seem to be hard to obtain • QEMU • On smartphone via hardware hack • On smartphone via software exploit leveldown security Thomas Roth

  43. Scheduling the rootkit • Switch to monitor mode in (ir)regular intervals without help of the operating system • The latency induced by the switch to the rootkit must be kept as low as possible leveldown security Thomas Roth

  44. Latency Normal world interrupt/SMC Monitor code Rootkit scheduler Monitor code Back to normal world leveldown security Thomas Roth

  45. Latency Normal world interrupt/SMC Monitor code Rootkit scheduler Monitor code Back to normal world leveldown security Thomas Roth

Recommend

INTERNET FOR A MOBILE INTERNET FOR A MOBILE GENERATION GENERATION www.itu.int/mobileinternet

INTERNET FOR A MOBILE INTERNET FOR A MOBILE GENERATION GENERATION www.itu.int/mobileinternet

ITU Internet Report 2002 INTERNET FOR A MOBILE INTERNET FOR A MOBILE GENERATION GENERATION www.itu.int/mobileinternet ITU Internet Report 2002: Internet for a Mobile Generation Mobile and Internet: Identical twins born two years apart?

442 views • 17 slides
Linux rootkits &amp; TTY Hijacking Antonio Prez Prez &lt;antonio.perez.perez@cern.ch&gt; CERN

Linux rootkits &amp; TTY Hijacking Antonio Prez Prez &lt;antonio.perez.perez@cern.ch&gt; CERN

Linux rootkits &amp; TTY Hijacking Antonio Prez Prez &lt;antonio.perez.perez@cern.ch&gt; CERN Computer Security Team EGI Technical Forum 2011, Lyon, France Outline Rootkits: Introduction Linux rootkits History Detection and monitoring

423 views • 26 slides
Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Dealing with Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com Utrecht, 19 March 2016 Agenda Today 1. How do they get in 2. Why? 3. Malware types 4. In-depth: rootkits 5. Defenses 2

546 views • 35 slides
Hydrogen Generation Hydrogen Generation Analyzing the viability of Hydrogen as a mobile energy

Hydrogen Generation Hydrogen Generation Analyzing the viability of Hydrogen as a mobile energy

Hydrogen Generation Hydrogen Generation Analyzing the viability of Hydrogen as a mobile energy carrier 1 Introduction 5 Cycles and Previous Studies Why Are We Interested in 6 Thermodynamic Analysis Hydrogen? Hydrogen Technologies

780 views • 63 slides
Mobile Communications Wireless Telecommunication Systems Systems Generation 1 (1G)

Mobile Communications Wireless Telecommunication Systems Systems Generation 1 (1G)

Mobile Communications Wireless Telecommunication Systems Systems Generation 1 (1G) Generation 3 (3G) Generation 2 (2G) Generation 4 (4G) Generation 2.5 (2.5G) TETRA Mobile Communication Wireless Telecommunication 1

880 views • 48 slides
Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher

Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher

Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher Demystifying Modern Windows Rootkits Black Hat USA 2020 1 Who Am I? 18 years old Sophomore at the Rochester Institute of Technology Windows

847 views • 73 slides
Predictive View Generation to Enable Mobile 360-degree and VR Experiences Xueshi Hou, Sujit Dey

Predictive View Generation to Enable Mobile 360-degree and VR Experiences Xueshi Hou, Sujit Dey

Predictive View Generation to Enable Mobile 360-degree and VR Experiences Xueshi Hou, Sujit Dey Jianzhong Zhang, Madhukar Budagavi Mobile Systems Design Lab, Samsung Research America Center for Wireless Communications, UC San Diego

368 views • 19 slides
-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too seriously, I fuzz the Human brain! The capitalist &quot;pig&quot; degrees: Economics &amp; MBA. Worked for the evil banking system! Security

833 views • 80 slides
-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics &amp; MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC (August 2006) Srivaths Ravi (Email: sravi@nec- labs. com) NEC Laboratories America Princeton, NJ Security Requirements of Mobile Appliances

159 views • 12 slides
Mobile I Pv6 Service Mobile I Pv6 Service over the KAI ST Cam pus over the KAI ST Cam pus w

Mobile I Pv6 Service Mobile I Pv6 Service over the KAI ST Cam pus over the KAI ST Cam pus w

Mobile I Pv6 Service Mobile I Pv6 Service over the KAI ST Cam pus over the KAI ST Cam pus w ith KOREN w ith KOREN 2 0 0 6 . 1 .2 4 2 1 st APAN Meeting, Tokyo Jaew ha Lee, Heesang Park KOREN NOC Next Generation I nternet Division Advanced

468 views • 16 slides
Key Technologies and Architectures h l d A h for Next Generation Mobile Networks Krishan K.

Key Technologies and Architectures h l d A h for Next Generation Mobile Networks Krishan K.

Key Technologies and Architectures h l d A h for Next Generation Mobile Networks Krishan K. Sabnani, SVP , Networking Research, Bell Labs August 27, 2007 The Network Evolution Yesterday Today Networks were designed to

887 views • 31 slides
WEBINAR: Update on US Leisure Travel Latest Research on Mobile Use &amp; Behavior Use of Mobile

WEBINAR: Update on US Leisure Travel Latest Research on Mobile Use &amp; Behavior Use of Mobile

UPCOMING WEBINAR: Update on US Leisure Travel Latest Research on Mobile Use &amp; Behavior Use of Mobile in Trip Planning Process Global DMO Mobile Readiness Index Ryerson University Spotlight: 5 Best Practices for Next Generation

1.34k views • 85 slides
Presentation outline Introductory Remarks Mobile Power (MP) and Distributed Generation

Presentation outline Introductory Remarks Mobile Power (MP) and Distributed Generation

Mobile Power and Distributed Generation: a Viable Component to Power Pools Presented by Vic Abrahamian Pratt &amp; Whitney Power Systems, Windsor, CT - USA 15 th Congress of UPDEA June 7, 2005 Accra, Ghana Presentation outline

447 views • 9 slides
Multicast in the Mobile Environment and 3G Next Generation Wireless Networks Yoan Mich

Multicast in the Mobile Environment and 3G Next Generation Wireless Networks Yoan Mich

Introduction MBMS Conclusion Multicast in the Mobile Environment and 3G Next Generation Wireless Networks Yoan Mich Department of Computer Science TKK November, 23th 2005 Yoan Mich Multicast in the Mobile Environment and 3G

248 views • 24 slides
$ Circumventing Forensic Live-acquisition Tools &gt; Rootkits for

$ Circumventing Forensic Live-acquisition Tools &gt; Rootkits for

$ Circumventing Forensic Live-acquisition Tools &gt; Rootkits for dubious defensive purposes &gt; Yonne de Bruijn (yonne.debruijn@os3.nl) Digital Forensics $ retrieve

304 views • 27 slides
Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To

Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To

Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To get it to do (potentially illicit) work for you for free! E.g., send spam Stages of an attack Get on the system Get administrator

449 views • 16 slides
Contactless Mobile Services February 2010 1 Introduction (1/2) The next generation of

Contactless Mobile Services February 2010 1 Introduction (1/2) The next generation of

Contactless Mobile Services February 2010 1 Introduction (1/2) The next generation of telephones will provide contactless services. Mobile usages Emulation of other smartcards NFC Technology Transport Transport Payment Payment

473 views • 26 slides
Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior

Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior

Exploring the Design of the Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior Product Manager 1 Cortex-A15: Next Generation Leadership Cortex-A class multi-processor 1 TB physical addressing

717 views • 33 slides
Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Malware: Viruses, Worms, Rootkits, Botnets Spring 2015 Franziska (Franzi) Roesner

403 views • 37 slides
Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect

Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect

Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect physics to detect undesirable routines Guy Stewart VP Engineering Fatskunk Inc. The Malware Problem The Malware Problem Trojans, Rootkits, the

454 views • 18 slides
eScience and Shared Workspaces: Enabler for a next generation research environment

eScience and Shared Workspaces: Enabler for a next generation research environment

eScience and Shared Workspaces: Enabler for a next generation research environment PrimeLife/IFIP Summer School 2010 Helsingborg, 2010-08-04 Christian Weber T-Mobile Chair of Mobile Business &amp; Multilateral S ecurity Institute of

357 views • 23 slides
T-1 1 0 .4 5 6 Next generation cellular netw orks Multim edia Services in Mobile and W ireless

T-1 1 0 .4 5 6 Next generation cellular netw orks Multim edia Services in Mobile and W ireless

T-1 1 0 .4 5 6 Next generation cellular netw orks Multim edia Services in Mobile and W ireless Helsinki University of Technology Telecommunication Software and Multimedia Laboratory Konstantin Moroz 16.03.2005 1 Overall structure

433 views • 28 slides
Mobile Web Services T-110.456 Next Generation Cellular Networks 13.04.2005 Yrj Raivio 28916V

Mobile Web Services T-110.456 Next Generation Cellular Networks 13.04.2005 Yrj Raivio 28916V

Mobile Web Services T-110.456 Next Generation Cellular Networks 13.04.2005 Yrj Raivio 28916V T-110.456 Next Generation Cellular Networks/13.04.2005/YR Contents Motivation Standardization bodies Web Services Interoperability

537 views • 20 slides

More recommend