TrustDump: Reliable Memory Acquisition on Smartphones

TrustDump is a reliable memory acquisition mechanism for smartphones: it dumps RAM even when the rich mobile OS is malicious or has crashed. It uses ARM TrustZone to keep the acquisition code (the TrustDumper) in the secure domain, isolated from the rich OS in the normal domain, and switches into it through a non-maskable interrupt that the rich OS cannot block. The talk also surveys recent TrustZone work, including trusted applications for point-of-sale payments, a trusted language runtime, and isolating a guest OS and hypervisor within TrustZone.

  • Memory Forensics
  • Smartphone Security
  • TrustZone
  • TrustDump
  • Mobile OS


Presentation Transcript


  1. TrustDump: Reliable Memory Acquisition on Smartphones (September 1, 2014)

  2. Outline
     • Motivation
     • Background
     • TrustDump Architecture
     • Implementation Details
     • Evaluation
     • Summary


  4. Memory Forensics on Smartphones
     • In-the-box approach (Thing et al., 2010; Sylve et al., 2011): vulnerable to armored malware that uses anti-forensics
     • Virtual Machine Introspection (VMI) (Yan et al., 2012): the Trusted Computing Base (TCB) is large
     • Hardware-based solutions (Android Debug Bridge (ADB), JTAG, chip-off): ADB and JTAG need the support of the forensic target; chip-off causes physical damage and is usually irreversible

  5. Goals
     • Reliable: works against a malicious mobile OS and withstands a mobile OS crash
     • Small TCB
     • Non-invasive
     • Built on ARM TrustZone

  6. TrustZone Background
     • TrustZone is a system-wide approach with two isolated execution domains: the secure domain and the normal domain
     • TZIC (TrustZone Interrupt Controller): secure interrupts are delivered as FIQ, non-secure interrupts as IRQ
     • Peripherals such as GPIO (General Purpose I/O) can be assigned to either domain
     (Figure) The processor is in the secure state when SCR.NS=0 and in the non-secure state when SCR.NS=1. Each state has its own User mode and privileged modes (Supervisor, FIQ, System, ...). Monitor mode, which is always secure, is entered by SMC or other methods (a mode change caused by an exception routed to it) and switches between the two states by changing the NS bit (setting NS=1 returns to the normal domain).

  7. Recent Work on TrustZone
     • Trusted Application (TA) deployed in TrustZone for payments at the point of sale (POS) (Marforio et al., NDSS 14)
     • Trusted Language Runtime in TrustZone (Santos et al., ASPLOS 14)
     • Isolating a guest OS and hypervisor with TrustZone (Kalkowski et al., FOSDEM 14)

  8. TrustDump Architecture
     (Figure) The Rich OS runs in the normal domain and the TrustDumper in the secure domain; the two are connected through the Monitor by Reliable Switching. The TrustDumper performs Data Acquisition and Analysis and exports the results to a Remote Monitor.

  9. TrustDump Architecture
     • TrustDump deployment: port the Rich OS to the normal domain and install the TrustDumper in the secure domain
     • Reliable switching: a non-maskable interrupt (NMI) transfers control from the normal domain to the TrustDumper regardless of the Rich OS's state
     • Data acquisition and transmission: the TrustDumper acquires memory and exports it to the Remote Monitor
     • Analysis: online and offline memory forensics

  10. Implementation Details
     • Freescale i.MX53 Quick Start Board: a 1 GHz Cortex-A8 processor, 1 GB DDR3 RAM, 4 GB MicroSD card
     • Android 2.3.4 in the normal domain
     • ThinkPad T430 (remote monitor)

  11. TrustDump Deployment
     • Android porting: based on the Board Support Package published by Adeneo Embedded, which is intended to run in the secure domain
     • Resources of the secure domain that the Rich OS still needs are reached from the normal domain through secure I/O interfaces:
         void secure_write(unsigned int data, unsigned int pa);
         unsigned int secure_read(unsigned int pa);
     • A self-contained TrustDumper in the secure domain

  12. Interrupt Control Flow
     (Figure) A peripheral interrupt request passes from the Interrupt Control Unit to the TZIC's Interrupt Engine, which signals it to the ARM processor as FIQ or IRQ over the AXI and AHB buses. On the processor, the Secure Configuration Register (SCR) decides whether the FIQ/IRQ is routed to Monitor mode, and the mask bits of the Current Program Status Register (CPSR) decide whether it is taken at all.

  13. Reliable Switching
     Configure user-defined button 1 as the NMI:
     I.   Enable the FIQ exception: CPSR.F=0
     II.  Ensure CPSR.F cannot be modified by the normal domain: SCR.FW=0
     III. Force the ARM processor to branch to Monitor mode on an FIQ exception: SCR.FIQ=1
     IV.  Configure GPIO-2 as a secure peripheral
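The three register settings above are what turn an ordinary FIQ into an interrupt the rich OS can neither mask nor intercept. The following is an added model of that logic, not TrustDump's code: it encodes the architectural ARMv7 bit positions of SCR.NS, SCR.FIQ, SCR.FW and CPSR.F and simulates the register reads and writes in memory (on the board they are CP15 MRC/MCR and CPSIE/CPSID instructions), so it can be run on any host to see what each step buys.

```c
/* Added model of the ARMv7 register bits behind TrustDump's reliable switching.
 * Not TrustDump's code: register accesses are simulated in memory so the model
 * runs on any host.  On the board, SCR is CP15 c1,c1,0 (MRC/MCR p15,0,Rt,c1,c1,0)
 * and CPSR.F is changed with CPSIE/CPSID f; the bit positions are architectural. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SCR_NS   (1u << 0)  /* 1: non-secure state (Monitor mode is always secure) */
#define SCR_FIQ  (1u << 2)  /* 1: FIQ exceptions are taken to Monitor mode           */
#define SCR_FW   (1u << 4)  /* 1: CPSR.F may be written from the non-secure state    */
#define CPSR_F   (1u << 6)  /* 1: FIQ masked                                         */

typedef struct {
    uint32_t scr;   /* Secure Configuration Register   */
    uint32_t cpsr;  /* Current Program Status Register */
} cpu_model;

enum fiq_target {
    FIQ_MASKED,        /* not taken: CPSR.F is set                               */
    FIQ_TO_MONITOR,    /* taken in Monitor mode: the TrustDumper gets control    */
    FIQ_TO_NS_VECTOR,  /* taken at the normal-world vector the rich OS installed */
    FIQ_TO_S_VECTOR    /* taken at the secure-world FIQ vector                   */
};

/* Steps I-III of slide 13, run once by the secure domain before the rich OS boots.
 * (Step IV, making GPIO-2 a secure peripheral, is a peripheral-controller setting
 * outside this CPU model.) */
void trustdump_configure(cpu_model *cpu)
{
    cpu->cpsr &= ~CPSR_F;   /* I.   enable FIQ                                     */
    cpu->scr  &= ~SCR_FW;   /* II.  CPSR.F becomes read-only for the normal domain */
    cpu->scr  |=  SCR_FIQ;  /* III. FIQ branches to Monitor mode                   */
}

/* The monitor passes control to the rich OS: from now on SCR.NS=1. */
void enter_normal_world(cpu_model *cpu)
{
    cpu->scr |= SCR_NS;
}

/* A rich-OS attempt to mask FIQ (CPSID f).  In the non-secure state with SCR.FW=0
 * the architecture ignores the write to CPSR.F.  Returns whether the mask took effect. */
bool ns_mask_fiq(cpu_model *cpu)
{
    bool non_secure = (cpu->scr & SCR_NS) != 0;
    if (non_secure && !(cpu->scr & SCR_FW))
        return false;        /* silently ignored: the NMI stays enabled */
    cpu->cpsr |= CPSR_F;
    return true;
}

/* Where a pending FIQ (button 1 routed through the TZIC) is taken. */
enum fiq_target deliver_fiq(const cpu_model *cpu)
{
    if (cpu->cpsr & CPSR_F)
        return FIQ_MASKED;
    if (cpu->scr & SCR_FIQ)
        return FIQ_TO_MONITOR;
    return (cpu->scr & SCR_NS) ? FIQ_TO_NS_VECTOR : FIQ_TO_S_VECTOR;
}

int main(void)
{
    cpu_model hardened = { 0, 0 };
    trustdump_configure(&hardened);
    enter_normal_world(&hardened);
    printf("TrustDump config: rich OS could mask FIQ? %s; FIQ lands in %s\n",
           ns_mask_fiq(&hardened) ? "yes" : "no",
           deliver_fiq(&hardened) == FIQ_TO_MONITOR ? "Monitor mode" : "elsewhere");

    /* A permissive configuration: CPSR.F writable and FIQ not routed to Monitor.
     * The rich OS can both own the FIQ handler and mask the interrupt. */
    cpu_model permissive = { SCR_FW, 0 };
    enter_normal_world(&permissive);
    printf("permissive: FIQ lands at NS vector? %s; rich OS could mask FIQ? %s\n",
           deliver_fiq(&permissive) == FIQ_TO_NS_VECTOR ? "yes" : "no",
           ns_mask_fiq(&permissive) ? "yes" : "no");
    return 0;
}
```

The two runs make the dependency visible: without SCR.FIQ=1 the FIQ is delivered to whatever vector the (possibly malicious) rich OS installed, and without SCR.FW=0 the rich OS can simply mask it; only the combination gives an interrupt that always reaches the monitor.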

  14. Conflict of Peripheral Access
     • Button 1 is the NMI source in the secure domain, and button 2 is used as the Home key in the normal domain
     • User-defined buttons 1 and 2 share the same access policy
     • Disabling non-secure access to button 1 therefore also disables non-secure access to button 2

  15. Fine-grained Peripheral Control
     • Set the peripherals sharing the same policy as secure peripherals
     • Release those peripherals needed in the normal domain by adding them to a whitelist in the secure domain
     • The Rich OS uses the secure I/O interfaces to access the released peripherals

  16. Conflict of Interrupt Generation
     • There is one interrupt number for all 32 pins of GPIO-2
     • Button 2 would therefore trigger the same NMI instead of serving as the Home key as designed in the Rich OS
     • Solution: forward the interrupt requests of button 1 and button 2 to different domains

  17. Fine-grained Interrupt Control
     (Figure) Both buttons raise the same hardware interrupt number, which is delivered as FIQ to the Monitor's exception handler. The handler identifies the source: an interrupt from button 1 is the NMI and is handled by the TrustDumper in the secure domain; an interrupt from button 2 is forwarded as an IRQ to the Rich OS exception handler in the normal domain.
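Slides 11, 15 and 17 describe two pieces of secure-domain code: the secure I/O interfaces that let the rich OS reach only whitelisted registers of a secure peripheral, and the monitor's FIQ handler that splits one GPIO-2 interrupt number between the TrustDumper and the rich OS. The block below is an added model of both, not TrustDump's code. MMIO is backed by an array so it runs on any host; the register offsets follow the i.MX GPIO block (DR at 0x00, ISR at 0x18), but the GPIO-2 base address, the two pin numbers and the whitelist contents are assumptions made for the example, and the interfaces return a status instead of the slide's void/unsigned prototypes so a refused access is visible.

```c
/* Added model of TrustDump's fine-grained peripheral and interrupt control
 * (slides 11, 15 and 17).  Not TrustDump's code: MMIO is backed by an array so
 * it runs on any host.  Register offsets follow the i.MX GPIO block; the GPIO-2
 * base, the pin numbers and the whitelist are assumptions made for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GPIO2_BASE   0x53F88000u   /* assumed base of GPIO-2 */
#define GPIO_DR      0x00u         /* data register: pin levels */
#define GPIO_ISR     0x18u         /* interrupt status: one bit per pin, write-1-to-clear */
#define GPIO_SPAN    0x20u
#define BUTTON1_PIN  14            /* assumed: NMI source, secure domain only */
#define BUTTON2_PIN  15            /* assumed: Home key, released to the rich OS */

static uint32_t gpio2_regs[GPIO_SPAN / 4];   /* stands in for the MMIO block */

static bool mmio_valid(uint32_t pa)
{
    return pa >= GPIO2_BASE && pa < GPIO2_BASE + GPIO_SPAN && (pa & 3u) == 0;
}
static uint32_t mmio_read(uint32_t pa)              { return gpio2_regs[(pa - GPIO2_BASE) / 4]; }
static void     mmio_write(uint32_t pa, uint32_t v) { gpio2_regs[(pa - GPIO2_BASE) / 4] = v; }
static void     isr_ack(uint32_t bit)               { gpio2_regs[GPIO_ISR / 4] &= ~bit; } /* w1c */

/* Constructed hardware event: a button press latches its pin level and status bit. */
void press_button(int pin)
{
    gpio2_regs[GPIO_DR / 4]  |= 1u << pin;
    gpio2_regs[GPIO_ISR / 4] |= 1u << pin;
}

/* Whitelist kept in the secure domain (slide 15): which register, and which bits of
 * it, the rich OS may reach.  ISR is deliberately not released: its write-1-to-clear
 * semantics would let the rich OS acknowledge (and so swallow) button 1. */
struct wl_entry { uint32_t pa; uint32_t mask; };
static const struct wl_entry whitelist[] = {
    { GPIO2_BASE + GPIO_DR, 1u << BUTTON2_PIN },
};

static bool whitelisted(uint32_t pa, uint32_t *mask)
{
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (whitelist[i].pa == pa) { *mask = whitelist[i].mask; return true; }
    return false;
}

/* Secure I/O interfaces of slide 11 as the SMC handler would implement them. */
bool secure_read(uint32_t pa, uint32_t *out)
{
    uint32_t mask;
    if (!mmio_valid(pa) || !whitelisted(pa, &mask))
        return false;                     /* not released: refused */
    *out = mmio_read(pa) & mask;          /* button 1's bit is never exposed */
    return true;
}

bool secure_write(uint32_t data, uint32_t pa)
{
    uint32_t mask;
    if (!mmio_valid(pa) || !whitelisted(pa, &mask))
        return false;
    mmio_write(pa, (mmio_read(pa) & ~mask) | (data & mask));   /* only released bits change */
    return true;
}

enum dispatch { DISPATCH_NONE, DISPATCH_TRUSTDUMPER, DISPATCH_RICH_OS_IRQ };

/* Monitor-mode FIQ handler (slide 17).  All 32 pins of GPIO-2 share one interrupt
 * number, so the handler reads ISR to tell the buttons apart. */
enum dispatch monitor_fiq_dispatch(void)
{
    uint32_t isr = mmio_read(GPIO2_BASE + GPIO_ISR);
    if (isr & (1u << BUTTON1_PIN)) {
        isr_ack(1u << BUTTON1_PIN);
        return DISPATCH_TRUSTDUMPER;      /* NMI: run the TrustDumper */
    }
    if (isr & (1u << BUTTON2_PIN)) {
        isr_ack(1u << BUTTON2_PIN);
        return DISPATCH_RICH_OS_IRQ;      /* hand it to the rich OS as an IRQ */
    }
    return DISPATCH_NONE;
}

int main(void)
{
    uint32_t v = 0;
    press_button(BUTTON1_PIN);
    printf("button 1 -> %s\n", monitor_fiq_dispatch() == DISPATCH_TRUSTDUMPER ? "TrustDumper" : "?");
    press_button(BUTTON2_PIN);
    printf("button 2 -> %s\n", monitor_fiq_dispatch() == DISPATCH_RICH_OS_IRQ ? "rich OS IRQ" : "?");
    printf("rich OS reads DR: %s, value 0x%08x\n", secure_read(GPIO2_BASE + GPIO_DR, &v) ? "ok" : "refused", v);
    printf("rich OS reads ISR: %s\n", secure_read(GPIO2_BASE + GPIO_ISR, &v) ? "ok" : "refused");
    return 0;
}
```

The bit-level mask in the whitelist is the example's choice; the slides say only that released peripherals go on a whitelist. Whatever the granularity, the check in the secure domain must reject the NMI pin itself, since a rich OS that can read or clear button 1's status bit can race the monitor for it.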

  18. TrustDumper
     • Data acquisition and transmission
     • Integrity checking and rootkit detection
     (Figure) Process traversal over the kernel's task list: each struct task_struct carries a struct list_head tasks that links the previous and next task, a pid_t pid and a struct mm_struct *mm. The current task is found from the stack pointer: the struct thread_info (flags, preempt_count, addr_limit, struct task_struct *task) sits at the base of the kernel stack, at stack pointer & ~0x1FFF (THREAD_SIZE - 1, with the 8 KB kernel stacks of 32-bit ARM Linux), and its task field points at the current struct task_struct.
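The traversal sketched on the slide looks like an ordinary kernel list walk, but the TrustDumper runs outside the rich OS over a raw memory image whose pointers a compromised kernel may have corrupted, so every pointer has to be translated and bounds-checked before it is followed and the walk has to be bounded. The following is an added example of that, not TrustDump's code: the memory image, the compact struct layouts (only the fields the slide shows), the PHYS_OFFSET and all addresses are constructed for the example; on a real kernel the field offsets come from the kernel build.

```c
/* Added example of the process traversal sketched on slide 18, done the way a
 * memory acquisition tool outside the rich OS must do it: every pointer is
 * translated and bounds-checked before it is followed.  Not TrustDump's code.
 * The image, the compact struct layouts (only the slide's fields) and all
 * addresses are constructed for the example; real offsets come from the kernel build. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_OFFSET  0xC0000000u   /* kernel virtual base of 32-bit ARM Linux */
#define PHYS_OFFSET  0x70000000u   /* assumed physical base of the dumped RAM */
#define THREAD_SIZE  0x2000u       /* 8 KB kernel stacks on 32-bit ARM */
#define IMAGE_SIZE   0x10000u      /* 64 KB constructed image */

struct list_head   { uint32_t next, prev; };   /* 32-bit kernel pointers */
struct task_struct { struct list_head tasks; int32_t pid; uint32_t mm; };
struct thread_info { uint32_t flags; int32_t preempt_count; uint32_t addr_limit; uint32_t task; };

static uint8_t image[IMAGE_SIZE];

/* Kernel VA -> image offset; false if any byte of the object falls outside the image. */
static bool va_to_off(uint32_t va, size_t len, size_t *off)
{
    if (va < PAGE_OFFSET) return false;                  /* not a linear-map address */
    uint32_t pa = va - PAGE_OFFSET + PHYS_OFFSET;
    if ((size_t)(pa - PHYS_OFFSET) + len > IMAGE_SIZE) return false;
    *off = pa - PHYS_OFFSET;
    return true;
}

static bool read_obj(uint32_t va, void *obj, size_t len)
{
    size_t off;
    if (!va_to_off(va, len, &off)) return false;
    memcpy(obj, image + off, len);
    return true;
}

static bool write_obj(uint32_t va, const void *obj, size_t len)
{
    size_t off;
    if (!va_to_off(va, len, &off)) return false;
    memcpy(image + off, obj, len);
    return true;
}

/* Walk init_task.tasks.  Bounded, so a corrupted or hostile list cannot loop forever.
 * Returns the task count, or -1 on a bad pointer or an overlong list. */
int walk_tasks(uint32_t init_task_va, int32_t *pids, int max)
{
    uint32_t va = init_task_va; int n = 0;
    do {
        struct task_struct t;
        if (n >= max || !read_obj(va, &t, sizeof t)) return -1;
        pids[n++] = t.pid;
        va = t.tasks.next;   /* tasks is the first field, so next points at a task_struct */
    } while (va != init_task_va);
    return n;
}

/* current: thread_info sits at the base of the 8 KB stack, sp & ~(THREAD_SIZE-1), and
 * its task field points at the running task_struct.  Returns 0 if sp is unusable. */
uint32_t current_task_va(uint32_t sp)
{
    struct thread_info ti;
    if (!read_obj(sp & ~(THREAD_SIZE - 1), &ti, sizeof ti)) return 0;
    return ti.task;
}

/* Constructed image: four tasks in a circular list, each with its own kernel stack. */
#define TASK_VA(i)   (PAGE_OFFSET + 0x1000u + 0x100u * (uint32_t)(i))
#define STACK_VA(i)  (PAGE_OFFSET + 0x4000u + THREAD_SIZE * (uint32_t)(i))

void build_sample_image(void)
{
    memset(image, 0, sizeof image);
    for (int i = 0; i < 4; i++) {
        struct task_struct t  = { { TASK_VA((i + 1) % 4), TASK_VA((i + 3) % 4) }, i, 0 };
        struct thread_info ti = { 0, 0, 0, TASK_VA(i) };
        write_obj(TASK_VA(i), &t, sizeof t);
        write_obj(STACK_VA(i), &ti, sizeof ti);
    }
}

/* DKOM-style hiding: unlink task i from the list but leave it in memory. */
void unlink_task(int i)
{
    struct task_struct t, p, n;
    if (!read_obj(TASK_VA(i), &t, sizeof t) || !read_obj(t.tasks.prev, &p, sizeof p) ||
        !read_obj(t.tasks.next, &n, sizeof n)) return;
    p.tasks.next = t.tasks.next;
    n.tasks.prev = t.tasks.prev;
    write_obj(t.tasks.prev, &p, sizeof p);
    write_obj(t.tasks.next, &n, sizeof n);
}

int main(void)
{
    int32_t pids[8];
    build_sample_image();
    printf("%d tasks in the list\n", walk_tasks(TASK_VA(0), pids, 8));
    unlink_task(2);
    printf("after unlinking task 2: %d listed, but the sp-based lookup still finds 0x%08x\n",
           walk_tasks(TASK_VA(0), pids, 8), current_task_va(STACK_VA(2) + 0x1F00u));
    return 0;
}
```

The unlink run shows why the slide draws both paths: a process hidden by unlinking it from tasks disappears from the list walk but is still reachable from its kernel stack through thread_info, so comparing the two views is one way to notice it. The slides do not detail which checks TrustDump's rootkit detection performs.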

  19. Evaluation
     Switching time:
       NMI: 1.7 us
       SMC: 0.3 us
     Analysis time:
       Kernel integrity checking: hardware 1.56 ms, software 578.6 ms
       Process traversing: 2.13 ms
     Memory dumping performance (bit rate in bit/s by transfer size in bytes):
       Scale (Byte)      10          100         1K          10K
       DMA           92178.12    92163.38    92163.01    92163.09
       CPU           92178.49    92165.45    92163.43    92163.11

  20. Summary
     TrustDump is a reliable memory acquisition mechanism based on TrustZone:
     • Hardware-assisted isolation
     • NMI as the reliable switching mechanism
     • Fine-grained peripheral control and fine-grained interrupt control

  21. Thanks! Questions? hsun01@wm.edu
