TrustDump: Reliable Memory Acquisition on Smartphones

September 1, 2014


Presentation Transcript


  1. TrustDump: Reliable Memory Acquisition on Smartphones. September 1, 2014

  2. Outline • Motivation • Background • TrustDump Architecture • Implementation Details • Evaluation • Summary


  4. Memory Forensics on Smartphones • In-the-box approach (Thing et al., 2010; Sylve et al., 2011): vulnerable to armored malware that uses anti-forensics • Virtual Machine Introspection (VMI) (Yan et al., 2012): the Trusted Computing Base (TCB) is large • Hardware-based solutions (Android Debug Bridge (ADB), JTAG, chip-off): ADB and JTAG need the support of the forensic target; chip-off causes physical damage and is usually irreversible

  5. Goals • Reliable: works against a malicious mobile OS and withstands a mobile OS crash • Small TCB • Non-invasive • Building block: ARM TrustZone

  6. TrustZone Background • TrustZone is a system-wide approach with two isolated execution domains: the secure domain and the normal domain • TZIC (TrustZone Interrupt Controller): secure interrupts are delivered as FIQ, non-secure interrupts as IRQ • GPIO (General Purpose I/O)

  7. Recent Work on TrustZone • Trusted Application (TA) deployed in TrustZone for payments at the point of sale (POS) (Marforio et al., NDSS'14) • Trusted Language Runtime in TrustZone (Santos et al., ASPLOS'14) • Isolating the guest OS and hypervisor with TrustZone (Kalkowski et al., FOSDEM'14)

  8. TrustDump Architecture

  9. TrustDump Architecture • TrustDump deployment: port the Rich OS to the normal domain and install the TrustDumper in the secure domain • Reliable switching: a non-maskable interrupt (NMI) • Data acquisition and transmission: supports both online and offline memory forensics

  10. Implementation Details • Freescale i.MX53 Quick Start Board: Cortex-A8 processor at 1 GHz, 1 GB DDR3 RAM, 4 GB MicroSD card • Android 2.3.4 in the normal domain • ThinkPad T430

  11. TrustDump Deployment • Android porting: based on the Board Support Package published by Adeneo Embedded, whose Android is intended to run in the secure domain • Resources of the secure domain are accessed from the normal domain through the secure I/O interfaces: void secure_write(unsigned int data, unsigned int pa); and unsigned int secure_read(unsigned int pa); • Self-contained TrustDumper in the secure domain

  12. Interrupt Control Flow

  13. Reliable Switching • Configure user-defined button 1 as the NMI • Enable the FIQ exception: CPSR.F = 0 • Ensure CPSR.F cannot be modified by the normal domain: SCR.FW = 0 • Force the ARM processor to branch to monitor mode on an FIQ exception: SCR.FIQ = 1 • Configure GPIO-2 as a secure peripheral
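
The following C example is added here and is not code from the TrustDump slides or its authors. It expresses the three register settings of slide 13 as bit operations on the ARMv7-A Secure Configuration Register (SCR) and the CPSR, so that the way they work together can be checked on a host: SCR.FIQ routes every FIQ into monitor mode (the secure domain), SCR.FW = 0 makes CPSR.F writable only in secure state, and CPSR.F = 0 then unmasks the FIQ for good. The bit positions are the architectural ones; the guarded inline assembly for reading and writing the SCR only compiles on an ARM target, and nonsecure_cpsid_f() models, for the purpose of the example, what the architecture does with a CPSID f executed by the Rich OS.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ARMv7-A Secure Configuration Register (CP15 c1, c1, 0) bits. */
#define SCR_NS   (1u << 0)   /* 1 = processor is in Non-secure state */
#define SCR_IRQ  (1u << 1)   /* 1 = IRQ taken to monitor mode */
#define SCR_FIQ  (1u << 2)   /* 1 = FIQ taken to monitor mode */
#define SCR_FW   (1u << 4)   /* 1 = CPSR.F writable from Non-secure state */
/* CPSR bit. */
#define CPSR_F   (1u << 6)   /* 1 = FIQ masked */

/* Slide 13, SCR settings, as bit operations. The SCR is only accessible
 * from secure privileged modes, so once the secure domain has written
 * this value the Rich OS has no way to undo it. */
uint32_t scr_for_nmi(uint32_t scr)
{
    scr |= SCR_FIQ;   /* SCR.FIQ = 1: an FIQ always enters monitor mode */
    scr &= ~SCR_FW;   /* SCR.FW  = 0: CPSR.F can be changed only in secure state */
    return scr;
}

/* CPSR.F = 0: unmask FIQ. Must be done while still in the secure domain,
 * because with FW = 0 the normal domain cannot change F at all. */
uint32_t cpsr_enable_fiq(uint32_t cpsr)
{
    return cpsr & ~CPSR_F;
}

/* True when the three conditions hold together: FIQ routed to the secure
 * domain, unmasked, and not maskable from the normal domain. */
bool nmi_config_ok(uint32_t scr, uint32_t cpsr)
{
    return (scr & SCR_FIQ) != 0 && (scr & SCR_FW) == 0 && (cpsr & CPSR_F) == 0;
}

/* Model of a "cpsid f" executed by the Rich OS (Non-secure state).
 * With SCR.FW = 0 the write to CPSR.F is ignored, so the interrupt stays
 * non-maskable; with FW = 1 the Rich OS could mask it. */
uint32_t nonsecure_cpsid_f(uint32_t scr, uint32_t cpsr)
{
    return (scr & SCR_FW) ? (cpsr | CPSR_F) : cpsr;
}

#if defined(__arm__)
/* On a real secure-domain build these read and write the SCR. */
static inline uint32_t scr_read(void)
{
    uint32_t v;
    __asm__ volatile("mrc p15, 0, %0, c1, c1, 0" : "=r"(v));
    return v;
}
static inline void scr_write(uint32_t v)
{
    __asm__ volatile("mcr p15, 0, %0, c1, c1, 0" : : "r"(v) : "memory");
}
#endif

int main(void)
{
    uint32_t scr  = scr_for_nmi(0);            /* NS = 0: we are in the secure domain */
    uint32_t cpsr = cpsr_enable_fiq(0xC0u);    /* start with I and F both masked */
    printf("scr=0x%02x cpsr=0x%02x nmi_ok=%d\n", scr, cpsr, nmi_config_ok(scr, cpsr));
    printf("Rich OS cpsid f with FW=0: cpsr=0x%02x\n", nonsecure_cpsid_f(scr, cpsr));
    printf("Rich OS cpsid f with FW=1: cpsr=0x%02x\n", nonsecure_cpsid_f(scr | SCR_FW, cpsr));
    return 0;
}
```

The order matters in practice: SCR must be written and CPSR.F cleared before the monitor switches to the normal domain (SCR.NS = 1), since after that point neither register can be changed from the Rich OS side.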

  14. Conflict of Peripheral Access • Button 1 is used for the NMI in the secure domain, while button 2 is used as the Home key in the normal domain • User-defined buttons 1 and 2 share the same access policy • Disabling the non-secure access to button 1 therefore also disables the non-secure access to button 2

  15. Fine-grained Peripheral Control • Set all the peripherals sharing the same policy as secure peripherals • Release those peripherals needed in the normal domain by adding them to a whitelist in the secure domain • The Rich OS uses the secure I/O interfaces to access the released peripherals
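
The C example below is added here and is not TrustDump's code; it models the secure I/O interfaces of slide 11 together with the whitelist of slide 15. Once GPIO-2 is a secure peripheral the Rich OS can no longer touch its registers directly, so its driver calls secure_read()/secure_write(), which trap into the secure domain with SMC; the handler there serves only physical addresses on the whitelist and, inside a released register, only the pins the Rich OS owns. The register map, pin number and SMC argument convention are assumptions, and the MMIO space is a constructed array so the code runs on a host; on an ARM build the guarded inline assembly issues the real SMC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { SIO_READ = 1, SIO_WRITE = 2 };                 /* SMC function ids (assumed) */
enum { SIO_OK = 0, SIO_EPERM = -1, SIO_EINVAL = -2 };

/* Hypothetical register map of a GPIO block such as GPIO-2. */
#define GPIO_BASE  0x10000000u
#define GPIO_DR    (GPIO_BASE + 0x00)   /* data register             */
#define GPIO_GDIR  (GPIO_BASE + 0x04)   /* direction register        */
#define GPIO_ISR   (GPIO_BASE + 0x18)   /* interrupt status register */
#define GPIO_SIZE  0x20u
#define NMI_PIN    1u                    /* button 1 (assumed pin number) */

/* Constructed stand-in for the block's MMIO space; a real handler would
 * dereference the physical address directly from the secure domain. */
static uint32_t mmio[GPIO_SIZE / 4];

/* The whitelist of slide 15: registers released to the Rich OS and the
 * pins it may see in each. The NMI pin is hidden everywhere and the
 * interrupt-status register is not released at all, so the normal domain
 * can neither read, drive nor acknowledge the secure button. */
struct released { uint32_t pa; uint32_t pin_mask; };
static const struct released whitelist[] = {
    { GPIO_DR,   ~(1u << NMI_PIN) },
    { GPIO_GDIR, ~(1u << NMI_PIN) },
};

static const struct released *lookup(uint32_t pa)
{
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (whitelist[i].pa == pa)
            return &whitelist[i];
    return NULL;
}

/* Secure-domain side: the monitor's SMC handler for secure I/O. */
int secure_io_handler(uint32_t cmd, uint32_t pa, uint32_t data, uint32_t *out)
{
    if (pa & 3u)
        return SIO_EINVAL;                           /* registers are word aligned */
    const struct released *r = lookup(pa);
    if (r == NULL)
        return SIO_EPERM;                            /* not released: refuse */
    volatile uint32_t *reg = &mmio[(pa - GPIO_BASE) / 4];
    switch (cmd) {
    case SIO_READ:
        if (out == NULL) return SIO_EINVAL;
        *out = *reg & r->pin_mask;                   /* secure pins read as 0 */
        return SIO_OK;
    case SIO_WRITE:
        *reg = (*reg & ~r->pin_mask) | (data & r->pin_mask);  /* secure pins untouched */
        return SIO_OK;
    default:
        return SIO_EINVAL;
    }
}

/* Normal-domain side: the two prototypes of slide 11. On an ARM build they
 * trap into the monitor with SMC (arguments in r0-r2, status in r0, value
 * in r1: an assumed convention); on a host they call the handler directly. */
static int smc_call(uint32_t cmd, uint32_t pa, uint32_t data, uint32_t *out)
{
#if defined(__arm__)
    register uint32_t r0 __asm__("r0") = cmd;
    register uint32_t r1 __asm__("r1") = pa;
    register uint32_t r2 __asm__("r2") = data;
    __asm__ volatile(".arch_extension sec\n\tsmc #0"
                     : "+r"(r0), "+r"(r1) : "r"(r2) : "memory");
    if (out) *out = r1;
    return (int)r0;
#else
    return secure_io_handler(cmd, pa, data, out);
#endif
}

void secure_write(unsigned int data, unsigned int pa)
{
    (void)smc_call(SIO_WRITE, pa, data, NULL);
}

unsigned int secure_read(unsigned int pa)
{
    uint32_t v = 0;
    (void)smc_call(SIO_READ, pa, 0, &v);             /* refused reads return 0 */
    return v;
}

int main(void)
{
    uint32_t v = 0;
    mmio[0] = 0xFFFFFFFFu;                           /* constructed: every pin high */
    printf("DR as seen by the Rich OS: 0x%08x\n", secure_read(GPIO_DR));
    secure_write(0, GPIO_DR);                        /* Rich OS drives everything low */
    printf("DR actually in hardware:   0x%08x\n", mmio[0]);   /* NMI pin survives */
    printf("ISR read status: %d\n", secure_io_handler(SIO_READ, GPIO_ISR, 0, &v));
    return 0;
}
```

The check that matters is in secure_io_handler(): the address is validated against the whitelist before any access, and the pin mask is applied on both reads and writes, so a compromised Rich OS cannot learn the NMI button's state, reconfigure it, or clear its pending interrupt.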

  16. Conflict of Interrupt Generation • GPIO-2 has one interrupt number for all of its 32 pins • Button 2 would therefore trigger the same NMI instead of serving as the Home key as designed in the Rich OS • Solution: forward the interrupt requests of button 1 and button 2 to different domains

  17. Fine-grained Interrupt Control (figure: Button 1, Button 2)
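
The C example below is added here and is not TrustDump's code; it shows the demultiplexing that slides 16 and 17 call for. Because GPIO-2 raises a single interrupt line for all 32 pins, that line becomes a secure FIQ as a whole, so the secure-domain handler must look at the pending bits itself: it acknowledges and serves only the NMI pin (button 1), and hands every other pending pin back to the Rich OS. The slides do not say how the forwarded request is injected into the normal domain, so the example stops at the decision (which pins to forward, and masking them until the Rich OS has serviced them). Pin numbers and the register shape are assumptions, and the GPIO block is a constructed struct so the code runs on a host.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define BIT(p)       (1u << (p))
#define PIN_BUTTON1  1u                 /* NMI button, secure domain (assumed pin) */
#define PIN_BUTTON2  3u                 /* Home key, Rich OS (assumed pin) */
#define SECURE_PINS  BIT(PIN_BUTTON1)   /* every other GPIO-2 pin belongs to the Rich OS */

/* Constructed GPIO-2 interrupt registers: a mask and a pending/status
 * word that real hardware clears by writing 1 to a bit (W1C). */
struct gpio { uint32_t imr; uint32_t isr; };

static void gpio_ack(struct gpio *g, uint32_t mask) { g->isr &= ~mask; }  /* simulated W1C */

static int dump_count;                                   /* times the TrustDumper ran */
static void trust_dumper_run(void) { dump_count++; }     /* stand-in for acquisition */

struct fiq_result {
    bool     dump_taken;     /* the NMI pin was pending and a dump was made */
    uint32_t forward_mask;   /* pins to hand to the normal domain as an IRQ */
    int      dumps;          /* running count, for the example's checks */
};

/* Secure-domain FIQ handler for GPIO-2's single interrupt line. */
struct fiq_result gpio2_fiq_handler(struct gpio *g)
{
    struct fiq_result r = { false, 0, 0 };
    uint32_t pending = g->isr & g->imr;                  /* masked pins are ignored */
    uint32_t secure  = pending & SECURE_PINS;
    uint32_t normal  = pending & ~SECURE_PINS;

    if (secure) {
        gpio_ack(g, secure);                             /* acknowledge only the NMI */
        trust_dumper_run();
        r.dump_taken = true;
    }
    if (normal) {
        /* Do not acknowledge the Rich OS's pins. Mask them so the FIQ does
         * not re-fire, and let the normal domain service and re-enable them
         * (through the secure I/O interfaces) once the IRQ is forwarded. */
        g->imr &= ~normal;
        r.forward_mask = normal;
    }
    r.dumps = dump_count;
    return r;
}

/* Normal-domain driver's end of the hand-over: acknowledge and unmask.
 * The secure pin is filtered out, as the secure I/O whitelist would. */
void gpio_rich_os_ack(struct gpio *g, uint32_t mask)
{
    mask &= ~SECURE_PINS;
    gpio_ack(g, mask);
    g->imr |= mask;
}

int main(void)
{
    struct gpio g = { BIT(PIN_BUTTON1) | BIT(PIN_BUTTON2), BIT(PIN_BUTTON2) };  /* Home key */
    struct fiq_result r = gpio2_fiq_handler(&g);
    printf("home key: dump=%d forward=0x%x\n", r.dump_taken, r.forward_mask);
    gpio_rich_os_ack(&g, r.forward_mask);
    g.isr = BIT(PIN_BUTTON1) | BIT(PIN_BUTTON2);         /* both pressed at once */
    r = gpio2_fiq_handler(&g);
    printf("both: dump=%d forward=0x%x still pending=0x%x\n",
           r.dump_taken, r.forward_mask, g.isr);
    return 0;
}
```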

  18. TrustDumper • Data acquisition and transmission • Integrity checking and rootkit detection: stack pointer & (0x1FFFF)
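
The C example below is added here and is not the TrustDumper's code; it carries out, over a constructed memory image, the two analyses slide 18 names and slide 19 times: a kernel integrity check that compares the dumped kernel text with a known-good copy, and a process traversal that walks the task list and cross-checks its back links, which is how a task unlinked by a rootkit shows up. The image layout, the physical base address, the task record shape and the link offsets are assumptions for the example, not Linux's real ones; a real analyser takes them from the kernel's symbol map and structure offsets. The walk is bounds-checked and bounded so that a corrupted pointer in a hostile image cannot make the analyser read outside the dump or spin.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DUMP_BASE  0x70000000u   /* physical address of the image's first byte (assumed) */
#define DUMP_SIZE  0x1000u
#define TEXT_OFF   0x000u        /* kernel .text at the start of the image (assumed) */
#define TEXT_LEN   0x100u
#define TASK_OFF   0x400u        /* image offset of init_task (assumed) */

/* Simplified process record. Linux links task_structs through an embedded
 * list_head of virtual addresses; here the links are physical addresses
 * so the walk needs no page-table translation. */
struct task {
    uint32_t pid;
    char     comm[16];
    uint32_t next;   /* physical address of the next task */
    uint32_t prev;   /* physical address of the previous task */
};

static uint8_t dump[DUMP_SIZE];          /* the acquired image (constructed) */
static uint8_t golden_text[TEXT_LEN];    /* known-good .text (constructed) */

/* Bounds-checked view of [pa, pa+len) inside the image, or NULL. */
static const void *pa_to_ptr(uint32_t pa, size_t len)
{
    if (pa < DUMP_BASE || pa - DUMP_BASE > DUMP_SIZE - len) return NULL;
    return dump + (pa - DUMP_BASE);
}

static int load_task(uint32_t pa, struct task *t)
{
    const void *p = pa_to_ptr(pa, sizeof *t);
    if (p == NULL) return 0;
    memcpy(t, p, sizeof *t);                 /* memcpy: no alignment assumption */
    return 1;
}

/* Kernel integrity check: byte-compare .text with the golden copy. Returns
 * the number of differing bytes; *first gets the first differing offset
 * (TEXT_LEN if none). */
size_t kernel_text_diff(size_t *first)
{
    size_t n = 0;
    *first = TEXT_LEN;
    for (size_t i = 0; i < TEXT_LEN; i++)
        if (dump[TEXT_OFF + i] != golden_text[i]) { if (n == 0) *first = i; n++; }
    return n;
}

/* Process traversal: follow next from init_task until the list wraps.
 * Returns the task count, or -1 if a link leaves the image or the walk
 * exceeds max_tasks. */
int traverse_tasks(uint32_t init_task_pa, int max_tasks)
{
    uint32_t pa = init_task_pa;
    int n = 0;
    do {
        struct task t;
        if (!load_task(pa, &t) || ++n > max_tasks) return -1;
        pa = t.next;
    } while (pa != init_task_pa);
    return n;
}

/* Rootkit check: in an intact doubly linked list next->prev points back at
 * the node; a task unlinked from the next chain only (a common hiding
 * trick) leaves a stale prev behind. 1 = consistent, 0 = bad back link,
 * -1 = list unwalkable. */
int list_prev_consistent(uint32_t init_task_pa, int max_tasks)
{
    uint32_t pa = init_task_pa;
    for (int i = 0; i < max_tasks; i++) {
        struct task t, n;
        if (!load_task(pa, &t) || !load_task(t.next, &n)) return -1;
        if (n.prev != pa) return 0;
        pa = t.next;
        if (pa == init_task_pa) return 1;
    }
    return -1;
}

/* Constructed image: intact .text and a three-task ring. */
void build_image(void)
{
    static const char *names[3] = { "swapper", "init", "zygote" };
    for (size_t i = 0; i < TEXT_LEN; i++) golden_text[i] = (uint8_t)(i * 7);
    memset(dump, 0, sizeof dump);
    memcpy(dump + TEXT_OFF, golden_text, TEXT_LEN);
    for (uint32_t i = 0; i < 3; i++) {
        struct task t = { i, "", 0, 0 };
        strcpy(t.comm, names[i]);
        t.next = DUMP_BASE + TASK_OFF + ((i + 1) % 3) * (uint32_t)sizeof t;
        t.prev = DUMP_BASE + TASK_OFF + ((i + 2) % 3) * (uint32_t)sizeof t;
        memcpy(dump + TASK_OFF + i * sizeof t, &t, sizeof t);
    }
}

/* Simulated rootkit: patch one byte of kernel text and unlink task 1. */
void simulate_rootkit(void)
{
    uint32_t task2 = DUMP_BASE + TASK_OFF + 2u * (uint32_t)sizeof(struct task);
    dump[TEXT_OFF + 0x40] ^= 0xFFu;
    memcpy(dump + TASK_OFF + offsetof(struct task, next), &task2, sizeof task2);
}

int main(void)
{
    size_t first, diff;
    build_image();
    diff = kernel_text_diff(&first);
    printf("clean:   diff=%zu tasks=%d consistent=%d\n", diff,
           traverse_tasks(DUMP_BASE + TASK_OFF, 64), list_prev_consistent(DUMP_BASE + TASK_OFF, 64));
    simulate_rootkit();
    diff = kernel_text_diff(&first);
    printf("rootkit: diff=%zu at 0x%zx tasks=%d consistent=%d\n", diff, first,
           traverse_tasks(DUMP_BASE + TASK_OFF, 64), list_prev_consistent(DUMP_BASE + TASK_OFF, 64));
    return 0;
}
```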

  19. Evaluation • Switching time: NMI 1.7 µs, SMC 0.3 µs • Memory dumping performance • Analysis time: kernel integrity checking, hardware (1.56 ms) vs. software (578.6 ms); process traversing, 2.13 ms

  20. Summary • TrustDump: a reliable memory acquisition mechanism based on TrustZone • Hardware-assisted isolation • NMI as the reliable switching mechanism • Fine-grained peripheral control and fine-grained interrupt control

  21. Thanks! Questions? hsun01@wm.edu
