JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface

Mordechai Guri; Yuri Poliak; Bracha Shapira; Yuval Elovici

doi:https://doi.org/10.1109/Trustcom.2015.358

JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface

Mordechai Guri, Yuri Poliak, Bracha Shapira, Yuval Elovici

Department of Software and Information Systems Engineering

Ben-Gurion University of the Negev

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present 'JoKER' - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.

Original language	American English
Title of host publication	Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
Pages	65-73
Number of pages	9
ISBN (Electronic)	9781467379519
DOIs	https://doi.org/10.1109/Trustcom.2015.358
State	Published - 2 Dec 2015
Event	14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 - Helsinki, Finland Duration: 20 Aug 2015 → 22 Aug 2015

Publication series

Name	Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
Volume	1

Conference

Conference	14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
Country/Territory	Finland
City	Helsinki
Period	20/08/15 → 22/08/15

Keywords

Android
Forensics
JTAG
Rootkits
Security
Trusted Detection

All Science Journal Classification (ASJC) codes

Computer Networks and Communications

Access to Document

https://doi.org/10.1109/Trustcom.2015.358

Cite this

Guri, M., Poliak, Y., Shapira, B., & Elovici, Y. (2015). JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface. In Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 (pp. 65-73). Article 7345266 (Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015; Vol. 1). https://doi.org/10.1109/Trustcom.2015.358

Guri, Mordechai ; Poliak, Yuri ; Shapira, Bracha et al. / JoKER : Trusted detection of kernel rootkits in android devices via JTAG interface. Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015. 2015. pp. 65-73 (Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015).

@inproceedings{bdc7c021890c4990839a64b3ed68fe6f,

title = "JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface",

abstract = "Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present 'JoKER' - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.",

keywords = "Android, Forensics, JTAG, Rootkits, Security, Trusted Detection",

author = "Mordechai Guri and Yuri Poliak and Bracha Shapira and Yuval Elovici",

note = "Publisher Copyright: {\textcopyright} 2015 IEEE.; 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 ; Conference date: 20-08-2015 Through 22-08-2015",

year = "2015",

month = dec,

day = "2",

doi = "https://doi.org/10.1109/Trustcom.2015.358",

language = "American English",

series = "Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015",

pages = "65--73",

booktitle = "Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015",

}

Guri, M, Poliak, Y, Shapira, B & Elovici, Y 2015, JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface. in Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015., 7345266, Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015, vol. 1, pp. 65-73, 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015, Helsinki, Finland, 20/08/15. https://doi.org/10.1109/Trustcom.2015.358

JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface. / Guri, Mordechai; Poliak, Yuri; Shapira, Bracha et al.
Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015. 2015. p. 65-73 7345266 (Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - JoKER

T2 - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015

AU - Guri, Mordechai

AU - Poliak, Yuri

AU - Shapira, Bracha

AU - Elovici, Yuval

PY - 2015/12/2

Y1 - 2015/12/2

N2 - Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present 'JoKER' - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.

AB - Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present 'JoKER' - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.

KW - Android

KW - Forensics

KW - JTAG

KW - Rootkits

KW - Security

KW - Trusted Detection

UR - http://www.scopus.com/inward/record.url?scp=84967163372&partnerID=8YFLogxK

U2 - https://doi.org/10.1109/Trustcom.2015.358

DO - https://doi.org/10.1109/Trustcom.2015.358

M3 - Conference contribution

T3 - Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015

SP - 65

EP - 73

BT - Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015

Y2 - 20 August 2015 through 22 August 2015

ER -

Guri M, Poliak Y, Shapira B , Elovici Y. JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface. In Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015. 2015. p. 65-73. 7345266. (Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015). doi: https://doi.org/10.1109/Trustcom.2015.358

JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this