Janis Danisevskis
Technical University of Berlin
Publication
Featured research published by Janis Danisevskis.
international conference on information security and cryptology | 2013
Janis Danisevskis; Marta Piekarska; Jean-Pierre Seifert
Mobile phones are the most intimate computing devices of our time. We use them for private and business purposes. At the same time lax update habits of manufacturers make them accumulate disclosed vulnerabilities. That is why smartphones have become very attractive targets for attackers. Until today Graphics Processing Units (GPU) were not considered an interesting means of payload delivery in mobile devices. However, in this paper, we present how the Direct Memory Access (DMA) capabilities of a mobile GPU can be abused for a privilege escalation attack. We describe a successful and real-world GPU-based attack, discuss problems that the GPU’s different programming model poses, and techniques that lead to a successful attack. We also show a proof-of-concept exploit against a very popular smartphone line. We conclude that DMA-based malware is a serious threat to mobile devices.
workshop on trustworthy embedded devices | 2015
Jan C. Nordholz; Julian Vetter; Michael Peter; Matthias Junker-Petschick; Janis Danisevskis
As virtually all smartphones today run general purpose operating systems, they have to consider malware attacks, with rootkits being among the most hideous ones. Since rootkits execute with the same privileges as the OS kernel, traditional countermeasures are inherently fragile. While virtualization-based technologies have proven themselves capable means to see off rootkit attacks, being especially effective when used to foil code injection attacks, the approach has been dismissed so far as impractical for mobile devices on grounds of constrained resources. In this paper we make the case for using virtualization to counter kernel code injection on mobile devices. To that end, we designed EXecute Never Protection (XNPro), a small Type-I hypervisor that ensures that only authorized code is executed by the guest OS kernel even in the case that an adversary gains unfettered control over the guest. Our design emphasizes a small size of the hypervisor, ease of porting guests, and good runtime performance. To validate our design, we implemented a prototype on an ARM Cortex A7 platform. Various benchmark measurements of the prototype prove the feasibility of our approach.
Mobile Computing and Communications Review | 2013
Matthias Lange; Steffen Liebergeld; Adam Lackorzynski; Alexander Warg; Janis Danisevskis; Jan C. Nordholz
There is a recent trend to use privately owned mobile devices in corporate environments. This poses serious threats on the security of corporate data. In this demo we show how we applied an efficient sandboxing mechanism to the Android software stack. This allows us to run multiple instances of Android securely isolated side-by-side on one device. We implemented a prototype on the Samsung Galaxy S2.
international symposium on computer and information sciences | 2016
Michael Peter; Matthias Petschick; Julian Vetter; Jan C. Nordholz; Janis Danisevskis; Jean-Pierre Seifert
System designers have come to recognize the merits of building critical systems on top of small kernels for their ability to provide strong isolation at system level. This is due to the fact that enforceable isolation is the prerequisite for any reasonable security policy. Towards this goal we examine some internals of Fiasco.OC, a microkernel of the prominent L4 family. Despite its recent success in certain high-security projects for governmental use, we prove that Fiasco.OC is not suited to ensure strict isolation between components meant to be separated. Unfortunately, in addition to the construction of system-wide denial of service attacks, our identified weaknesses of Fiasco.OC also allow covert channels across security perimeters with high bandwidth. We verified our results in a strong affirmative way through many practical experiments. Indeed, for all potential use cases of Fiasco.OC we implemented a full-fledged system on its respective archetypical hardware: Desktop server/workstation on AMD64 x86 CPU, Tablet on Intel Atom CPU, Smartphone on ARM Cortex A9 CPU. The measured peak channel capacities ranging from ~13,500 bits/s (Cortex-A9 device) to ~30,500 bits/s (desktop system) clearly falsify Fiasco.OC’s isolation guarantee.
international conference on information security and cryptology | 2015
Julian Vetter; Matthias Junker-Petschick; Jan C. Nordholz; Michael Peter; Janis Danisevskis
Cell phones have evolved into general purpose computing devices, which are tightly integrated into many IT infrastructures. As such, they provide a potential malware entry point that cannot be easily dismissed if attacks by determined adversaries are considered. Most likely, such targeted attacks will employ rootkit technologies so as to hide their presence for as long as possible.
Archive | 2015
Michael Peter; Jan C. Nordholz; Janis Danisevskis
CSET'14 Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test | 2014
Tobias Fiebig; Janis Danisevskis; Marta Piekarska
Archive | 2012
Janis Danisevskis
arXiv: Operating Systems | 2018
Janis Danisevskis; Michael Peter; Jan C. Nordholz
Archive | 2015
Janis Danisevskis; Jan C. Nordholz; Julian Vetter; Matthias Petschick; Michael Peter