Publication

Featured research published by Jeffrey Bickford.


Workshop on Mobile Computing Systems and Applications | 2010

Rootkits on smart phones: attacks, implications and opportunities

Jeffrey Bickford; Ryan O'Hare; Arati Baliga; Vinod Ganapathy; Liviu Iftode

Smart phones are increasingly being equipped with operating systems that compare in complexity with those on desktop computers. This trend makes smart phone operating systems vulnerable to many of the same threats as desktop operating systems. In this paper, we focus on the threat posed by smart phone rootkits. Rootkits are malware that stealthily modify operating system code and data to achieve malicious goals, and have long been a problem for desktops. We use three example rootkits to show that smart phones are just as vulnerable to rootkits as desktop operating systems. However, the ubiquity of smart phones and the unique interfaces that they expose, such as voice, GPS and battery, make the social consequences of rootkits particularly devastating. We conclude the paper by identifying the challenges that need to be addressed to effectively detect rootkits on smart phones.


International Conference on Mobile Systems, Applications, and Services | 2011

Security versus energy tradeoffs in host-based mobile malware detection

Jeffrey Bickford; H. Andrés Lagar-Cavilla; Alexander Varshavsky; Vinod Ganapathy; Liviu Iftode

The rapid growth of mobile malware necessitates the presence of robust malware detectors on mobile devices. However, running malware detectors on mobile devices may drain their battery, causing users to disable these protection mechanisms to save power. This paper studies the security versus energy tradeoffs for a particularly challenging class of malware detectors, namely rootkit detectors. We investigate the security versus energy tradeoffs along two axes: attack surface and malware scanning frequency, for both code and data based rootkit detectors. Our findings, based on a real implementation on a mobile handheld device, reveal that protecting against code-driven attacks is relatively cheap, while protecting against all data-driven attacks is prohibitively expensive. Based on our findings, we determine a sweet spot in the security versus energy tradeoff, called the balanced profile, which protects a mobile device against a vast majority of known attacks, while consuming a limited amount of extra battery power.


Security and Communication Networks | 2013

What you see predicts what you get—lightweight agent-based malware detection

Wei Wang; Ilona Murynets; Jeffrey Bickford; Christopher Van Wart; Gang Xu

Because of the always-connected nature of mobile devices, as well as the unique interfaces they expose, such as short message service (SMS), multimedia messaging service (MMS), and Bluetooth, classes of mobile malware tend to propagate using means unseen in the desktop world. In this paper, we propose a lightweight malware detection system on mobile devices to detect, analyze, and predict malware propagating via SMS and MMS messages. We deploy agents in the form of hidden contacts on the device to capture messages sent from malicious applications. Once captured, messages can be further analyzed to identify a message signature as well as potentially a signature for the malicious application itself. By feeding the observed messages over time to a latent space model, the system can estimate the current dynamics and predict the future state of malware propagation within the mobility network. One distinct feature of our system is that it is lightweight and suitable for wide deployment. The system shows good performance even when only 10% of mobile devices are equipped with three agents on each device. Moreover, the model is generic and independent of malware propagation schemes. We prototype the system on the Android platform in a universal mobile telecommunications system laboratory network to demonstrate the feasibility of deploying agents on mobile devices as well as collecting and blocking malware-carrying messages within the mobility network. We also show that the proposed latent space model estimates the state of malware propagation accurately, regardless of the propagation scheme.


Workshop on Mobile Computing Systems and Applications | 2013

Towards synchronization of live virtual machines among mobile devices

Jeffrey Bickford; Ramón Cáceres

The mobile computing experience would improve if users could switch seamlessly from one device to another, with both data and computation state preserved across the switch without apparent delay. This paper proposes VMsync, a system for synchronizing the state of live virtual machines (VMs) among mobile devices. VMsync seeks to incrementally transfer changes in an active VM on one device to standby VMs in other devices, so as to maintain a consistent VM image and minimize switching latency. However, constraints of the mobile environment make these goals difficult to achieve and raise many research questions. We present our preliminary design for VMsync and a feasibility study aimed at determining how much data would need to be transferred under different mobile workloads and synchronization policies. For example, through experiments with a Xen VM running Android and playing a YouTube video, we show that sending dirty memory pages transfers 3 times more data than sending only the bytes that actually changed in those pages. Overall, we conclude that VMsync is a feasible approach deserving of further research.


IEEE Sarnoff Symposium | 2012

Catching the Wily Hacker: A multilayer deception system

Wei Wang; Jeffrey Bickford; Ilona Murynets; Ramesh Subbaraman; Andrea G. Forte; Gokul Singaraju

In recent years, enterprises have been facing a growing number of highly customized attacks using sophisticated techniques that seek to compromise important company assets. In this paper, we propose a multi-layer deception system that provides an in-depth defense against such sophisticated attacks. Specifically, based on previous knowledge and patterns of such attacks, we model the attacker as trying to compromise an enterprise network via multiple stages of penetration and propose defenses at each of these layers using deception-based detection. We present a proof-of-concept implementation of one of the key deception methods proposed. Due to the various financial constraints of an enterprise, we model the design of the deception system as an optimization problem in order to minimize the expected losses due to system deployment and asset compromise.


Operating Systems Review | 2012

Traffic backfilling: subsidizing lunch for delay-tolerant applications in UMTS networks

H. Andrés Lagar-Cavilla; Kaustubh R. Joshi; Alexander Varshavsky; Jeffrey Bickford; Darwin Parra

Mobile application developers pay little attention to the interactions between applications and the cellular network carrying their traffic. This results in waste of device energy and network signaling resources. We place part of the blame on mobile OSes: they do not expose adequate interfaces through which applications can interact with the network. We propose traffic backfilling, a technique in which delay-tolerant traffic is opportunistically transmitted by the OS using resources left over by the naturally occurring bursts caused by interactive traffic. Backfilling presents a simple interface with two classes of traffic, and grants the OS and network large flexibility to maximize the use of network resources and reduce device energy consumption. Using device traces and network data from a major US carrier, we demonstrate a large opportunity for traffic backfilling.


Wireless and Mobile Computing, Networking and Communications | 2016

WhatApp: Modeling mobile applications by domain names

Wei Wang; Jeffrey Bickford

Characterizing mobile traffic is important to network operators from a network performance and security standpoint. In many cases, such as a performance degradation or security threat, it is useful to know that traffic is being generated by a specific mobile application. Recent methods for identifying mobile traffic have relied on computationally expensive detailed inspection of HTTP flows which may not scale across large networks. This paper proposes a lightweight method to generate a probabilistic model of an application based on a distribution of domain names. We observe that a large portion of mobile applications have traffic to domain names that are critical to how the application functions. Network operators can use this model to verify if a set of one or more domain names is associated with a mobile application during a performance issue or security event. Based on analysis of real mobile network traffic, the model can correctly correlate domain names with associated applications at a rate of 90% in various scenarios. These results show that identifying applications by domain names via this lightweight solution is feasible and merits continued future work.


Network and System Security | 2015

Dandelion - Revealing Malicious Groups of Interest in Large Mobile Networks

Wei Wang; Mikhail Istomin; Jeffrey Bickford

There are an enormous number of security anomalies that occur across the Internet on a daily basis. These anomalies are typically viewed as individual security events that are manually analyzed in order to detect an attack and take action. Important characteristics of an attack may go unnoticed due to limited manual resources. Mobile attacks introduce further complexity by typically traversing multiple types of networks, making correlation and detection even more challenging. In this paper, we propose a system, Dandelion, which aims to automatically correlate individual security anomalies together to reveal an entire mobile attack campaign. The system also identifies previously unknown malicious network entities that are highly correlated. Our prototype system correlates thousands of network anomalies across both the SMS and IP networks of a large US tier-1 mobile service provider, reducing them to approximately 20 to 30 groups of interest a day. To demonstrate Dandelion's value, we show how our system has provided the critical information necessary to human analysts in detecting and mitigating previously unknown mobile attacks.


Network and System Security | 2015

Detecting Malicious Activity on Smartphones Using Sensor Measurements

Roger Piqueras Jover; Ilona Murynets; Jeffrey Bickford

Mobile devices have long been targets of malware attacks, exploiting the inherent trust that users place in them. They possess unique features, such as continuous Internet connectivity, the ability to make premium phone calls and send premium SMS messages, storage of sensitive information, and programmatic control of the camera or microphone. Compromising these features opens up new attack possibilities and enlarges revenue streams for attackers. Despite various existing solutions for detecting mobile malware through binary analysis techniques, mobile malware infections have steadily been on the rise. This paper presents a novel system for detecting malicious behavior based on smartphone sensor measurements. The system identifies various unique trigger events that should only occur via user action, such as sending SMS messages or turning on the camera or microphone, and determines whether the user initiated them. It can detect various categories of malware, including spamming botnets, premium service fraud, and spyware. The initial version of the prototype is implemented by modifying the default Android SMS messaging app to show that malware sending malicious messages can be detected based on smartphone sensor measurements.


International Conference on Cyber Security and Cloud Computing | 2015

Safe Internet Browsing Using a Transparent Virtual Browser

Jeffrey Bickford; Paul Giura

With the proliferation of Internet access across the globe, as well as the advancement of many new devices and next-generation networks, it is no surprise that malware infection via web browsing is still one of the most significant threats to Internet users today. Over the past several years we have also seen an increase in advanced targeted attacks against corporations which steal intellectual property and sensitive customer information. This problem is amplified as security is bypassed for work productivity and usability, while mobile devices increasingly access sensitive information. Though many organizations are beginning to invest significantly in securing their internal corporate network, users are typically given access to the Internet for web browsing purposes, leaving the enterprise vulnerable to drive-by downloads and data exfiltration attacks. In this work we propose a new method to safely browse the Internet by redirecting web requests to a cloud-based Transparent Virtual Browser. Web browsing requests are automatically redirected to the Transparent Virtual Browser via a transparent network proxy, protecting against user configuration errors or malware running on the device. The virtual browsing session is streamed back to the user securely, while maintaining a seamless user experience. Experiments show that our architecture can isolate web attacks from a user's machine, protecting enterprises from most of the attacks to which they are vulnerable today. Using a small user trial we tested our solution with several popular web browsers on various operating systems and report on their feedback. Our testing also shows that our prototype only incurs a small initial delay when browsing to a webpage while maintaining a seamless browsing experience for the rest of the browsing session.
