Students Win Best Paper Honors for Cell Phone Malware Research

Conference attendees

A group of computer science researchers associated with the Information Trust Institute have won Best Student Paper honors at the 2008 IEEE Symposium on Security and Privacy for their paper entitled "Cloaker: Hardware Supported Rootkit Concealment." The paper, authored by Ph.D. students Francis David, Ellick Chan, and Jeffrey Carlyle and Professor Roy Campbell, looked at the issue of rootkit concealment from the point of view of an attacker.

According to the group, rootkits, which are used by malicious attackers who desire to run software on a compromised machine without being detected, have become stealthier over the years as a consequence of the ongoing struggle between attackers and system defenders. In order to stay ahead of the security curve, the researchers explored how hardware features could be coerced by an attacker to hide malware. Knowledge of these techniques allows designers and vendors to mitigate attacks before hackers can exploit them in real-world devices.

A primary goal for the group in the design of Cloaker was to avoid altering any part of the host operating system (OS) code or data, thereby achieving immunity to all existing rootkit detection techniques. To that end, Cloaker does not leave any detectable trace in the file system and is thus invisible to typical intrusion detection tools that scan file systems. In addition, Cloaker does not modify OS code or data. Therefore, it cannot be detected by integrity checks of the host OS. The result is an extraordinarily stealthy rootkit.

"In essence, Cloaker is a malicious and hidden micro-OS environment that coexists with the existing OS on the device," said the team.

The team built their proof-of-concept on the ARM platform, which powers 90% of mobile handsets shipped today. They focused on the platform because of the vast proliferation of mobile devices compared to PCs and an increasing deployment of ARM-based phones worldwide. However, they cautioned that similar vulnerabilities may exist on PCs as well.

"We hope that our work motivates future computer system designers to carefully evaluate security gaps at the boundary between computer architecture and system software and consider deploying a defensive framework similar to the one we present in the paper, or other appropriate countermeasures," said the group. They emphasized that additional research is needed to devise comprehensive defenses.

Rootkits such as Cloaker can be effectively discovered and disabled by code that has in-depth knowledge of hardware features and settings. Such code is typically present only in device drivers. Therefore, in order to detect rootkits like Cloaker, the team advocates the design of a framework for OS device drivers that can check the integrity of their associated hardware.

The group's research is funded by Motorola and DoCoMo. More information and the complete paper can be found on the Systems Software Research Group security website. An overview of trust research at the University of Illinois at Urbana-Champaign can be obtained at the Information Trust Institute website.

Writers: Jennifer C. La Montagne with Jenny Applequist. Contact: Jenny Applequist, Information Trust Institute, 217/244-8920, applequi AT iti.uiuc.edu.

May 30, 2008