The Threat of Virtualization: Hypervisor-Based Rootkits on the ARM Architecture

Cited by: 4
Authors
Buhren, Robert [1]
Vetter, Julian [1]
Nordholz, Jan [1]
Affiliation
[1] Tech Univ Berlin, Berlin, Germany
Source
INFORMATION AND COMMUNICATIONS SECURITY, ICICS 2016 | 2016 / Vol. 9977
Keywords
Rootkit; Hypervisor; ARM; Virtualization;
DOI
10.1007/978-3-319-50011-9_29
Chinese Library Classification
TP [Automation Technology, Computer Technology];
Discipline classification code
0812 ;
Abstract
The virtualization capabilities of today's systems offer rootkits excellent hideouts, where they are fairly immune to countermeasures. In this paper, we evaluate the vulnerability to hypervisor-based rootkits of ARM-based platforms, considering both ARMv7 and ARMv8. We implement a proof-of-concept rootkit to prove the validity of our findings. We then detail the anatomy of an attack wherein a hypervisor rootkit and a userspace process collaborate to undermine the isolation properties enforced by the Linux kernel. Based on our discoveries, we explore the possibilities of mitigating each attack vector. Finally, we discuss methods to detect such highly privileged rootkits so as to conceive more effective countermeasures.
Pages: 376 / 391
Number of pages: 16