TrustDump: Reliable memory acquisition on smartphones

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8712 LNCS, Issue PART 1, 2014, Pages 202-218

  Sun, He ^a,b,c,d   Sun, Kun ^d   Wang, Yuewu ^a,b   Jing, Jiwu ^a,b   Jajodia, Sushil ^d  

^a University of Chinese Academy of Sciences   (China)

^b INSTITUTE OF GEOLOGY AND GEOPHYSICS   (China)

^c UNIVERSITY OF CHINESE ACADEMY OF SCIENCES   (China)

^d GEORGE MASON UNIVERSITY   (United States)

Author keywords

Memory Acquisition; Non Maskable Interrupt; TrustZone

Indexed keywords

COMPUTER CRIME; MALWARE; SECURITY OF DATA; SECURITY SYSTEMS; SMARTPHONES;

DYNAMIC MALWARE ANALYSIS; HARDWARE-ASSISTED; MEMORY ACQUISITION TOOLS; MEMORY ACQUISITIONS; MOBILE APPLICATIONS; NON-MASKABLE INTERRUPT; TRUSTED COMPUTING BASE; TRUSTZONE;

RANDOM ACCESS STORAGE;

EID: 84906505419     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-319-11203-9_12     Document Type: Conference Paper

References (35)

1. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: NDSS (2003)
2. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based "out-of-thebox" semantic view reconstruction. In: ACMConference on Computer and Communications Security, pp. 128-138 (2007)
3. Fu, Y., Lin, Z.: Space traveling across vm: Automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: IEEE Symposium on Security and Privacy, pp. 586-600 (2012)
4. Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J.T., Lee, W.: Virtuoso: Narrowing the semantic gap in virtual machine introspection. In: IEEE Symposium on Security and Privacy, pp. 297-312 (2011)
5. Dinaburg, A., Royal, P., Sharif, M.I., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: ACM Conference on Computer and Communications Security, pp. 51-62 (2008)
6. Deng, Z., Zhang, X., Xu, D.: Spider: stealthy binary program instrumentation and debugging via hardware virtualization. In: ACSAC, pp. 289-298 (2013)
7. Yan, L.K., Yin, H.: Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 29. USENIX Association (2012)
8. McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for tcb minimization. In: EuroSys, pp. 315-328 (2008)
9. McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V.D., Perrig, A.: Trustvisor: Efficient tcb reduction and attestation. In: IEEE Symposium on Security and Privacy, pp. 143-158 (2010)
10. Martignoni, L., Poosankam, P., Zaharia, M., Han, J., McCamant, S., Song, D., Paxson, V., Perrig, A., Shenker, S., Stoica, I.: Cloud terminal: secure access to sensitive applications from untrusted systems. In: Proceedings of the 2012 USENIX Conference on Annual Technical Conference, p. 14. USENIX Association (2012)
11. Zhang, F., Leach, K., Sun, K., Stavrou, A.: Spectre: A dependable introspection framework via system management mode. In: DSN, pp. 1-12 (2013)
12. Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: Hypersentry: enabling stealthy in-context measurement of hypervisor integrity. In: ACM Conference on Computer and Communications Security, pp. 38-49 (2010)
13. Wang, J., Stavrou, A., Ghosh, A.: Hypercheck: A hardware-assisted integrity monitor. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 158-177. Springer, Heidelberg (2010)
14. Azab, A.M., Ning, P., Zhang, X.: Sice: a hardware-level strongly isolated computing environment for x86 multi-core platforms. In: ACM Conference on Computer and Communications Security, pp. 375-388 (2011)
15. ARM: TrustZone Introduction, http://www.arm.com/products/processors/ technologies/trustzone/index.php
16. Alves, T., Felton, D.: Trustzone: Integrated hardware and software security. ARM White Paper 3(4) (2004)
17. ARM: Cortex-A8 Technical Reference Manual, http://infocenter.arm.com/ help/topic/com.arm.doc.ddi0344k/DDI0344K cortex a8 r3p2 trm.pdf
18. ARM: Cortex-A9 Technical Reference Manual, http://infocenter.arm.com/ help/topic/com.arm.doc.ddi0388f/DDI0388F cortex a9 r2p2 trm.pdf
19. ARM: ARM Cortex-A15 MPCore Processor Technical Reference Manual, http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0438i/index.html
20. ARM: Interrupt Behavior of Cortex-M1, http://infocenter.arm.com/help/ index.jsp?topic=/com.arm.doc.dai0211a/index.html
21. ARM: Cortex-M4 Devices Generic User Guide, http://infocenter.arm.com/ help/index.jsp?topic=/com.arm.doc.dui0553a/Cihfaaha.html
22. Freescale: Imx53qsb: i.mx53 quick start board, http://www.freescale.com/ webapp/sps/site/prod summary.jsp?code=IMX53QSB&tid= vanIMXQUICKSTART
23. Adeneo Embedded: Reference BSPs for Freescale i.MX53 Quick Start Board, http://www.adeneo-embedded.com/en/Products/Board-Support-Packages/Freescale-i. MX53-QSB
24. Paul Bakker: PolarSSL, https://polarssl.org/
25. Michael Coppola: Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM, http://poppopret.org/2013/01/07/suterusu-rootkit-inlinekernel-function- hooking-on-x86-and-arm/
26. Heriyanto, A.P.: Procedures and tools for acquisition and analysis of volatile memory on android smartphones. In: Proceedings of The 11th Australian Digital Forensics Conference. SRI Security Research Institute, Edith Cowan University, Perth, Western Australia (2013)
27. Sylve, J., Case, A.,Marziale, L., Richard III, G.G.: Acquisition and analysis of volatile memory from android devices. Digital Investigation 8(3-4), 175-184 (2012)
28. Google: Using ddms for debugging, http://developer.android.com/tools/ debugging/ddms.html
29. Stevenson, A.: Boot into Recovery Mode for Rooted and Un-rooted Android devices, http://androidflagship.com/605-enter-recovery-mode-rooted-un-rooted- android
30. Dall, C., Nieh, J.: Kvm for arm. In: Proceedings of the 12th Annual Linux Symposium (2010)
31. Dall, C., Nieh, J.: Kvm/arm: The design and implementation of the linux arm hypervisor. In: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2014 (2014)
32. Carrier, B.D., Grand, J.: A hardware-based memory acquisition procedure for digital investigations. Digital Investigation 1(1), 50-60 (2004)
33. Breeuwsma, I.M.F.: Forensic Imaging of Embedded Systems Using JTAG (Boundary-scan). Digit. Investig. 3(1) (March 2006)
34. Jovanovic, Z., Redd, I.D.D.: Android forensics techniques. International Academy of Design and Technology (2012)
35. Me, G., Rossi, M.: Internal forensic acquisition for mobile equipments. In: IPDPS, pp. 1-7 (2008)