
Discussion and Conclusion

In document: Countermeasures Against Malware Constructing Botnets (pages 116-120)


Given this situation, extending Barrier to smartphones becomes urgent.

Unfortunately, the silicon deployed in mobile handsets is primarily ARM architecture CPUs, which do not include the hardware virtualization capabilities of the Intel or AMD architectures. As a result, to extend Barrier to smartphones, we first have to find an appropriate software-based mobile virtualization technology that provides such capabilities. At present, mobile virtualization is an underhyped yet far-reaching technology. The competitors in this area include VMware's Mobile Virtualization Platform [7], Red Bend's VLX [85], OKL4 Microvisor [41], and some open source hypervisors such as Xen for ARM [47] and KVM/ARM [21]. As the main principle of Barrier is leveraging memory virtualization to isolate the memory spaces of different kernel modules, we study the memory-virtualization implementations in these proposals to see whether we can build Barrier on them.

In general, software memory virtualization can be implemented in two ways: (1) complete paravirtualization of the page tables and memory management, or (2) providing a virtual MMU faithful to the original architecture via trap-and-emulate. Since the first method involves changing existing guest data structures and algorithms, all the above hypervisors opted for the latter, which is much simpler and only replaces some sensitive instructions. In this implementation, the guest OS maintains a set of page tables as before. However, these page tables are no longer used by the hardware MMU and only translate guest virtual addresses to guest physical addresses. The hypervisor is responsible for the mapping from guest physical to host physical addresses. It introduces a new layer of page tables, named shadow page tables, which cache the derived guest-virtual-to-machine-physical mappings and are the tables the hardware MMU actually walks. The shadow page table contents are kept coherent with the guest page tables and with the hypervisor's physical page mapping data structure by intercepting the traps resulting from guest page faults and from accesses to TLB-maintenance-related registers. Since shadow page tables are hidden from the guest OS, they are the natural place for Barrier to implement kernel module isolation, just as it does in HPTs. Therefore, as soon as mobile virtualization technologies mature, we can extend Barrier to smartphones.
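The following is an added example, not code from the thesis or from any of the hypervisors named above: a small Python model of the shadow-paging scheme just described (guest page table for GVA to GPA, hypervisor map for GPA to HPA, shadow entries derived on a trap), extended with a hypothetical Barrier-style policy that gives each kernel module its own shadow table so that a module's access to a page it is not allowed to touch has no shadow entry and faults. Module names, page numbers and the policy are constructed for illustration.

```python
PAGE = 0x1000

class GuestOS:
    """Guest page table: guest virtual page -> guest physical page. In the
    trap-and-emulate scheme the hardware MMU never walks this table."""
    def __init__(self):
        self.gpt = {}

    def map(self, gva, gpa):
        self.gpt[gva // PAGE] = gpa // PAGE

class Hypervisor:
    """Holds the guest-physical -> host-physical map plus one shadow page
    table per kernel module (the per-module split is a hypothetical
    Barrier-style policy layer, not part of plain shadow paging)."""
    def __init__(self, guest, gpa_to_hpa, owner, policy):
        self.guest = guest
        self.gpa_to_hpa = gpa_to_hpa  # gpa page -> hpa page
        self.owner = owner            # gpa page -> module owning that page
        self.policy = policy          # module -> modules whose pages it may touch
        self.shadow = {}              # (module, gva page) -> hpa page or None
        self.traps = 0                # number of times the hypervisor was entered

    def translate(self, module, gva):
        """What the MMU sees: walk the module's shadow table. A miss traps to
        the hypervisor, which derives the entry from the two-level mapping."""
        key = (module, gva // PAGE)
        if key not in self.shadow:
            self.traps += 1
            self.shadow[key] = self._derive(module, gva // PAGE)
        if self.shadow[key] is None:
            raise PermissionError(f"{module} denied access to gva {gva:#x}")
        return self.shadow[key] * PAGE + gva % PAGE

    def _derive(self, module, gva_page):
        # KeyError here is a genuine guest page fault, reflected to the guest.
        gpa_page = self.guest.gpt[gva_page]
        owner = self.owner[gpa_page]
        if owner == module or owner in self.policy.get(module, ()):
            return self.gpa_to_hpa[gpa_page]
        return None  # no shadow entry: this module's access faults instead

    def guest_remap(self, gva, gpa):
        """Guest rewrote a PTE and did TLB maintenance; the trapped register
        access tells the hypervisor to drop stale shadow entries for the page."""
        self.guest.map(gva, gpa)
        self.traps += 1
        for key in [k for k in self.shadow if k[1] == gva // PAGE]:
            del self.shadow[key]
```

The second access to a page from the same module is served from the shadow table without a trap, while a guest remap invalidates the affected shadow entries so they are re-derived on the next access.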

5.5.3 Conclusion

We have presented the design and implementation of Barrier, a lightweight hypervisor designed to protect the OS from kernel rootkits. It leverages hardware virtualization technology to isolate kernel modules into different address spaces and then strictly examines inter-module interactions against a set of predefined normal-behavior rules.

This prevents kernel rootkits from freely attacking kernel modules. Since Barrier takes all kernel modules into consideration, it protects kernel integrity better than proposals that only isolate dynamic extensions. Our evaluations on Linux show that Barrier imposes acceptable performance overhead on the protected system and can detect various types of kernel rootkits found in the wild.


Chapter 6

SMS-based C&C and Its Countermeasures

6.1 Introduction

As we know, Command & Control (C&C) is the core of a botnet. To successfully command and control the compromised devices, the botmaster first has to establish an efficient channel that can disseminate commands to these devices rapidly and stealthily. With the rapid development of the computing and communication abilities of smartphones, many C&C technologies from traditional PC botnets, such as those based on HTTP [51], can easily be reused in mobile botnets. However, besides these common technologies, some particular functions and characteristics of smartphones may provide botmasters with additional means to construct special C&C channels for mobile botnets.

Because these channels are peculiar to mobile phones, current countermeasures against traditional PC C&C have no effect on them, which makes them more "secure" than traditional ones. Although no such effective channel exists in reality so far, most researchers believe they will appear sooner or later.

In this chapter, we aim to study the feasibility of using the Short Message Service (SMS) to construct an efficient and stealthy C&C channel. We choose SMS for two reasons.

Firstly, as a mandatory capability, SMS is supported by nearly all existing mobile phones. Since the service is text-based and system-independent, hackers can utilize it to disseminate their commands among heterogeneous platforms. Secondly, SMS is quite simple and reliable: all you need is a phone number, and you can immediately send a message to the target phone with a negligible error rate. Thus, SMS provides mobile botnets an ideal C&C medium. However, besides its advantages, SMS also has some drawbacks: SMS messages cost money and have to go through the cellular network, which is monitored by the operators. This means that if bots have to send too many messages abnormally, they will easily attract the attention of both operators and users. So a successful SMS-based C&C channel should meet the following requirements:

(1) It is completely P2P, with no centralized infrastructure. Even if some bots are captured, little information about other bots is leaked.

(2) The channel is efficient: a command issued by the botmaster can reach most of the bots in a short time. Moreover, for security reasons, each bot should only send a small number of SMS messages in this process.

(3) Because all SMS messages are monitored by the telecom operators, the C&C-related messages should look like normal ones to avoid being filtered out.

(4) Once a botnet is constructed, we need special mechanisms to maintain it. This mainly involves two issues. Firstly, the botmaster usually wants to know the runtime status of the controlled bots; thus, besides a command propagation channel, we need another reporting channel from the bots to the botmaster. Secondly, the botmaster needs to update the malware distributed on the bots regularly. The size of these updates usually greatly exceeds the maximum payload of a single SMS message, so we need an extra updating mechanism.

If such an SMS-based C&C channel proves effective, we should further propose countermeasures against it, because we are defenders, not attackers.
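As an added defender-side example (not from the thesis), the following constructed records and detection logic illustrate the operator-monitoring point behind requirements (2) and (3): command dissemination with few messages per bot still shows up as one sender pushing the same body to several previously uncontacted numbers inside a short window. The phone numbers, timestamps and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SMS records (timestamp, sender, recipient, body);
# hypothetical numbers, not real data.
RECORDS = [
    ("2024-03-01 09:00", "+10000000001", "+10000000002", "see you at 7?"),
    ("2024-03-01 09:05", "+10000000002", "+10000000001", "yes"),
    ("2024-03-01 09:10", "+10000000003", "+10000000004", "lunch?"),
    ("2024-03-01 10:00", "+10000000005", "+10000000011", "hey check this out"),
    ("2024-03-01 10:01", "+10000000005", "+10000000012", "hey check this out"),
    ("2024-03-01 10:02", "+10000000005", "+10000000013", "hey check this out"),
    ("2024-03-01 10:03", "+10000000005", "+10000000014", "hey check this out"),
]

def flag_senders(records, window=timedelta(minutes=10), min_fanout=3):
    """Return {sender: fan-out} for senders that, within `window`, pushed the
    same body to at least `min_fanout` distinct recipients they had never
    messaged before. A benign group text can also hit this, so the result
    is a triage candidate list for the operator, not a verdict."""
    history = defaultdict(set)   # sender -> recipients seen so far
    recent = defaultdict(list)   # sender -> [(time, recipient, body)] in window
    flagged = {}
    for ts, sender, rcpt, body in sorted(records):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        new_contact = rcpt not in history[sender]
        history[sender].add(rcpt)
        if not new_contact:
            continue  # ongoing conversations are not the pattern of interest
        q = recent[sender]
        q.append((t, rcpt, body))
        q = [e for e in q if t - e[0] <= window]  # slide the window
        recent[sender] = q
        same_body = {r for (_, r, b) in q if b == body}
        if len(same_body) >= min_fanout:
            flagged[sender] = max(flagged.get(sender, 0), len(same_body))
    return flagged
```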
