A magazine found in IEEE for Lab Meeting

1. RootGuard: Protecting
Rooted Android Phones
Yuru Shao, Xiapu Luo, and Chenxiong Qian,
The Hong Kong Polytechnic University
June 18 2014

2. Outline
 Introduction
 Related Work
 System Overview
 Proposed Approach
 Result and Conclusion

3. Introduction
 Most popular smartphone operating system
 Limitations – ROOT!
 ROOT security threats
-access to entire system and low-level hardware
 Root-management
 RootGuard

4. Related Work
 Rooting android and managing root privilege
 Security flaws in available root-management tools
1. Behaving like legitimate apps.
2. Rootmanagement tools cannot defend themselves.
 Attacking the root request Intent
-Intent spoofing.
-Intent hijacking and eavesdropping.

5. Related Work
 Attacking su
 Attacking Superuser’s policy storage
 Attacking the local socket file
 ROOTGUARD
1. Provides fine-grain control.
2. Defends itself against attacks

6. System Overview
 The root-privilege management model.

7. System Overview
 RootGuard-enhanced root-management model.

8. Design and Implementation
 RootGuard’s three main components consist of SuperuserEx.

9. Design and Implementation
 SuperuserEx
-Offer user a GUI. Built on top of the open source.
 Policy storage database
-/etc/rootguard
-/dev/rootguard
 Kernel module
-Linux Security Module(LSM)
-LSM hooks. -rg_mount
-System call hook. –sys_execve
 Security Server

10. Design and Implementation
 Default policies
-apps for browsing the entire file system and editing files
-apps for backing up files
-security apps providing real-time detection and protection
-apps for accessing and configuring hardware settings.
 Mounting system partitions. - /system
 Accessing hardware devices. -/dev
 Accessing system files or other apps’ private data.
 Manipulating process memory

11. Evaluation
 Threat 1: Silent installation and uninstallation.
-pm install, pm uninstall
 Threat 2: Antimalware tool termination.
-kill
 Threat 3: Irremovability.
-system/app
 Threat 4: Access to other apps’ private data.
 Threat 5: Back doors.
 Threat 6: Rootkits and bootkits.

12. Case studies showing
RootGuard’s effectiveness
 RootSmart (Threats 1, 3, and 5).
-download other malware from remote servers
-creating a backdoor (/system/xbin/smart/sh) into the
system partition
 AVPass (Threat 4).
- modify the signature databases of many popular
antimalware apps

13. Case studies showing
RootGuard’s effectiveness
 DKFBootKit (Threat 6)
-mounts the system partition as writable
-copies itself into the /system/lib directory
-replaces several commonly used utility programs
(for example, ifconfig and mount)
 PoC app (Threat 2)
-terminates process by executing the kill <pid> command
-query key components of an antimalware tool and
disable them

14. Result
 RootGuard-enhanced device user experience
-Titanium Backup, CPU Tuner, Root Explorer, LBE
Privacy Guard, and Root App Delete
-Inspect in SuperuserEx and modify policy

15. Performance overhead
 AnTuTu benchmark for two Google Nexus S
-basic AOSP
-RootGuard

16. Performance overhead

17. Other Security Considerations
 Kernel-mode rootkits
 Exploit kernel vulnerabilities
 Direct kernel object modification (DKOM)
 Disabled support for the Linux loadable kernel module
(LKM)
 Who knows RootGuard’s default policies