1. RootGuard: Protecting Rooted Android Phones
Yuru Shao, Xiapu Luo, and Chenxiong Qian,
The Hong Kong Polytechnic University
June 18 2014
2. Outline
Introduction
Related Work
System Overview
Proposed Approach
Result and Conclusion
3. Introduction
Most popular smartphone operating system
Limitations – ROOT!
ROOT security threats
- Access to the entire system and low-level hardware
Root-management
RootGuard
4. Related Work
Rooting Android and managing root privilege
Security flaws in available root-management tools
1. Behaving like legitimate apps.
2. Root-management tools cannot defend themselves.
Attacking the root request Intent
- Intent spoofing.
- Intent hijacking and eavesdropping.
5. Related Work
Attacking su
Attacking Superuser’s policy storage
Attacking the local socket file
ROOTGUARD
1. Provides fine-grain control.
2. Defends itself against attacks
9. Design and Implementation
SuperuserEx
- Offers the user a GUI; built on top of the open source.
Policy storage database
- /etc/rootguard
- /dev/rootguard
Kernel module
- Linux Security Module (LSM)
- LSM hooks (e.g. rg_mount)
- System call hook (sys_execve)
Security Server
10. Design and Implementation
Default policies
- Apps for browsing the entire file system and editing files
- Apps for backing up files
- Security apps providing real-time detection and protection
- Apps for accessing and configuring hardware settings
Mounting system partitions (/system)
Accessing hardware devices (/dev)
Accessing system files or other apps’ private data.
Manipulating process memory
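The following user-space C model is an added example, not RootGuard's own code, showing the policy decision that the kernel module's rg_mount LSM hook and sys_execve hook make against the policy storage described on slides 9 and 10. The policy table, the uids, the field and helper names are all constructed assumptions; the uid is assumed to be the one recorded for the app when su granted it root.

```c
/* Added example, not RootGuard's code: user-space model of the policy check
 * behind the rg_mount LSM hook and the sys_execve hook. Table contents,
 * uids and helper names are constructed assumptions. */
#include <stddef.h>
#include <string.h>

enum rg_verdict { RG_DENY = 0, RG_ALLOW = 1 };

#define RG_MAX_EXEC 4
struct rg_policy {
    int uid;                             /* app that obtained root via su */
    int may_mount_system_rw;             /* may remount /system writable */
    const char *exec_allow[RG_MAX_EXEC]; /* NULL-terminated exec allow-list */
};

/* Constructed sample of what the policy database would hold: a backup app
 * that may only run tar, and a file explorer that may remount /system. */
static const struct rg_policy policies[] = {
    { 10050, 0, { "/system/bin/tar", NULL } },
    { 10060, 1, { "/system/bin/sh", NULL } },
};

static const struct rg_policy *rg_lookup(int uid)
{
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
        if (policies[i].uid == uid) return &policies[i];
    return NULL;                         /* no record: callers default-deny */
}

/* Model of rg_mount: writable mounts of /system need explicit permission,
 * which blocks the /system modifications in Threats 3, 5 and 6. */
int rg_mount(int uid, const char *target, int writable)
{
    const struct rg_policy *p = rg_lookup(uid);
    if (!writable || strcmp(target, "/system") != 0) return RG_ALLOW;
    return (p && p->may_mount_system_rw) ? RG_ALLOW : RG_DENY;
}

/* Model of the sys_execve hook: a rooted app may only run listed binaries,
 * so pm install/uninstall or kill from an unlisted app is refused. */
int rg_execve(int uid, const char *path)
{
    const struct rg_policy *p = rg_lookup(uid);
    if (!p) return RG_DENY;              /* unknown rooted app: deny */
    for (int i = 0; i < RG_MAX_EXEC && p->exec_allow[i]; i++)
        if (strcmp(path, p->exec_allow[i]) == 0) return RG_ALLOW;
    return RG_DENY;
}
```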
11. Evaluation
Threat 1: Silent installation and uninstallation.
- pm install, pm uninstall
Threat 2: Antimalware tool termination.
- kill
Threat 3: Irremovability.
- /system/app
Threat 4: Access to other apps’ private data.
Threat 5: Back doors.
Threat 6: Rootkits and bootkits.
12. Case studies showing RootGuard’s effectiveness
RootSmart (Threats 1, 3, and 5)
- downloads other malware from remote servers
- creates a backdoor (/system/xbin/smart/sh) in the system partition
AVPass (Threat 4).
- modifies the signature databases of many popular antimalware apps
13. Case studies showing RootGuard’s effectiveness
DKFBootKit (Threat 6)
- mounts the system partition as writable
- copies itself into the /system/lib directory
- replaces several commonly used utility programs (for example, ifconfig and mount)
PoC app (Threat 2)
- terminates processes by executing the kill <pid> command
- queries key components of an antimalware tool and disables them
14. Result
RootGuard-enhanced device user experience
- Titanium Backup, CPU Tuner, Root Explorer, LBE Privacy Guard, and Root App Delete
- Inspect in SuperuserEx and modify policy
17. Other Security Considerations
Kernel-mode rootkits
Exploit kernel vulnerabilities
Direct kernel object modification (DKOM)
Disabled support for Linux loadable kernel modules (LKM)
Who knows RootGuard’s default policies