Memory Inspection Resistant Rootkit: An implementation and analysis

Full metadata

Description

The purpose of this project was to implement and analyze a new proposed rootkit that claims a greater level of stealth by hiding in cache. Today, the vast majority of embedded devices are powered by ARM processors. To protect their processors from attacks, ARM introduced a hardware security extension known as TrustZone. It provides an isolated execution environment within the embedded device that enables us to run various memory integrity and malware detection tools to identify possible breaches in security to the normal world. Although TrustZone provides this additional layer of security, it also adds another layer of complexity, and thus comes with its own set of vulnerabilities. This new rootkit identifies and exploits a cache incoherence in the ARM device as a result of TrustZone. The newly proposed rootkit, called CacheKit, takes advantage of this cache incoherence to avoid memory introspection from tools in the secure world. We implement CacheKit on the i.MX53 development board, which features a single ARM Cortex-A8 processor, to analyze the limitations and vulnerabilities described in the original paper. We set up the Linux environment on the computer to be able to cross-compile for the development board, which will be running the Freescale Android 2.3.4 platform with a 2.6.33 Linux kernel. The project is implemented as a kernel module that, once installed on the board, can manipulate cache as desired to conceal the rootkit. The module exploits the fact that in TrustZone, the secure world does not have access to the normal world cache. First, a technique known as Cache-as-RAM is used to ensure that the rootkit is loaded only into the cache of the normal world, where it can avoid detection from the secure world. Then, we employ the cache maintenance instructions and registers provided in the cp15 coprocessor to keep the code persistent in cache. Furthermore, the cache lines are mapped to unused I/O address space so that if cache content is flushed to RAM for inspection, the data is simply lost. This ensures that even if the rootkit were to be flushed into memory, any trace of the malicious code would be lost. CacheKit prevents defenders from analyzing the code and destroys any forensic evidence. This provides attackers with a new and powerful tool that is excellent for certain scenarios that were previously thought to be secure. Finally, we determine the limitations of the prototype to identify possible areas for future growth and research into the security of networked embedded devices.

Date Created
2016-12
Contributors
  • Gutierrez Barnett, Mauricio Antonio (Author)
  • Zhao, Ziming (Thesis director)
  • Doupe, Adam (Committee member)
  • Computer Science and Engineering Program (Contributor)
  • Barrett, The Honors College (Contributor)
Topical Subject
  • Information Assurance
  • Computer Systems Engineering
  • Embedded Systems
Resource Type
Text
Extent
19 pages
Language
eng
Copyright Statement
In Copyright
Primary Member of
Barrett, The Honors College Thesis/Creative Project Collection
Series
Academic Year 2016-2017
Handle
https://hdl.handle.net/2286/R.I.42621
Level of coding
minimal
Cataloging Standards
asu1
System Created
  • 2017-10-30 02:50:58
System Modified
  • 2021-08-11 04:09:57
Additional Formats
  • OAI Dublin Core
  • MODS XML
