JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

22 Scopus citations

Abstract

Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present 'JoKER' - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.

Original languageEnglish
Title of host publicationProceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages65-73
Number of pages9
ISBN (Electronic)9781467379519
DOIs
StatePublished - 2 Dec 2015
Event14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 - Helsinki, Finland
Duration: 20 Aug 201522 Aug 2015

Publication series

NameProceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
Volume1

Conference

Conference14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
Country/TerritoryFinland
CityHelsinki
Period20/08/1522/08/15

Keywords

  • Android
  • Forensics
  • JTAG
  • Rootkits
  • Security
  • Trusted Detection

Fingerprint

Dive into the research topics of 'JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface'. Together they form a unique fingerprint.

Cite this