2014-05-01
Abstract
In the latest of his ‘Greetz from Academe’ series, highlighting some of the work going on in academic circles, John Aycock looks at PREC: practical root exploit containment for Android devices.
Copyright © 2014 Virus Bulletin
It seems I may have accidentally set the bar too high in last month’s Greetz from Academe by mentioning both Robert Louis Stevenson and Alan Turing in the same piece. Juxtaposing literary and intellectual greats? Anything that follows will surely pale in comparison. As the astute reader will have surmised, I will not be presenting the long-awaited Mark Twain/Einstein grudge match; sorry to disappoint. Instead, I will begin with the media.
While some academics embrace the media, I also have a number of colleagues who are either wary of it or outright scornful, because media stories often gloss over subtle scientific points. Of course, it is also true that some academic research areas tend not to make a lot of headlines. Somehow I doubt that my colleague researching category theory gets too many calls from Fox News.
For my part, I always enjoy reading media press releases about computer security. They tend to have a tantalizing combination of being ill-informed along with a level of breathlessness so great that I wonder if the writer will expire mid-sentence. Earlier last week I was skimming ACM TechNews, a digest of various media stories and press releases related to computer science. It usually contains at least one security-related story, and that day was no exception: ‘Student Devises Novel Way to Detect Hackers’, blared the headline [1].
The original press release was from Binghamton University in New York [2], and after a lengthy blurb about the Ph.D. researcher’s upbringing, mixed with a healthy sprinkling of cyber-fearmongering, we arrived at the obligatory technical part: ‘Instead of reviewing all programs run by a network to find the signature of one of millions of known malware programs [...] they have developed a technology to assess behavior of individual computers.’ So far, so good. ‘This is done by monitoring system calls,’ the press release goes on to say, and the other shoe drops. I’ll spare you the remainder, but essentially, to anyone in security the press release reads as though they reinvented system call monitoring and anomaly detection. I’m sure there’s more to the researchers’ work than that, but it’s a great example of subtleties being lost.
Of course, the idea of monitoring system calls to detect anomalies has been around for many years, with key academic research by Stephanie Forrest et al. published in 1996 [3]; even their ACSAC talk on the topic, labelled in the ACSAC conference program as a ‘Classic Paper’, is itself approaching its sixth birthday [4]. All of this means that whenever a new paper appears flying the system-call-monitoring banner, there should be some new spin on it. No novelty equals no publication in academia, after all.
This brings me to ‘PREC: Practical root exploit containment for Android devices’ [5], a freshly published paper involving system call monitoring. Malware detection on mobile devices has been an open problem for some time: how do you detect malware while leaving sufficient CPU, memory, and battery life to play Angry Birds? The PREC work combines the two, as the majority of the malicious test cases involve Angry Birds being repackaged by the researchers with different root exploits. I’m not kidding.
The main idea behind PREC is perhaps best summed up as follows: ‘PREC focuses on third-party native code which is very difficult, if not totally impossible, to decompile’ [5, p. 192]. This may come as a surprise to anyone who does reverse engineering on a daily basis, but it does capture both PREC’s premise and its mechanism. One of many assumptions PREC makes is that most Android root exploit shenanigans stem from third-party native code. This means that the scope of system call monitoring – and hence the overhead PREC imposes – can be restricted to that alone. Execution of third-party native code is shunted to a pool of threads whose system calls are monitored and compared, on device, to a system call profile precomputed off-device (e.g. in the cloud). Threads that deviate too far from the known profile are contained by outright termination or else slowed down to the point of uselessness.
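The profile-and-contain loop described above, as an added toy example that is not PREC's code or data: a Forrest-style n-gram profile of system calls is learned off-device from benign traces, each monitored native-code thread is scored on-device by how many of its windows fall outside the profile, and a thread that deviates too far is terminated or throttled. The window length, thresholds and syscall traces are all constructed assumptions.

```python
"""Toy PREC-style root exploit containment: off-device profile,
on-device scoring of native-code threads, contain on deviation."""

WINDOW = 3  # n-gram length; an assumption, not PREC's actual setting


def build_profile(traces, n=WINDOW):
    """Off-device step: every syscall n-gram seen in benign runs."""
    profile = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile


def mismatch_rate(trace, profile, n=WINDOW):
    """Fraction of a thread's n-gram windows absent from the profile."""
    windows = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not windows:
        return 0.0
    misses = sum(1 for w in windows if w not in profile)
    return misses / len(windows)


def contain(trace, profile, kill_at=0.5, throttle_at=0.2):
    """On-device decision for one monitored native-code thread.
    Thresholds are constructed values for illustration."""
    rate = mismatch_rate(trace, profile)
    if rate >= kill_at:
        return "terminate"
    if rate >= throttle_at:
        return "throttle"
    return "allow"


# Constructed benign traces of a native game-engine thread (not real data).
BENIGN = [
    ["mmap", "read", "write", "read", "write", "munmap"],
    ["mmap", "read", "read", "write", "munmap"],
]
# Constructed traces: one slightly off-profile, one wholly off-profile.
SLIGHT = ["mmap", "read", "write", "read", "write", "ioctl", "munmap"]
ANOMALOUS = ["mmap", "read", "socket", "connect", "sendto", "write", "munmap"]

if __name__ == "__main__":
    prof = build_profile(BENIGN)
    for name, t in (("benign", BENIGN[0]), ("slight", SLIGHT), ("anomalous", ANOMALOUS)):
        print(name, round(mismatch_rate(t, prof), 2), contain(t, prof))
```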
In my opinion, PREC makes a few too many assumptions, since each assumption in a security system serves mostly to yield a blueprint for bypassing it. However, it does offer a low-impact re-spin of system call monitoring that fits in nicely with efforts to shift work into the cloud, making PREC interesting as a starting point if not a panacea. No need to stop the presses, but it might be worth watching the film at eleven.