With the wide use of smartphones in daily life, new malware is emerging that compromises the mobile OS and steals sensitive data from mobile applications. Anti-malware tools must be continuously updated through static and dynamic malware analysis to detect and prevent the newest malware. Dynamic malware analysis depends on reliable memory acquisition of the OS and of the applications running on the smartphone.
In this paper, we develop a TrustZone-based memory acquisition mechanism called TrustDump that is capable of reliably obtaining the RAM contents and CPU registers of the mobile OS even if the OS has crashed or has been compromised.
TrustDump is installed in the secure domain to perform memory dumps and malware analysis of the Rich OS. TrustZone ensures that the TrustDumper is securely isolated from the Rich OS, so a compromised Rich OS cannot compromise the memory acquisition module. When the Rich OS has crashed or suspicious behavior has been detected in it, TrustDump ensures a reliable system switch from the normal domain to the secure domain: pressing a hardware button on the smartphone triggers a non-maskable interrupt (NMI) to the ARM processor.
The NMI guarantees that a malicious Rich OS cannot launch attacks to block or intercept the switching process. Since the secure domain has the access privilege to the memory and registers in the normal do- main, TrustDumper can freely access the physical RAM memory and the CPU states of the Rich OS. When the system switches into the secure domain, the Rich OS is frozen, so the malware has no time to clean its attacking traces.
Besides checking the OS kernel integrity and performing online malware analysis, TrustDumper can send the memory dump and CPU states to a remote machine for further analysis. A hash value of the memory dump is also calculated and sent so that the remote machine can verify that the data was transmitted correctly. The remote machine can then use various powerful memory forensics tools to uncover the malicious behaviors recorded in the memory dump.
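The two checks described in this paragraph, a kernel-text integrity check run by the dumper and a hash that lets the remote machine verify the transmitted dump, can be modelled in a few lines. The following is an added example, not code from the TrustDump paper or prototype: the RAM image, the kernel text, its offset and the ARM register values are all constructed stand-ins, and SHA-256 is assumed as the digest (the paper does not name one). Both the secure-world side (`acquire`, `check_kernel_text`) and the remote side (`verify_transfer`) are shown, together with a patched kernel and a corrupted transfer so that each check's failure mode is visible.

```python
import hashlib
import hmac
from dataclasses import dataclass

PAGE_SIZE = 4096

# Constructed stand-in for the Rich OS kernel text (real kernels are megabytes; two pages suffice here).
KERNEL_TEXT = bytes(range(256)) * (2 * PAGE_SIZE // 256)
KERNEL_TEXT_BASE = 0x0000  # hypothetical offset of kernel text inside the dumped RAM image
# Known-good reference digest, computed offline from the trusted kernel build.
KERNEL_TEXT_REF = hashlib.sha256(KERNEL_TEXT).hexdigest()


@dataclass
class DumpPacket:
    """What the secure-world dumper transmits: frozen CPU state, the RAM image, and one digest over both."""
    cpu_regs: dict
    ram: bytes
    digest: str


def digest_of(ram: bytes, cpu_regs: dict) -> str:
    """SHA-256 over the RAM image and the register file; registers are serialized in sorted order so both sides hash identically."""
    h = hashlib.sha256()
    h.update(ram)
    for name in sorted(cpu_regs):
        h.update(f"{name}={cpu_regs[name]:#010x};".encode())
    return h.hexdigest()


def build_normal_world_ram(size: int = 8 * PAGE_SIZE) -> bytearray:
    """Constructed RAM image: kernel text at KERNEL_TEXT_BASE, zeroed pages after it."""
    ram = bytearray(size)
    ram[KERNEL_TEXT_BASE:KERNEL_TEXT_BASE + len(KERNEL_TEXT)] = KERNEL_TEXT
    return ram


def acquire(ram: bytes, cpu_regs: dict) -> DumpPacket:
    """Secure-world side: the Rich OS is frozen after the NMI, so RAM and registers are snapshotted as they stand."""
    return DumpPacket(dict(cpu_regs), bytes(ram), digest_of(ram, cpu_regs))


def verify_transfer(pkt: DumpPacket) -> bool:
    """Remote side: recompute the digest over what arrived; corruption in transit shows up as a mismatch."""
    return hmac.compare_digest(digest_of(pkt.ram, pkt.cpu_regs), pkt.digest)


def check_kernel_text(ram: bytes) -> bool:
    """Online integrity check the dumper can run itself: does the kernel text region match the trusted build?"""
    region = ram[KERNEL_TEXT_BASE:KERNEL_TEXT_BASE + len(KERNEL_TEXT)]
    return hmac.compare_digest(hashlib.sha256(region).hexdigest(), KERNEL_TEXT_REF)


def demo() -> dict:
    """Run a clean dump, a dump whose kernel text was modified in memory, and a transfer corrupted by a flipped byte."""
    regs = {"pc": 0xC0008000, "sp": 0xC7FFFF00, "cpsr": 0x600001D3}  # constructed ARM register values
    clean_ram = build_normal_world_ram()
    clean = acquire(clean_ram, regs)

    # Kernel text modified in place before the dump (what a kernel-level compromise leaves behind);
    # the transfer itself is intact, so only the integrity check should fail.
    patched_ram = bytearray(clean_ram)
    patched_ram[KERNEL_TEXT_BASE + 0x100] ^= 0xFF
    patched = acquire(patched_ram, regs)

    # Transfer corrupted after hashing: the remote recomputation no longer matches the sent digest.
    corrupted_ram = bytearray(clean.ram)
    corrupted_ram[5 * PAGE_SIZE + 17] ^= 0x01
    corrupted = DumpPacket(clean.cpu_regs, bytes(corrupted_ram), clean.digest)

    return {
        "clean_transfer_ok": verify_transfer(clean),
        "clean_kernel_ok": check_kernel_text(clean.ram),
        "patched_transfer_ok": verify_transfer(patched),
        "patched_kernel_ok": check_kernel_text(patched.ram),
        "corrupted_transfer_ok": verify_transfer(corrupted),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that the transfer hash only proves the remote copy equals what the dumper hashed; it says nothing about whether the dumped kernel was clean. That is why the two checks are separate: the dumper, which holds the reference digest and is isolated from the Rich OS, answers the integrity question, while the remote machine only confirms it received an unaltered copy.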
The mobile OS is running in the TrustZone’s normal domain, and the memory acquisition tool is running in the TrustZone’s secure domain, which has the access privilege to the memory in the normal domain. Instead of using a hypervisor to ensure an isolation between the OS and the memory acquisition tool, we rely on ARM TrustZone to achieve a hardware-assisted isolation with a small trusted computing base (TCB) of about 450 lines of code.
We built a TrustDump prototype on the Freescale i.MX53 QSB. TrustDump is OS agnostic and requires no changes to the Rich OS, which satisfies the smartphone forensic principle of extracting digital evidence without altering the data contents.
To read this external content in full, download the complete paper from the online archives at William and Mary College, Virginia.