Unauthorized modifications made to an electronic device with the objective of gaining super-user and/or administrator access, or of removing all user limitations from the device, e.g. rooting for Android operating systems or jailbreaking for iPhone operating systems, render the device vulnerable to security breaches and compromise its overall security. Critical or privileged modules in electronic devices include system critical processes or system management daemons that are executed within a device's Operating System (OS) kernel or within the device's system.
Most unauthorized modifications to an electronic device will leave some trace in the operating system of the device. For example, in Linux devices, when such a device is rooted, the rooting process will create a SU command module (i.e. a module that enables unauthorized applications to obtain higher privileges) or will escalate privileges accorded to certain processes. Hence, a method of verifying whether a device has been rooted involves scanning the device for SU command modules or for the escalation of privileges of certain processes. Other ways of verifying the integrity of the device involve checking the device's file system, checking fixed memory locations for certain kernel codes or checking a dynamic portion of the device's memory for unknown processes that have root/system privileges. Unsurprisingly, malicious attackers will adapt to these scanning techniques and will constantly come up with new ways to cover their tracks, thereby avoiding detection.
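The file-system scan described above can be sketched as follows. This is an added example, not code from the original text; the file names in `SU_NAMES`, the directory layout and the allowlist are constructed assumptions. It also shows why a name check alone is weak: the renamed helper is caught only by the setuid baseline comparison.

```python
import os
import stat
import tempfile

# Assumed file names for illustration; rooting tools vary and can rename them.
SU_NAMES = {"su", "daemonsu"}

def scan_for_root_traces(root, setuid_allowlist=frozenset()):
    """Return sorted (relative_path, reason) findings under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            if name in SU_NAMES:
                findings.append((rel, "su-like name"))
            if st.st_mode & stat.S_ISUID and rel not in setuid_allowlist:
                findings.append((rel, "setuid outside allowlist"))
    return sorted(findings)

def demo():
    """Build a constructed device tree in a temp dir and scan it."""
    layout = {                      # path -> mode (all contents are dummies)
        "system/bin/sh": 0o755,
        "system/bin/ping": 0o4755,  # setuid binary known from the baseline
        "system/xbin/su": 0o4755,   # trace left by a rooting process
        "data/local/tmp/helper": 0o4755,  # renamed helper, name check misses it
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"dummy")
            os.chmod(path, mode)
        return scan_for_root_traces(root, setuid_allowlist={"system/bin/ping"})
```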
A common problem faced by such anti-malware solutions is that the detection/protection programs are usually installed in the operating system that is to be protected. Therefore, if an attacker is aware of the existence of such anti-malware solutions running in the system, the attacker may implement an attack that causes the anti-malware solution to be modified, thereby effectively disabling the usefulness of the solution. In short, anti-malware solutions installed within the normal operating space are always vulnerable to well-designed attacks.
A proposed method for determining integrity of a device involves periodically checking the device kernel's data against data contained within an original kernel. The module that performs this method is provided within a secure state of the device. Verification modules are typically installed within such secure areas because in theory, only super-users or system administrators may access or make modifications to modules provided in this area. This ensures that modules installed within such secure areas will be isolated from attacks and unauthorized modifications.
A solution known in the art that does this is the TrustZone-based Integrity Measurement Architecture (TIMA) solution. The TIMA solution runs entirely in a trusted environment; as a result, no attack may modify the TIMA mechanism. However, because applications installed within the normal operating system are not utilized in the TIMA solution, the TIMA solution can only check for simple attack traces. For example, it is only able to check whether the kernel code has been modified (i.e. by computing a digital hash of a known memory region and comparing the result to a predetermined value), and is only able to verify the signature of modules with a secret key stored in the trusted environment. As a result, it is not able to detect complex changes to the device or operating system of the device, such as data that has been modified, process privileges that have been changed, etc. In fact, there are some known attack tools, for example, “towelroot”, “pingpong root” and “kingroot”, that can be used to attack TIMA implemented devices without being detected. In addition, it is much more difficult to implement updates to applications or modules that are installed within the trusted environment. As a result, these modules in the trusted environment will not be able to handle the latest attacks due to the inefficiencies and difficulties in the updating of these modules.
Other proposed methods for verifying integrity of a device or protecting a device from attacks involve utilizing information that is constantly updated by a remote server. By analysing attack samples, the remote server is able to improve the accuracy and efficiency of the verification/protection processes, and this updated information is periodically loaded onto the device. Secure boot/trusted boot/dm-verity are other solutions that rely on the idea that, if only verified components are allowed to be loaded and run in the system, most, if not all, attacks may be detected and addressed. To achieve this, these solutions require the to-be-loaded modules to be verified by a preinstalled module, whereby the preinstalled module is initially verified by hardware verification modules. In addition, the secure boot solution also ensures that critical components will be executed upon system start up, using a technique known as “boot-chain”. For example, in Linux operating systems, a proposed secure boot-chain solution implements the following booting sequence when the device initially powers on:
1) The device's processor will load a boot-loader program from a predetermined location that is not editable after the device has been manufactured;
2) The boot-loader program will verify and load a “u-boot”, or a universal boot-loader, that handles the basic input and output processes of the device, similar to what a BIOS does for personal computers; and
3) The u-boot will then load a kernel, which loads the Android system.
The secure boot solution proposed above allows verifications to be carried out using hardware components. However, these verifications are only carried out when the modules are initially loaded, and no further verification steps are carried out beyond that. As a result, this solution does not protect an operating system against run-time attacks such as the abovementioned attack tools.
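The load-time boot chain and the code-hash check described for TIMA can be modelled together to show what each one misses. This is an added example, not code from the original text: the stage images, the `proc_uid` table and all function names are constructed, and pinned SHA-256 digests stand in for the signature checks a real chain would use.

```python
import hashlib

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# Constructed stage images; real chains verify signatures, pinned hashes keep this short.
IMAGES = {
    "u-boot": b"u-boot: init console, load kernel",
    "kernel": b"KERNEL-CODE:syscall_table,sched",
}
# Expected digest of each stage, held by the stage that loads it.
PINNED = {name: digest(img) for name, img in IMAGES.items()}

def secure_boot(storage: dict) -> dict:
    """Load u-boot then kernel, refusing any image whose digest is not pinned."""
    memory = {}
    for stage in ("u-boot", "kernel"):
        if digest(storage[stage]) != PINNED[stage]:
            raise RuntimeError(f"{stage} failed verification; boot halted")
        memory[stage] = bytearray(storage[stage])
    # Mutable run-time state that no boot-time hash covers (constructed).
    memory["proc_uid"] = {"init": 0, "untrusted_app": 10057}
    return memory

def runtime_code_check(memory: dict) -> bool:
    """Periodic re-measurement of the kernel code region only."""
    return digest(bytes(memory["kernel"])) == PINNED["kernel"]

def demo() -> dict:
    results = {}
    tampered = dict(IMAGES, kernel=b"KERNEL-CODE:patched")
    try:
        secure_boot(tampered)
        results["tampered_image_boots"] = True
    except RuntimeError:
        results["tampered_image_boots"] = False
    mem = secure_boot(IMAGES)
    mem["proc_uid"]["untrusted_app"] = 0   # data-only change after boot
    results["data_change_seen_by_code_hash"] = not runtime_code_check(mem)
    mem["kernel"][0:6] = b"HOOKED"         # code change after boot
    results["code_change_seen_by_code_hash"] = not runtime_code_check(mem)
    return results
```

The boot chain rejects the tampered image but never runs again after load, and the periodic code hash catches the patched code region while the privilege change in run-time data passes unnoticed.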
For the above reasons, those skilled in the art are constantly striving to come up with a system and method to verify system integrity of an electronic device in an efficient and reliable manner.