1. Field of the Subject Disclosure
The subject disclosure relates to balancing malware rootkit detection with power consumption on mobile devices. In particular, the subject disclosure relates to optimizing power consumption by modulating the rootkit detection as a function of time and coverage.
2. Background of the Subject Disclosure
Mobile electronic devices, or mobile devices, have become an integral part of our everyday lives. Cellular telephones, smartphones, netbooks, and several other devices are used by billions to perform everyday tasks for communication, scheduling, etc. Essentially, the core components of historically larger computers, such as transceivers, displays, storage, and powerful processors are being miniaturized and crammed into small portable devices that are becoming more and more ubiquitous.
With the benefits of packing computing power and networking into a small package also come the costs. One increasing problem is that of malicious software, or malware. Malware is created by malicious entities for several nefarious purposes, spreads itself like a computer virus, and may cripple or even completely disable an electronic device. A particularly potent form of malware is a rootkit, so called because it targets the root of the system, i.e., the operating system (OS) kernel itself. By infecting the code and data of the OS kernel, rootkits gain control over the layer traditionally considered the trusted computing base (TCB). Rootkits are therefore able to evade standard user-space malware detectors, such as signature-based scanners. Further, rootkits enable other attacks by hiding malicious processes, allow attackers to stealthily retain long-term control over infected devices, and serve as stepping stones for other attacks such as key-loggers or backdoors.
Early rootkits attempted to hide the presence of malicious processes by compromising system utilities that are used for diagnostics. For instance, a rootkit that replaces the UNIX ls and ps binaries with infected versions can hide the presence of malicious files and processes. Such rootkits are easy to detect by an uncompromised TCB that certifies the integrity of user-space utilities with checksums.
The next generation of rootkits attempts to evade detection by corrupting the integrity of kernel code. Such corruption is usually achieved by coercing the system into loading malicious kernel modules. Once a rootkit has gained kernel execution privileges, it can mislead all detection attempts from user or kernel space.
A large majority of rootkits today corrupt kernel control data by modifying function pointers in data structures such as the system call table or the interrupt descriptor table. This attack technique allows rootkits to redirect control to attacker code when the kernel is invoked. Finally, a recent study has reported a 600% increase in the number of rootkits in the three-year period between 2004 and 2006. As this explosive growth continues, the increasing complexity of the hardware and software stack of mobile devices, coupled with the increasing economic value of personal data stored on mobile devices, points to an impending adoption of rootkits in the mobile malware arena.
Several approaches currently exist for defending against malware. However, as mentioned above, traditional signature-based scanning does not protect against subversive rootkits. Signature-based scanning may be supplemented with more powerful techniques, such as those that deploy behavior-based detection algorithms. Existing methods for detecting rootkits include the use of code integrity monitors such as Patagonix, and kernel data integrity monitors such as Gibraltar. Patagonix offers protection against malicious code in the kernel by checking the integrity of static code pages (kernel inclusive). Gibraltar offers protection against malicious data in the kernel by scanning the kernel's data segment and ensuring that its data structures satisfy certain integrity properties, which are normally violated in rootkit-infected kernels.
This checking of the integrity of all kernel data structures and executable code is a thorough process, but requires significant processing overhead. With mobile devices, this leads to another problem: excessive power consumption. Security mechanisms today focus on well-provisioned computers such as heavy-duty servers or user desktops. Mobile devices present a fundamental departure from these classes of machine because they are critically resource-constrained.
While advances throughout the last decade in mobile processor, GPU, and wireless capabilities have been staggering, the hard fact is that mobile devices rely on batteries with a limited amount of stored power. Absent resource constraints, security mechanisms will check everything they can, all the time. In a mobile device, aggressively performing checks on large sets of security targets will inexorably lead to resource exhaustion and the inability to carry on useful tasks. However, no currently known approach addresses the problem of providing security mechanisms in a battery-constrained environment.
What is therefore needed is a modified rootkit detector or scanner that balances rootkit detection with energy consumption.
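The following is an added illustration, not code from the disclosure, of the two kinds of integrity check described above (hashing static code pages, and checking that every system call table entry points into kernel text) driven by a scheduler that spends a per-period energy budget and so trades coverage against time. The kernel image, the address range KERNEL_TEXT, and the per-check energy costs are constructed assumptions.

```python
import hashlib

KERNEL_TEXT = (0x1000, 0x8000)  # constructed: address range of static kernel code

class KernelImage:
    """Constructed stand-in for a kernel: static code pages plus a syscall table."""
    def __init__(self, pages, syscall_table):
        self.pages = pages                  # list[bytes], one entry per code page
        self.syscall_table = syscall_table  # list[int], function-pointer addresses

def page_digest(data):
    return hashlib.sha256(data).hexdigest()

class ModulatedScanner:
    """Round-robin integrity scanner that stops each period when its energy
    budget is spent. Targets: every code page (hash against a boot-time
    baseline) and the syscall table (invariant: entries point into KERNEL_TEXT)."""
    def __init__(self, image, budget, page_cost=1, table_cost=2):
        self.image = image
        self.baseline = [page_digest(p) for p in image.pages]  # trusted at boot
        self.targets = [("page", i) for i in range(len(image.pages))] + [("table", 0)]
        self.cost = {t: (page_cost if t[0] == "page" else table_cost) for t in self.targets}
        self.budget, self.pos = budget, 0  # pos: where the round-robin resumes

    def check(self, target):
        kind, i = target
        if kind == "page":
            return page_digest(self.image.pages[i]) == self.baseline[i]
        lo, hi = KERNEL_TEXT
        return all(lo <= addr < hi for addr in self.image.syscall_table)

    def scan_period(self, budget=None):
        """Check targets until the period budget is exhausted or every target has
        been visited once; return (alerts, coverage fraction, energy spent).
        The budget may be raised or lowered per period (e.g. while charging)."""
        budget = self.budget if budget is None else budget
        if budget < max(self.cost.values()):
            raise ValueError("budget must cover the most expensive single check")
        spent, alerts, checked = 0, [], 0
        while checked < len(self.targets):
            t = self.targets[self.pos]
            if spent + self.cost[t] > budget:
                break  # leave pos here so the next period resumes where this one stopped
            self.pos = (self.pos + 1) % len(self.targets)
            spent += self.cost[t]
            checked += 1
            if not self.check(t):
                alerts.append(t)
        return alerts, checked / len(self.targets), spent

def periods_until_alert(scanner, max_periods):
    """Number of scan periods until the first alert, or None if none fires."""
    for n in range(1, max_periods + 1):
        if scanner.scan_period()[0]:
            return n
    return None
```

A lower budget lengthens the worst-case window between a modification and its detection, which is the coverage-versus-energy trade the disclosure aims to balance.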