Detecting Malicious Behavior in OpenWrt with QEMU Tracing

Author: Porter, Jeremy
Language: English
Year of publication: 2019
Subject:
Document type: Text
Description: In recent years embedded devices have become more ubiquitous than ever before and are expected to continue this trend. Embedded devices typically have a single or narrowly focused purpose, a small footprint, and often interact with the physical world. Examples include routers, wearable heart rate monitors, and thermometers. These devices are good at providing real-time data or completing a specific task quickly, but they lack many of the features that make security issues visible. Generally, embedded devices are not easily secured. Malware or rootkits in the firmware of an embedded system are difficult to detect because embedded devices do not have the usual human interfaces such as a keyboard, video, or a mouse. Traditional rootkits come in three variants: binary, library, and kernel. Binary rootkits replace a binary in the operating system, such as ls (list files) or ps (list processes), with a trojaned copy. Library rootkits replace system libraries with malicious code that intercepts calls as they pass between user space and the kernel and returns incomplete or false information. Kernel rootkits hook directly into the kernel and return false or incomplete information from system calls; they are often loadable kernel modules (LKMs) that can be installed at run time. Existing countermeasures and detection methods typically require dedicated security hardware, or scanning the system in the traditional way with interactive input/output available to an end user or security researcher. These methods do not work well on embedded devices, which lack both additional security hardware and a keyboard, video, or mouse for interaction. A more tailored and focused approach is required. This thesis takes a step toward building a framework for embedded device security auditing. The first component of this framework is a malicious router; the second component is QEMU, used to trace the execution of the malicious router.
An example OpenWrt router with malicious behavior is demonstrated. The system consists of a client, a router, and a server. The router runs the mitmproxy software, which is used to monitor and modify HTTP requests. The client uses wget and the server uses uhttpd to simulate an HTTP request/response exchange. The router is able to inject into or modify HTTP requests and return a response different from what the server would provide. The second component, QEMU with tracing, is explored and shown to be an effective means of obtaining truthful data about the operation of the malicious router, because the trace is collected by the emulator rather than by software running on the suspect system. We believe this framework is a flexible paradigm for examining embedded device firmware. QEMU offers multiple tracing methods, with more granular data available as required. In conclusion, we propose a two-part detection method for rootkits in embedded devices: the first part is a suspect system, demonstrated by a router that performs HTTP injection; the second part uses QEMU to trace the execution of the suspect system with some level of trust. We also discuss additional malicious systems that can be built with the Diamorphine rootkit.
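The detection idea in the setup above, observing the same HTTP exchange from a vantage point the router cannot tamper with and diffing it against what the client received, can be reduced to a cross-view comparison of two captured responses. The following is an added example, not code from the thesis: it parses two constructed HTTP/1.1 responses (one as uhttpd would serve it, one as the client receives it through the router), checks that each one's Content-Length matches its body, and reports every status-line, header and body difference. The sample responses, the injected script tag and the function names are constructed for illustration.

```python
"""Cross-view check for HTTP injection by an on-path router (added example).

The reference response is what the server sent; the observed response is what
the client received through the router. Any difference is evidence that the
router modified the exchange. All sample data below is constructed.
"""
import difflib
import hashlib

# Constructed: the response uhttpd would return for GET /index.html (39-byte body).
SERVER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"<html><body>Hello, client</body></html>"
)

# Constructed: the same response after the router injected a script tag and
# fixed up Content-Length (64-byte body), as a careful injector would.
CLIENT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    b"<html><body>Hello, client<script>alert(1)</script></body></html>"
)

# Constructed: a sloppy injector that appended to the body without fixing
# Content-Length; the framing mismatch alone gives it away.
BROKEN_RESPONSE = CLIENT_RESPONSE.replace(b"Content-Length: 64", b"Content-Length: 39")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into status line, headers and body.

    Raises ValueError when Content-Length does not match the bytes received.
    Header names are lower-cased so the comparison is case-insensitive.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            raise ValueError(f"Content-Length {declared} but body has {len(body)} bytes")
    return {"status": lines[0], "headers": headers, "body": body}


def framing_ok(raw):
    """True when the response parses and its Content-Length is consistent."""
    try:
        parse_response(raw)
        return True
    except ValueError:
        return False


def compare_responses(reference_raw, observed_raw):
    """Return a list of human-readable findings; empty means no tampering seen."""
    ref = parse_response(reference_raw)
    obs = parse_response(observed_raw)
    findings = []
    if ref["status"] != obs["status"]:
        findings.append(f"status line changed: {ref['status']!r} -> {obs['status']!r}")
    # Walk the union of header names so additions and removals are both caught.
    for name in sorted(set(ref["headers"]) | set(obs["headers"])):
        r, o = ref["headers"].get(name), obs["headers"].get(name)
        if r is None:
            findings.append(f"header added by router: {name}: {o}")
        elif o is None:
            findings.append(f"header removed by router: {name}")
        elif r != o:
            findings.append(f"header changed: {name}: {r!r} -> {o!r}")
    # Hash first (cheap, works on binary bodies), diff only when they differ.
    if hashlib.sha256(ref["body"]).digest() != hashlib.sha256(obs["body"]).digest():
        diff = difflib.unified_diff(
            ref["body"].decode("utf-8", "replace").splitlines(),
            obs["body"].decode("utf-8", "replace").splitlines(),
            "server", "client", lineterm="")
        findings.append("body modified:\n" + "\n".join(diff))
    return findings


if __name__ == "__main__":
    for finding in compare_responses(SERVER_RESPONSE, CLIENT_RESPONSE):
        print(finding)
    print("broken framing detected:", not framing_ok(BROKEN_RESPONSE))
```

In the thesis's setting the reference capture would come from the uhttpd side (or from a QEMU trace of the router, which the router's own software cannot falsify), and the observed capture from the wget client; the comparison itself does not depend on how either capture was obtained.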
Database: Networked Digital Library of Theses & Dissertations