
DScope: To Reliably and Securely Acquire Live Data from Kernel-Compromised ARM Devices

  • Conference paper
  • Computer Security – ESORICS 2023 (ESORICS 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14347)

Abstract

Live data acquisition from a mobile device controlled by a corrupted kernel is challenging, as the adversary can block data reporting from the inside and also sabotage external I/O interactions. This paper proposes DScope as a reliable live data acquisition system for ARM devices that does not trust their kernels. It ensures that a device user can always launch DScope to securely extract the needed virtual memory data when the device is under attack. Besides its reliability, DScope also preserves kernel semantics and supports user-customized acquisition routines. We have built a prototype of DScope on a Raspberry Pi 4 development board and have also tested DScope's reliability against various forms of denial-of-service attacks. Our experiments show that a user can dynamically import data acquisition routines to the device to extract kernel objects and runtime stacks from an attack scene or a kernel crash site.



Acknowledgement

We thank anonymous reviewers and the shepherd for their revision suggestions. This research/project is supported by the National Research Foundation, Singapore, and Cyber Security Agency of Singapore under its National Cybersecurity R&D Programme, National Satellite of Excellence in Mobile Systems Security and Cloud Security (NRF2018NCR-NSOE004-0001). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore and Cyber Security Agency of Singapore.

Author information

Corresponding author: Xuhua Ding.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Chen, Z., Qiu, H., Ding, X. (2024). DScope: To Reliably and Securely Acquire Live Data from Kernel-Compromised ARM Devices. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14347. Springer, Cham. https://doi.org/10.1007/978-3-031-51482-1_14

  • DOI: https://doi.org/10.1007/978-3-031-51482-1_14
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-51481-4
  • Online ISBN: 978-3-031-51482-1