Interrupt And IPC Driven Kernel Framework For Prevention Against Smartphone Malware

Open Access
Chaugule, Ashwin
Graduate Program:
Computer Science and Engineering
Master of Science
Document Type:
Master Thesis
Date of Defense:
March 16, 2009
Committee Members:
  • Sencun Zhu, Thesis Advisor
Keywords:
  • ipc
  • interrupts
  • kernel
  • smartphones
  • malware
  • security
Smartphones have several network interfaces, such as WiFi, Bluetooth and GSM. Since today's telephony infrastructure supports 3G and various other data-transfer protocols such as WAP, GPRS and EVDO, it is possible to bring the desktop internet experience to the handheld device. With this comes the same level of security risk that we see on desktop machines. There is extensive research on securing such desktops, but efforts to secure handheld devices are only recent. The limited computing power of such devices restricts the portability of security solutions from the desktop to embedded systems. Due to these restrictions, there is a need to optimize the security solutions without compromising their effectiveness. The key idea behind the solutions presented here is to detect a real user's intent to trigger an event such as sending an SMS or making a phone call. Malware that attempts to perform these events tries to do so without the knowledge of the user, and hence the events it triggers are generated purely in software. The way to differentiate these events is to monitor the hardware interrupts generated by the keypad or touchscreen of the device, since that is the only way a real user can begin an event such as sending a message or making a call. Our framework resides entirely in the kernel and adopts a specification-based prevention approach. The specification is defined by signatures of application behavior expressed as their inter-process communication patterns. By requiring the hardware interrupt as a necessary event for any function of the device, followed by a signature-defined communication pattern, we are able to prevent two of the most common attacks found on mobile devices (messaging and covert audio channel attacks). The framework is lightweight and has almost negligible overhead (20 microseconds) during the normal functionality of the running system.
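As an added illustration (not the thesis's own kernel code), the following small user-space model in Python captures the gating logic the abstract describes: a sensitive action such as sending an SMS is permitted only if a keypad or touchscreen interrupt occurred recently and the IPC messages seen since that interrupt match the action's signature. The interrupt window, process names and signatures are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model, not the thesis's kernel code. Only these sources are raised
# by physical input; the intent window is an assumed value.
HW_INTERRUPT_SOURCES = {"keypad", "touchscreen"}
INTERRUPT_WINDOW_MS = 2000
# Assumed specification: ordered IPC chain (sender, receiver) of a legitimate action.
SIGNATURES = {
    "send_sms": [("ui_messaging", "telephony_daemon"), ("telephony_daemon", "radio_interface")],
    "record_audio": [("ui_recorder", "audio_daemon"), ("audio_daemon", "audio_driver")],
}


@dataclass
class Monitor:
    """Kernel-side state: last user interrupt plus the IPC messages seen."""
    last_interrupt_ms: Optional[int] = None
    ipc_log: List[Tuple[str, str, int]] = field(default_factory=list)

    def on_interrupt(self, source: str, t_ms: int) -> None:
        if source in HW_INTERRUPT_SOURCES:   # software cannot raise these
            self.last_interrupt_ms = t_ms

    def on_ipc(self, sender: str, receiver: str, t_ms: int) -> None:
        self.ipc_log.append((sender, receiver, t_ms))

    def allow(self, action: str, t_ms: int) -> Tuple[bool, str]:
        """Gate a sensitive action; returns (permitted, reason)."""
        sig = SIGNATURES[action]
        # Necessary event: a recent keypad/touchscreen interrupt.
        if self.last_interrupt_ms is None or t_ms - self.last_interrupt_ms > INTERRUPT_WINDOW_MS:
            return False, "no recent hardware interrupt"
        # Then the IPC chain seen since that interrupt must end with the signature.
        since = [(s, r) for s, r, t in self.ipc_log if t >= self.last_interrupt_ms]
        if since[-len(sig):] != sig:
            return False, "IPC pattern does not match signature"
        return True, "ok"


def run_scenarios() -> dict:
    """Constructed traces: a user-initiated SMS and a software-only one."""
    user = Monitor()
    user.on_interrupt("touchscreen", 1000)           # user taps Send
    user.on_ipc("ui_messaging", "telephony_daemon", 1010)
    user.on_ipc("telephony_daemon", "radio_interface", 1020)
    silent = Monitor()                                # no interrupt at all
    silent.on_ipc("background_svc", "radio_interface", 5000)
    return {"user": user.allow("send_sms", 1030),
            "silent": silent.allow("send_sms", 5010)}
```

The second check matters as much as the first: a process that waits for the user to tap something unrelated and then writes to the radio interface directly is still refused, because its IPC chain does not match the signature.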