Chapter

Computer Security - ESORICS 2014

Volume 8712 of the series Lecture Notes in Computer Science pp 202-218

TrustDump: Reliable Memory Acquisition on Smartphones

  • He SunAffiliated withState Key Laboratory of Information Security, Institute of Information Engineering, CASData Assurance and Communication Security Research Center, CASUniversity of Chinese Academy of SciencesGeorge Mason University
  • , Kun SunAffiliated withGeorge Mason University
  • , Yuewu WangAffiliated withState Key Laboratory of Information Security, Institute of Information Engineering, CASData Assurance and Communication Security Research Center, CAS
  • , Jiwu JingAffiliated withState Key Laboratory of Information Security, Institute of Information Engineering, CASData Assurance and Communication Security Research Center, CAS
  • , Sushil JajodiaAffiliated withGeorge Mason University

* Final gross prices may vary according to local VAT.

Get Access

Abstract

With the wide usage of smartphones in our daily life, new malware is emerging to compromise the mobile OS and steal the sensitive data from the mobile applications. Anti-malware tools should be continuously updated via static and dynamic malware analysis to detect and prevent the newest malware. Dynamic malware analysis depends on a reliable memory acquisition of the OS and the applications running on the smartphones. In this paper, we develop a TrustZone-based memory acquisition mechanism called TrustDump that is capable of reliably obtaining the RAM memory and CPU registers of the mobile OS even if the OS has crashed or has been compromised. The mobile OS is running in the TrustZone’s normal domain, and the memory acquisition tool is running in the TrustZone’s secure domain, which has the access privilege to the memory in the normal domain. Instead of using a hypervisor to ensure an isolation between the OS and the memory acquisition tool, we rely on ARM TrustZone to achieve a hardware-assisted isolation with a small trusted computing base (TCB) of about 450 lines of code. We build a TrustDump prototype on Freescale i.MX53 QSB.

Keywords

TrustZone Non-Maskable Interrupt Memory Acquisition