TrustDump: Reliable Memory Acquisition on Smartphones

  • He Sun
  • Kun Sun
  • Yuewu Wang
  • Jiwu Jing
  • Sushil Jajodia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8712)


With the wide usage of smartphones in our daily life, new malware is emerging to compromise the mobile OS and steal sensitive data from mobile applications. Anti-malware tools should be continuously updated via static and dynamic malware analysis to detect and prevent the newest malware. Dynamic malware analysis depends on reliable memory acquisition of the OS and the applications running on the smartphone. In this paper, we develop a TrustZone-based memory acquisition mechanism called TrustDump that is capable of reliably obtaining the RAM and CPU registers of the mobile OS even if the OS has crashed or has been compromised. The mobile OS runs in TrustZone’s normal domain, and the memory acquisition tool runs in TrustZone’s secure domain, which has access privileges to the memory in the normal domain. Instead of using a hypervisor to isolate the OS from the memory acquisition tool, we rely on ARM TrustZone to achieve hardware-assisted isolation with a small trusted computing base (TCB) of about 450 lines of code. We build a TrustDump prototype on a Freescale i.MX53 QSB.


Keywords: TrustZone, Non-Maskable Interrupt, Memory Acquisition





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • He Sun (1, 2, 3, 4)
  • Kun Sun (4)
  • Yuewu Wang (1, 2)
  • Jiwu Jing (1, 2)
  • Sushil Jajodia (4)

  1. State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing, P.R. China
  2. Data Assurance and Communication Security Research Center, CAS, Beijing, P.R. China
  3. University of Chinese Academy of Sciences, Beijing, P.R. China
  4. George Mason University, Fairfax, USA
