HIMDroid—A Measurement of Android Kernel Based on Kernel Data Invariants

Abstract

In order to reduce the threat of rootkits to the integrity of Android system, based on kernel data invariants, an Android kernel measurement method HIMDroid is proposed. Recent work has demonstrated that rootkits malicilously modify not only control data but also non-control data. HIMDroid can detect rootkits modifying both control and non-control data. The data structures of the measured kernel invariants are gained by analyzing the kernel control and non-control data that affect the integrity of the kernel during the running of the Android system. By using ARM virtualization technology, HIMDroid separates the measurement module from the measured Android system, preventing the measurement software being attacked. These core data structures of the measured kernel invariants are reconstructed and analyzed in the measurement module. HIMDroid, on the one hand, measures control data and non-control data in the Android kernel while eliminating the attack surface of the Android kernel layer to the measurement software, and effectively reducing the TCB (trusted computing base) of the monitoring model; on the other hand, it has no significant performance loss.