Abstract

A root attack is an unauthorized process of gaining the highest privilege by exploiting the vulnerabilities of a system. After that, attackers can fully control the system, arbitrarily access system resources, and steal private and sensitive information. Fortunately, such root attacks are traceable and detectable by system detection tools, as they cannot wholly remove their fingerprints, such as the UID and setuid files. In this paper, we propose a new, powerful and stealthy root attack, named super root. Compared to traditional root, which grants a user process root privilege, our super root technique escalates a piece of code to the hypervisor privilege, which is typically left unoccupied in real ARM devices with virtualization support. The super root can do whatever traditional root does, and can also efficiently perform Virtual Machine Introspection (VMI)-based attacks, such as monitoring system events or stealing credential information. The super root can remove its memory fingerprints and thus make itself stealthy to both the kernel and all user detection tools. We implement two VMI-based super root attacks on Pi-top, a Raspberry Pi powered machine. We measure their performance overheads using two existing benchmark tools and do the security evaluations using root detection tools. The results show that the overhead of the super root is negligible, and that the root detection tools cannot detect the existence of the super root.
