File: 2019-08-03_thesis.pdf (1.89 MB)
Detecting Malicious Behavior in OpenWrt with QEMU Tracing
Author Info
Porter, Jeremy
ORCID® Identifier
http://orcid.org/0000-0001-8873-1972
Permalink:
http://rave.ohiolink.edu/etdc/view?acc_num=wright1564840733498961
Abstract Details
Year and Degree
2019, Master of Science in Cyber Security (M.S.C.S.), Wright State University, Computer Engineering.
Abstract
In recent years embedded devices have become more ubiquitous than ever before and are expected to continue this trend. Embedded devices typically have a singular or more focused purpose, a smaller footprint, and often interact with the physical world. Some examples include routers, wearable heart rate monitors, and thermometers. These devices are excellent at providing real-time data or completing a specific task quickly, but they lack many of the features that make security issues more obvious. Generally, embedded devices are not easily secured. Malware or rootkits in the firmware of an embedded system are difficult to detect because embedded devices do not have the usual human interfaces such as a keyboard, video, or a mouse. Traditional rootkits typically come in three variants: binary, library, and kernel. Binary rootkits aim to replace a binary file in the operating system such as ls (list files) or cd (change directory). Library rootkits replace system libraries with malicious code that can intercept system calls and provide incomplete or false information as it is relayed between user and kernel space. Kernel rootkits hook directly into the kernel and provide false or incomplete information to system calls. Kernel rootkits are often loadable kernel modules (LKMs) that can be installed at run time. Typically, countermeasures and detection methods require specific security hardware tools or scanning the system in a traditional way with some interactive inputs/outputs provided to an end user or security researcher. These methods don't work well with embedded devices that lack additional security hardware and a keyboard, video, or mouse to display or interact with. A more tailored and focused approach is required for embedded devices. This thesis takes a step toward building a framework for embedded device security auditing. The first component of this framework is a malicious router; the second component is QEMU, used to trace the execution of the malicious router.
An example OpenWrt router with malicious behavior is demonstrated. The system consists of a client, a router, and a server. The router contains MITM Proxy software used to monitor and modify HTTP requests. The client uses wget and the server uses uhttpd to simulate an HTTP request/response scenario. The router is able to inject into or modify HTTP requests and provide a response different from what the server would provide. The second component, QEMU with tracing, is explored and shown to be an effective measure for providing truthful data about the operation of the malicious router. We believe this framework is a flexible paradigm for examining embedded device firmware. QEMU offers multiple tracing methods with more granular data as required. In conclusion, we propose a two-part detection method for detecting rootkits in embedded devices. The first part is a suspect system, demonstrated by a router that performs HTTP injection; the second part uses QEMU to trace the execution of the suspect system with some level of trust. We discuss some additional malicious systems that can be used with the Diamorphine rootkit.
Committee
Junjie Zhang, Ph.D. (Advisor)
Krishnaprasad Thirunarayan, Ph.D. (Committee Member)
Meilin Liu, Ph.D. (Committee Member)
Pages
85 p.
Subject Headings
Computer Engineering; Computer Science
Keywords
embedded devices; malware; rootkits; malicious router; QEMU; OpenWrt; HTTP request
Recommended Citations
APA Style (7th edition)
Porter, J. (2019). Detecting Malicious Behavior in OpenWrt with QEMU Tracing [Master's thesis, Wright State University]. OhioLINK Electronic Theses and Dissertations Center. http://rave.ohiolink.edu/etdc/view?acc_num=wright1564840733498961
MLA Style (8th edition)
Porter, Jeremy. Detecting Malicious Behavior in OpenWrt with QEMU Tracing. 2019. Wright State University, Master's thesis. OhioLINK Electronic Theses and Dissertations Center, http://rave.ohiolink.edu/etdc/view?acc_num=wright1564840733498961.
Chicago Manual of Style (17th edition)
Porter, Jeremy. "Detecting Malicious Behavior in OpenWrt with QEMU Tracing." Master's thesis, Wright State University, 2019. http://rave.ohiolink.edu/etdc/view?acc_num=wright1564840733498961
Document number:
wright1564840733498961
Download Count:
1,117
Copyright Info
© 2019, some rights reserved.
Detecting Malicious Behavior in OpenWrt with QEMU Tracing by Jeremy Porter is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Based on a work at etd.ohiolink.edu.
This open access ETD is published by Wright State University and OhioLINK.