隨著智慧型手機的大量普及，智慧型手機已經成為重要的日常工
具，其可以做的事情已經足以比擬一台桌上型電腦。而在智慧型手機
成為提供重要服務的工具，像是存取網路銀行、線上消費、辦公文件
等，其安全性就顯得更加重要。目前Google所開發的Android手機作
業系統是市佔率最高，自然就成為很多惡意攻擊的目標。
在目前眾多針對Android系統的攻擊中，其中一種手法是取得手
機的最高管理者權限（Root Escalation），一旦惡意程式透過系統的
漏洞拿到管理者權限，惡意程式便可以在手機中植入各種惡意的系統
監控，以及任意的資源存取，也可以在暗中安裝各種程式到手機中，
對手機將造成極大的傷害。
本論文提出一個系統RootGuard，透過修改Android底層的Linux
Kernl去偵測系統中是否有任何的惡意舉動，以程式行為為基礎去偵測
這些惡意軟體，並而做出防範的行動，來達到阻止惡意程式入侵系統
的行為。

Smartphone has gain a lot of attention in recent years. It pro-
vides lots of important features such as checking bank accounts and
receive emails. It has been as important as a PC nowadays. As the
importance of smartphone arise, the security has became a signicant
consideration. Currently, Google has developed an operating system
Android with highest market share. So it has been a main target for
attackers.
Among the attack methods, Root Escalation is one of the most
frequently used method to attack Android system. Once the attacker
gain root privilege of system, he or she can do almost anything they
want, including accessing user's private data and inject malicious ap-
plications into the phone. This may cause a lot of damage for user.
This paper propose a system called RootGuard. It modies the
Linux kernel underlying the Android framework to achieve detecting
any illegal behaviours in the system. Further more, it stops the ma-
licious applications by applying policies of illegal behaviours. Finally,
this system can prevent user from Root Escalation attack.

[1] BI Intellengence. Chart of the day: Smartphone sales
are on the verge of overtaking feature phone sales.
http://www.businessinsider.com/chart-of-the-day-
smartphones-to-beat-feature-phone-sales-2013-6, June
2013.
[2] Google Inc. Google I/O 2013 keynote. https://developers.
google.com/live/shows/517795853, May 2013.
[3] TrendMicro Inc. 2012 mobile threat and security roundup. http:
//www.trendmicro.com/cloud-content/us/pdfs/security-
intelligence/reports/rpt-repeating-history.pdf, 2013.
[4] Google Inc. Android architecture. http://developer.android.
com/images/system-architecture.jpg, May 2013.
[5] The IEEE and The Open Group. sh - shell, the standard
command language interpreter. http://pubs.opengroup.org/
onlinepubs/9699919799/utilities/sh.html.
[6] Intrepidus Group. Android root source code: Looking at
the c-skills. https://intrepidusgroup.com/insight/2010/09/
android-root-source-code-looking-at-the-c-skills/.
[7] C-Skills. Droid2. http://c-skills.blogspot.tw/2010/08/
droid2.html.
[8] National Vulnerability Database. Vulnerability summary for
cve-2011-1823. http://web.nvd.nist.gov/view/vuln/detail?
vulnId=CVE-2011-1823.
[9] Xuxian Jiang. Gingermaster: First android malware utilizing
a root exploit on android 2.3 (gingerbread). http://www.csc.
ncsu.edu/faculty/jiang/GingerMaster/.
[10] C-Skills. yummy yummy, gingerbreak! http://c-skills.
blogspot.tw/2011/04/yummy-yummy-gingerbreak.htmll.
[11] National Vulnerability Database. Vulnerability summary for
cve-2013-2094. http://web.nvd.nist.gov/view/vuln/detail?
vulnId=CVE-2013-2094.
[12] Joe Damato. A closer look at a recent privilege escalation bug
in linux (cve-2013-2094). http://timetobleed.com/a-closer-
look-at-a-recent-privilege-escalation-bug-in-linux-
cve-2013-2094/.
[13] Xuxian Jiang. Security alert: New sophisticated android malware
droidkungfu found in alternative chinese app markets. http://
www.csc.ncsu.edu/faculty/jiang/DroidKungFu.html.
[14] Lookout. Security alert: Droiddream malware found in ocial
android market. https://blog.lookout.com/blog/2011/03/
01/security-alert-malware-found-in-official-android-
market-droiddream/.
[15] Lookout. Android malware droiddream: How it works.
https://blog.lookout.com/blog/2011/03/02/android-
malware-droiddream-how-it-works/.
[16] Lookout. Security alert: Droiddreamlight, new malware from
the developers of droiddream. https://blog.lookout.com/
blog/2011/05/30/security-alert-droiddreamlight-new-
malware-from-the-developers-of-droiddream/.
[17] William Enck, Peter Gilbert, Byung-Gon Chun, Landon P Cox,
Jaeyeon Jung, Patrick McDaniel, and Anmol N Sheth. Taint-
droid: An information-
ow tracking system for realtime privacy
monitoring on smartphones.
[18] Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer,
and Ahmad-Reza Sadeghi. Xmandroid: A new android evolution
to mitigate privilege escalation attacks. Technische Universitat
Darmstadt, Technical Report TR-2011-04, 2011.
[19] Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and
Marcel Winandy. Privilege escalation attacks on android. In In-
formation Security, pages 346{360. Springer, 2011.
[20] Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer,
Ahmad-Reza Sadeghi, and Bhargava Shastry. Towards taming
privilege-escalation attacks on android.
[21] Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. Hey, you,
get o of my market: Detecting malicious apps in ocial and
alternative android markets. In NDSS, 2012.
[22] Yeongung Park, ChoongHyun Lee, Chanhee Lee, J Lim, Sangchul
Han, Minkyu Park, and Seong-Je Cho. Rgbdroid: a novel
response-based approach to android privilege escalation attacks.
In Proceedings of the 5th USENIX conference on Large-Scale Ex-
ploits and Emergent Threats, LEET, volume 12, pages 9{9, 2012.
[23] Oracle vm virtualbox. https://www.virtualbox.org/.
[24] Contagio mobile. http://contagiominidump.blogspot.com/.
[25] Androidrank market analysis, stats and rankings. http://www.
androidrank.org/.
[26] Antutu benchmark. https://play.google.com/store/apps/
details?id=com.antutu.ABenchMark.
[27] Andebench. https://play.google.com/store/apps/details?
id=com.eembc.coremark.