COMS 6998-10, Spring 2013. Instructor: Li Erran Li (lel2139@columbia.edu), http://www.cs.columbia.edu/~lierranli/coms6998-10Spring2013/ Lecture 12: Mobile Platform Security: Attacks and Defenses (ID: 234780)
Slide 1

Cellular Networks and Mobile Computing
COMS 6998-10, Spring 2013
Instructor: Li Erran Li (lel2139@columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-10Spring2013/
Lecture 12: Mobile Platform Security: Attacks and Defenses
4/16/13

Slide 2

Mobile Security Attacks and Defenses
- Inter-application communication related attacks (Lianhao Qu and Joseph Orilogbon on QUIRE; Akhila on XManDroid)
  - Permission re-delegation (confused deputy attacks)
  - Collusion attacks
- System vulnerability based attacks (Ying-Chi Meng and Sichang Li on MoCFI)
  - Control flow attacks (code injection attacks)
  - Root exploits (e.g. the adbd bug used by the DroidKungFu malware)
- Application specific attacks (Jill Jermyn and Snigdha Challa on texting apps)
4/16/13 Cellular Networks and Mobile Computing (COMS 6998-10)
Slide 3

Towards Taming Privilege Escalation Attacks on Android
Sven Bugiel, Lucas Davi (TU Darmstadt/CASED, Germany)
Alexandra Dmitrienko (Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany)
Ahmad-Reza Sadeghi, Bhargava Shastry (Fraunhofer SIT/CASED, Darmstadt, Germany)
Thomas Fischer (Ruhr-University Bochum)
19th Annual Network & Distributed System Security Symposium (NDSS 2012)
@FraunhoferSIT/CASED 2012 Alexandra Dmitrienko, NDSS 2012 DO NOT DISTRIBUTE FURTHER

Slide 4

App Installation in Android
Android Market -> Movie Player -> Download -> App Permissions -> User judges whether the requested permissions are reasonable -> Install

Slide 5

Can apps go beyond their privileges?
YES: privilege escalation attacks
Slide 6

Confused Deputy Attack
Do not have the right permission? Ask your neighbor!
Malware (privileges: none) -> Benign app (privileges: P1) -> Android middleware -> Android OS
1) Invoke browser to download malicious files (Lineberry et al., BlackHat 2010)
2) Invoke Phone app to perform a phone call (Enck et al., TechReport 2008)
3) Invoke Android Scripting Environment to send SMS messages (Davi et al., ISC'2010)

Slide 7

Collusion Attack
Two (or more) apps collude to launch the attack
1) Apps communicate directly: Malware (privileges: P1) <-> Benign app (privileges: P2), both running on top of the Android system app / Android OS
Example: Claudio Marforio et al., TechReport ETH Zurich

Slide 8

Collusion Attack
Two (or more) apps collude to launch the attack
2) Apps communicate via covert (e.g., volume settings) or overt (e.g., content providers) channels in Android system components: Malware (privileges: P1) <-> Android system app <-> Benign app (privileges: P2)
Example: Soundcomber (Schlegel et al., NDSS'2011)
Slide 9

Inter-Application Communication
- Inter-process communication (IPC): Intents and remote procedure calls
- File system (files, Unix domain sockets)
- Network sockets
Figure: Application layer (App A, App B); Middleware (IPC, Reference Monitor); Linux kernel (File System, Network Sockets, discretionary access control of Linux)

Slide 10

Related Work
Figure: Android middleware (Installer, Reference Monitor, Permission Database, Dalvik VM) and Linux kernel, with App A (perm. P1) and App B (perm. P2, P3), annotated with prior systems: Saint, Apex, Kirin, CRePE, TaintDroid, AppFence, Porscha, Mediator, Paranoid Android, SELinux, QUIRE, IPC Inspection, TrustDroid, and static and offline analysis tools (ded, ComDroid, Stowaway); Sensitive Data
Slide 11

XManDroid: eXtended Monitoring on Android
- Monitors all communication channels between apps
- Validates whether the requested communication link complies with a system-centric security policy
Figure: same layering as Slide 9 (App A, App B in the application layer; IPC and Reference Monitor in the middleware; File System, Network Sockets and Linux discretionary access control in the kernel)

Slide 12

XManDroid Architecture
- Application layer: App A, App B
- Middleware layer: Reference Monitor, Decision Maker, Android Permissions, System View
- Kernel layer: Linux Discretionary Access Control, XManDroid Mandatory Access Control, File System/Internet Sockets
Operations mediated: Create File/Socket, Read/Write File/Socket

Slide 13

XManDroid's SystemView: Graph-based Representation
Vertices: Android core system components, application sandboxes, files, Internet sockets
Edges: IPC calls, access to files, socket connections

Slide 14

XManDroid: Simplified Example
Sandboxes A, B and C each communicate with the Android Core; A holds P1, B holds P2
Policy rule: Sandbox A: permission P1, no P2; Sandbox B: permission P2, no P1
Communication type: Direct (A <-> B)
Decision: Deny
Slide 15

XManDroid: Simplified Example
Sandbox A holds P1, Sandbox B holds P2; A and B are linked only through Sandbox C
Policy rule: Sandbox A: permission P1, no P2; Sandbox B: permission P2, no P1
Communication type: Indirect (A <-> C <-> B)
Decision: Deny
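The decision logic of Slides 14 and 15 in working form. This is an added Python illustration, not XManDroid's code: the graph, the sandbox names A, B and C, the single rule (P1, P2) and the treatment of the Android core as a trusted endpoint that does not forward links between apps are all assumptions made for the example. The policy check computes the connected component the requested link would create and denies the link if a sandbox holding P1 and a different sandbox holding P2 would end up in it, whether the two are joined directly or through intermediaries.

```python
from collections import deque


class SystemView:
    """Graph of the running system: vertices are application sandboxes (plus
    Android core components), edges are established communication links."""

    def __init__(self):
        self.perms = {}       # sandbox -> frozenset of granted permissions
        self.trusted = set()  # core components: endpoints, not forwarding paths (example assumption)
        self.links = {}       # sandbox -> set of directly linked sandboxes

    def add_sandbox(self, name, perms=(), trusted=False):
        self.perms[name] = frozenset(perms)
        self.links.setdefault(name, set())
        if trusted:
            self.trusted.add(name)

    def add_link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def component(self, start, extra_link=None):
        """Sandboxes transitively reachable from `start` over app-to-app links,
        computed as if `extra_link` (a pair) were already established."""
        adj = {k: set(v) for k, v in self.links.items()}
        if extra_link is not None:
            x, y = extra_link
            adj[x].add(y)
            adj[y].add(x)
        seen, todo = {start}, deque([start])
        while todo:
            cur = todo.popleft()
            if cur in self.trusted and cur != start:
                continue                      # do not route through core components
            for nxt in adj[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen


class Policy:
    """Each rule (p1, p2) forbids a sandbox holding p1 from being linked,
    directly or transitively, with a different sandbox holding p2."""

    def __init__(self, rules):
        self.rules = [tuple(r) for r in rules]

    def decide(self, view, a, b):
        """Decision for a requested link a<->b: ('allow'|'deny', reason)."""
        comp = view.component(a, extra_link=(a, b))
        for p1, p2 in self.rules:
            holders1 = {s for s in comp if p1 in view.perms[s]}
            holders2 = {s for s in comp if p2 in view.perms[s]}
            if any(x != y for x in holders1 for y in holders2):
                direct = any({a, b} == {x, y} for x in holders1 for y in holders2)
                kind = 'direct' if direct else 'indirect'
                return 'deny', f'{kind} link would join {p1}@{sorted(holders1)} with {p2}@{sorted(holders2)}'
        return 'allow', 'no rule violated'


def build_example():
    """Slides 14 and 15: sandboxes A (P1), B (P2) and C (no permissions),
    each already talking to the Android core."""
    view = SystemView()
    view.add_sandbox('core', trusted=True)
    view.add_sandbox('A', ('P1',))
    view.add_sandbox('B', ('P2',))
    view.add_sandbox('C')
    for s in ('A', 'B', 'C'):
        view.add_link(s, 'core')
    return view, Policy([('P1', 'P2')])


def run():
    view, policy = build_example()
    results = {}
    results['A-B direct'] = policy.decide(view, 'A', 'B')[0]      # slide 14: deny
    results['A-C'] = policy.decide(view, 'A', 'C')[0]             # harmless: allow
    view.add_link('A', 'C')                                       # ... and establish it
    results['C-B indirect'] = policy.decide(view, 'C', 'B')[0]    # slide 15: deny (A reaches B via C)
    results['B-core'] = policy.decide(view, 'B', 'core')[0]       # core is not a forwarding path: allow
    return results


if __name__ == '__main__':
    for name, verdict in run().items():
        print(f'{name:14s} -> {verdict}')
```

The reachability runs over the whole system view, which is the point of the system-centric policy: a link that is harmless on its own (A to C) becomes the missing edge of a forbidden path once C asks to talk to B.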
Slide 16
Contributions
Design
- A general framework towards taming privilege escalation attacks
- System-centric policy enforcement
Implementation
- Kernel-level mandatory access control based on TOMOYO
- Callback channel between kernel level and the middleware
- System-centric IPC call chain tracking for Intents (inspired by QUIRE)
Tests
- Evaluation
- Study on inter-application communication

Slide 17

Evaluation
1. Effectiveness (attack prevention)
2. Performance
3. Rate of falsely denied communications

Slide 18

Study on Application Communication Patterns

Slide 19

IPC-based Application Communication

Slide 20

File and Socket-based Application Communication

Slide 21

Conclusion and Future Work
- First general approach towards tackling privilege escalation attacks (at application level)
- Runtime monitoring, but quite efficient
- No false negatives
- No false positives, but conceptually they are possible
Current work
- Large scale evaluation
- Automatic policy engineering
- Full IPC call chain tracking
- Applying the XManDroid framework: BizzTrust for domain isolation on Android
Slide 22

@TU Darmstadt/CASED 2012 Lucas Davi, NDSS 2012 DO NOT DISTRIBUTE FURTHER

Slide 23

Slide 24

Slide 25

Slide 26
Slide 27

Basic blocks BBL 1 to BBL 5: each has an entry, a sequence of instructions (ins, ins, ins, ...) and an exit
Entry: any instruction that is the target of a branch (e.g., first instruction of a function)
Exit: any branch (e.g., indirect or direct jump and call, return)

Slide 28

Same basic blocks; two ways an attacker diverts control flow at an exit:
1. Code injection: the exit is redirected into injected shellcode (malicious code)
2. ROP; ret2libc: the exit is redirected into existing library code (instruction sequences, library functions)
Entry: any instruction that is the target of a branch (e.g., first instruction of a function)
Exit: any branch (e.g., indirect or direct jump and call, return)

Slide 29
Slide 30

1. Insert LABEL instructions (that serve as nop instructions) at the beginning of each BBL: label_1 ... label_5 precede the entries of BBL 1 ... BBL 5

Slide 31

2. Rewrite all exit instructions with a control-flow check
CFI check at the exit of BBL 3 (whose legitimate successor is BBL 5): *BBL3[exit] == label_5

Slide 32

With the labels in place, both attacks of Slide 28 fail the check at the exit of BBL 3 (*BBL3[exit] == label_5):
1. Code injection: the injected shellcode does not start with label_5
2. ROP; ret2libc: the targeted library code does not start with label_5
Slide 33

Slide 34

Intel x86 approach [Abadi et al., CCS 2005]
- Not compatible with application signing
- Requires a sophisticated binary instrumentation framework (Vulcan) and debugging information
ARM
- Program counter directly accessible
- No dedicated return instructions
- Side effects of control-flow instructions, e.g., POP {r4-r7,pc}
- ARM supports two instruction sets (ARM/THUMB)
Smartphones
- Application signing
- Application encryption
- Typically, no access to source code
Slide 35

Contributions
1. First control-flow integrity framework for smartphone platforms
2. We present rewriting techniques that tackle unique challenges of smartphones
3. Our prototype for iOS requires no source code and efficiently performs CFI at runtime

Slide 36

MoCFI workflow, static analysis:
1. Unprotected and encrypted iOS binary
2. Preprocessor: decryption, disassembling
3. Unprotected plain iOS binary
4. Control-Flow Graph Generator (static analysis) produces the control-flow graph and the rewriting information (patchfile), e.g. for instructions such as "call Func_A"

Slide 37

MoCFI workflow, continued (steps 1-4 as on Slide 36), runtime enforcement:
5. MoCFI Library: Load-Time Module (binary rewriting) and Runtime Module (CFI enforcement)
6. CFI-protected iOS binary

Slide 38

MoCFI workflow, continued: in the CFI-protected binary, instructions such as "call Func_A" have been rewritten to "call CFI_Library" (step 7)

Slide 39
Slide 40

Load-Time Module – Binary Rewriting
Original iOS binary: Header; Code: Instruction, Instruction, ..., CALL Function, Instruction, Instruction, ..., INDIRECT JUMP, Instruction, BBL Entry, RETURN; Data
"BBL Entry" refers to an instruction that is the target of other branch instructions in the program
Note: 4-byte THUMB instruction!
MoCFI Runtime Module: Control-Flow Graph, Shadow Stacks

Slide 41

Load-Time Module – Binary Rewriting
Rewritten iOS binary: CALL Function becomes CALL Trampoline_1
Trampoline_1: save registers; JUMP Runtime_Module; reset registers; JUMP Function
"BBL Entry" refers to an instruction that is the target of other branch instructions in the program
MoCFI Runtime Module: Control-Flow Graph, Shadow Stacks

Slide 42

Load-Time Module – Binary Rewriting
Rewritten iOS binary: in addition, INDIRECT JUMP becomes JUMP Trampoline_2
Trampoline_2: previous instruction; save registers; JUMP Runtime_Module; reset registers; INDIRECT JUMP
"BBL Entry" refers to an instruction that is the target of other branch instructions in the program
MoCFI Runtime Module: Control-Flow Graph, Shadow Stacks

Slide 43

Load-Time Module – Binary Rewriting
Rewritten iOS binary: in addition, RETURN is replaced by #ILLEGAL INS; executing it raises an exception, and the Exception Handler passes control to the Runtime Module
Rewritten code layout: Header; Code: Instruction, Instruction, ..., CALL Trampoline_1, Instruction, JUMP Trampoline_2, Instruction, BBL Entry, #ILLEGAL INS; Data; Trampoline_1; Trampoline_2
"BBL Entry" refers to an instruction that is the target of other branch instructions in the program
MoCFI Runtime Module: Control-Flow Graph, Shadow Stacks; Exception Handler
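To make the two rewritings concrete, the following added Python model (not MoCFI's code, which rewrites ARM/THUMB binaries in place) represents code memory as a list of words. `label_check` is the rewritten exit of Slides 30-32 (*BBL3[exit] == label_5); `RuntimeModule` stands in for the runtime module of Slides 40-43: the trampolines validate call and indirect-jump targets against a control-flow graph, and the exception handler that replaces RETURN validates the return address against a shadow stack. The block addresses, the CFG and the injected block are constructed for the example.

```python
class CFIViolation(Exception):
    pass


LABEL, INS = 'label', 'ins'


class Program:
    """Code memory as a list of words. A basic block starts with a LABEL word
    (acts as a nop, slide 30) followed by ordinary instruction words."""

    def __init__(self):
        self.code = []
        self.entry = {}            # label id -> address of the LABEL word

    def add_bbl(self, label_id, n_ins):
        addr = len(self.code)
        self.code.append((LABEL, label_id))
        self.code.extend([(INS,)] * n_ins)
        self.entry[label_id] = addr
        return addr

    def inject(self, n_ins):
        """Bytes written by an attacker (slide 28, attack 1): no LABEL word."""
        addr = len(self.code)
        self.code.extend([(INS,)] * n_ins)
        return addr


def label_check(prog, target, expected_label):
    """The rewritten exit of slide 31: *BBL[exit] == label_expected.
    Rejects injected code (no label), a gadget in the middle of a block
    (no label) and a transfer into the wrong block (wrong label)."""
    if not 0 <= target < len(prog.code):
        return False
    word = prog.code[target]
    return word[0] == LABEL and word[1] == expected_label


class RuntimeModule:
    """MoCFI runtime module (slides 40-43): keeps the control-flow graph and
    the shadow stack; trampolines and the exception handler call into it."""

    def __init__(self, cfg):
        self.cfg = {site: set(targets) for site, targets in cfg.items()}
        self.shadow = []

    def trampoline_call(self, site, target, return_addr):
        # Trampoline_1: save registers, JUMP Runtime_Module, reset registers, JUMP Function
        if target not in self.cfg.get(site, ()):
            raise CFIViolation(f'call at {site} to {target} not in CFG')
        self.shadow.append(return_addr)
        return target

    def trampoline_indirect_jump(self, site, target):
        # Trampoline_2: previous instruction, save registers, JUMP Runtime_Module, reset registers, INDIRECT JUMP
        if target not in self.cfg.get(site, ()):
            raise CFIViolation(f'indirect jump at {site} to {target} not in CFG')
        return target

    def exception_handler_return(self, return_addr_on_stack):
        # RETURN was replaced by #ILLEGAL INS; the exception handler compares the
        # return address the program is about to use with the shadow stack.
        if not self.shadow or self.shadow[-1] != return_addr_on_stack:
            raise CFIViolation(f'return to {return_addr_on_stack} disagrees with shadow stack')
        self.shadow.pop()
        return return_addr_on_stack


def build_program():
    """BBL 1, BBL 3 and BBL 5 of the slides plus an injected block. The CFG
    allows the call at the end of BBL 1 and the indirect jump at the end of
    BBL 3 to reach BBL 5 only (constructed layout)."""
    prog = Program()
    prog.add_bbl(1, 3)          # words 0..3
    prog.add_bbl(3, 3)          # words 4..7
    prog.add_bbl(5, 3)          # words 8..11
    shellcode = prog.inject(4)  # words 12..15
    cfg = {3: {prog.entry[5]}, 7: {prog.entry[5]}}
    return prog, cfg, shellcode


def run():
    prog, cfg, shellcode = build_program()
    out = {
        'bbl3->bbl5': label_check(prog, prog.entry[5], 5),
        'bbl3->shellcode': label_check(prog, shellcode, 5),
        'bbl3->bbl3 (wrong block)': label_check(prog, prog.entry[3], 5),
        'bbl3->mid-bbl5 gadget': label_check(prog, prog.entry[5] + 1, 5),
    }
    rm = RuntimeModule(cfg)
    rm.trampoline_call(3, prog.entry[5], 4)            # legitimate call, return address 4
    out['return ok'] = rm.exception_handler_return(4) == 4
    rm.trampoline_call(3, prog.entry[5], 4)
    try:                                               # stack smash: return address now points into shellcode
        rm.exception_handler_return(shellcode)
        out['smashed return'] = 'allowed'
    except CFIViolation:
        out['smashed return'] = 'blocked'
    try:                                               # corrupted function pointer at BBL 3's exit
        rm.trampoline_indirect_jump(7, shellcode)
        out['hijacked jump'] = 'allowed'
    except CFIViolation:
        out['hijacked jump'] = 'blocked'
    return out


if __name__ == '__main__':
    for k, v in run().items():
        print(f'{k:28s} {v}')
```

The label scheme needs one word of free space in front of every block and decides only whether the target is a legitimate entry; the CFG plus shadow stack of the runtime module also pins each return to the call that produced it, which is why MoCFI keeps both structures.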
Slide 44
Library Injection
- Our MoCFI library is injected into the process of the application by setting DYLD_INSERT_LIBRARIES
Jailbreak?
- We require a jailbreak for setting one environment variable and installing our library
- In order to perform binary rewriting, we require the dynamic code-signing entitlement
Slide 45

Performance Measurements
Worst-case scenario: quicksort application that frequently demands a CFI check
Performance measurements for quicksort:
n        Without MoCFI   With MoCFI
100      0.047 ms        0.432 ms
1,000    0.473 ms        6.725 ms
10,000   6.186 ms        81.163 ms
Average overhead measurement with gensystek
Benchmarks and slowdown factor for gensystek (bar chart: time in seconds, 0 to 100, with MoCFI vs. without MoCFI):
Benchmark   FPU/ALU   PI Calc   MD5 Calc   ScrShot   RAM    Disk   Quartz2D   ResizeIMG   Trans3D
Factor      4.87      3.85      1.19       1.02      5.00   1.21   1.03       1.01        1.09
Applied MoCFI to popular iOS apps (e.g., Facebook, Texas Holdem, Minesweeper)
Slide 46

- First CFI framework for smartphone platforms
- It performs CFI enforcement on-the-fly at runtime
- Compatible with application signing/encryption and memory randomization (e.g., ASLR)
- Requires no access to source code
Ongoing Work
- CFI for native iOS libraries
- Formal analysis
- CFI for Android
Slide 47

Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications
Sebastian Schrittwieser

Slide 48

Smartphone Messaging
- Aim at replacing traditional text messaging (SMS) and GSM/CDMA/3G calls
- Free phone calls and text messages over the Internet
- Novel authentication concept: phone number used as single authenticating identifier

Slide 49

Figure: messaging apps exchange traffic over the Internet rather than over the telecom infrastructure

Slide 50

Motivation: traditional SMS/talk vs. messenger/VoIP apps
- Protocol: proprietary vs. HTTP(S), XMPP
- Security: cryptographically sound authentication (SIM card) vs. application dependent, much weaker authentication (phone number, IMEI, UDID)
- Users' perception: SMS/talk

Slide 51

Evaluation
- Authentication mechanism and account hijacking
- Sender ID spoofing / message manipulation
- Unrequested SMS / phone calls
- User enumeration
- Modifying status messages

Slide 52

Experimental Setup
- Samsung Nexus S running Android 2.3.3 and Apple iPhone 4 running iOS 4.3.3
- SSL proxy to read encrypted HTTPS traffic
- Used to understand the protocol, not for the actual attack (i.e., the attacks do not rely on a MITM between victim and server)!

Slide 53

Certificates?

Slide 54
Slide 55

Evaluated applications: WhatsApp, WowTalk, Viber, Forfone, Tango, EasyTalk, Voypi, eBuddy XMS, HeyTell

Slide 56

WhatsApp
Paper: Guess who's texting you? Evaluating the Security of Smartphone Messaging Applications
Schrittwieser, S., Frühwirt, P., Kieseberg, P., Leithner, M., Mulazzani, M., Huber, M., Weippl, E., NDSS 2012

Slide 57

WhatsApp
- Instant messaging
- Status messages
- 23+ million users worldwide (estimation)
- > 10 billion messages per day
- Clients available for Android, iOS, Symbian and BlackBerry

Slide 58

Slide 59

Authentication in WhatsApp

Slide 60

Slide 61

Attack against authentication

Slide 62

Attack against authentication
- Intercepting the connection between the server and the attacker's phone
- The victim's phone isn't involved in the attack at all
- Similar attacks successful in 6 out of 9 tested applications

Slide 63

WowTalk

Slide 64

Free SMS (WhatsApp)
- Authentication code in HTTPS request can be replaced with arbitrary text
- No server-side validation (command injection?)
- Forwarded to SMS proxy and sent via SMS
- Can be misused for sending free SMS

Slide 65

Status Messages

Slide 66

Slide 67

https://s.whatsapp.net/client/iphone/u.php?cc=countrycode&me=phonenumber&s=statusmessage
Slide 68

Sender ID spoofing
Example: Forfone
- Messages are authenticated by IMEI (Android) or UDID (iOS)
- Both numbers can be accessed by 3rd party applications
Voypi: no authentication at all

Slide 69

User Enumeration
- Applications upload the user's address book to the server
- Server compares the contained phone numbers to already registered phone numbers
- Server returns a subset list containing only phone numbers that are registered
- Entire user base enumeration?

Slide 70

User Enumeration: US area code 619 (Southern San Diego)
- Number range: +1 (619) XXX-XXXX, 10 million possible phone numbers
- Uploaded entire number range in chunks of 5000 numbers each
- WhatsApp returned a subset containing 21,095 (active) phone numbers

Slide 71

Sample status messages returned:
On vacation
Sleeping
at work but not doing shit
Nicaragua in 4 days!!
Heartbroken
Missing my love!
At work ... Bleh.
On my way to Ireland!
I'm never drinking again

Slide 72

Slide 73

User Enumeration: entire Austria (population: 8.3 million)
- 4 carriers, 12.3 million SIM cards
- Uploaded entire number range in chunks of 5000 numbers each
- Server returned 182,793 WhatsApp users (phone number + status message) in less than 5 hours
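The sweep of Slides 70 and 73, and a server-side check that stops it, as an added Python illustration (not code from the paper or from any of the vendors). The server, the 10,000-number slice of the +1 619 range and the 37 "registered" users are constructed so the script runs offline; the per-account lookup quota is an assumed mitigation chosen for the example.

```python
import random


class ContactSyncServer:
    """Address-book matching as described on slide 69: every uploaded number
    that belongs to a registered user is echoed back, with no limit on how
    many numbers one account may look up."""

    def __init__(self, registered):
        self.registered = set(registered)

    def match(self, account, numbers):
        return sorted(n for n in numbers if n in self.registered)


class QuotaContactSyncServer(ContactSyncServer):
    """Same API, but each account may only ever query a bounded number of
    distinct phone numbers (quota chosen for this example: a real address
    book has hundreds of entries, an area-code sweep has millions)."""

    def __init__(self, registered, quota=2000):
        super().__init__(registered)
        self.quota = quota
        self.queried = {}       # account -> set of numbers already looked up

    def match(self, account, numbers):
        seen = self.queried.setdefault(account, set())
        seen.update(numbers)
        if len(seen) > self.quota:
            raise PermissionError(f'{account}: exceeded lookup quota of {self.quota} numbers')
        return super().match(account, numbers)


def number_range(prefix, digits):
    """Every number with the given prefix followed by `digits` digits."""
    for i in range(10 ** digits):
        yield f'{prefix}{i:0{digits}d}'


def build_registered(prefix, digits, count, seed=1):
    """Constructed sample user base: `count` random numbers in the range."""
    rng = random.Random(seed)
    picks = rng.sample(range(10 ** digits), count)
    return sorted(f'{prefix}{i:0{digits}d}' for i in picks)


def enumerate_users(server, account, prefix, digits, chunk=5000):
    """The sweep of slides 70 and 73: upload the whole range in fixed-size
    chunks and collect what comes back; stop as soon as the server refuses."""
    found, batch, chunks = [], [], 0
    try:
        for number in number_range(prefix, digits):
            batch.append(number)
            if len(batch) == chunk:
                found.extend(server.match(account, batch))
                chunks += 1
                batch = []
        if batch:
            found.extend(server.match(account, batch))
            chunks += 1
    except PermissionError:
        pass
    return found, chunks


if __name__ == '__main__':
    users = build_registered('+1619555', 4, 37)   # constructed 10,000-number slice of area code 619
    for srv in (ContactSyncServer(users), QuotaContactSyncServer(users)):
        found, chunks = enumerate_users(srv, 'attacker', '+1619555', 4)
        print(f'{type(srv).__name__:24s} chunks accepted={chunks} users leaked={len(found)}')
    legit = QuotaContactSyncServer(users)
    print('legitimate sync of 10 contacts:', legit.match('alice', users[:10]))
```

The quota is deliberately applied to distinct numbers seen per account rather than per request, so splitting the sweep into smaller chunks or re-uploading the same list does not help the attacker, while an ordinary address-book sync stays well under the limit.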
Slide 74

Results
Application   Account hijacking   Spoofing/manipulation   Unrequested SMS   Enumeration   Other vulnerabilities
WhatsApp      yes                 no                      yes               yes           yes
Viber         no                  no                      yes               yes           no
eBuddy XMS    no                  no                      yes               yes           no
Tango         yes                 no                      yes               yes           no
Voypi         yes                 yes                     yes               yes           yes
Forfone       no                  yes                     yes               yes           no
HeyTell       yes                 no                      no                limited       no
EasyTalk      yes                 no                      yes               yes           no
WowTalk       yes                 no                      yes               yes           yes

Slide 75

Responsible Disclosure
- Research between spring and fall 2011
- Vendors notified in November 2011
- Vulnerabilities weren't made public until NDSS
- WhatsApp fixed some vulnerabilities: account hijacking & free SMS (modifying status messages)

Slide 76

Independent Results (WhatsApp)
- Andreas Kurtz (June 2011): account hijacking
- SEC Consult Vulnerability Lab (September 2011): updating arbitrary users' status; account hijacking (brute force); usage of plain text protocols
- Several blog posts on WhatsApp security in 2011

Slide 77

Conclusions
- 6 out of 9 tested applications have broken authentication mechanisms
- Many other vulnerabilities
- All identified flaws stem from well-known software design and implementation errors: trusting the client, no input validation, no/weak authentication mechanisms
Slide 78

Additional Slides: Permission Re-delegation: Attacks and Defenses

Slide 79

Permission Re-delegation: Attacks and Defenses
Adrienne Porter Felt (1), Helen J. Wang (2), Alexander Moshchuk (2), Steve Hanna (1), Erika Chin (1)
(1) University of California, Berkeley; (2) Microsoft Research

Slide 80

Modern client platforms
- Applications are untrusted, or partially trusted
- Isolated from each other, except for IPC
- By default, denied access to private devices and data
- Users explicitly grant permissions for devices, data
- Each application may have its own set of permissions
Courtesy: Felt et al.

Slide 81

Permissions
Android, iOS, HTML5, browser extensions...

Slide 82

Permission re-delegation
- Permission re-delegation occurs when an application without a permission gains additional privileges through another application
- A special case of the confused deputy problem
- Privilege obtained through user permissions

Slide 83

Figure: Demo malware -> pressButton(0) -> Settings -> toggleWifi() -> API, with the Permission System checking the Settings app's call
Slide 84

Outline
- Threat model
- Permission re-delegation is a real problem, and systems should not permit permission re-delegation
- We propose IPC Inspection as a defense mechanism

Slide 85

The permission system
- Permission system enforces user's permission policy
Figure: Malware -> Deputy -> toggleWifi() -> Permission System -> API

Slide 86

The deputy
- Has user authorization
- Not malicious, but not a security watchdog
- Exposes public services
- Confused? Careless?
Figure: Malware -> Deputy -> toggleWifi() -> Permission System -> API

Slide 87

The attacker
- User installs/runs it, but doesn't trust it
- Exploits a deputy to access a resource
Figure: Malware -> pressButton(0) -> Deputy -> toggleWifi() -> Permission System -> API

Slide 88

Real world permission re-delegation attacks
Android case study, precautionary for the future of the web

Slide 89

Identifying candidates
- Two necessary preconditions for an attack: has a dangerous permission; has a public interface
- Analyzed manifests of 872 Android applications: 16 system apps, 756 most popular, 100 recently uploaded
- 320 apps (37%) are candidates for attacks

Slide 90

Finding exploits
- Built tool for finding attacks
- Call graph analysis: find paths from public entry points to protected API calls
- Manually verified all exploits

Slide 91

Attacks
- Built attacks using 5 of the 16 system apps
- Found 15 attacks in the 5 applications
- Several confirmed and fixed
- This is a lower bound; likely more exist

Slide 92

Attack on the Settings app
Demo malware sends the message "0://0#0" to com.android.settings.widget.SettingsAppWidgetProvider ("user pressed button[0]"); Settings then calls wifiManager.setWifiEnabled(true), which the Permission System allows because Settings holds the permission

Slide 93

More example attacks
DeskClock: start an internal service; tell it to infinitely vibrate with a WAKE_LOCK on
Phone: trigger the "phone call answered" message receiver; phone call will be silenced, vibrate cancelled

Slide 94

Preventing permission re-delegation

Slide 95

Our goals
- We don't want to rely on application developers for prevention
- Enable the system to prevent permission re-delegation
- We don't want to break applications
Slide 96

IPC Inspection
- When a deputy receives a message, the system reduces the deputy's permissions (for the session) to: {requester's permissions} ∩ {deputy's permissions}
- A deputy's current set of permissions captures its communication history
- Deputy can specify who can(not) send it messages
- Generalizes stack inspection to IPC calls

Slide 97

Handling a potential attack
- Time-of-use system: add a new runtime prompt for permission re-delegation
- Install-time system: requester must statically ask for necessary permissions; permission re-delegation is simply blocked at runtime

Slide 98

Application instances
- Deputy might need to service user and multiple app requesters simultaneously
- Solution: create one instance per request
- User interacts with primary instance
- When new interaction starts, create a new "application instance"
- Each instance has its own set of current permissions
- However, instances share app storage, etc.
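The reduction rule of Slide 96, the install-time handling of Slide 97 and the per-request instances of Slide 98, as an added Python model. It is not the authors' PackageManager/ActivityManager implementation; the app names, permission names and granted sets are constructed for the example. Each incoming message spawns a receiver instance whose current permissions are the intersection of the receiver's grants and the sender instance's current set, so a request that has passed through an unprivileged app can never regain the permission, while the instance the user interacts with keeps its full grants.

```python
class PermissionDenied(Exception):
    pass


class IpcInspection:
    """Permission system with IPC Inspection. Grants are fixed at install
    time; every application instance carries its own current set."""

    def __init__(self, granted):
        self.granted = {app: frozenset(perms) for app, perms in granted.items()}
        self.current = {}          # (app, instance_no) -> set of current permissions
        self.counter = 0

    def primary(self, app):
        """The instance the user interacts with; keeps full install-time permissions."""
        key = (app, 0)
        self.current.setdefault(key, set(self.granted[app]))
        return key

    def send(self, sender, receiver_app):
        """`sender` (an instance) sends an IPC message to `receiver_app`.
        A fresh receiver instance is created with permissions
        {requester's permissions} ∩ {deputy's permissions} (slide 96)."""
        self.counter += 1
        key = (receiver_app, self.counter)
        self.current[key] = set(self.granted[receiver_app]) & self.current[sender]
        return key

    def call_api(self, instance, permission):
        """Protected API call by `instance`; install-time system of slide 97:
        re-delegation is simply blocked, there is no prompt."""
        if permission not in self.current[instance]:
            raise PermissionDenied(f'{instance[0]} instance {instance[1]} lacks {permission}')
        return True


def attempt(system, instance, permission):
    try:
        system.call_api(instance, permission)
        return 'allowed'
    except PermissionDenied:
        return 'blocked'


def scenario():
    """Constructed apps: a Settings-like deputy, malware holding nothing, a
    widget that declared the permission, and a relay that forwards requests."""
    ps = IpcInspection({
        'settings': {'CHANGE_WIFI_STATE', 'WRITE_SETTINGS'},
        'malware':  set(),
        'widget':   {'CHANGE_WIFI_STATE'},
        'relay':    {'CHANGE_WIFI_STATE', 'INTERNET'},
    })
    out = {}
    user_settings = ps.primary('settings')
    out['user toggles wifi'] = ps.call_api(user_settings, 'CHANGE_WIFI_STATE')

    inst = ps.send(ps.primary('malware'), 'settings')                # slide 92 attack
    out['malware via settings'] = attempt(ps, inst, 'CHANGE_WIFI_STATE')

    inst = ps.send(ps.primary('widget'), 'settings')                 # requester declared it: fine
    out['widget via settings'] = attempt(ps, inst, 'CHANGE_WIFI_STATE')

    relay_inst = ps.send(ps.primary('malware'), 'relay')             # relay instance reduced to {}
    inst = ps.send(relay_inst, 'settings')                           # history travels with the chain
    out['malware via relay via settings'] = attempt(ps, inst, 'CHANGE_WIFI_STATE')

    out['user instance unaffected'] = ps.call_api(user_settings, 'CHANGE_WIFI_STATE')
    return out


if __name__ == '__main__':
    for name, verdict in scenario().items():
        print(f'{name:34s} {verdict}')
```

Because the reduction is computed from the sender instance's current set rather than its install-time grants, a chain of deputies behaves like stack inspection: the effective set can only shrink as a request is forwarded.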
Slide 99
Implementation
- Android implementation: modify PackageManager, ActivityManager
- PackageManager installs applications, stores permissions, enforces permission requirements
- ActivityManager notifies PackageManager when relevant events happen, e.g. starting an Activity, receiving a Broadcast Intent
- A few hundred lines of code

Slide 100

Evaluation
- Do we break applications?
- Do we stop attacks?

Slide 101

Broken applications (20 Android applications)
- Intentional deputy: 5 applications (25%)
- Requester: 6 applications (30%)
- One application is both an intentional deputy and a requester
- Developers might need to make changes to these applications; of those requesters, 2 of 6 (10% of apps) need to add permissions

Slide 102

Effectiveness at attack prevention (20 Android applications)
- Unintentional deputy: 4 applications (20%); IPC Inspection prevents these from being exploited
- Also stops all the attacks on the built-in system applications

Slide 103

Conclusion
- Real world permission re-delegation vulnerabilities exist
- A third of Android system applications contain permission re-delegation attacks
- Future systems should be designed to prevent permission re-delegation
- IPC Inspection: an OS mechanism that prevents permission re-delegation
- Install-time: some requesters will need to add permissions