Slide 1: Aurasium: Practical Policy Enforcement for Android Applications
Hassen Saidi, Rubin Xu, Ross Anderson, Usenix Security 2012.
Fall 2014. Presenter: Kun Sun, Ph.D.
Most slides are borrowed from https://www.usenix.org/sites/default/files/saidi_usenixsecurity12_slides.ppt
Slide 2: Goal
Address the multiple threats posed by malicious applications on Android.

Slide 3: Android Malicious Apps
[Figure-only slide; no text extracted.]
Slide 4: Introduction to Android: Security Features
- Process isolation: Linux user/group permissions.
- An app requests permission to OS functionalities.
- Most permissions are checked at the remote end, i.e. in system services.
- A few (Internet, Camera) are checked in the kernel, via membership in a special user group.
Slide 5: Introduction to Android: Security Features
[Diagram: the app process com.android.demo.app holds the application code (Activity, Service, Broadcast Receiver, Content Provider) on top of framework code, running in the Android Runtime (Dalvik VM). Across the process boundary, Binder (IPC) carries requests to the system services (Telephony Manager, Location Manager, Activity Manager, Package Manager, ...), where a permission check is performed in framework code. Across the kernel boundary, resources such as Socket and Camera are reached directly and the permission check is performed in the kernel.]
Slide 6: Malicious Android Apps
Abuse of permissions:
- Permissions are granted for as long as an app is installed on a device.
- No restrictions on how often resources and data are accessed.
- Access and transmit private data.
- Access to malicious remote servers.
- Application-level privilege escalation.
- Confused deputy attacks.
- Gain root privilege.
Slide 7: Alternative Approaches
- App vetting: Google's Bouncer
  - 40% decrease in malware.
  - Ineffective once the app is installed on the device.
  - Can be fingerprinted.
- AV products: scanning
  - Have no visibility into the runtime of an app.
- Fine-grained permission checking
  - Requires modifications to the OS.
- Virtualization
  - Requires modifications to the OS.
Slide 8: Related Work
Existing work:
- TaintDroid (OSDI 10)
- CRePE (ISC 10)
- AppFence (CCS 11)
- Quire (USENIX Security 2011)
- SELinux on Android
- Taming Privilege-Escalation (NDSS 2012)
Limitation: all modify the OS, which requires rooting and flashing firmware.
Slide 9: Related Approaches
[Diagram: a stack of Hardware, Linux kernel and Android middleware. The existing systems (Quire, SELinux, TaintDroid, AppFence, CRePE) are placed on the layer they modify, each labelled with the property it provides: information flow, access control, or call-chain IPC.]
Slide 10: Solution: Aurasium
[Diagram: the same Hardware / Linux kernel / Android middleware stack, with the OS layers crossed out: Aurasium modifies none of them. Instead it repackages apps to intercept all interactions with the OS, covering information flow, access control, call-chain IPC, and many more!]
Slide 11: Aurasium Internals: Two Problems to Solve
- Introducing alien code into an arbitrary application package.
- Reliably intercepting the application's interaction with the OS.
Slide 12: Aurasium Internals: How to Add Code to Existing Applications
Android application building and packaging process:
[Diagram: Java source code is compiled by javac into .class files, which dx converts into classes.dex. Application resources are compiled by aapt into compiled resources and AndroidManifest.xml. classes.dex, the compiled resources, AndroidManifest.xml and other files are zipped and signed into the application package (.apk).]
Slide 13: Aurasium Internals: How to Add Code to Existing Applications
[Diagram: apktool unpacks the application package into .smali files (from classes.dex), a textual AndroidManifest.xml, the compiled resources and other files. Aurasium inserts its own Java code, its metadata and its native library, and apktool rebuilds the result into the secured application.]
Slide 14: Enforcing Security & Privacy Policy
The Aurasium way:
- Per-application basis.
- No need to root the phone and flash firmware.
- Almost non-bypassable.
[Diagram: the repackaged process com.android.demo.SecuredApp, with the application code (Activity, Service, Broadcast Receiver, Content Provider) and framework code sitting above Aurasium, which sits between the app and the kernel.]
Slide 15: Aurasium Internals: How to Intercept
A closer look at the app process:
[Diagram: Application code, then Framework code - Java, then the Java Native Interface, then Framework code - Native (C++): libdvm.so, libandroid_runtime.so, libbinder.so, ...; below them the native libraries libm.so, libstdc++.so and libc.so; then the kernel.]
Slide 16: Aurasium Internals: How to Intercept
Example: socket connection. The call chain from application code through Framework - Java, the Java Native Interface and the native libraries:
- ApkMonitorActivity.onClick()
- HttpURLConnectionImpl.makeConnection()
- HttpConnection.<init>()
- Socket.connect()
- PlainSocketImpl.connect()
- OSNetworkSystem.connect()
- OSNetworkSystem_connect() @ libnativehelper.so
- connect() @ libc.so
Slide 17: Aurasium Internals: How to Intercept
Example: send SMS. The call chain from application code through Framework - Java, the Java Native Interface and the native libraries:
- ApkMonitorActivity.onClick()
- SmsManager.sendTextMessage()
- Isms$Stub$Proxy.sendText()
- BinderProxy.transact()
- transact() @ libbinder.so
- ioctl() @ libc.so
Slide 18: Aurasium Internals: How to Intercept
Intercept at the lowest boundary: libc.so.
[Diagram: the same process layering as Slide 15 (application code, Framework code - Java, JNI, Framework code - Native (C++) with libdvm.so, libandroid_runtime.so, libbinder.so, ..., then libm.so, libstdc++.so, libc.so). Calls into libc.so are detoured through the monitoring code.]
Slide 19: Aurasium Internals: How to Intercept
A closer look at library calls: dynamic linking.
[Diagram: a call from libbinder.so into libc.so is an indirect memory reference followed by a control flow transfer.]
Slide 20: Aurasium Internals: How to Intercept
Key: the app's libraries are dynamically linked shared object files.
Essence: redo the dynamic linking with pointers to our detour code.
[Diagram: somelib.so's reference to libc.so is crossed out and redirected to the monitoring code.]
Slide 21: Aurasium Internals: How to Intercept
Implemented in native code. Almost non-bypassable:
- Java code cannot modify arbitrary memory.
- Java code cannot issue syscalls directly.
- Attempts to load native code are monitored: dlopen().
Slide 22: What Can You Do with Aurasium?
Total visibility into the interactions of an app with the OS and other apps:
- Internet connections: connect()
- IPC Binder communications: ioctl()
- File system manipulations: write(), read()
- Access to resources: ioctl(), read(), write()
- Linux system calls: fork(), execvp()
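The libc detour of Slides 18 to 21 is where the policy is actually applied to calls such as the connect() of Slide 16. The block below is an added example, not Aurasium's own code: a detour for libc's connect() that checks the destination against a constructed IPv4 allow-list, refuses denied connections with EACCES, and forwards allowed ones to the real connect() through a function pointer that the relinking step would fill. The function names, the allow-list and the recording stub that stands in for libc (so it runs without a network) are assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Pointer to the real libc connect(). Aurasium's relinking step would fill it;
 * here it defaults to libc and the demo swaps in the recording stub (assumed). */
int (*real_connect)(int, const struct sockaddr *, socklen_t) = connect;

/* Constructed allow-list: the only IPv4 destinations this app may contact. */
static const char *const allowed_hosts[] = { "93.184.216.34", "10.0.0.5" };

/* Policy decision: 1 = allow, 0 = deny. Anything that is not a well-formed
 * IPv4 sockaddr (NULL, wrong family, too short) is denied rather than passed. */
int policy_allows(const struct sockaddr *addr, socklen_t len) {
    if (!addr || addr->sa_family != AF_INET || len < sizeof(struct sockaddr_in))
        return 0;
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &((const struct sockaddr_in *)addr)->sin_addr, ip, sizeof ip))
        return 0;
    for (size_t i = 0; i < sizeof allowed_hosts / sizeof allowed_hosts[0]; i++)
        if (strcmp(ip, allowed_hosts[i]) == 0)
            return 1;
    return 0;
}
/* The detour that replaces connect(): log, consult the policy, then refuse
 * with EACCES or forward to the real implementation. */
int aurasium_connect(int fd, const struct sockaddr *addr, socklen_t len) {
    if (!policy_allows(addr, len)) {
        fprintf(stderr, "[aurasium] connect() on fd %d denied by policy\n", fd);
        errno = EACCES;
        return -1;
    }
    return real_connect(fd, addr, len);
}
/* Recording stub standing in for libc so the demo needs no network. */
int stub_calls = 0;
int stub_connect(int fd, const struct sockaddr *a, socklen_t l) {
    (void)fd; (void)a; (void)l; stub_calls++; return 0;
}
/* Build an IPv4 sockaddr for ip:port and push it through the detour (fd 3 is
 * a placeholder; the stub never uses it). */
int try_connect(const char *ip, unsigned short port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, ip, &a.sin_addr);
    return aurasium_connect(3, (struct sockaddr *)&a, sizeof a);
}
```

Set real_connect = stub_connect before calling try_connect(): an allowed host returns 0 and increments stub_calls, a host outside the list returns -1 with errno set to EACCES and never reaches the stub.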
Slide 23: Aurasium Internals: How to Add Code to Existing Applications
- Repackaging inevitably destroys the original signature.
- In Android, signature = authorship.
- For an individual app this is not a problem.
Slide 24: Aurasium Internals: How to Add Code to Existing Applications
[Diagram: the Slide 13 pipeline again. apktool unpacks the application package into .smali files (from classes.dex), a textual AndroidManifest.xml, compiled resources and other files; Aurasium inserts its own Java code, metadata and native library; apktool rebuilds the secured application. The inserted pieces are annotated: the native library detours libc calls, the metadata points to the detour Activity, and the Java code provides the GUI & policy.]
Slides 25 to 29: Evaluation
[Figure-only slides; no text extracted.]
Slide 30: Evaluation: Tested on Real-World Apps
- 3491 apps from a third-party application store.
- 1260 malware corpus from Android Genome.
Results:
- Repackaging: 3476/1258 succeed (99.6%/99.8%).
- Failure mode: apktool/baksmali assembly crashes.
Device runs:
- Nexus S under Monkey, the UI exerciser in the SDK.
- Intercepted calls from all 3189 runnable applications.
Slide 31: Limitations
99.9% is not 100%:
- Relies on the robustness of apktool; manual editing of apps as a workaround.
- Native code can potentially bypass Aurasium: examples of native code capable of doing so have already been seen in the wild; some mitigation techniques exist.
- The policy in Java code may be modified.
Slide 32: Conclusion
- A new approach to Android security/privacy.
- Per-app basis, no need to root the phone.
- Tested against many real-world apps.
- Has certain limitations.
Slide 33: The End
Try it out at www.aurasium.com