Roman Schlegel


Roman Schlegel (City University of Hong Kong); Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang (Indiana University Bloomington). NDSS Symposium 2011. Presenter: 張逸文. Soundcomber.


Slide1

Roman Schlegel
City University of Hong Kong
Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang
Indiana University Bloomington
NDSS Symposium 2011
Presenter: 張逸文

Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones

Slide2

Outline

Introduction
Overview
Context-Aware Information Collection
Stealthy Data Transmission
Defense Architecture
Evaluation
Discussion
Conclusion

Slide3

Introduction (1/2)

Full-fledged computing platforms
The plague of data-stealing malware
Sensory malware, e.g. video camera, microphone
Security protections
  Java virtual machines on Android
  Anti-virus
  Controls on installing untrusted software
Two new observations
  Context of a phone conversation is predictable and can be fingerprinted
  Built-in covert channel

Slide4

Introduction (2/2)

Main goal

Extract a small amount of high-value private data from phone conversations and transmit it to a malicious party

Major contributions

Targeted, context-aware information discovery from sound recordings

Stealthy data transmission

Implementation and evaluation

Defensive architecture


Slide6

Overview (1/2)

Assumptions
  work under limited privileges
Architectural overview

Slide7

Overview (2/2)

Video Demo.

4392 2588 8888 8888


Slide9

Context-Aware Information Collection (1/7)

Monitor the phone state
Identify, record, analyze, extract
Audio recording
Audio processing
Targeted data extraction using profiles

Slide10

Context-Aware Information Collection (2/7)

Audio recording
  When to record
    Whenever the user initiates a phone call
    Recording in the background
  Determining the number called
    intercept outgoing phone calls / read contact data
    the first segment: compare with keywords in database
    relevant, non-overlapping keywords
    minimize necessary permissions

Slide11

Context-Aware Information Collection (3/7)

Audio processing
  decode file
  speech/tone recognition
  speech/tone extraction

Slide12

Context-Aware Information Collection (4/7)

Tone recognition
  DTMF (dual-tone multi-frequency)
  signaling channel to inform the mobile phone network of the pressed key
  aural feedback leaks to a side channel
  Goertzel's algorithm

Slide13

Context-Aware Information Collection (5/7)

Speech recognition
  Google service: speech recognition functionality
  PocketSphinx
  Segmentation --- contain speech

Slide14

Context-Aware Information Collection (6/7)

Targeted data extraction using profiles
  focus on IVRs (Interactive Voice Response systems)
  Phone menus
  based on predetermined profiles

Slide15

Context-Aware Information Collection (7/7)

General profiles
  Speech signatures
  Sequence detection
  Speech characteristics


Slide17

Stealthy Data Transmission

Processing centrally isn't ideal
  No local processing on 1 minute recording → 94KB
  Credit card number → 16 bytes
Legitimate, existing application with network access
A paired Trojan application with network access and communication through covert channel

Slide18

Leveraging third-party applications

Permission mechanism only restricts the individual application
Ex: using the browser, open URL http://target?number=N
Drawback: more noticeable due to "foreground"
Ads to cover

Slide19

Covert channels with paired Trojans (1/4)

Paired Trojans: Soundminer, Deliverer
Installation of paired Trojan applications
  Pop-up ad.
  Packaged app.
Covert channels on the smartphone
  Vibration settings
  Volume settings
  Screen
  File locks

Slide20

Covert channels with paired Trojans (2/4)

Vibration settings
  any application can change the vibration settings
  communication channel: every time the setting is changed, the system sends a notification to interested applications
  saving and restoring original settings at opportune times
  no permissions needed
  does not leave any traces

Slide21

Covert channels with paired Trojans (3/4)

Volume settings
  not automatically broadcast
  set and check the volume alternately
  3 bits per iteration
  Sending at times
  Reading at times
  miss a window
Screen
  invisible visible channel
  covert channel: screen settings
  prevent the screen from actually turning on
  permission WAKE_LOCK

Slide22

Covert channels with paired Trojans (4/4)

File locks
  exchange information through competing for a file lock
  signaling files $S_1, \ldots, S_m$
  one data file
  $S_1 \sim S_{m/2}$ for Soundminer, $S_{m/2+1} \sim S_m$ for Deliverer


Slide24

Defense Architecture

Add a context-sensitive reference monitor to control the AudioFlinger service
Block all applications from accessing the audio data when a sensitive call is in progress
Reference Service
  RIL: radio interface layer
  enter/leave a sensitive state
Controller
  Embedded in the AudioFlinger service
  Exclusive Mode / Non-Exclusive Mode
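
A minimal model of the reference monitor outlined on this slide, added here as an illustration and not taken from the presentation or from Android's code. The class and method names, the hotline number, and deciding the sensitive state from the dialed number are assumptions; the point shown is that entering exclusive mode must also cut off a recording that started before the call.

```python
from dataclasses import dataclass, field

SENSITIVE_NUMBERS = {"18005550100"}  # assumption: constructed hotline number

@dataclass
class Controller:
    """Hypothetical stand-in for the controller inside the audio service."""
    exclusive: bool = False
    recorders: set = field(default_factory=set)   # apps holding audio input
    revoked: list = field(default_factory=list)   # apps cut off mid-recording

    def enter_exclusive(self) -> None:
        # A recording started before the call must be cut off as well.
        self.exclusive = True
        self.revoked.extend(sorted(self.recorders))
        self.recorders.clear()

    def leave_exclusive(self) -> None:
        self.exclusive = False

    def request_audio(self, app: str) -> bool:
        if self.exclusive:
            return False  # every application is denied during a sensitive call
        self.recorders.add(app)
        return True

@dataclass
class ReferenceService:
    """Hypothetical stand-in for the reference service at the RIL."""
    controller: Controller

    def on_call_start(self, dialed: str) -> None:
        digits = "".join(filter(str.isdigit, dialed))  # ignore formatting
        if digits in SENSITIVE_NUMBERS:
            self.controller.enter_exclusive()

    def on_call_end(self) -> None:
        self.controller.leave_exclusive()

def simulate() -> dict:
    ref = ReferenceService(Controller())
    out = {"before_call": ref.controller.request_audio("voice_memo")}
    ref.on_call_start("1-800-555-0100")            # sensitive hotline
    out["during_sensitive"] = ref.controller.request_audio("game_app")
    out["revoked"] = list(ref.controller.revoked)
    ref.on_call_end()
    ref.on_call_start("555-0123")                  # ordinary call
    out["during_normal"] = ref.controller.request_audio("game_app")
    return out
```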


Slide26

Evaluation (1/2)

Experiment settings
  Environment
  Service hotline detection
  Tone recognition
  Speech recognition --- getrusage()
  Profile-based data discovery --- extracted high-value information
  Covert channel study --- bandwidth in bits per second
  Reference monitor

Slide27

Evaluation (2/2)

Experiment results

Effectiveness

Service hotline detection

Tone/speech recognition

Detection by anti-virus applications

Performance


Slide29

Discussion

Improvements on attack

Defenses

Slide30

Conclusion

Soundminer, innocuous permissions

Defense on sensor data stealing

Highlighted the threat of stealthy sensory malware

Slide31


Thanks ~

Slide32

Goertzel's algorithm

Slide33

Performance

