Slide 1
Cellular Networks and Mobile Computing
COMS 6998-7, Spring 2014
Instructor: Li Erran Li (lel2139@columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-7Spring2014/
Lecture 12: Mobile Platform Security: Attacks and Defenses
4/21/14
1
Cellular Networks and Mobile Computing (COMS 6998-7)
Slide 2
Review of Previous Lecture
How does malware get installed?
How to detect malware?
Slide 3
Malware Installation
Users tend not to install malware intentionally
Attackers trick users into installing malware
  Repackaging
  Update attack
  Drive-by download
Courtesy Yajin Zhou et al.
Slide 4
Footprint-Based Detection Engine
Filter apps with essential permissions

Malware         | Essential Permissions                                  | Apps
Geinimi         | INTERNET, SEND_SMS                                     | 7,620 (4.17%)
ADRD            | INTERNET, ACCESS_NETWORK_STATE, RECEIVE_BOOT_COMPLETED | 10,379 (5.68%)
Pjapps          | INTERNET, RECEIVE_SMS                                  | 4,637 (2.54%)
Bgserv          | INTERNET, RECEIVE_SMS, SEND_SMS                        | 2,880 (1.58%)
DroidDream      | CHANGE_WIFI_STATE                                      | 4,096 (2.24%)
zHash           | CHANGE_WIFI_STATE                                      | 4,096 (2.24%)
BaseBridge      | NATIVE CODE                                            | 8,272 (4.52%)
DroidDreamLight | INTERNET, READ_PHONE_STATE                             | 71,095 (38.89%)
Zsone           | RECEIVE_SMS, SEND_SMS                                  | 3,204 (1.75%)
jSMSHider       | INSTALL_PACKAGES                                       | 1,210 (0.66%)

Reduced to 0.67% when considering a broadcast receiver
Slide 5
Footprint-Based Detection Engine
Distill malware behaviors as behavioral footprint
  Information in manifest file
    Contain a receiver listening to SMS_RECEIVED
  Semantics in the byte-code
    Register a receiver listening to SMS_RECEIVED
    Call abortBroadcast in the receiver
    Send SMS messages to premium numbers
  Structural layout of the app
Match apps with malware behavioral footprints
(Behavioral footprint of Zsone)
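A manifest-level footprint check in the spirit of these two slides (the essential-permission prefilter of Slide 4, then the Zsone footprint's SMS_RECEIVED receiver), written as an added example. It is not the detection engine of Zhou et al.; the permission table is copied from Slide 4 (BaseBridge's "NATIVE CODE" is not a permission and is left out), and the manifest it parses is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Stage 1: essential permissions per malware family (from the slide table).
ESSENTIAL_PERMISSIONS = {
    "Geinimi": {"INTERNET", "SEND_SMS"},
    "ADRD": {"INTERNET", "ACCESS_NETWORK_STATE", "RECEIVE_BOOT_COMPLETED"},
    "Pjapps": {"INTERNET", "RECEIVE_SMS"},
    "Bgserv": {"INTERNET", "RECEIVE_SMS", "SEND_SMS"},
    "DroidDream": {"CHANGE_WIFI_STATE"},
    "zHash": {"CHANGE_WIFI_STATE"},
    "DroidDreamLight": {"INTERNET", "READ_PHONE_STATE"},
    "Zsone": {"RECEIVE_SMS", "SEND_SMS"},
    "jSMSHider": {"INSTALL_PACKAGES"},
}


def parse_manifest(xml_text):
    """Return (permissions, receiver actions) declared in an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    perms = set()
    for node in root.iter("uses-permission"):
        # android.permission.SEND_SMS -> SEND_SMS, matching the table's short names
        perms.add(node.get(name_attr, "").rsplit(".", 1)[-1])
    actions = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            actions.add(action.get(name_attr, ""))
    return perms, actions


def prefilter(perms):
    """Stage 1: families whose essential permissions are all requested."""
    return sorted(f for f, need in ESSENTIAL_PERMISSIONS.items() if need <= perms)


def match_footprints(xml_text):
    """Stage 2: keep candidates whose manifest-level behavior also matches.
    Zsone's behavioral footprint additionally needs a receiver on SMS_RECEIVED."""
    perms, actions = parse_manifest(xml_text)
    return [f for f in prefilter(perms)
            if f != "Zsone" or SMS_RECEIVED in actions]


# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(match_footprints(SAMPLE_MANIFEST))  # ['Bgserv', 'Geinimi', 'Pjapps', 'Zsone']
```

The prefilter alone is deliberately coarse (it also flags legitimate SMS apps); the receiver check is the first of the behavioral refinements the slide lists, the byte-code ones need a disassembler.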
Slide 6
Heuristics-Based Detection Engine
Filter apps with dynamic Java/native code loading
  1055 apps load Java code
  508 apps load native code from non-standard locations
Monitor apps’ dynamic execution behaviors
  Java code: permission-related framework APIs
  Native code: system calls requiring root privileges
Slide 7
Outline
Middleware layer: attacks based on Android framework vulnerabilities
  Permission re-delegation (confused deputy attacks)
  Collusion attacks
Kernel layer: attacks based on system vulnerabilities
  Root exploits (e.g. adbd bug used by DroidKungfu malware)
  Control flow attacks (code injection attacks)
Slide 8
Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones
Roman Schlegel, City University of Hong Kong
Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang, Indiana University Bloomington
Courtesy: Roman et al.
Slide 9
The smartphone in your pocket is really a computer
1 GHz Processor
512MB / 16GB
Android OS (Linux)
Slide 10
No surprise malware targets smartphones
Android malware steals info from 1’000’000 users¹
Trojan sends premium-rate text messages²
Security experts release Android root-kit³
1. http://nakedsecurity.sophos.com/2010/07/29/android-malware-steals-info-million-phone-owners/
2. http://news.cnet.com/8301-27080_3-20013222-245.html
3. http://www.reuters.com/article/idUSTRE66T52O20100730
Slide 11
But “sensory malware” can do much more
Compass, GPS, Gyroscope, Microphone, Camera
[15] N. Xu et al.
Slide 12
What can malware overhear?
“Nah, how would anybody ever find out? Do you think anybody will ever figure out that I keep a spare door key in the flower pot on my front porch?”
Slide 13
Some situations are easy to recognize
Bank: “Please enter or speak your credit card number now.”
Slide 14
Naive approach: record and upload
[Figure: malware on the phone uploads recorded data over the Internet to a malware master, which extracts the valuable information. Labels: 1’000’000 phones ≈ 1TB/day; ≈ 500KB/day]
Slide 15
Certain combinations of permissions are suspicious
Can easily be recognized and disallowed ([5] W. Enck et al.)
Slide 16
Our contributions over the naive approach
  targeted and local extraction of valuable data
  inconspicuous permissions
  stealthiness
Slide 17
Naive approach: record and upload
[Figure: malware uploads raw data over the Internet to the malware master, which extracts the valuable information]
Slide 18
Soundcomber approach: process and upload
[Figure: malware extracts the valuable information on the phone and uploads only that over the Internet to the malware master]
Slide 19
Two trojans are stealthier than one
[Figure: Microphone → Soundcomber app → (c)overt channel → Deliverer app → Internet]
Slide 20
Soundcomber minimizes the necessary permissions
  voice-memo app
  wake-up alarm app
Slide 21
Hotline greetings can be fingerprinted easily
Bank 1: “Thank you for calling...”
Bank 2: “Welcome to ...”
[Figure: recorded greetings matched against the Bank 1 and Bank 2 fingerprints]
Slide 22
Tricking the user into installing two apps
[Figure: pop-up ad (“Click Here!”) and packaged app]
Slide 23
Soundcomber extracts sensitive information locally
[Figure: Microphone → Record Audio → Process Audio (with a Profile Database) → Extract Data → To Deliverer. Sample data shown on the slide: 0111010100110101011...., 982030, 5180812615025219029103892..., 5180 8126 1502 5219]
Slide 24
Profiles allow for context aware extraction
[Figure: profile state machine with states Initial Menu Options, Loan & Credit Card, Prompt for Account Number, Acquire PIN, Prompt for Credit Card #, Credit Card Information, Sensitive Information Acquired and Termination; transitions on menu choices 1 and 2, Enter Account #, Enter PIN, Enter CC #, and other input]
Slide 25
DTMF tones are “dual tones”
  8 frequencies
  2 simultaneous frequencies for each digit
  used to navigate hotline menus

       | 1209 Hz | 1336 Hz | 1477 Hz | 1633 Hz
697 Hz | 1       | 2       | 3       | A
770 Hz | 4       | 5       | 6       | B
852 Hz | 7       | 8       | 9       | C
941 Hz | *       | 0       | #       | D
Slide 26
Soundcomber dynamically adjusts thresholds to detect faint tones
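The dual-tone decoding behind these two slides, as an added example (not Soundcomber's code): a Goertzel detector over the 4×4 frequency table whose acceptance threshold is relative to the strongest bin, so faint tones are decoded by the same rule as loud ones. The sample rate, frame length and synthesized test signal are constructed assumptions.

```python
import math

RATE = 8000                            # Hz, sample rate of the constructed signal
LOW_FREQS = (697, 770, 852, 941)       # row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)  # column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")
FRAME = 400                            # 50 ms analysis frames


def synth(digit, amplitude=0.5, n=FRAME):
    """Constructed test signal: the row and column tones of one keypad digit."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    w_low = 2 * math.pi * LOW_FREQS[row] / RATE
    w_high = 2 * math.pi * HIGH_FREQS[col] / RATE
    return [amplitude * (math.sin(w_low * i) + math.sin(w_high * i)) / 2
            for i in range(n)]


def goertzel(samples, freq):
    """Signal power at a single frequency (Goertzel algorithm), far cheaper
    than a full FFT when only eight bins matter."""
    k = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2


def decode_frame(samples, min_ratio=4.0):
    """Return the digit in one frame, or None if no clear dual tone is present.

    The threshold is not a fixed power level: the strongest bin of each group
    must exceed the runner-up by min_ratio, so the rule adapts to the level of
    the tone and rejects silence or a flat spectrum."""
    def pick(freqs):
        powers = [goertzel(samples, f) for f in freqs]
        order = sorted(range(len(powers)), key=powers.__getitem__, reverse=True)
        best, second = powers[order[0]], powers[order[1]]
        return order[0] if best > min_ratio * max(second, 1e-12) else None
    row, col = pick(LOW_FREQS), pick(HIGH_FREQS)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def decode_sequence(samples, frame=FRAME):
    """Decode a longer recording frame by frame: a digit held over several
    consecutive frames counts once, and silent frames separate repeats."""
    digits, last = [], None
    for start in range(0, len(samples) - frame + 1, frame):
        digit = decode_frame(samples[start:start + frame])
        if digit is not None and digit != last:
            digits.append(digit)
        last = digit
    return "".join(digits)


if __name__ == "__main__":
    # loud "5", silence, a faint "1" (amplitude 0.02), then "8" held for two frames
    recording = synth("5") + [0.0] * FRAME + synth("1", 0.02) + synth("8") + synth("8")
    print(decode_sequence(recording))  # 518
```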
Slide 27
Android introduces new covert channels
  vibration settings (87 bps)
  volume settings (150 bps)
  screen (5.3 bps)
  file locks (685 bps)
Slide 28
Vibration settings are broadcast to interested apps
[Figure: Soundcomber App sets the vibration setting through the Audio Manager; the Android OS sends a vibration setting changed notification; the Deliverer App has registered a broadcast receiver for it]

Setting                     | Bit
VIBRATE_SETTING_ON          | 0
VIBRATE_SETTING_ONLY_SILENT | 1
Slide 29
Volume settings can be modified and accessed by any app
[Figure: Soundcomber App sets the volume setting through the Audio Manager, small delay; Deliverer App gets the volume setting through the Audio Manager, small delay]

Volume | Data
0      | 000
1      | 001
...    | ...
7      | 111
Slide 30
Soundcomber is fast and accurate

       | No Error | 1 Error | >= 2 Errors | 1 missing | >= 2 missing
Speech | 55 %     | 12.5 %  | 15 %        | 7.5 %     | 10 %
Tone   | 85 %     | 5 %     | 0           | 10 %      | 0

       | Recording Length | Processing Time
Speech | 20 s             | 7 s
Tone   | 45 s             | 8 s
Slide 31
Hotlines can be fingerprinted with reasonable accuracy
20 recorded samples of 5 different hotlines (4 each)
20 samples of normal conversation

             | Correct | Missed | Wrong
Hotline      | 55 %    | 40 %   | 5 %
Conversation | 100 %   |        |
Slide 32
Keeping Soundcomber hidden and undetectable
  defer/throttle processing
  track user presence
  performance enhancements
Slide 33
Defense: disable recording when a sensitive number is called
[Figure: components UI, Recorder, Audio Service, Radio Interface Layer, Baseband, Microphone and Reference Service, with Controllers placed at the UI, the Audio Service and the Radio Interface Layer]
Slide 34
Conclusion
  stealthy, sensory malware is a real threat
  need to explore other such threats
  develop generalized defenses to such attacks
Slide 35
Security Enhanced (SE) Android: Bringing Flexible MAC to Android
Stephen Smalley and Robert Craig
Trusted Systems Research, National Security Agency
Slide 36
Motivation
● Android security relies on Linux DAC.
  ● To protect the system from apps.
  ● To isolate apps from one another.
  ● To prevent bypass of Android permissions.
● DAC shortcomings are well established.
  ● Fundamentally inadequate to protect against flawed and malicious applications.
● SELinux can address these shortcomings.
Slide 37
Challenges
● Kernel
  ● No support for per-file security labeling (yaffs2).
  ● Unique kernel subsystems lack SELinux support.
● Userspace
  ● No existing SELinux support.
  ● All apps forked from the same process (zygote).
  ● Sharing through framework services.
● Policy
  ● Existing policies unsuited to Android.
Slide 38
Kernel Support
● Implemented per-file security labeling for yaffs2.
  ● Using recent support for extended attributes.
  ● Enhanced to label new inodes at creation.
● Analyzed and instrumented Binder for SELinux.
  ● Permission checks on IPC operations.
Slide 39
Userspace Support
● xattr and AT_SECURE support in bionic.
● Minimal port of SELinux libraries and tools.
● Labeling support in build and updater tools.
● Policy loading, device & socket labeling (init).
● App security labeling (zygote, dalvik, installd).
● Property service and zygote controls.
● Runtime policy management support.
Slide 40
Policy Configuration
● Enforce a small set of platform security goals.
  ● Confine privileged services.
  ● Sandbox and isolate apps.
● Key properties:
  ● Small, fixed policy.
  ● No policy writing for app developers.
  ● Invisible to users.
Slide 41
Policy Size & Complexity

            | SE Android | Fedora
Size        | 71K        | 4828K
Domains     | 39         | 702
Types       | 182        | 3197
Allows      | 1251       | 96010
Transitions | 65         | 14963
Unconfined  | 3          | 61
Slide 42
Middleware MAC (MMAC)
● Many attacks occur entirely at middleware layer.
  ● Cannot be addressed via kernel layer MAC.
● SELinux userspace object manager model not readily applicable.
  ● Binder IPC, multi-stage call chains.
  ● checkPermission API.
  ● Implications for SELinux policy.
● Required a separate middleware MAC layer.
Slide 43
MMAC mechanisms
● Install-time MAC
  ● Enforced by PackageManagerService.
  ● Based on app certificate, package name.
  ● Can disable even pre-installed apps.
  ● Linkage to SELinux policy via seinfo tag.
● Permission revocation
● Intent MAC, Content Provider MAC
Slide 44
Case Studies
● Root exploits.
  ● Exploid, RageAgainstTheCage, GingerBreak, KillingInTheNameOf, Zimperlich, mempodroid.
● Flawed apps
  ● Skype, Lookout Mobile, Opera Mobile.
● All mitigated by SE Android.
Slide 45
Case Study: /proc/pid/mem
● /proc/pid/mem
  ● Kernel interface for accessing process memory.
  ● Write access enabled in Linux 2.6.39+.
● CVE-2012-0056
  ● Incorrect permission checking.
  ● Induce setuid program into writing own memory.
  ● Demonstrated by mempodroid exploit.
Slide 46
Mempodroid: Overview
● Some complexity omitted.
● Exploit invokes setuid root run-as program with open fd to /proc/pid/mem as stderr and shellcode as argument.
● run-as program overwrites self with shellcode when writing error message.
● Shellcode sets uid/gid to 0 and execs shell or command.
Slide 47
Mempodroid vs SE Android Part 1
● With no specific policy for run-as.
  ● Write to /proc/pid/mem will still succeed.
  ● But run-as program runs in caller's security context.
    ● Still restricted by SELinux policy.
    ● No privilege escalation.
  ● But also no support for run-as functionality.
Slide 48
Mempodroid vs SE Android Part 2
● With policy and code changes for run-as.
  ● Sufficient to support legitimate functionality.
  ● Open file to /proc/pid/mem closed by SELinux due to domain transition.
    ● No memory overwrite, exploit fails.
  ● run-as confined to least privilege.
    ● Minimal capabilities, required transition.
Slide 49
Case Study: Lookout Mobile
● Security app for Android. LOOK-11-001
● Created files via native calls without setting umask.
  ● Leaving them world-readable and -writable.
● Any other app on the device could:
  ● Disable or reconfigure Lookout.
  ● Read private user data.
Slide 50
SE Android vs Lookout vulnerability
● Classic example of DAC vs. MAC.
  ● DAC: Permissions are left to the discretion of each application.
  ● MAC: Permissions are defined by the administrator and enforced for all applications.
● All third party apps denied access to files created by other apps.
  ● Each app and its files have a unique SELinux category set.
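The DAC side of this comparison, as an added example (not Lookout's code): a file created the LOOK-11-001 way next to a hardened create, plus the audit check that finds files any other uid could read or write. The fully permissive inherited umask under which the demo runs is an assumption made to show why the unsafe create depends on it.

```python
import os
import stat
import tempfile


def create_file_unsafe(path):
    """Mirrors the LOOK-11-001 defect: create with a permissive mode and
    without setting umask, so whatever umask was inherited decides the result."""
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
    os.close(fd)


def create_file_private(path):
    """Hardened variant: owner-only mode plus a restrictive umask for the
    duration of the create, so inherited state cannot widen the permissions."""
    old = os.umask(0o077)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o600)
        os.close(fd)
    finally:
        os.umask(old)


def world_access(path):
    """Audit check for one path: (world-readable, world-writable)."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH), bool(mode & stat.S_IWOTH)


def find_world_accessible(root):
    """Audit check for an app data directory: names of files any other uid
    could read or write, which is exactly what DAC leaves to each app."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            readable, writable = world_access(os.path.join(dirpath, name))
            if readable or writable:
                hits.append(name)
    return sorted(hits)


def demo():
    """Create both files under an assumed permissive umask (0) in a scratch
    directory and return what the audit flags."""
    with tempfile.TemporaryDirectory() as d:
        saved = os.umask(0)
        try:
            create_file_unsafe(os.path.join(d, "unsafe.db"))
            create_file_private(os.path.join(d, "private.db"))
            return find_world_accessible(d)
        finally:
            os.umask(saved)


if __name__ == "__main__":
    print(demo())  # ['unsafe.db']
```

Under MAC as the slide describes it, the unsafe file would still carry the app's own SELinux category set, so another app's read would be denied regardless of the mode bits; the audit above is what you need when only DAC is in play.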
Slide 51
Size Comparison (maguro, 4.2)

         | AOSP    | SE ANDROID | INCREASE
boot     | 4400K   | 4552K      | +152K
system   | 194072K | 194208K    | +136K
recovery | 4900K   | 5068K      | +168K
Slide 52
AnTuTu (maguro, 4.2)
[Chart: AnTuTu benchmark scores for AOSP vs SE Android across memory, integer, float, 2d score, 3d score, sd read, sd write and database; only the axis ticks survived extraction]
Slide 53
Towards Taming Privilege Escalation Attacks on Android
Sven Bugiel, Lucas Davi (TU Darmstadt/CASED, Germany)
Ahmad-Reza Sadeghi, Bhargava Shastry (Fraunhofer SIT/CASED, Darmstadt, Germany)
Thomas Fischer (Ruhr-University Bochum)
Alexandra Dmitrienko (Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany)
19th Annual Network & Distributed System Security Symposium
@FraunhoferSIT/CASED 2012 Alexandra Dmitrienko, NDSS 2012 DO NOT DISTRIBUTE FURTHER
Slide 54
App Installation in Android
[Figure: the User installs a Movie Player from the Android Market: Download App, Permissions, Install; the requested permissions are reasonable]
Slide 55
Can apps go beyond their privileges?
YES: Privilege escalation attacks
Slide 56
Confused Deputy Attack
Do not have a right permission? Ask your neighbor!
[Figure: Malware (Privileges: none) invokes a Benign app (Privileges: P1) through the Android Middleware on the Android OS]
1) Invoke browser to download malicious files (Lineberry et al., BlackHat 2010)
2) Invoke Phone app to perform a phone call (Enck et al., TechReport 2008)
3) Invoke Android Scripting Environment to send SMS messages (Davi et al., ISC’2010)
Slide 57
Collusion Attack
Two (or more) apps collude to launch the attack
1) Apps communicate directly
[Figure: Malware (Privileges: P1) and Benign app (Privileges: P2) communicate directly, beside an Android System App, on the Android OS]
Example: Claudio Marforio et al., TechReport ETH Zurich
Slide 58
Collusion Attack
Two (or more) apps collude to launch the attack
2) Apps communicate via covert (e.g., volume settings) or overt (e.g., content providers) channels in Android System components
[Figure: Malware (Privileges: P1) and Benign app (Privileges: P2) communicate through an Android System App on the Android OS]
Example: Soundcomber (Schlegel et al., NDSS’2011)
Slide 59
Inter-Application Communication
Inter-process communication (IPC): Intents and remote procedure calls
File system (files, Unix domain sockets)
Network sockets
[Figure: Application layer: AppA, AppB. Middleware: IPC, Reference Monitor. Linux kernel: File System, Network Sockets, Discretionary access control of Linux]
Slide 60
XManDroid
XManDroid: eXtended Monitoring on Android
Monitors all communication channels between apps
Validates if the requested communication link complies to a system-centric security policy
[Figure: the same layered view as the previous slide, with XManDroid monitoring IPC, File System and Network Sockets between AppA and AppB]
Slide 61
XManDroid Architecture
[Figure: Application layer: App A, App B. Middleware layer (Android Middleware): Android Permissions, Reference Monitor, Decision Maker, System View. Kernel layer: Linux Discretionary Access Control, XManDroid Mandatory Access Control, File System/Internet Sockets; Create File/Socket and Read/Write File/Socket requests pass through it]
Slide 62
XManDroid’s SystemView: Graph-based Representation
[Figure legend: Android Core System Components, Application sandboxes, Files, Internet sockets; IPC calls, Access to files, Socket connections]
Slide 63
XManDroid: Simplified Example
[Figure: sandboxes A (P1), B (P2) and C around the Android Core; A requests communication with B]
Policy Rule: Sandbox A: permission P1, no P2; Sandbox B: permission P2, no P1
Communication type: Direct
Decision: Deny
Slide 64
XManDroid: Simplified Example
[Figure: sandboxes A (P1), B (P2) and C around the Android Core; the requested link would connect A and B through C]
Policy Rule: Sandbox A: permission P1, no P2; Sandbox B: permission P2, no P1
Communication type: Indirect
Decision: Deny
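A simplified version of the decision in these two slides, as an added example (not XManDroid's code). It assumes the policy rule means that no communication path may join a sandbox holding P1 (without P2) to one holding P2 (without P1), and it treats sandboxes reachable over already established links as indirect communication; sandbox D is an addition for an allowed case.

```python
from collections import deque


class SystemView:
    """Simplified XManDroid system view: application sandboxes as nodes,
    established communication links as undirected edges."""

    def __init__(self):
        self.perms = {}   # sandbox -> set of granted permissions
        self.links = {}   # sandbox -> set of sandboxes it already talks to

    def add_sandbox(self, name, perms=()):
        self.perms[name] = set(perms)
        self.links.setdefault(name, set())

    def add_link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def reachable(self, start):
        """All sandboxes reachable from start over existing links, start included."""
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in self.links[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


# Policy rule from the slides, read as a forbidden permission combination:
# no path may join a sandbox holding P1 (without P2) to one holding P2 (without P1).
FORBIDDEN = [{"P1", "P2"}]


def decide(view, a, b, forbidden=FORBIDDEN):
    """Decision maker for a requested link a <-> b.  Every pair of sandboxes
    that the link would connect is checked, so a third sandbox relaying
    between two others (indirect communication) is denied as well."""
    for x in view.reachable(a):
        for y in view.reachable(b):
            px, py = view.perms[x], view.perms[y]
            for combo in forbidden:
                if combo <= (px | py) and not combo <= px and not combo <= py:
                    kind = "direct" if (x, y) == (a, b) else "indirect"
                    return ("deny", kind, x, y)
    return ("allow", None, a, b)


def build_slide_view():
    """Constructed instance of the slides' example: A holds P1, B holds P2,
    C holds neither; D (an addition for an allowed case) holds P2 only."""
    v = SystemView()
    v.add_sandbox("A", {"P1"})
    v.add_sandbox("B", {"P2"})
    v.add_sandbox("C")
    v.add_sandbox("D", {"P2"})
    return v


if __name__ == "__main__":
    v = build_slide_view()
    print(decide(v, "A", "B"))   # direct request from A to B: deny
    v.add_link("A", "C")         # A and C are already linked
    print(decide(v, "B", "C"))   # B would reach A through C: deny, indirect
    print(decide(v, "B", "D"))   # only P2 on both sides: allow
```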
Slide 65
Contributions
Design
  A general framework towards taming privilege escalation attacks
  System-centric policy enforcement
Implementation
  Kernel-level mandatory access control based on TOMOYO
  Callback channel between kernel-level and the middleware
  System-centric IPC call chain tracking for Intents (inspired by QUIRE)
Tests
  Evaluation
  Study on inter-application communication
Slide 66
Evaluation
1 Effectiveness (attack prevention)
2 Performance
3 Rate of falsely denied communications
Slide 67
Study on Application Communication Patterns
Slide 68
IPC-based Application Communication
Slide 69
File and Socket-based Application Communication
Slide 70
Conclusion and Future Work
First general approach towards tackling privilege escalation attacks (at application level)
  Runtime monitoring, but quite efficient
  No false negatives
  No false positives, but conceptually they are possible
Current work
  Large scale evaluation
  Automatic policy engineering
  Full IPC call chain tracking
  Applying XManDroid framework: BizzTrust for domain isolation on Android
Slide 71
Questions?