
Android Security & Secure Meta-Markets Alessandro Armando


  1. Android Security & Secure Meta-Markets Alessandro Armando (joint work with G. Costa, A. Merlo, and L. Verderame) DIBRIS, U. of Genova & Security and Trust Research Unit, FBK, Trento NeSSoS 2013, Sept. 05, 2013 Alessandro Armando (UNIGE & FBK) Android Security & Secure Meta-Markets NeSSoS 2013, Sept. 05, 2013 1 / 21

  2. Research Threads on Mobile Security at U. of Genova
     1. Security Assessment of Android Cross-layer Architecture
     2. BYODroid: a Secure Meta-Market for BYOD Policies

  3. Security Assessment of Android Cross-layer Architecture
     - Java stack built on top of Linux Kernel
     - Combination of well-known security solutions (sandboxing + Linux DAC)

  4. Why bother?
     - Android security is a hot topic. Yet most work has focused on the Application Framework (permissions exploitation, IPC, privilege escalation, ...), with little or no work on the Android architecture as a whole. The kernel is assumed secure.
     - The Android stack and the Linux Kernel rely on different security models (namely Android Permissions and Linux DAC). Are they smoothly integrated?
     - Interactions between layers are not documented and poorly understood.
     - Android sandboxing leads to non-standard use of the Linux Kernel.

  5. Android Design Principle

  6. Android Design Principle

  7. Android Design Principle TRUE?

  8. A Fork Bomb Attack

  9. A Fork Bomb Attack
     - A. Armando, A. Merlo, M. Migliardi, L. Verderame. Would You Mind Forking This Process? A Denial of Service attack on Android (and Some Countermeasures). In Proc. of the 27th IFIP International Information Security and Privacy Conference (SEC 2012), Best Paper Award.
     - A. Armando, A. Merlo, M. Migliardi, L. Verderame. Breaking and fixing the Android Launching Flow. In Computers & Security. In press.

  10. Forking in Android Application Launch
     [Figure: application launch flow from the Application layer down to the Linux layer. Labels by layer:
     Application: StartApplication(Intent) (Binder IPC);
     Application Framework: System Server, Activity Manager Service, startActivityLocked (function call), LAUNCH ACTIVITY/SERVICE, New Activity / New Service, Process.start() (socket call);
     Application Runtime: Zygote process, Zygote VM fork() (JNI call), fork command, Pid;
     Libraries: Zygote library fork() (syscall), Pid;
     Linux layer: Zygote socket listening, new Linux process, Activity Thread attach.]

  11. Exploiting the vulnerability

  12. The next step
     Lesson learned: ASF does not discriminate the identity of the caller of the fork (i.e. malicious application vs. trusted service in the AF).
     Some questions arise:
     1. Is the problem related to the fork syscall only?
     2. Are applications able to directly execute Kernel calls?
     3. Is it acceptable from a security point of view?
     and, above all, are there other cross-layer vulnerabilities?

  13. Empirical Assessment of Kernel Call Invocation
     1. Relate kernel calls with trusted services in the AF through experimentation ⇒ Monitoring Kernel Module (MKM)
     2. Try to reproduce the very same kernel calls from a malicious unprivileged application ⇒ Kernel Call Tester (KCT)
     3. Check whether replicated kernel calls have been executed successfully.
     4. Automatically analyze logs to search for vulnerabilities and malicious "flows" of kernel calls.

  14. Testing Kernel Calls
     [Figure: two call paths through the Android layers, "Malicious behavior" and "Standard behavior".
     Malicious behavior: KernelCallTester Application with Replay Service, receiveMsg, jni(SysCall, ...), DVM, KernelCallTester Library, sys(Sys_name, par_1, ..., par_n).
     Standard behavior: Application, System Server (Application Framework), jni(SysCall, ...), DVM, System Server Libraries, sys(Sys_name, par_1, ..., par_n).
     Linux Kernel: MKM on the Sys_call_table, sendMsg over a Linux NetLink socket.]

  15. Results
     - The ASF does not discriminate the caller of any direct kernel call.
     - Two new vulnerabilities pave the way to:
       1. Denial-of-Service attack that exhausts memory.
       2. Privacy Leakage attack of browser data.
     - The new vulnerabilities affect all Android builds.
     A. Armando, A. Merlo and L. Verderame. An Empirical Evaluation of the Android Security Framework. In Proc. of the 28th IFIP International Information Security and Privacy Conference (SEC 2013).

  16. Future Work
     - Further, finer-grained analysis of MKM logs needed to discover other interplay-related vulnerabilities (if any).
     - Extend approach to other cross-layer calls.
     - Leverage profiling technology (e.g. MKM) for run-time monitoring and/or anomaly detection.

  17. Research Threads on Mobile Security at U. of Genova
     1. Security Assessment of Android Cross-layer Architecture
     2. BYODroid: a Secure Meta-Market for BYOD Policies

  18. The BYOD Paradigm
     The Bring Your Own Device paradigm strives to bring usage of personal devices inside organizations.
     BYOD solutions must
     1. allow users to freely personalize devices outside the organization
     2. ensure security of corporate data accessed by personal devices.
     Existing mobile OSes do not support the latter.

  19. Android, Security and Users
     - Android applications come with a manifest file containing the required permissions.
     - Users must accept all the required permissions at install time.
     - Do users understand both the meaning and the impact of such permissions on their security/privacy?
     [Figure: App market (Manifests and Apps); Manifest of A_X: Internet, Access SD card; Manifest of A_Y: Access SD card; Personal Device holding A_1, A_2, ..., A_N; Device owner.]

  20. BYODroid: a Secure Meta-Market for BYOD
     - BYODroid allows for definition and enforcement of security policies spanning all the applications installed on the device.
     - BYODroid supports retrieval and automatic security analysis of applications from different, possibly untrusted, sources, while ensuring that the installed applications collectively comply with a global security policy.
     - This is achieved by a fruitful combination of static analysis, model checking, and code instrumentation.
     [Figure: App market (Manifests and Apps); Corporation (BYOD Policy); Secure Meta-market; Require A_Y; Approve/reject installation; Personal Device holding A_1, A_2, ..., A_N.]

  21. Anatomy of BYODroid
     - Model Extraction (Androguard)
     - Policy Compliance Verification (SPIN)
     - Policy Customization and Storage (Partial Model Checking)
     - Application Instrumentation and Monitoring (Redexer)
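
The four-step assessment on slide 13 ends with automated log analysis. The sketch below is an added example, not code from the talk or from the MKM/KCT tools: it correlates calls observed from system UIDs with replay outcomes from an application UID. The log line format, the sample records, and the names `parse`, `classify` and `findings` are assumptions made for illustration.

```python
import re
APP_UID_START = 10000  # Android application UIDs start here; lower UIDs are system
RECORD = re.compile(r"^(mkm|kct)\s+(.+)$")

# Constructed sample logs. The line format is hypothetical, not real MKM/KCT output.
MKM_LOG = """\
mkm uid=1000 comm=system_server sys=socket args=AF_UNIX
mkm uid=1000 comm=system_server sys=connect args=zygote_socket
mkm uid=0 comm=zygote sys=fork args=-
mkm uid=1000 comm=system_server sys=open args=system_file
mkm uid=10057 comm=some.app sys=open args=app_file
"""
KCT_LOG = """\
kct uid=10099 sys=socket args=AF_UNIX ret=5
kct uid=10099 sys=connect args=zygote_socket ret=0
kct uid=10099 sys=open args=system_file ret=-13
kct uid=1000 sys=fork args=- ret=412
"""

def parse(log, source):
    """Return the well-formed records of one source ('mkm' or 'kct') as dicts."""
    records = []
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m or m.group(1) != source:
            continue
        rec = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
        if {"uid", "sys", "args"} <= rec.keys() and rec["uid"].isdigit():
            records.append(rec)
    return records

def classify(mkm_log, kct_log):
    """Map each (syscall, args) seen from a system UID to its replay outcome."""
    outcome = {}
    for rec in parse(mkm_log, "mkm"):
        if int(rec["uid"]) < APP_UID_START:           # step 1: trusted caller
            outcome[(rec["sys"], rec["args"])] = "not-tested"
    for rec in parse(kct_log, "kct"):
        key = (rec["sys"], rec["args"])
        if key not in outcome or int(rec["uid"]) < APP_UID_START:
            continue                                   # step 2: app-UID replays only
        ok = int(rec.get("ret", "-1")) >= 0            # step 3: negative means -errno
        if ok or outcome[key] == "not-tested":
            outcome[key] = "replayed-ok" if ok else "denied"
    return outcome

def findings(mkm_log=MKM_LOG, kct_log=KCT_LOG):
    """Step 4: calls a system service makes that an unprivileged UID also completed."""
    return sorted(k for k, v in classify(mkm_log, kct_log).items() if v == "replayed-ok")
```

Entries left as `not-tested` are coverage gaps in the replay run rather than evidence that the call is restricted.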
