flexdroid enforcing in app privilege separa on in android
play

FLEXDROID: Enforcing In-App Privilege Separa;on in Android Jaebaek - PowerPoint PPT Presentation

FLEXDROID: Enforcing In-App Privilege Separa;on in Android Jaebaek Seo* , Daehyeok Kim*, Donghyun Cho*, Taesoo Kim, Insik shin* * KAIST Georgia Ins;tute of Technology 1 3 rd -party libraries become popular in Android Applica;on Host code


  1. FLEXDROID: Enforcing In-App Privilege Separa;on in Android Jaebaek Seo* , Daehyeok Kim*, Donghyun Cho*, Taesoo Kim†, Insik shin* * KAIST † Georgia Ins;tute of Technology 1

  2. 3 rd -party libraries become popular in Android Applica;on Host code 3rd-party libraries Ad, Analy;cs, Game engine, Billing, Social 2

  3. 3 rd -party libraries become popular in Android Applica;on How can we trust them? Host code 3rd-party libraries Ad, Analy;cs, Game engine, Billing, Social 3

  4. 4

  5. In NDSS 16 The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads What Mobile Ads Know About Mobile Users Free for All! Assessing User Data Exposure to Adver;sing Libraries on Android 5

  6. In NDSS 16 The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads Fundamental problem in Android’s permission system What Mobile Ads Know About Mobile Users Free for All! Assessing User Data Exposure to Adver;sing Libraries on Android 6

  7. Problem: Android Permission System • The unit of trust in Android: ApplicaDon Loca;on <uses-permission ... LocaDon > <uses-permission ... Contacts > App Contacts Denied Calendar 7

  8. Problem: Android Permission System • Third-party library : having the same access right as the host app <uses-permission ... LocaDon > <uses-permission ... Contacts > Loca;on App 3 rd -party lib Contacts (The unit of trust) 8

  9. Problem: Android Permission System • Third-party library : having the same access right as the host app A third-party library can abuse <uses-permission ... LocaDon > the permissions of its host app <uses-permission ... Contacts > Loca;on App 3 rd -party lib Contacts (The unit of trust) 9

  10. FLEXDROID Goal : In-app privilege separa;on between a host applica;on and its third-party libraries 10

  11. Overview of FLEXDROID Specifying the package name and its permissions in AndroidManifest.xml <uses-permission ... LocaDon > <uses-permission ... Contacts > Loca;on App com.ad.sdk com.ad.sdk Deny Contacts < flexdroid android:name=“ com.ad.sdk ” > <allow … LocaDon > < /flexdroid > 11

  12. Contributions 1. Report poten;al privacy threats of third-party libraries by analyzing 100,000 real-world Android apps 2. Provide an in-app privilege separa;on in Android – Suppor;ng JNI, reflec;on, and mul;-threading 3. Adopt a fault isola;on using ARM Memory Domain to sandbox na;ve code in Android 12

  13. Inves;ga;ng Real-world Threats • Inves;gate 100,000 Android apps from Google Play using a sta;c analysis Q1: How many third-party libraries use undocumented permissions? Q2: How many of them rely on dynamic code execu;on? 13

  14. Undocumented Permissions Required Op;onal Undocumented Facebook (Social) Flurry (Analy;cs) Paypal (Billing) InMobi (Ad) Chartboost (Ad) 14

  15. Undocumented Permissions Required Op;onal Undocumented From XXXBank: Your One-Time Facebook (Social) Password is Flurry (Analy;cs) 34819. Valid for 5 mins. Paypal (Billing) InMobi (Ad) Chartboost (Ad) 15

  16. Analysis of Real-World Apps • Control-flow and data dependency – Class Inheritance 71.5% • Dynamic run;me behavior – Java Na;ve Interface (JNI) 17.1% – Run;me class loading 27.9% – Reflec;on 49.6% 16

  17. Challenges • Control-flow and data dependency à Naïvely separa;ng third-party libraries from the host app is not applicable • Dynamic run;me behavior à Sta;cally or dynamically detec;ng malicious behaviors introduces low accuracy 17

  18. Threat Model • Poten;ally malicious third-party libraries – Obfuscated code and logic • Use of dynamic features (e.g., JNI, reflec;on, mul;-threading) • App developers specifying permissions of each third-party library 18

  19. SYSTEM DESIGN 19

  20. Key Idea Adjus;ng permissions dynamically whenever an app requests a resource 20

  21. Dynamic Permission Adjustment When execu;ng the host applicaDon’s code Permissions of host applica;on App Permissions • Loca;on • Contacts Permissions of third-party library • Loca;on 21

  22. Dynamic Permission Adjustment When execu;ng the 3 rd -party lib’s code Permissions of host applica;on • Loca;on • Contacts Permissions of third-party library App Permissions • Loca;on 22

  23. Iden;fica;on of Executed Code 1. Iden;fy the principal using stack inspec;on 2. Apply the stack inspec;on to Android 3. Protect the integrity of call stack informa;on against asacks via: – JNI – Reflec;on – Mul;-threading 23

  24. Stack Inspec;on in Security Context Process of determining the permissions allowed to the current thread according to principals shown in the call stack P Call stack Perm = Perm(A) ê A com.A.func;onA ∩ Perm(B) B com.B.func;onB ∩ Perm(C) C com.C.func;onC 24

  25. Inter-process Stack Inspec;on Permission Checker Loca;on App PM Manager Dalvik Dalvik Dalvik User Space Kernel Space SD Card File Sysm Internet Permission Checker 25

  26. Inter-process Stack Inspec;on Permission Checker Loca;on App PM Manager Stack Dalvik Dalvik Dalvik Tracer User Space Kernel Space SD Card File Sysm Internet Stack Transmission Channel 26

  27. Poten;al Asack Surface Reflection Multi-threading Loca;on App PM Manager JNI Stack Dalvik Dalvik Dalvik Tracer User Space Kernel Space Stack Transmission Channel 27

  28. Poten;al Asack Surface • Compromising stack tracer JNI • Manipula;ng Dalvik call stack JNI, Reflection, Multi-threading • Hijacking the control data e.g., code injec;on on Dalvik JNI func;ons, manipula;ng code pointers 28

  29. Protec;ng Integrity of Call Stack • JNI Sandbox • JNI Sandbox • Defense mechanism against asacks via • Defense mechanism against asacks via reflec;on reflec;on • Defense mechanism against asacks via • Defense mechanism against asacks via mul;-threading mul;-threading 29

  30. JNI Sandbox • Inspired by ARMlock (CCS’14), applying Fault Isola5on using ARM Memory Domain to Android • Key Idea – Regard JNI code of 3 rd -party libraries as poten;ally malicious code – Run JNI in an isolated and restricted memory domain 30

  31. Fault Isola;on using ARM Memory Domain App address space libc.so libdvm.so Heap Stack Thread Local Storage (TLS) … Java domain 31

  32. Fault Isola;on using ARM Memory Domain App address space libc.so libdvm.so Heap Stack Thread Local Storage (TLS) … Java domain JNI domain 32

  33. Fault Isola;on using ARM Memory Domain App address space FLEXDROID allows Dalvik VM to access both memory domains Dalvik VM Java domain JNI domain 33

  34. Fault Isola;on using ARM Memory Domain App address space by setting Domain Access Control Register of each thread JNI code Java domain JNI domain 34

  35. Fault Isola;on using ARM Memory Domain App address space Domain JNI code Fault Java domain JNI domain 35

  36. Memory and Shared Libraries for JNI App address space libc.so Heap Stack TLS … Stay in Java domain!! Java domain JNI domain 36

  37. Memory and Shared Libraries for JNI • Shared libraries (e.g., libc.so), heap, stack and TLS are in Java domain – JNI cannot access them à FLEXDROID provides JNI with independent shared libraries, heap, stack and TLS 37

  38. Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on 38

  39. Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on package com.malicious.lib P Call stack class A method launch_attack ê H com.host.C.runCallback generateClass(“com.host.B”) L com.host.B.malFunc generateClass(“com.host.B”, “malFunction”) loadClass(“com.host.B”) com.host.C.setCallback(new com.host.B()) end method end class 39

  40. Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on package com.malicious.lib P Call stack class A method launch_attack ê H com.host.C.runCallback generateClass(“com.host.B”) L com.host.B.malFunc generateClass(“com.host.B”, “malFunction”) loadClass(“com.host.B”) com.malicious.lib com.host.C.setCallback(new com.host.B()) end method FLEXDROID maintains end class the informa;on of class loader 40

  41. Implementa;on • Android 4.4.4 Kitkat / Linux 3.4.0 # of Files InserDon (LoC) DeleDon (LoC) Kernel 28 1831 25 Android Framework 46 1466 77 Dalvik VM 24 6081 22 Bionic 23 2827 70 Others 12 95 24 Total 133 12300 218 41

  42. EVALUATION 42

  43. Overview • How effec;ve is FLEXDROID’s policy to restrict third-party libraries? • How easy is it to adopt FLEXDROID’s policy to exis;ng Android apps? • How much performance overhead does FLEXDROID impose when adopted? 43

  44. Blocking Permissions with FLEXDROID • Choosing 8 third-party libraries from real-world apps • Repackaging their host applica;ons with FLEXDROID policy – No permission given to third-party libraries à Denying all accesses to resources from third-party libraries 44

  45. Blocking Permissions with FLEXDROID • Choosing 8 third-party libraries from real-world apps • Repackaging their host applica;ons with FLEXDROID can block FLEXDROID policy permission abuses of 3 rd -party libs – No permission given to third-party libraries à Denying all accesses to resources from third-party libraries 45

Recommend


More recommend