FLEXDROID: Enforcing In-App Privilege Separa;on in Android Jaebaek Seo* , Daehyeok Kim*, Donghyun Cho*, Taesoo Kim†, Insik shin* * KAIST † Georgia Ins;tute of Technology 1
3 rd -party libraries become popular in Android Applica;on Host code 3rd-party libraries Ad, Analy;cs, Game engine, Billing, Social 2
3 rd -party libraries become popular in Android Applica;on How can we trust them? Host code 3rd-party libraries Ad, Analy;cs, Game engine, Billing, Social 3
4
In NDSS 16 The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads What Mobile Ads Know About Mobile Users Free for All! Assessing User Data Exposure to Adver;sing Libraries on Android 5
In NDSS 16 The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads Fundamental problem in Android’s permission system What Mobile Ads Know About Mobile Users Free for All! Assessing User Data Exposure to Adver;sing Libraries on Android 6
Problem: Android Permission System • The unit of trust in Android: ApplicaDon Loca;on <uses-permission ... LocaDon > <uses-permission ... Contacts > App Contacts Denied Calendar 7
Problem: Android Permission System • Third-party library : having the same access right as the host app <uses-permission ... LocaDon > <uses-permission ... Contacts > Loca;on App 3 rd -party lib Contacts (The unit of trust) 8
Problem: Android Permission System • Third-party library : having the same access right as the host app A third-party library can abuse <uses-permission ... LocaDon > the permissions of its host app <uses-permission ... Contacts > Loca;on App 3 rd -party lib Contacts (The unit of trust) 9
FLEXDROID Goal : In-app privilege separa;on between a host applica;on and its third-party libraries 10
Overview of FLEXDROID Specifying the package name and its permissions in AndroidManifest.xml <uses-permission ... LocaDon > <uses-permission ... Contacts > Loca;on App com.ad.sdk com.ad.sdk Deny Contacts < flexdroid android:name=“ com.ad.sdk ” > <allow … LocaDon > < /flexdroid > 11
Contributions 1. Report poten;al privacy threats of third-party libraries by analyzing 100,000 real-world Android apps 2. Provide an in-app privilege separa;on in Android – Suppor;ng JNI, reflec;on, and mul;-threading 3. Adopt a fault isola;on using ARM Memory Domain to sandbox na;ve code in Android 12
Inves;ga;ng Real-world Threats • Inves;gate 100,000 Android apps from Google Play using a sta;c analysis Q1: How many third-party libraries use undocumented permissions? Q2: How many of them rely on dynamic code execu;on? 13
Undocumented Permissions Required Op;onal Undocumented Facebook (Social) Flurry (Analy;cs) Paypal (Billing) InMobi (Ad) Chartboost (Ad) 14
Undocumented Permissions Required Op;onal Undocumented From XXXBank: Your One-Time Facebook (Social) Password is Flurry (Analy;cs) 34819. Valid for 5 mins. Paypal (Billing) InMobi (Ad) Chartboost (Ad) 15
Analysis of Real-World Apps • Control-flow and data dependency – Class Inheritance 71.5% • Dynamic run;me behavior – Java Na;ve Interface (JNI) 17.1% – Run;me class loading 27.9% – Reflec;on 49.6% 16
Challenges • Control-flow and data dependency à Naïvely separa;ng third-party libraries from the host app is not applicable • Dynamic run;me behavior à Sta;cally or dynamically detec;ng malicious behaviors introduces low accuracy 17
Threat Model • Poten;ally malicious third-party libraries – Obfuscated code and logic • Use of dynamic features (e.g., JNI, reflec;on, mul;-threading) • App developers specifying permissions of each third-party library 18
SYSTEM DESIGN 19
Key Idea Adjus;ng permissions dynamically whenever an app requests a resource 20
Dynamic Permission Adjustment When execu;ng the host applicaDon’s code Permissions of host applica;on App Permissions • Loca;on • Contacts Permissions of third-party library • Loca;on 21
Dynamic Permission Adjustment When execu;ng the 3 rd -party lib’s code Permissions of host applica;on • Loca;on • Contacts Permissions of third-party library App Permissions • Loca;on 22
Iden;fica;on of Executed Code 1. Iden;fy the principal using stack inspec;on 2. Apply the stack inspec;on to Android 3. Protect the integrity of call stack informa;on against asacks via: – JNI – Reflec;on – Mul;-threading 23
Stack Inspec;on in Security Context Process of determining the permissions allowed to the current thread according to principals shown in the call stack P Call stack Perm = Perm(A) ê A com.A.func;onA ∩ Perm(B) B com.B.func;onB ∩ Perm(C) C com.C.func;onC 24
Inter-process Stack Inspec;on Permission Checker Loca;on App PM Manager Dalvik Dalvik Dalvik User Space Kernel Space SD Card File Sysm Internet Permission Checker 25
Inter-process Stack Inspec;on Permission Checker Loca;on App PM Manager Stack Dalvik Dalvik Dalvik Tracer User Space Kernel Space SD Card File Sysm Internet Stack Transmission Channel 26
Poten;al Asack Surface Reflection Multi-threading Loca;on App PM Manager JNI Stack Dalvik Dalvik Dalvik Tracer User Space Kernel Space Stack Transmission Channel 27
Poten;al Asack Surface • Compromising stack tracer JNI • Manipula;ng Dalvik call stack JNI, Reflection, Multi-threading • Hijacking the control data e.g., code injec;on on Dalvik JNI func;ons, manipula;ng code pointers 28
Protec;ng Integrity of Call Stack • JNI Sandbox • JNI Sandbox • Defense mechanism against asacks via • Defense mechanism against asacks via reflec;on reflec;on • Defense mechanism against asacks via • Defense mechanism against asacks via mul;-threading mul;-threading 29
JNI Sandbox • Inspired by ARMlock (CCS’14), applying Fault Isola5on using ARM Memory Domain to Android • Key Idea – Regard JNI code of 3 rd -party libraries as poten;ally malicious code – Run JNI in an isolated and restricted memory domain 30
Fault Isola;on using ARM Memory Domain App address space libc.so libdvm.so Heap Stack Thread Local Storage (TLS) … Java domain 31
Fault Isola;on using ARM Memory Domain App address space libc.so libdvm.so Heap Stack Thread Local Storage (TLS) … Java domain JNI domain 32
Fault Isola;on using ARM Memory Domain App address space FLEXDROID allows Dalvik VM to access both memory domains Dalvik VM Java domain JNI domain 33
Fault Isola;on using ARM Memory Domain App address space by setting Domain Access Control Register of each thread JNI code Java domain JNI domain 34
Fault Isola;on using ARM Memory Domain App address space Domain JNI code Fault Java domain JNI domain 35
Memory and Shared Libraries for JNI App address space libc.so Heap Stack TLS … Stay in Java domain!! Java domain JNI domain 36
Memory and Shared Libraries for JNI • Shared libraries (e.g., libc.so), heap, stack and TLS are in Java domain – JNI cannot access them à FLEXDROID provides JNI with independent shared libraries, heap, stack and TLS 37
Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on 38
Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on package com.malicious.lib P Call stack class A method launch_attack ê H com.host.C.runCallback generateClass(“com.host.B”) L com.host.B.malFunc generateClass(“com.host.B”, “malFunction”) loadClass(“com.host.B”) com.host.C.setCallback(new com.host.B()) end method end class 39
Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on package com.malicious.lib P Call stack class A method launch_attack ê H com.host.C.runCallback generateClass(“com.host.B”) L com.host.B.malFunc generateClass(“com.host.B”, “malFunction”) loadClass(“com.host.B”) com.malicious.lib com.host.C.setCallback(new com.host.B()) end method FLEXDROID maintains end class the informa;on of class loader 40
Implementa;on • Android 4.4.4 Kitkat / Linux 3.4.0 # of Files InserDon (LoC) DeleDon (LoC) Kernel 28 1831 25 Android Framework 46 1466 77 Dalvik VM 24 6081 22 Bionic 23 2827 70 Others 12 95 24 Total 133 12300 218 41
EVALUATION 42
Overview • How effec;ve is FLEXDROID’s policy to restrict third-party libraries? • How easy is it to adopt FLEXDROID’s policy to exis;ng Android apps? • How much performance overhead does FLEXDROID impose when adopted? 43
Blocking Permissions with FLEXDROID • Choosing 8 third-party libraries from real-world apps • Repackaging their host applica;ons with FLEXDROID policy – No permission given to third-party libraries à Denying all accesses to resources from third-party libraries 44
Blocking Permissions with FLEXDROID • Choosing 8 third-party libraries from real-world apps • Repackaging their host applica;ons with FLEXDROID can block FLEXDROID policy permission abuses of 3 rd -party libs – No permission given to third-party libraries à Denying all accesses to resources from third-party libraries 45
Recommend
More recommend