QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android (presentation slides)

  [1/14] QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android
  Tobias Markmann (1), Dennis Gessner (2), Dirk Westhoff (3)
  (1) HAW Hamburg, Germany; (2) NEC Laboratories Europe, Heidelberg, Germany; (3) HFU Furtwangen, Germany
  IEEE ICC 2013 - Communications and Information Systems Security Symposium

  [2/14] Motivation
  - Android popularity → increasing
  - Privacy under attack! → Soundcomber (NDSS, 2011), PlaceRaider (NDSS, 2013), …
  - Permission model → confusing & inflexible
  Source: PlaceRaider [2]

  [3/14] Android Security & Communication
  System Security
  - Common Linux security
  - High-level permissions
  - Sandbox for apps
  ↓ High-level IPC
  Communication
  - High-level Middleware
  - Unicast, Broadcast & RPC
  - Poorly secured
  Source: Programming Android [3]

  [4/14] Objective
  - Identifying privilege escalation
  - Detecting illegal information flow
    ◮ Dishonest/Colluding apps
    ◮ Abused apps
  → Prevent mobile privacy invasion
  → Using information flow analysis

  [5/14] Related Work
  XManDroid (NDSS, 2012)
  - Graph based
  - App permissions
  - Direct & indirect communication
  IPC Inspection (USENIX Sec., 2011)
  - Focus on permission redelegation
  - Adjust IPC callee permissions
  - Only reduced, never extended
  Merely message independent interface-level permission control.
  Source: XManDroid [4]

  [6/14] IPC Monitoring with FlowGraphService
  IPC Monitoring
  - At IPC boundary
  - High-level communication methods
  - Forwarding data collection
  FlowGraphService
  - Real-time collection
  - Communication graph
    ◮ Containing all running apps
    ◮ Quantitative data flow
  Monitoring Characteristics
  - Sender (PID, UID)
  - Receiver (PID, UID)
  - Size
  - Taint Tag (…)
  Limit enforcement
  - Enforce data flow limits
  - Based on taint tags
  - Countermeasures
    ◮ Kill app
    ◮ Block IPC message

  [7/14] Utilising Dynamic Taint Tagging
  TaintDroid (OSDI, 2010)
  - Dynamic taint tagging
  - Tag = data source
  - Dalvik VM only, no native code
  - Across IPC
  [Figure: TaintDroid architecture, steps (1) to (9) - a taint source in a trusted application and a taint sink in an untrusted application; interpreted code and a trusted library in userspace; the Dalvik VM interpreter with its virtual taint map; the Binder IPC library with a Binder hook; the Binder kernel module in the kernel]
  Source: TaintDroid [6]

  [8/14] Visualisation
  - Current graph via custom fgdump tool
  - Graphviz for rendering
  Example snapshot (rendered graph): nodes UID 10012, UID 10014 and UID 10008 (processes android.process.media, com.example.servicecomreceiver and com.example.servicecomsender); edge labels: Tag: IMEI, Throughput: 1664 Bytes/min; Tag: CONTACTS, Throughput: 1664 Bytes/min; Tag: CONTACTS, Throughput: 3968 Bytes/min

  [9/14] Evaluation Criteria
  - Privilege escalation → sensitive data propagates across apps
  - Works with standard Android SDK APIs
  Test Scenarios
  i) Conspiring apps
  ii) Confused-deputy

  [10/14] Scenario: Conspiring apps - Setup
  Attack scenario: conspiring apps
  [Diagram: components WeatherWidget, WeatherReporterService, WeatherEntryActivity and MappingActivity, connected by Service Call / Service Reply messages, a Start Activity Intent and an Activity Result]
  Objective: Innocent looking apps siphoning off contact data to send it off-site.

  [11/14] Scenario: Conspiring apps - Execution T1
  - UID 10042 com.example.snr_a.custommapping: Tag: CONTACTS, Throughput: 828 Bytes/min
  - UID 10041 com.example.snr_a.weatherreporter
  - UID 10040 com.example.snr_a.weatherwidget

  [11/14] Scenario: Conspiring apps - Execution T2
  - UID 10042 com.example.snr_a.custommapping: 216 bytes ≈ 1 contact
  - UID 10041 com.example.snr_a.weatherreporter: Tag: CONTACTS, Throughput: 216 Bytes/min
  - UID 10040 com.example.snr_a.weatherwidget

  [11/14] Scenario: Conspiring apps - Execution T3
  - UID 10042 com.example.snr_a.custommapping: Tag: CONTACTS, Throughput: 828 Bytes/min
  - UID 10041 com.example.snr_a.weatherreporter: Tag: CONTACTS, Throughput: 216 Bytes/min
  - UID 10040 com.example.snr_a.weatherwidget

  [11/14] Scenario: Conspiring apps - Execution T3 to T4
  - UID 10042 com.example.snr_a.custommapping: Tag: CONTACTS, Throughput: 828 Bytes/min (edge marked X)
  - UID 10041 com.example.snr_a.weatherreporter: Tag: CONTACTS, Throughput: 216 Bytes/min
  - UID 10040 com.example.snr_a.weatherwidget

  [11/14] Scenario: Conspiring apps - Execution T4
  - UID 10042 com.example.snr_a.custommapping: Tag: CONTACTS, Throughput: 828 Bytes/min
  - UID 10041 com.example.snr_a.weatherreporter
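The flow-graph bookkeeping and limit enforcement of slide 6, replayed on the conspiring-apps execution above, as an added Python model that is not QuantDroid's own code: edges are keyed by (sender UID, receiver UID, taint tag), throughput is a one-minute sliding window in Bytes/min, a message that would push an edge over its per-tag limit is blocked at the IPC boundary, and a walk over the graph reports the multi-hop path the CONTACTS tag takes from the widget to the mapping app. The UIDs, the CONTACTS tag and "216 bytes ≈ 1 contact" come from the slides; the 800 Bytes/min limit and the 10-second message cadence are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60.0  # seconds; the slides report throughput in Bytes/min


class FlowGraph:
    """One edge per (sender UID, receiver UID, taint tag), each a sliding window of message sizes."""

    def __init__(self, limits):
        self.limits = limits             # tag -> max bytes per minute across one edge
        self.edges = defaultdict(deque)  # (src, dst, tag) -> deque of (ts, size)

    def throughput(self, src, dst, tag, now):
        window = self.edges[(src, dst, tag)]
        while window and now - window[0][0] >= WINDOW:
            window.popleft()  # expire entries older than one minute
        return sum(size for _, size in window)

    def inspect(self, src, dst, size, taints, ts):
        """Decision at the IPC boundary: 'allow' records the flow, 'block' drops it."""
        for tag in taints:
            limit = self.limits.get(tag)
            if limit is not None and self.throughput(src, dst, tag, ts) + size > limit:
                return "block"  # countermeasure from slide 6: block the IPC message
        for tag in taints:
            self.edges[(src, dst, tag)].append((ts, size))
        return "allow"

    def tainted_paths(self, tag, src, now):
        """Multi-hop chains along which `tag` is currently flowing out of `src`."""
        paths, stack = [], [[src]]
        while stack:
            path = stack.pop()
            nxt = [d for (s, d, t) in list(self.edges) if s == path[-1] and t == tag
                   and d not in path and self.throughput(s, d, t, now) > 0]
            stack.extend(path + [d] for d in nxt)
            if not nxt and len(path) > 1:
                paths.append(path)
        return paths


def conspiring_apps_demo():
    """Constructed replay: widget -> reporter -> mapping, 216 bytes (about one contact) per message."""
    WIDGET, REPORTER, MAPPING = 10040, 10041, 10042   # UIDs shown on the slides
    g = FlowGraph(limits={"CONTACTS": 800})           # hypothetical limit: about 3 contacts/min per edge
    decisions = []
    for i in range(6):                                # one contact every 10 s on both hops (assumed)
        decisions.append(g.inspect(WIDGET, REPORTER, 216, {"CONTACTS"}, i * 10.0))
        decisions.append(g.inspect(REPORTER, MAPPING, 216, {"CONTACTS"}, i * 10.0 + 1))
    return decisions, g
```

After three contacts per edge within the window, the fourth message on each hop is blocked, and the graph walk still shows the two-hop CONTACTS path 10040 → 10041 → 10042 that a per-interface permission check would not reveal.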

  [12/14] Scenario: Confused-deputy
  Attack scenario: confused-deputy
  [Diagram: EvilSMSBrowser (Activity) and NiceSMSBrowser (Activity) each exchanging Service Call / Service Reply messages with SMSFormatterService]
  Objective: SMS theft due to insecure/open API.
  Execution: See our paper.

  [13/14] Conclusion & Outlook
  Conclusion
  - Mitigate privilege escalation
  - Quantitative IPC monitoring
  - Limitation: Not monitoring IP-/UNIX-sockets
  Outlook
  - Analyse apps from Play Store
  - Investigating data flow threshold heuristics
