Scalable and Precise Taint Analysis for Android (PowerPoint PPT Presentation)

  1. Scalable and Precise Taint Analysis for Android
     Wei Huang (1,2), Yao Dong (1), Ana Milanova (1), Julian Dolby (3)
     (1) Rensselaer Polytechnic Institute, (2) Google, (3) IBM Research

  2. Taint Analysis for Android
     • Tracks flow of private data
     • Controlled at installation
     Private unencrypted data flows from SOURCES to SINKS, reaching untrusted parties:
     ◦ SOURCES: Phone number, Location, IMEI, etc.
     ◦ SINKS: Network, Logs, etc.

  3. Motivating Example [From DroidBench]

       public class Data {
         String f;
         String get() { return f; }
         void set(String p) { f = p; }
       }

       public class FieldSensitivity3 {
         protected void onCreate(Bundle b) {
           Data dt = new Data();
           …
           String sim = tm.getSimSerialNumber();   // source
           dt.set(sim);
           String sg = dt.get();
           sms.sendTextMessage(…, sg, …);          // sink: Leak!
         }
       }

  4. Solution – DFlow/DroidInfer
     Subtyping: safe <: tainted

       public class Data {
         String f;
         String get() { return f; }
         void set(String p) { f = p; }
       }

       public class FieldSensitivity3 {
         protected void onCreate(Bundle b) {
           tainted Data dt = new Data();
           tainted String sim = tm.getSimSerialNumber();   // source: the return value is tainted
           dt.set(sim);
           tainted String sg = dt.get();
           sms.sendTextMessage(…, sg, …);   // sink: the parameter is safe -> Type error!
         }
       }

  5. Contributions
     • DFlow: A context-sensitive information flow type system
     • DroidInfer: An inference algorithm for DFlow
     • CFL-Explain: A CFL-reachability algorithm to explain type errors
     • Effective handling of Android-specific features
     • Implementation and evaluation
       ◦ DroidBench, Contagio, Google Play Store

  6. Inference and Checking Framework
     • Build DFlow/DroidInfer on top of our type inference and checking framework
       ◦ Programmers provide parameters to instantiate their own type system
     • Context sensitivity is encoded with viewpoint adaptation
       ◦ Framework infers the "best" typing
     • If inference succeeds, this verifies the absence of errors
     • Otherwise, this reveals errors in the program

  7. Framework Structure
     Parameters: Immutability (ReIm), Universe Types (UT), Ownership Types (OT), SFlow, DFlow, AJ, EnerJ, More?
     Inputs: Program Source, Annotated Libraries
     Pipeline: Unified Typing Rules → Instantiated Rules → Set-Based Solver → Set-based Solution → Extract Best Typing → Concrete Typing → Type Checking

  8. DFlow
     • Type qualifiers:
       ◦ tainted: A variable x is tainted if there is flow from a sensitive source to x
       ◦ safe: A variable x is safe if there is flow from x to an untrusted sink
       ◦ poly: The polymorphic qualifier; it is interpreted as tainted in some contexts and as safe in other contexts
     • Subtyping hierarchy:
       ◦ safe <: poly <: tainted

  9. DFlow Typing Rules (Simplified)

     (TWRITE)  Γ ⊢ y.f = x
               typeof(x) = q_x   typeof(y) = q_y   typeof(f) = q_f
               q_x <: q_y ⊳ q_f

     (TREAD)   Γ ⊢ x = y.f
               typeof(x) = q_x   typeof(y) = q_y   typeof(f) = q_f
               q_y ⊳ q_f <: q_x

     (TCALL)   Γ ⊢ x = y.m^i(z)
               typeof(x) = q_x   typeof(y) = q_y   typeof(z) = q_z   typeof(m) = q_this, q_p → q_ret
               q_y <: q_i ⊳ q_this   q_z <: q_i ⊳ q_p   q_i ⊳ q_ret <: q_x

  10. Inference Example
      Every variable starts with its set of candidate qualifiers (fields are never safe); the set-based solver removes qualifiers that cannot satisfy the constraints.

       public class Data {
         {poly, tainted} String f;
         {safe, poly, tainted} String get({safe, poly, tainted} Data this) { return this.f; }
         void set({safe, poly, tainted} Data this, {safe, poly, tainted} String p) { this.f = p; }
       }

       public class FieldSensitivity3 {
         protected void onCreate(Bundle b) {
           {safe, poly, tainted} Data dt = new Data();
           {safe, poly, tainted} String sim = tm.getSimSerialNumber();   // source
           dt.set(sim);
           {safe, poly, tainted} String sg = dt.get();
           sms.sendTextMessage(…, sg, …);   // sink
         }
       }

  11. Inference Example (cont'd)
      Same annotated listing as slide 10. The sink call adds the constraint
        sg <: 𝑟 ⊳ safe
      (the parameter of sendTextMessage is typed safe).

  12. Inference Example (cont'd)
      Same annotated listing as slide 10. Propagating the constraints through get() yields
        dt <: sg
      Type Error! at dt: dt <: sg requires dt to be safe, while set(sim) stores the tainted sim into dt.

  13. CFL-Explain
      • Type error: 𝑟 ⊳ ret_getSimSerialNumber {tainted} <: sim {safe}
      • Construct a dependency graph based on CFL-reachability
      • Map a type error into a source-sink path in the graph

  14. CFL-Explain – Construct Graph
      • Field read  (return this.f;):  this ⊳ f <: ret   gives the edge   this --]f--> ret
      • Field write (this.f = p;):     p <: this ⊳ f     gives the edge   p --[f--> this

  15. CFL-Explain – Construct Graph (Cont'd)
      • Call (String sg = dt.get(); at call site 2):
          dt <: 𝑟2 ⊳ this_get   gives the edge   dt --(2--> this_get
          𝑟2 ⊳ ret_get <: sg    gives the edge   ret_get --)2--> sg

  16. CFL-Explain Output
      Type Error → Dependency Graph → CFL-Explain (+ Call Graph) → Source-Sink Path, or No Path
      Source-sink path for the example:
        source → sim --(5--> p_set --[f--> this_set --)5--> dt --(3--> this_get --]f--> ret_get --)3--> sg → sink

  17. CFL-Explain Output (cont'd)
      Type Error → Dependency Graph → CFL-Explain (+ Call Graph) → Source-Sink Path, or No Path
      Reasons for No Path:
      • Unreachable methods on the call graph
      • False positive due to partial field insensitivity
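As an added example, not code from the slides or from CFL-Explain itself: the dependency graph of slide 16 for FieldSensitivity3, searched depth-first for a source-sink path whose call labels (i …)i and field labels [f …]f are each balanced. Node names, labels and the edge list are constructed from slides 14 to 16; matching both label families exactly is fine for this eight-edge graph but is not the scalable algorithm the tool uses.

```python
# Edges (a, b, label) of the dependency graph for FieldSensitivity3, constructed
# from slides 14-16. Labels: ("(", i) / (")", i) enter and leave call site i,
# ("[", f) / ("]", f) write and read field f, None is a plain subtype edge.
EDGES = [
    ("source",   "sim",      None),
    ("sim",      "p_set",    ("(", 5)),      # sim <: 5 ⊳ p_set      (argument)
    ("p_set",    "this_set", ("[", "f")),    # p <: this ⊳ f         (field write)
    ("this_set", "dt",       (")", 5)),      # callee this back to receiver dt
    ("dt",       "this_get", ("(", 3)),      # dt <: 3 ⊳ this_get    (receiver)
    ("this_get", "ret_get",  ("]", "f")),    # this ⊳ f <: ret       (field read)
    ("ret_get",  "sg",       (")", 3)),      # 3 ⊳ ret_get <: sg     (return)
    ("sg",       "sink",     None),
]

def apply_label(calls, fields, label):
    """Push on an open label, pop on a matching close label; None if the close
    label does not match the top of its stack (the edge cannot be taken)."""
    if label is None:
        return calls, fields
    kind, sym = label
    if kind == "(":
        return calls + (sym,), fields
    if kind == "[":
        return calls, fields + (sym,)
    if kind == ")":
        return (calls[:-1], fields) if calls and calls[-1] == sym else None
    return (calls, fields[:-1]) if fields and fields[-1] == sym else None

def explain(edges, src, dst):
    """Return a source-to-sink node path that is balanced for both call sites and
    fields, or None when no such path exists (the tool's 'No Path' outcome)."""
    succ = {}
    for a, b, label in edges:
        succ.setdefault(a, []).append((b, label))

    def dfs(node, calls, fields, path):
        if node == dst:
            return path
        for nxt, label in succ.get(node, []):
            if nxt in path:                       # simple paths are enough here
                continue
            stacks = apply_label(calls, fields, label)
            if stacks is not None:
                found = dfs(nxt, stacks[0], stacks[1], path + [nxt])
                if found:
                    return found
        return None

    return dfs(src, (), (), [src])
```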

  18. Outline
      • DFlow type system
      • Inference algorithm for DFlow
      • CFL-Explain
      • Handling Android-specific features
      • Implementation and evaluation

  19. Android-Specific Features
      • Libraries
        ◦ Flow through library methods
      • Multiple Entry Points and Callbacks
        ◦ Connections among callback methods
      • Inter-Component Communication (ICC)
        ◦ Explicit/implicit Intents

  20. Libraries
      • Insert annotations into the Android library
        ◦ source → {tainted}, sink → {safe}
      • Type all parameters/returns of library methods as
        ◦ poly, poly → poly
      • Method n overrides m: with (this_n, p_n → ret_n) and (this_m, p_m → ret_m),
        ◦ this_m <: this_n,  p_m <: p_n,  ret_n <: ret_m

  21. Example
      • Library source: LocationListener.onLocationChanged(tainted Location l)
      • Type library method as: poly double getLatitude(poly Location this)

        public class MyListener {
          @Override
          public void onLocationChanged(Location loc) {
            double lat = loc.getLatitude();
            Log.d(…, "Latitude: " + lat);   // sink
          }
        }

      Constraints: l <: loc (override),  loc <: 𝑟 ⊳ poly (receiver),  𝑟 ⊳ poly <: lat (return), hence loc <: lat
      Type error: leak!

  22. Callbacks
      • Component objects (e.g., Activity) are instantiated by the Android framework
      • No explicit instance to "link" the this parameters of callback methods
      • DroidInfer creates equality constraints for this parameters to "link" callback methods
        ◦ this_callbackMethod1 = this_callbackMethod2

  23. Callbacks (cont'd)

        public class LocationLeak2 extends Activity {
          poly double latitude;
          void onResume(safe LocationLeak2 this) {
            safe double d = this.latitude;        // this_onResume ⊳ latitude <: safe
            Log.d(…, "Latitude: " + d);           // sink
          }
          void onLocationChanged(tainted LocationLeak2 this, tainted Location loc) {
            tainted double lat = loc.getLatitude();
            this.latitude = lat;                  // tainted <: this_onLocationChanged ⊳ latitude
          }
        }

      Without linking, onResume's this is typed safe and onLocationChanged's this is typed tainted, and the leak is missed (Miss Leak!). Linking the callbacks with this_onResume = this_onLocationChanged makes the two constraints conflict and exposes the leak.
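As an added illustration (not code from the slides or from DroidInfer), a small set-based solver in Python over the DFlow qualifiers, using the TREAD/TWRITE rules of slide 9 and the viewpoint adaptation I assume for DFlow (_ ⊳ safe = safe, _ ⊳ tainted = tainted, q ⊳ poly = q); it runs the LocationLeak2 constraints of this slide with and without the callback-linking equality of slide 22. Variable names and the helper API are mine.

```python
from itertools import product

QUALIFIERS = ("safe", "poly", "tainted")        # safe <: poly <: tainted
RANK = {q: i for i, q in enumerate(QUALIFIERS)}

def subtype(a, b):                               # a <: b
    return RANK[a] <= RANK[b]

def adapt(ctx, q):                               # viewpoint adaptation ctx ⊳ q (assumed)
    return ctx if q == "poly" else q

# A constraint is (variables, predicate over an assignment of those variables).
def read(y, f, x):                               # TREAD  x = y.f :  y ⊳ f <: x
    return (y, f, x), lambda e: subtype(adapt(e[y], e[f]), e[x])

def write(y, f, x):                              # TWRITE y.f = x :  x <: y ⊳ f
    return (y, f, x), lambda e: subtype(e[x], adapt(e[y], e[f]))

def equal(a, b):                                 # callback linking: this_a = this_b
    return (a, b), lambda e: e[a] == e[b]

def solve(sets, constraints):
    """Drop a qualifier from a variable when no choice of the other variables'
    qualifiers satisfies some constraint; iterate to a fixpoint."""
    sets = {v: set(s) for v, s in sets.items()}
    changed = True
    while changed:
        changed = False
        for vars_, pred in constraints:
            for v in vars_:
                others = [u for u in vars_ if u != v]
                for q in sorted(sets[v]):
                    if not any(pred({**dict(zip(others, c)), v: q})
                               for c in product(*(sets[u] for u in others))):
                        sets[v].discard(q)
                        changed = True
    return sets

def has_type_error(sets):                        # an empty set: no typing exists
    return any(not s for s in sets.values())

def location_leak2(link_callbacks):
    """Constraints of slide 23 (constructed here): fields are never safe, d flows
    to the Log.d sink (safe) and lat comes from the tainted Location."""
    sets = {"this_onResume": QUALIFIERS, "this_onLocationChanged": QUALIFIERS,
            "latitude": {"poly", "tainted"}, "d": {"safe"}, "lat": {"tainted"}}
    cs = [read("this_onResume", "latitude", "d"),
          write("this_onLocationChanged", "latitude", "lat")]
    if link_callbacks:                           # this_onResume = this_onLocationChanged
        cs.append(equal("this_onResume", "this_onLocationChanged"))
    return solve(sets, cs)
```

Without the equality the solver finds a typing (onResume's this safe, onLocationChanged's this tainted, latitude poly) and the leak is missed; with it the candidate set of this_onResume empties, which is the type error.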

  24. Inter-Component Communication (ICC)
      • Android components interact through Intents
      • Explicit Intent
        ◦ Has an explicit target component
        ◦ DroidInfer connects them using placeholders
      • Implicit Intent
        ◦ Does not have a target component
        ◦ DroidInfer conservatively considers them as sinks

  25. ICC Example

        public class SmsReceiver extends BroadcastReceiver {
          public void onReceive(Context c, Intent i) {
            tainted String s = …;                            // source
            Intent it = new Intent(c, TaskService.class);    // explicit Intent: target is TaskService
            it.putExtra("data", s);
            c.startService(it);
          }
        }

        public class TaskService extends Service {
          public void onStart(Intent it, int d) {
            String body = (String) it.getSerializableExtra("data");
            list.add(body);
            Entity e = new UrlEncodedFormEntity(list, "UTF8");
            post.setEntity(e);                               // sink
          }
        }
