Scalable and Precise Taint Analysis for Android
Wei Huang (1,2), Yao Dong (1), Ana Milanova (1), Julian Dolby (3)
(1) Rensselaer Polytechnic Institute, (2) Google, (3) IBM Research
Taint Analysis for Android
Tracks the flow of private data; the policy is controlled at installation time.
◦ Sources: private, unencrypted data (phone number, location, IMEI, etc.)
◦ Sinks: untrusted parties (network, logs, etc.)
Motivating Example [From DroidBench]

  public class Data {
    String f;
    String get() { return f; }
    void set(String p) { f = p; }
  }

  public class FieldSensitivity3 {
    protected void onCreate(Bundle b) {
      Data dt = new Data();
      …
      String sim = tm.getSimSerialNumber();   // source: SIM serial number
      dt.set(sim);                            // private data stored in a field
      String sg = dt.get();                   // read back through the accessor
      sms.sendTextMessage(…, sg, …);          // sink: Leak!
    }
  }
Solution – DFlow/DroidInfer
Subtyping: safe <: tainted
Source: the return value of getSimSerialNumber is tainted. Sink: the parameter of sendTextMessage is safe.

  public class Data {
    String f;
    String get() { return f; }
    void set(String p) { f = p; }
  }

  public class FieldSensitivity3 {
    protected void onCreate(Bundle b) {
      tainted Data dt = new Data();
      tainted String sim = tm.getSimSerialNumber();   // source: the return value is tainted
      dt.set(sim);
      tainted String sg = dt.get();
      sms.sendTextMessage(…, sg, …);                   // sink: the parameter is safe
    }
  }

Type error! The tainted sg is passed where a safe parameter is required, so the leak shows up as a type error.
Contributions
◦ DFlow: a context-sensitive information flow type system
◦ DroidInfer: an inference algorithm for DFlow
◦ CFL-Explain: a CFL-reachability algorithm that explains type errors
◦ Effective handling of Android-specific features
◦ Implementation and evaluation on DroidBench, Contagio and Google Play Store apps
Inference and Checking Framework
DFlow/DroidInfer are built on top of our type inference and checking framework:
◦ Programmers provide parameters to instantiate their own type system
◦ Context sensitivity is encoded with viewpoint adaptation
◦ The framework infers the "best" typing
If inference succeeds, this verifies the absence of errors; otherwise it reveals errors in the program.
Framework Structure (diagram)
Parameters: Immutability (ReIm), Universe Types (UT), Ownership Types (OT), SFlow, DFlow, AJ, EnerJ, more?
Pipeline: Unified Typing Rules + Parameters → Instantiated Rules; Program Source + Annotated Libraries → Set-Based Solver → Set-based Solution → Extract Best Typing → Concrete Typing → Type Checking
DFlow
Type qualifiers:
◦ tainted: a variable x is tainted if there is flow from a sensitive source to x
◦ safe: a variable x is safe if there is flow from x to an untrusted sink
◦ poly: the polymorphic qualifier, interpreted as tainted in some contexts and as safe in others
Subtyping hierarchy:
◦ safe <: poly <: tainted
DFlow Typing Rules (Simplified)
(TWRITE) y.f = x, with typeof(x) = q_x, typeof(y) = q_y, typeof(f) = q_f: q_x <: q_y ⊳ q_f
(TREAD) x = y.f, with typeof(x) = q_x, typeof(y) = q_y, typeof(f) = q_f: q_y ⊳ q_f <: q_x
(TCALL) x = y.m(z) at call site i, with typeof(m) = q_this, q_p → q_ret and call-site context q_i: q_y <: q_i ⊳ q_this, q_z <: q_i ⊳ q_p, q_i ⊳ q_ret <: q_x
Viewpoint adaptation ⊳ resolves poly to the context: q ⊳ tainted = tainted, q ⊳ safe = safe, q ⊳ poly = q.
Inference Example
The set-based solver starts every variable with the full set of qualifiers; a field starts with {poly, tainted} because a field is never safe.

  public class Data {
    {poly, tainted} String f;
    {safe, poly, tainted} String get({safe, poly, tainted} Data this) { return this.f; }
    void set({safe, poly, tainted} Data this, {safe, poly, tainted} String p) { this.f = p; }
  }

  public class FieldSensitivity3 {
    protected void onCreate(Bundle b) {
      {safe, poly, tainted} Data dt = new Data();
      {safe, poly, tainted} String sim = tm.getSimSerialNumber();   // source
      dt.set(sim);
      {safe, poly, tainted} String sg = dt.get();
      sms.sendTextMessage(…, sg, …);                                 // sink
    }
  }

Step 1: the sink constraint sg <: q ⊳ safe removes poly and tainted from sg, leaving sg = {safe}.
Step 2: the source constraint leaves sim = {tainted}; the solver propagates the taint from sim through dt.set(sim) (this.f = p) into dt and, through sg = dt.get() (return this.f), derives dt <: sg. With sg = {safe} this is tainted <: safe: Type Error!
CFL-Explain
Type error reported by the solver: q ⊳ ret_getSimSerialNumber {tainted} <: sim {safe}
◦ Construct a dependency graph based on CFL-reachability
◦ Map a type error into a source-sink path in the graph
CFL-Explain – Construct Graph
Field read, return this.f; gives this ⊳ f <: ret: edge this --]f--> ret
Field write, this.f = p; gives p <: this ⊳ f: edge p --[f--> this
CFL-Explain – Construct Graph (Cont'd)
Call String sg = dt.get(); at call site 2 gives dt <: q_2 ⊳ this_get and q_2 ⊳ ret_get <: sg: edges dt --(2--> this_get and ret_get --)2--> sg
CFL-Explain Output
Type Error + Dependency Graph + Call Graph → CFL-Explain → Source-Sink Path, or No Path
Path for FieldSensitivity3 (dt.set(sim) is call site 4, dt.get() is call site 2; parentheses match call sites, brackets match field writes to reads):
source → sim --(4--> p --[f--> this_set --)4--> dt --(2--> this_get --]f--> ret_get --)2--> sg → sink
CFL-Explain Output (Cont'd)
When CFL-Explain finds No Path for a reported type error, the reasons are:
◦ Unreachable methods on the call graph
◦ False positive due to partial field insensitivity
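The path search of slides 13–17, as an added worked example written for this page (it is not the CFL-Explain implementation). It builds the FieldSensitivity3 dependency graph from the edges on slides 14–16 and searches for a source-sink path whose call parentheses and field brackets are balanced. Assumptions: the node names, the second "clean" object with call sites 5 and 3 (constructed to show that context sensitivity rejects the spurious path through the shared this_set node), the `]g` variant (constructed to show field sensitivity), and that a return label with nothing on the call stack is allowed (flow escaping to an unknown caller).

```python
"""CFL-reachability over a DFlow dependency graph (added example, not the CFL-Explain code)."""
from collections import deque


def step(calls, fields, label):
    """Apply one edge label to the (call stack, field stack) state; None rejects the edge."""
    if label is None:                     # plain assignment edge
        return calls, fields
    kind, name = label[0], label[1:]
    if kind == "(":                       # enter the callee at call site `name`
        return calls + (name,), fields
    if kind == ")":                       # return from call site `name`
        if not calls:                     # assumed: unmatched return escapes to an unknown caller
            return calls, fields
        return (calls[:-1], fields) if calls[-1] == name else None
    if kind == "[":                       # store into field `name`
        return calls, fields + (name,)
    if kind == "]":                       # load from field `name`: must match the store
        return (calls, fields[:-1]) if fields and fields[-1] == name else None
    raise ValueError("bad label " + label)


def find_path(edges, source, sink, max_stack=32):
    """BFS over (node, call stack, field stack); returns the node sequence of a balanced path or None."""
    adj = {}
    for src, dst, label in edges:
        adj.setdefault(src, []).append((dst, label))
    start = (source, (), ())
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        node, calls, fields = state
        if node == sink:
            path = []
            while state is not None:
                path.append(state[0])
                state = parent[state]
            return path[::-1]
        if len(calls) + len(fields) >= max_stack:   # bound recursion depth
            continue
        for dst, label in adj.get(node, []):
            stacks = step(calls, fields, label)
            if stacks is None:
                continue
            nxt = (dst,) + stacks
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


# Dependency graph of FieldSensitivity3 (slide 16): dt.set(sim) is call site 4, dt.get() is call site 2
FS3_GRAPH = [
    ("source", "sim", None),
    ("sim", "p_set", "(4"),          # sim <: q4 |> p
    ("p_set", "this_set", "[f"),     # this.f = p
    ("this_set", "dt", ")4"),        # receiver flows back to dt
    ("dt", "this_get", "(2"),        # dt <: q2 |> this
    ("this_get", "ret_get", "]f"),   # return this.f
    ("ret_get", "sg", ")2"),         # q2 |> ret <: sg
    ("sg", "sink", None),
]

# Constructed: a second Data object filled with clean data and read at another sink (call sites 5 and 3)
SECOND_OBJECT = [
    ("clean", "p_set", "(5"),
    ("this_set", "other", ")5"),
    ("other", "this_get", "(3"),
    ("ret_get", "sg2", ")3"),
    ("sg2", "sink2", None),
]

# Constructed: get() reads a different field g, so the write to f must not reach the sink
FIELD_MISMATCH = [(s, d, "]g" if l == "]f" else l) for s, d, l in FS3_GRAPH]


def explain(edges, source, sink):
    """Render the CFL-Explain output: the source-sink path, or 'No Path'."""
    path = find_path(edges, source, sink)
    return " -> ".join(path) if path else "No Path"
```

A context-insensitive search over `FS3_GRAPH + SECOND_OBJECT` would report source → sim → p_set → this_set → other → … → sink2; the call-site stack rejects it at the `)5` edge because the open call is `(4`, while the path for the clean object (clean → … → sink2) is still found.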
Outline
◦ DFlow type system
◦ Inference algorithm for DFlow
◦ CFL-Explain
◦ Handling Android-specific features
◦ Implementation and evaluation
Android-Specific Features
◦ Libraries: flow through library methods
◦ Multiple entry points and callbacks: connections among callback methods
◦ Inter-Component Communication (ICC): explicit/implicit Intents
Libraries
Insert annotations into the Android library:
◦ source → {tainted}, sink → {safe}
◦ Type all parameters/returns of other library methods as poly: poly, poly → poly
Overriding: if method n (this_n, p_n → ret_n) overrides method m (this_m, p_m → ret_m), then this_m <: this_n, p_m <: p_n and ret_n <: ret_m.
Example
Library source: LocationListener.onLocationChanged(tainted Location l)
Library method typed as: poly double getLatitude(poly Location this)

  public class MyListener implements LocationListener {
    @Override
    public void onLocationChanged(Location loc) {
      double lat = loc.getLatitude();
      Log.d(…, "Latitude: " + lat);   // sink
    }
  }

Constraints: l <: loc (overriding, p_m <: p_n); loc <: q ⊳ poly and q ⊳ poly <: lat (the call to getLatitude), hence loc <: lat. With l tainted and the sink requiring lat safe: type error, leak!
Callbacks
◦ Component objects (e.g., Activity) are instantiated by the Android framework
◦ No explicit instance to "link" the this parameters of callback methods
◦ DroidInfer creates equality constraints for this parameters to "link" callback methods: this_callbackMethod1 = this_callbackMethod2
Callbacks (Cont'd)

  public class LocationLeak2 extends Activity {
    poly double latitude;
    void onResume(safe LocationLeak2 this) {
      safe double d = this.latitude;
      Log.d(…, "Latitude: " + d);   // sink
    }
    void onLocationChanged(tainted LocationLeak2 this, tainted Location loc) {
      tainted double lat = loc.getLatitude();
      this.latitude = lat;
    }
  }

Constraints: this_onResume ⊳ latitude <: safe (the read in onResume flows to the sink) and tainted <: this_onLocationChanged ⊳ latitude (the write in onLocationChanged). With latitude typed poly, a typing with this_onResume = safe and this_onLocationChanged = tainted satisfies both: Miss Leak! Adding this_onResume = this_onLocationChanged makes the two constraints contradict each other, and the leak is reported.
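The inference pipeline of slides 6–12 (set-based narrowing, extracting the best typing, type checking the result) applied to the FieldSensitivity3 constraints generated by the rules on slide 9, and to the LocationLeak2 callback case of slides 22–23, as an added worked example written for this page rather than DroidInfer's own code. Assumptions: the ranking tainted > poly > safe used to pick one qualifier per variable, the variable names (q2, q4, q1 are the call-site context variables), and that getLatitude's this and return are poly as on slide 21.

```python
"""Set-based solver for DFlow qualifier constraints (added example, not DroidInfer code)."""

QUALS = ("safe", "poly", "tainted")         # subtyping: safe <: poly <: tainted
RANK = {q: i for i, q in enumerate(QUALS)}
CONST = set(QUALS)                           # constant qualifiers used as variable names


def subtype(a, b):
    return RANK[a] <= RANK[b]


def adapt(ctx, q):
    """Viewpoint adaptation ctx |> q: poly takes the qualifier of the context."""
    return ctx if q == "poly" else q


def choices(side, S):
    """All (value, bindings) a side can take; a side is a variable or (ctx, var) meaning ctx |> var."""
    if isinstance(side, tuple):
        ctx, var = side
        return [(adapt(a, b), ((ctx, a), (var, b))) for a in S[ctx] for b in S[var]]
    return [(q, ((side, q),)) for q in S[side]]


def narrow(constraints, S):
    """Drop qualifiers that satisfy no constraint; return an unsatisfiable constraint or None."""
    changed = True
    while changed:
        changed = False
        for lhs, rhs in constraints:
            support = {}
            for lv, lb in choices(lhs, S):
                for rv, rb in choices(rhs, S):
                    if subtype(lv, rv):
                        for var, q in lb + rb:
                            support.setdefault(var, set()).add(q)
            if not support:
                return (lhs, rhs)                # a set would become empty: type error
            for var, quals in support.items():
                if var not in CONST and S[var] - quals:
                    S[var] &= quals
                    changed = True
    return None


def best_typing(S):
    """Pick one qualifier per variable; assumed ranking tainted > poly > safe."""
    return {v: max(qs, key=RANK.get) for v, qs in S.items()}


def check(constraints, typing):
    """Type-check a concrete typing; return the first violated constraint or None."""
    def value(side):
        return adapt(typing[side[0]], typing[side[1]]) if isinstance(side, tuple) else typing[side]
    for lhs, rhs in constraints:
        if not subtype(value(lhs), value(rhs)):
            return (lhs, rhs)
    return None


def infer(variables, fields, constraints):
    """Solver -> best typing -> checker; None means the program type-checks (no leak found)."""
    S = {q: {q} for q in CONST}
    S.update({v: set(QUALS) for v in variables})
    S.update({f: {"poly", "tainted"} for f in fields})   # fields are never safe
    return narrow(constraints, S) or check(constraints, best_typing(S))


# FieldSensitivity3 (slides 3, 10-12); q4 is the context of dt.set(sim), q2 of dt.get()
FS3_CONSTRAINTS = [
    ("tainted", "sim"),               # source: sim = tm.getSimSerialNumber()
    ("sim", ("q4", "p_set")),         # dt.set(sim): argument      q_z <: q_i |> q_p
    ("dt", ("q4", "this_set")),       # dt.set(sim): receiver      q_y <: q_i |> q_this
    ("p_set", ("this_set", "f")),     # set: this.f = p            (TWRITE)
    ("dt", ("q2", "this_get")),       # sg = dt.get(): receiver
    (("this_get", "f"), "ret_get"),   # get: return this.f         (TREAD)
    (("q2", "ret_get"), "sg"),        # sg = dt.get(): return      q_i |> q_ret <: q_x
    ("sg", "safe"),                   # sink: sms.sendTextMessage(..., sg, ...)
]


def field_sensitivity3():
    return infer(["sim", "dt", "sg", "p_set", "this_set", "this_get", "ret_get", "q2", "q4"],
                 ["f"], FS3_CONSTRAINTS)


def location_leak2(link_callbacks):
    """LocationLeak2 (slide 23); q1 is the context of loc.getLatitude()."""
    cs = [
        (("this_onResume", "latitude"), "d"),   # onResume: d = this.latitude
        ("d", "safe"),                          # sink: Log.d(..., d)
        ("tainted", "loc"),                     # overrides the library source: l <: loc
        ("loc", ("q1", "poly")),                # loc.getLatitude(): library this is poly
        (("q1", "poly"), "lat"),                # library return is poly
        ("lat", ("this_onLC", "latitude")),     # onLocationChanged: this.latitude = lat
    ]
    if link_callbacks:                          # DroidInfer: this_onResume = this_onLocationChanged
        cs += [("this_onResume", "this_onLC"), ("this_onLC", "this_onResume")]
    return infer(["d", "loc", "lat", "q1", "this_onResume", "this_onLC"], ["latitude"], cs)
```

For FieldSensitivity3 the narrowing leaves every set non-empty, and the error surfaces when the extracted typing (dt, q2 tainted; this_get, ret_get poly; sg safe) is checked: q2 ⊳ ret_get = tainted is not a subtype of sg = safe. For LocationLeak2 without the equality constraint, the typing this_onResume = safe, this_onLocationChanged = tainted, latitude = poly passes, so the leak is missed; with the equality the two this sets narrow to {safe} and {tainted} and the solver reports the contradiction.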
Inter-Component Communication (ICC)
Android components interact through Intents.
Explicit Intent:
◦ Has an explicit target component
◦ DroidInfer connects sender and target using placeholders
Implicit Intent:
◦ Does not have a target component
◦ DroidInfer conservatively treats it as a sink
ICC Example

  public class SmsReceiver extends BroadcastReceiver {
    public void onReceive(Context c, Intent i) {
      tainted String s = …;                            // source
      Intent it = new Intent(c, TaskService.class);    // explicit Intent: the target component is known
      it.putExtra("data", s);
      c.startService(it);                              // DroidInfer links this to TaskService.onStart via a placeholder
    }
  }

  public class TaskService extends Service {
    public void onStart(Intent it, int d) {
      String body = (String) it.getSerializableExtra("data");
      list.add(body);
      Entity e = new UrlEncodedFormEntity(list, "UTF8");
      post.setEntity(e);                               // sink
    }
  }