S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018, Stockholm, Sweden, 20th June 2018 www.iaik.tugraz.at
Paper A inferred app starts via /proc/vmstat. Paper A inferred app starts via /proc/vmstat. Paper A inferred app starts via /proc/vmstat. Paper B inferred keyboard input via /proc/interrupts. Paper B inferred keyboard input via /proc/interrupts. Paper C inferred browsing behavior via the TrafficStats API. Motivation and Contribution Side-channel attacks on mobile devices allow inferring lot’s of sensitive information. Paper A inferred app starts via /proc/vmstat. Paper B inferred keyboard input via /proc/interrupts. Paper C inferred browsing behavior via the TrafficStats API. Paper D - So - this is all based on manual analysis? Yeah!? Dude, wouldn’t it be easier to automate this analysis?
www.iaik.tugraz.at Cat and Mouse Game? Manual analysis of resource Countermeasure Exploitation (restrict access) of resource Spreitzer, Palfinger, Mangard 3 WiSec 2018, Stockholm, Sweden, 20th June 2018
(3) Trigger event (5) Fetch data (4) Log (1) Fetch (2) Parse packages (6) Analyze www.iaik.tugraz.at SCAnDroid Android Developers Website Backend (3) Trigger event SCAn- Analyzer Parser Controller Droid (5) Fetch data (4) Log Package Index (1) Fetch (2) Parse . packages (6) Analyze . . Spreitzer, Palfinger, Mangard 4 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Analysis Dynamic time warping (DTW) Compare time series X = ( x 1 , ..., x n ) Y = ( y 1 , ..., y m ) No background information No human interaction Ignoring misaligned, stretched, or compressed traces time X Y Spreitzer, Palfinger, Mangard 5 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Classification DTW-based approach (template attacks) Training data: T = { ( e i , X i ) } Test sample s = ( e j , X ) : i = argmin DTW ( X , Y i ) ⇒ two time series result from the same event if they yield a low distance to each other K-fold cross validation Accuracy better than random guessing? ⇒ information leak identified Spreitzer, Palfinger, Mangard 6 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Coverage of Analyzed Methods Methods # % Documented in the Android API 36339 Relevant (get, is, has, query) 12012 100% In abstract classes or interfaces 2860 23.8% Removed (crashed, missing constructors, etc) 5075 42.3% Theoretically to be profiled 4077 33.9% Actually profiled 5046 42.1% Methods that “react” to events 36 Spreitzer, Palfinger, Mangard 7 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Case Study: Website Inference Correlations between website launches and API calls amazon.com reddit.com Time series 1 6 · 10 5 3 · 10 5 Time series 2 File.getFreeSpace() File.getFreeSpace() Time series 3 4 · 10 5 2 · 10 5 1 · 10 5 2 · 10 5 Time series 1 Time series 2 0 Time series 3 0 0 2 4 6 8 10 0 2 4 6 8 10 Time [s] Time [s] Spreitzer, Palfinger, Mangard 8 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Website Inference on Android 8 20 websites, 8 samples, 10 seconds API Accuracy android.net.TrafficStats.getMobileTxBytes() 89.4 % android.net.TrafficStats.getTotalTxBytes() 88.8 % android.net.TrafficStats.getMobileTxPackets() 86.2 % android.net.TrafficStats.getTotalRxPackets() 85.6 % android.net.TrafficStats.getTotalTxPackets() 85.0 % android.net.TrafficStats.getMobileRxPackets() 83.1 % android.net.TrafficStats.getTotalRxBytes() 79.4 % android.net.TrafficStats.getMobileRxBytes() 76.2 % android.app.usage.StorageStatsManager. 46.9 % getFreeBytes(java.util.UUID) java.io.File.getUsableSpace() 39.4 % java.io.File.getFreeSpace() 38.1 % android.os.storage.StorageManager. 36.2 % getAllocatableBytes(java.util.UUID) android.os.Process.getElapsedCpuTime() 21.9 % Spreitzer, Palfinger, Mangard 9 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Case Study: Website Inference on Android 8 1 0.8 TrafficStats.getMobileTxBytes() 0.6 Accuracy TrafficStats.getMobileRxBytes() File.getUsableSpace() 0.4 Random guessing 0.2 0 1 2 3 4 5 6 7 8 9 10 Top N results Spreitzer, Palfinger, Mangard 11 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Case Study: Google Maps Search Inference Correlations between Google Maps search queries and API calls Eiffel Tower The Great Wall TrafficStats.getMobileRxBytes() TrafficStats.getMobileRxBytes() 2 , 5 · 10 5 3 · 10 5 Time series 1 Time series 2 Time series 3 2 · 10 5 1 , 5 · 10 5 1 · 10 5 Time series 1 50000 Time series 2 Time series 3 0 0 1,000 5,000 10,000 15,000 1,000 5,000 10,000 15,000 Time [ms] Time [ms] Spreitzer, Palfinger, Mangard 12 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Google Maps Search Inference on Android 8 20 POIs, 8 samples, 15 seconds API Accuracy android.net.TrafficStats.getTotalRxBytes() 87.5 % android.net.TrafficStats.getMobileRxBytes() 83.8 % android.net.TrafficStats.getMobileRxPackets() 76.2 % android.net.TrafficStats.getTotalRxPackets() 73.1 % android.net.TrafficStats.getTotalTxPackets() 68.1 % android.net.TrafficStats.getMobileTxPackets() 66.9 % android.net.TrafficStats.getTotalTxBytes() 49.4 % android.net.TrafficStats.getMobileTxBytes() 48.8 % android.app.usage.StorageStatsManager. 16.2 % getFreeBytes(java.util.UUID) android.os.storage.StorageManager. 13.1 % getAllocatableBytes(java.util.UUID) android.os.Process.getElapsedCpuTime() 13.1 % java.io.File.getFreeSpace() 11.9 % java.io.File.getUsableSpace() 10.6 % Spreitzer, Palfinger, Mangard 13 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Discussion Limitation: false negatives No leaks identified → secure? More specialized features Timing side channels not considered iOS: fileExistsAtPath API [ZWB + 18] Countermeasures Restrict access to APIs SCAnDroid could be used to eliminate side channels in upcoming Android versions (before they are released) Spreitzer, Palfinger, Mangard 14 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Take-Home Message Manual analysis of side-channel leaks Tedious and error-prone SCAnDroid Framework to scan the Java-based Android APIs automatically Identified several side-channel leaks Available at https://github.com/IAIK/SCAnDroid Spreitzer, Palfinger, Mangard 15 WiSec 2018, Stockholm, Sweden, 20th June 2018
S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018, Stockholm, Sweden, 20th June 2018 www.iaik.tugraz.at
www.iaik.tugraz.at Disclaimer The xkcd comic, in particular the stick figures, and the plots have been drawn based on StackExchange [sta12] and the xkcd comic “Teaching Physics” [xkc11]. Spreitzer, Palfinger, Mangard 17 WiSec 2018, Stockholm, Sweden, 20th June 2018
www.iaik.tugraz.at Bibliography [sta12] StackExchange: Create xkcd style diagram in TeX. https://tex.stackexchange.com/questions/74878/create-xkcd-style-diagram-in-tex/74881#74881 , 2012. Accessed: May 31, 2018. [xkc11] xkcd Comic: Teaching Physics. https://xkcd.com/895/ , 2011. Accessed: May 31, 2018. [ZWB + 18] Xiaokuan Zhang, Xueqiang Wang, Xiaolong Bai, Yinqian Zhang, and XiaoFeng Wang. OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS. In Network and Distributed System Security Symposium − NDSS 2018, 2018. Spreitzer, Palfinger, Mangard 18 WiSec 2018, Stockholm, Sweden, 20th June 2018
Recommend
More recommend