Scippa: System-Centric IPC Provenance on Android Michael Backes, - - PowerPoint PPT Presentation

scippa system centric ipc provenance on android
SMART_READER_LITE
LIVE PREVIEW

Scippa: System-Centric IPC Provenance on Android Michael Backes, - - PowerPoint PPT Presentation

Feb 20, 2023 436 likes •663 views

Scippa: System-Centric IPC Provenance on Android Michael Backes, Sven Bugiel, Sebastian Gerling Saarland Univeristy, Germany 2014 Annual Computer Security Applications Conference Presenter: Qi Wang 1 Android application separation One

slide-1
SLIDE 1

Scippa: System-Centric IPC Provenance

  • n Android

Michael Backes, Sven Bugiel, Sebastian Gerling Saarland Univeristy, Germany

1

Presenter: Qi Wang 2014 Annual Computer Security Applications Conference

slide-2
SLIDE 2

Android application separation

  • One Linux User ID per App
  • File system access control via UID
  • Permissions bound to App UID

2

slide-3
SLIDE 3

Android app components

  • Activities

– A single screen with a user interface.

  • Services

– A component that runs in the background to perform long- running operations.

  • Broadcast Receivers

– A component that responds to system-wide broadcast announcements.

  • Content Providers

– Manage a shared set of app data. Through the content provider,

  • ther apps can query or even modify the data.

3

slide-4
SLIDE 4

Inter-app communication on Android

4

Wi-Fi Se,ngs App Se,ngs Widget

“Turn off Wi-Fi” [Bluetooth, GPS,…] Turn off

slide-5
SLIDE 5

Inter-process communication on Android

5

Wi-Fi UI Component Receiver Component UID A UID B

slide-6
SLIDE 6

Inter-process communication on Android

6

Wi-Fi Process Boundary Process Boundary UI Component Receiver Component Receiver Component UID A UID B UID S

IPC Mechanism must provide message provenance informaRon.

slide-7
SLIDE 7

Binder

  • A lightweight IPC mechanism on Android.
  • The primary channel for inter-app communication.

7

slide-8
SLIDE 8

Binder transaction protocol

  • Binder IPC provides receiver process with UID/PID of

sender process.

8

App Process A (Sender) Binder Kernel Module App Process S (Receiver)

  • 1. transaction = {recv, payloadA}
  • 2. transaction = {payloadA, UID=A}

If two-way transaction

  • 3. reply = {payloadS}
  • 4. reply = {payloadS}
slide-9
SLIDE 9

Losing provenance information

  • Cause 1: Message dispatching between threads

9

App Process A (Sender) App Process B (Receiver)

IPC Thread Main Thread

Binder Kernel Module

calling UID = A

  • 1. trans
  • 2. trans = {P

, UID=A} Dispatch Payload calling UID =

slide-10
SLIDE 10

Losing provenance information

  • Cause 2: Indirection communication

10

Intent sender Intent Receiver AcRvity Massager Service A B S

send intent deliver intent First binder transacRon Second binder transacRon

slide-11
SLIDE 11

Attacks

  • Confused deputy attack

– A malicious app with an insufficient set of permissions for its malign purpose tricks a privileged app into executing its privileges on behalf of the malicious app.

  • Intent hijacking

– A malicious app can intercept an implicit Intent simply by declaring an Intent filter with all of the actions, data, and categories listed in the Intent.

  • Intent spoofing

– A malicious app can launch an Intent spoofing attack by sending an Intent to an exported component that is not expecting Intents from that application.

11

slide-12
SLIDE 12

IPC provenance requirements

  • Availability of provenance information
  • Building system-centric IPC call-chains
  • Returning call-chains to senders
  • Tagging asynchronous messages

– Sticky Broadcast Intents are kept in the system and are delivered even to recipients that register after the broadcast was sent.

12

slide-13
SLIDE 13

Scippa

  • System-centric approach to remedy the situation
  • Extend Binder kernel module and Android’s

message handlers

  • Build call-chains across multiple app processes
  • Provide call-chains to all application components
  • Return call-chains to senders

13

slide-14
SLIDE 14

Scippa: idea

14

IPC Thread Main Thread

calling UID = [A,S]

App Process A (Sender) Binder Kernel Module System Process App Process B (Receiver)

1st TransacRon

  • 1. transA-S
  • 2. transA-S UID=[A]

2nd TransacRon

  • 3. transS-B
  • 4. transS-B = {P, UID=[A,S]}

Dispatch P Dispatch UID=[A,S]

slide-15
SLIDE 15

Linking nested transactions

15

IPC TransacRon Stack:

Trans #1 Trans #1 Trans #2 Trans #2 Trans #3 Trans #3

App A App B App C

Trans #1 Trans #2

App D

Trans #3 UID=[A,B] UID=[A,B,C] UID=[A]

Extend the transacRon data structure to hold call-chain.

slide-16
SLIDE 16

Linking one-way transactions

16

App

Incoming Trans #1 Outgoing Trans #1 Outgoing Trans #2

App ExecuGon State

WaiRng for IPC ExecuRng incoming trans #1 ExecuRng incoming trans #2

Forward call-chain from Trans #2

WaiRng for IPC

Store call-chain from Trans #1 Forward call-chain from Trans #1

WaiRng for IPC

Incoming Trans #2 Store call-chain from Trans #2

slide-17
SLIDE 17

Further techniques

  • Intra-app call-chain propagaRon

– Extended Message and Handler classes and Thread life-cycle funcRons of applicaRon runRme environment

  • Tagging Pending Intents and sRcky Broadcast Intents

– Extending Intent class and Broadcast subsystem: Restore IPC context from Intent object before sending

  • Accessing call-chains from user-space

– New API funcRons: getCallingUids / getCallingPids

  • Returning call-chains to sender

– Extended Binder protocol with BR_CALLCHAIN to return finished chain branches

17

slide-18
SLIDE 18

Transaction microbenchmark

  • Measure 52777 Binder transactions

– Weighted average overhead: 2.23%

18

45560

1 10 100 1,000 10,000 100,000 0.00% 0.50% 1.00% 1.50% 2.00% 2.50% 32 36 40

Payload Frequency

(512 B Bins)

Performance Overhead

4 8 12 16 20 24 28

Message Payload (KB)

Frequency Overhead

slide-19
SLIDE 19

User space benchmark

  • Measure the overhead from the app layer

perspective

19

3.70-25.33% overhead 12.70-26.73% overhead

slide-20
SLIDE 20

Call-chain statistics

20

General Branching Dispatching #Call-chains: 54,670 #Chains with branches: 54,670 (100%) #Chains with dispatching: 3,237 (5.91 %) Chain length: 1.56±0.01 #Branches (total): 141,330 #Dispatches (total): 24,966 Max length: 13 #Branches (per chain): 2.59±0.08 #Dispatches (per chain): 7.71±1.92

slide-21
SLIDE 21

IPC provenance evaluation

21 10048:1574:1585 1000:403:698 10048:1574:1574 10045:1679:1690 10044:1658:1677 1000:403:777 10044:1658:1658 10046:1419:1430 10045:1679:1679 10047:1520:1531 10047:1520:1520 1000:403:420 10043:1698:1698 10046:1419:1419 Parallel Broadcast Ordered Broadcast Binder IPC Message Dispatch IPC Thread Main Thread Receiver App System Server Thread Main Thread Sender App UID:PID:TID

1000:403:777

slide-22
SLIDE 22

Discussion

  • What’s the contribution of this paper?
  • What’s the limitation of Scippa?
  • Could the feedback mechanism in Scippa violate

privacy?

  • Call sender&receiver vs. call chain?
  • What other data can be collected to provide

more sufficient IPC provenance information?

  • How data provenance could be used in Android
  • r other areas?

22