static analysis for extracting permission checks of a
play

Static Analysis for Extracting Permission Checks of a Large Scale - PowerPoint PPT Presentation

Nov 17, 2022 •206 likes •992 views

Android Framework Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android Alexandre Bartel University of Luxembourg September 8, 2014 Supervisor: Yves Le Traon Advisors:

  1. Android Framework Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android Alexandre Bartel University of Luxembourg September 8, 2014 Supervisor: Yves Le Traon Advisors: Jacques Klein & Martin Monperrus Alexandre Bartel Static Analysis of Permission-Based Systems 1 / 22

  2. Android Framework Static Analysis of a Permission-Based Security System Application Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  3. Android Framework Static Analysis of a Permission-Based Security System s The application 2 3 4 declares permissions Application p 1 and p 2 5 Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  4. Android Framework Static Analysis of a Permission-Based Security System s The application 2 3 4 declares permissions Application p 1 and p 2 5 e 1 e 2 e 3 Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  5. Android Framework Static Analysis of a Permission-Based Security System s The application 2 3 4 declares permissions Application p 1 and p 2 5 e 1 e 2 e 3 e 4 Framework Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  6. Android Framework Static Analysis of a Permission-Based Security System s The application 2 3 4 declares permissions Application p 1 and p 2 5 e 1 e 2 e 3 e 4 f 1 f 2 f 3 f 8 Framework f 4 f 5 f 9 f 6 Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  7. Android Framework Static Analysis of a Permission-Based Security System s The application 2 3 4 declares permissions Application p 1 and p 2 5 e 1 e 2 e 3 e 4 f 1 f 2 f 3 f 8 Framework ck 2 f 4 f 5 f 9 f 6 ck 1 Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  8. Android Framework Static Analysis of a Permission-Based Security System s The application 2 3 4 declares permissions Application p 1 and p 2 5 e 1 e 2 e 3 e 4 p 3 f 1 f 2 f 3 f 8 Framework p 2 ck 2 f 4 f 5 f 9 p 1 f 6 ck 1 Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  9. Android Framework Static Analysis of a Permission-Based Security System ( e 1 e 2 e 3 e 4 ) Application 1 1 1 0 e 1 e 2 e 3 e 4 p 3 f 1 f 2 f 3 f 8 Framework p 2 ck 2 f 4 f 5 f 9 p 1 f 6 ck 1 Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  10. Android Framework Static Analysis of a Permission-Based Security System ( e 1 e 2 e 3 e 4 ) Application 1 1 1 0 p 1 p 2 p 3  1 0 0  e 1 e 2 1 0 0 Framework     0 0 0 e 3   e 4 0 1 0 Alexandre Bartel Static Analysis of Permission-Based Systems 2 / 22

  11. Android Framework Methodology to Compute Permission Set (Step 1/3) Step 1: Extract Framework Permission Matrix p 1 p 2 p 3  1 0 0  e 1 1 0 0 e 2   M =   e 3 0 0 0   0 1 0 e 4 This step is only done once (for a given framework). Alexandre Bartel Static Analysis of Permission-Based Systems 3 / 22

  12. Android Framework Methodology to Compute Permission Set (Step 2/3) Step 2: Extract Application Access Vector ( e 1 e 2 e 3 e 4 ) AV app = 1 1 1 0 This step is done for every application . Alexandre Bartel Static Analysis of Permission-Based Systems 4 / 22

  13. Android Framework Methodology to Compute Permission Set (Step 3/3) Step 3: Infer Permission Set of the Application  1 0 0  1 0 0   ( ) IP app = 1 1 1 0 ·   0 0 0   0 1 0 ( ) IP app = 1 0 0 This step is done for every application . Alexandre Bartel Static Analysis of Permission-Based Systems 5 / 22

  14. Android Framework Android Framework Call Graph Construction e 1 e 2 e 3 e 4 p 3 f 1 f 2 f 3 f 8 Framework p 2 f 4 f 5 f 9 ck 2 p 1 ck 1 f 6 Alexandre Bartel Static Analysis of Permission-Based Systems 6 / 22

  15. Android Framework Android Framework Call Graph Construction e 1 e 2 e 3 e 4 p 3 f 1 f 2 f 3 f 8 Framework p 2 f 4 f 5 f 9 ck 2 p 1 ck 1 f 6 Alexandre Bartel Static Analysis of Permission-Based Systems 6 / 22

  16. Android Framework Android Framework Call Graph Construction e 1 e 2 e 3 e 4 p 3 f 1 f 2 f 3 f 8 Framework p 2 f 4 f 5 f 9 ck 2 p 1 ck 1 f 6 Alexandre Bartel Static Analysis of Permission-Based Systems 6 / 22

  17. Android Framework Android Framework Call Graph Construction e 1 e 2 e 3 e 4 p 3 f 1 f 2 f 3 f 8 Framework p 2 f 4 f 5 f 9 ck 2 p 1 ck 1 f 6 Alexandre Bartel Static Analysis of Permission-Based Systems 6 / 22

  18. Android Framework Android Framework Call Graph Construction e 1 e 2 e 3 e 4 p 3 f 1 f 2 f 3 f 8 Framework p 2 f 4 f 5 f 9 ck 2 p 1 ck 1 f 6 Alexandre Bartel Static Analysis of Permission-Based Systems 6 / 22

  19. Android Framework Call Graph Construction Techniques for Java ▶ Not precise: CHA (based on class hierarchy) ▶ CHA essential (1/4) ▶ CHA intelligent (2/4) ▶ Field sensitive: Spark ▶ Spark naive (3/4) ▶ Spark intelligent (4/4) Alexandre Bartel Static Analysis of Permission-Based Systems 7 / 22

  20. Android Framework CHA Essential (1/4) Alexandre Bartel Static Analysis of Permission-Based Systems 8 / 22

  21. Android Framework CHA Essential (1/4) ▶ Uses CHA algorithm for call graph Alexandre Bartel Static Analysis of Permission-Based Systems 8 / 22

  22. Android Framework CHA Essential (1/4) ▶ Uses CHA algorithm for call graph ▶ Locates check methods in the call graph Alexandre Bartel Static Analysis of Permission-Based Systems 8 / 22

  23. Android Framework CHA Essential (1/4) ▶ Uses CHA algorithm for call graph ▶ Locates check methods in the call graph ▶ Extracts names of checked permissions Alexandre Bartel Static Analysis of Permission-Based Systems 8 / 22

  24. Android Framework CHA Essential (1/4) ▶ Uses CHA algorithm for call graph ▶ Locates check methods in the call graph ▶ Extracts names of checked permissions Permission Set # entry points with 0 permissions 31,791 (64%) with 1 permissions 1 ( < 0.01%) with 105 permissions 18,237 (36%) 50,029 (100%) Alexandre Bartel Static Analysis of Permission-Based Systems 8 / 22

  25. Android Framework CHA Essential (1/4) ▶ Uses CHA algorithm for call graph ▶ Locates check methods in the call graph ▶ Extracts names of checked permissions Permission Set # entry points with 0 permissions 31,791 (64%) with 1 permissions 1 ( < 0.01%) with 105 permissions 18,237 (36%) 50,029 (100%) ▶ Why explosion of permission set size? Alexandre Bartel Static Analysis of Permission-Based Systems 8 / 22

  26. Android Framework CHA Essential (1/4) ▶ Uses CHA algorithm for call graph ▶ Locates check methods in the call graph ▶ Extracts names of checked permissions Permission Set # entry points with 0 permissions 31,791 (64%) with 1 permissions 1 ( < 0.01%) with 105 permissions 18,237 (36%) 50,029 (100%) ▶ Why explosion of permission set size? ▶ Call graph goes through binder code Alexandre Bartel Static Analysis of Permission-Based Systems 8 / 22

  27. Android Framework CHA Essential (1/4): The Real World System with Multiple Software Layers (source: Gargenta, 2012) Alexandre Bartel Static Analysis of Permission-Based Systems 9 / 22

  28. Android Framework CHA Essential (1/4): The Reason of the Explosion S 1 m 1 p 0 S 1 m 2 p 0 S 1 m 3 p 1 S 1 m 4 − S 1 m 5 p 2 S 1 m 6 p 0 S 1 S 2 m 1 p 3 . . . Api S 1 . 1 S 3 m 1 p 6 . . S g . S h S i . . . . . . Binder Services Services API target transact onTransact methods method methods methods Alexandre Bartel Static Analysis of Permission-Based Systems 10 / 22

  29. Android Framework CHA Intelligent (2/4) Alexandre Bartel Static Analysis of Permission-Based Systems 11 / 22

  30. Android Framework CHA Intelligent (2/4) ▶ Uses CHA algorithm for call graph Alexandre Bartel Static Analysis of Permission-Based Systems 11 / 22

  31. Android Framework CHA Intelligent (2/4) ▶ Uses CHA algorithm for call graph ▶ Finds check methods in the call graph Alexandre Bartel Static Analysis of Permission-Based Systems 11 / 22

  32. Android Framework CHA Intelligent (2/4) ▶ Uses CHA algorithm for call graph ▶ Finds check methods in the call graph ▶ Extracts names of checked permissions Alexandre Bartel Static Analysis of Permission-Based Systems 11 / 22

  33. Android Framework CHA Intelligent (2/4) ▶ Uses CHA algorithm for call graph ▶ Finds check methods in the call graph ▶ Extracts names of checked permissions ▶ Handles system service communication through the ”Binder” Alexandre Bartel Static Analysis of Permission-Based Systems 11 / 22

  34. Android Framework CHA Intelligent (2/4): Handling Binder Account System Service Application Code getPassword() { Service Call checkPermission(); r = getSystemService() return password; } p = r.getPassword() Binder (Linux module) Alexandre Bartel Static Analysis of Permission-Based Systems 12 / 22

  35. Android Framework CHA Intelligent (2/4): Handling Binder Account System Service Application Code getPassword() { Service Call checkPermission(); r = getSystemService() return password; 1 } p = r.getPassword() Binder (Linux module) Alexandre Bartel Static Analysis of Permission-Based Systems 12 / 22

Recommend

Program Analysis Program Analysis Extracting information, in order to present Extracting

Program Analysis Program Analysis Extracting information, in order to present Extracting

Program Analysis Program Analysis Extracting information, in order to present Extracting static and dynamic information from a software system abstractions of, or answer questions about, a software system Static Analysis: Examines the

201 views • 6 slides
Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program Analysis Extracting information, in order to present abstractions of, or answer questions about, a software system Static Analysis: Examines the

754 views • 32 slides
Extracting a Data Flow Analyser in Constructive Logic David Cachera, Thomas Jensen, David

Extracting a Data Flow Analyser in Constructive Logic David Cachera, Thomas Jensen, David

Extracting a Data Flow Analyser in Constructive Logic David Cachera, Thomas Jensen, David Pichardie and Vlad Rusu APPSEM04, Tallinn Static program analysis The goals of static program analysis To prove properties about the run-time

966 views • 51 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Hardware Supported Permission Checks On Persistent Objects for Performance and Programmability

Hardware Supported Permission Checks On Persistent Objects for Performance and Programmability

Hardware Supported Permission Checks On Persistent Objects for Performance and Programmability Tiancong Wang, Sakthikumaran Sambasivam, James Tuck twang14@ncsu.edu or jtuck@ncsu.edu 1 NVM Programming 2 NVM Programming

1.67k views • 98 slides
Solar-Cell Measurements: Extracting Information and Avoiding Pitfalls Jim Sites, Physics

Solar-Cell Measurements: Extracting Information and Avoiding Pitfalls Jim Sites, Physics

Solar-Cell Measurements: Extracting Information and Avoiding Pitfalls Jim Sites, Physics Department Colorado State University (1) Current-voltage (J-V) curves (2) Current-voltage analysis Visual messages and reality checks (3) Diode

823 views • 43 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and transforms a program to the stream of tokens: removes empty symbols and commentaries; identifies keywords, indentifiers and literal

400 views • 37 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen,

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang &amp; Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

605 views • 36 slides
Quiz: Types A. What is the static type of: int f(int x, float y) { return x y; } B. What are

Quiz: Types A. What is the static type of: int f(int x, float y) { return x y; } B. What are

Quiz: Types A. What is the static type of: int f(int x, float y) { return x y; } B. What are the values of the static type? C. What are the operations of this type? Oberon Types Rules (Phase I Checks) Numeric types The INTEGER and REAL types

468 views • 12 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides

More recommend