TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
OSDI’10
William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth
Systems and Internet Infrastructure Security Laboratory (SIIS)

Smartphone Privacy?
(http://www.flickr.com/photos/pong/2404940312/)

Monitoring Smartphone Behavior
• There are tens of thousands of smartphone apps that provide both fun and valuable utility.
• General challenge: balance fun and utility with privacy
• Step 1: “look inside” of applications to watch how they use privacy sensitive data
  ‣ location
  ‣ phone identifiers
  ‣ microphone
  ‣ camera
  ‣ address book

Challenges
• Goal: Monitor app behavior to determine when privacy sensitive information leaves the phone
• Challenges ...
  ‣ Smartphones are resource constrained
  ‣ Third-party applications are entrusted with several types of privacy sensitive information
  ‣ Context-based privacy information is dynamic and can be difficult to identify even when sent in the clear
  ‣ Applications can share information

Dynamic Taint Analysis
• Dynamic taint analysis is a technique that tracks information dependencies from an origin
• Conceptual idea:
  ‣ Taint source: c = taint_source()
  ‣ Taint propagation: a = b + c
  ‣ Taint sink: network_send(a)
• Limitations: performance and granularity is a trade-off

TaintDroid
• TaintDroid is a system-wide integration of taint tracking into the Android platform
  ‣ Variable tracking throughout Dalvik VM environment
  ‣ Patches state after native method invocation
  ‣ Extends tracking between applications and to storage
• TaintDroid is a firmware modification, not an app
[Figure: TaintDroid architecture. Labels: Application Code, Msg (message-level tracking), Virtual Machine (variable-level tracking), Native System Libraries (method-level tracking), Secondary Storage (file-level tracking), Network Interface]

VM Variable-level Tracking
• We modified the Dalvik VM interpreter to store and propagate taint tags (a taint bit-vector) on variables.
• Local variables and args: taint tags stored adjacent to variables on the internal execution stack.
  ‣ 64-bit variables span 32-bit storage
• Class fields: similar to locals, but inside static and instance field heap objects
• Arrays: one taint tag per array to minimize overhead
[Figure: interpreter stack layout with taint tags interleaved. Labels: out0, out0 taint tag, out1, out1 taint tag, (unused), VM goop, v0 == local0, v0 taint tag, v1 == local1, v1 taint tag, v2 == in0, v4 taint tag]

DEX Propagation Logic
• Data flow: propagate source regs to destination reg

Op Format              Op Semantics     Taint Propagation                Description
const-op v_A C         v_A ← C          τ(v_A) ← ∅                       Clear v_A taint
move-op v_A v_B        v_A ← v_B        τ(v_A) ← τ(v_B)                  Set v_A taint to v_B taint
move-op-R v_A          v_A ← R          τ(v_A) ← τ(R)                    Set v_A taint to return taint
return-op v_A          R ← v_A          τ(R) ← τ(v_A)                    Set return taint (∅ if void)
move-op-E v_A          v_A ← E          τ(v_A) ← τ(E)                    Set v_A taint to exception taint
throw-op v_A           E ← v_A          τ(E) ← τ(v_A)                    Set exception taint
unary-op v_A v_B       v_A ← ⊗v_B       τ(v_A) ← τ(v_B)                  Set v_A taint to v_B taint
binary-op v_A v_B v_C  v_A ← v_B ⊗ v_C  τ(v_A) ← τ(v_B) ∪ τ(v_C)         Set v_A taint to v_B taint ∪ v_C taint
binary-op v_A v_B      v_A ← v_A ⊗ v_B  τ(v_A) ← τ(v_A) ∪ τ(v_B)         Update v_A taint with v_B taint
binary-op v_A v_B C    v_A ← v_B ⊗ C    τ(v_A) ← τ(v_B)                  Set v_A taint to v_B taint
aput-op v_A v_B v_C    v_B[v_C] ← v_A   τ(v_B[·]) ← τ(v_B[·]) ∪ τ(v_A)   Update array v_B taint with v_A taint
aget-op v_A v_B v_C    v_A ← v_B[v_C]   τ(v_A) ← τ(v_B[·]) ∪ τ(v_C)      Set v_A taint to array and index taint
sput-op v_A f_B        f_B ← v_A        τ(f_B) ← τ(v_A)                  Set field f_B taint to v_A taint
sget-op v_A f_B        v_A ← f_B        τ(v_A) ← τ(f_B)                  Set v_A taint to field f_B taint
iput-op v_A v_B f_C    v_B(f_C) ← v_A   τ(v_B(f_C)) ← τ(v_A)             Set field f_C taint to v_A taint
iget-op v_A v_B f_C    v_A ← v_B(f_C)   τ(v_A) ← τ(v_B(f_C)) ∪ τ(v_B)    Set v_A taint to field f_C and object reference taint

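Added example (not from the original slides): a toy register machine that applies the const, binary, aput and aget rows of the table above, with a taint source and a network sink as in the conceptual idea. Tag bit values, method names and the sample IMEI are constructed for this illustration.

```python
# Toy register machine applying the slide's DEX taint rules (added example).
# Tag bit values and method names are assumptions, not TaintDroid's own.
TAINT_LOCATION, TAINT_IMEI = 0x1, 0x2    # one bit per source in the bit-vector

class Array:                             # ONE taint tag for the whole array
    def __init__(self, size):
        self.data, self.taint = [0] * size, 0

class VM:
    def __init__(self):
        self.reg, self.tag = {}, {}      # register values and their taint tags
        self.alerts = []                 # (payload, tag) pairs seen at the sink

    def source(self, a, value, tag):     # taint source: value arrives with a tag
        self.reg[a], self.tag[a] = value, tag

    def const(self, a, c):               # const-op: tau(vA) <- empty set
        self.reg[a], self.tag[a] = c, 0

    def binary(self, a, b, c, fn):       # binary-op: tau(vA) <- tau(vB) U tau(vC)
        self.reg[a] = fn(self.reg[b], self.reg[c])
        self.tag[a] = self.tag[b] | self.tag[c]

    def aput(self, a, b, c):             # aput-op: tau(vB[.]) <- tau(vB[.]) U tau(vA)
        arr = self.reg[b]
        arr.data[self.reg[c]] = self.reg[a]
        arr.taint |= self.tag[a]

    def aget(self, a, b, c):             # aget-op: tau(vA) <- tau(vB[.]) U tau(vC)
        arr = self.reg[b]
        self.reg[a] = arr.data[self.reg[c]]
        self.tag[a] = arr.taint | self.tag[c]

    def network_send(self, a):           # taint sink: record tainted outbound data
        if self.tag[a]:
            self.alerts.append((self.reg[a], self.tag[a]))

def run_demo():
    vm = VM()
    vm.source("v0", 356938035643809, TAINT_IMEI)     # constructed sample IMEI
    vm.const("v1", 7)
    vm.binary("v2", "v0", "v1", lambda x, y: x + y)  # a = b + c stays tainted
    vm.const("v3", Array(4))             # fresh, untainted array reference
    vm.const("v4", 0)
    vm.const("v5", 1)
    vm.aput("v2", "v3", "v4")            # tainted value stored at index 0
    vm.aput("v1", "v3", "v5")            # clean constant stored at index 1
    vm.aget("v6", "v3", "v5")            # clean element read back, array tag applies
    vm.network_send("v6")                # flagged: cost of one tag per array
    return vm
```

The alert on the clean element at index 1 is the granularity side of the performance trade-off: one tag per array keeps overhead low but over-taints every element once any tainted value is stored.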
Native Methods
• Applications execute native methods through the Java Native Interface (JNI)
• TaintDroid uses a combination of heuristics and method profiles to patch VM tracking state
  ‣ Applications are restricted to only invoking native methods in system-provided libraries
[Figure: TaintDroid architecture diagram with message-level, variable-level, method-level and file-level tracking]
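Added example (not from the original slides): one way a VM could patch taint tags after a native call it cannot trace. The slide does not spell out the profile format or the heuristic; this sketch assumes a profile is a list of (from, to) flows and that the fallback heuristic unions argument taints into the return value, and the profile entries and the `libdemo` names are hypothetical.

```python
# Added sketch: patching caller taint tags after a native call the interpreter
# cannot trace. The profile format and its entries are assumptions of this example.
RETURN = "ret"

# Hypothetical method profiles: (src, dst) means the taint of argument `src`
# flows into argument `dst`, or into the return value when dst is RETURN.
PROFILES = {
    "System.arraycopy": [(0, 2)],       # src array -> dest array, void return
    "libdemo.checksum": [(0, RETURN)],  # made-up native method
}

def heuristic(arg_tags):
    """Fallback: return taint = union of all argument taints; args untouched."""
    ret = 0
    for tag in arg_tags:
        ret |= tag
    return list(arg_tags), ret

def patch_after_native(method, arg_tags):
    """Return (patched_arg_tags, return_tag) to write back into VM state."""
    flows = PROFILES.get(method)
    if flows is None:                   # no profile known: use the heuristic
        return heuristic(arg_tags)
    tags, ret = list(arg_tags), 0
    for src, dst in flows:
        if dst == RETURN:
            ret |= arg_tags[src]
        else:
            tags[dst] |= arg_tags[src]
    return tags, ret
```

With only the fallback, a copy from a tainted source array leaves the destination array's tag empty because the method returns void; the profile entry is what carries the tag across.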