Application-layer security extensions · 2016-09-15
Page 1
Application-layer security extensions
• Inlined Reference Monitoring
• App Virtualization
• Compiler-based instrumentation
Page 2
GOALS & USE-CASES
§ Deploy security solutions independently from the device/OS vendor or app developers
- End user should be empowered
§ If possible, abstain from escalated privileges, i.e., from root
§ Provide the strongest possible security guarantees
Page 3
POSSIBLE APPLICATION-LAYER SOLUTIONS
§ Various application areas, such as:
- Privacy protection
  • E.g., AppGuard [99], Aurasium [100], I-ARM-Droid [101], RetroSkeleton [102], DroidForce [103]
- Deploying third-party security patches
  • E.g., AppSealer [104], Capper [105]
- Enforcing enterprise policies
  • E.g., DeepDroid [106]
- Patching Android vulnerabilities
  • E.g., PatchDroid [107]
- App virtualization
  • E.g., Boxify [108], NJAS [109]
Page 4
Application-layer security extensions
Inlined Reference Monitoring
Page 5
MOTIVATION
Existing permission system
Understand an app's behavior
Enforce a desired level of privacy
Page 6
How to enforce such dynamic permissions?
Page 7
PROBLEM DESCRIPTION
§ Ideally performed at OS/middleware layer → Requires firmware modification!
Diagram labels: Untrusted App, Operating System, Monitor
Page 8
PROBLEM DESCRIPTION
§ Ideally performed at OS/middleware layer → Requires firmware modification!
§ Android isolates app processes: "all apps are created equal" → Monitor not privileged enough!
Diagram labels: Untrusted App, Operating System, Monitor App
Page 9
PROBLEM DESCRIPTION
§ Ideally performed at OS/middleware layer → Requires firmware modification!
§ Android isolates app processes: "all apps are created equal" → Monitor not privileged enough!
§ Solution: Combine monitor and app into a "self-monitoring" app
Diagram labels: Operating System, Monitor, Untrusted App
Page 10
INLINE REFERENCE MONITORING
§ Dynamic Access Control
– Prevent apps from accessing certain system resources
– Revocation and re-granting of permissions
§ Fine-granular Security Policies
– Comprehensible for user
– Expressive for developer
§ "Graceful degradation"
– Apps should not crash after access to a restricted resource
§ No change to the OS
– Deployment as regular Android app (no root)
Page 11
INLINE REFERENCE MONITORING
§ Goal: Mediate security-relevant operations
- Monitor program behavior at critical points
- Instrument program to redirect control flow to the monitor
- Take action based on security policy
  • Terminate program
  • Suppress operation
§ Security-relevant operations
- Function calls: Java Core API, Android API
- Control flow redirection either at caller-site or callee-site
§ Typically by bytecode modification
7. BWINF Forschungstage
Page 12
CALLER- VS. CALLEE-SITE REWRITING
Untrusted App (Application.main()):
  String s; URL u;
  s = "http://attacker.com/";
  u = new URL(s);
  u.openConnection();
  ...
System Library (URL.openConnection()):
  ...
  return connection;
Page 13
2. CyberCrime Kongress 2013
CALLEE-SITE REWRITING
Monitor (Monitor.checkConnection(url)):
  if (!connectionAllowed(url)) {
      System.exit(1);
  }
Untrusted App (Application.main(), unchanged):
  String s; URL u;
  s = "http://attacker.com/";
  u = new URL(s);
  u.openConnection();
  ...
System Library (URL.openConnection(), rewritten at the callee site):
  ...
  Monitor.checkConnection(this);
  ...
  return connection;
Page 14
CALLER-SITE REWRITING
Untrusted App (Application.main(), before rewriting):
  String s; URL u;
  s = "http://attacker.com/";
  u = new URL(s);
  u.openConnection();
  ...
Untrusted App (Application.main(), rewritten at the caller site):
  String s; URL u;
  s = "http://attacker.com/";
  u = new URL(s);
  Monitor.openConnection(u);
  ...
System Library (URL.openConnection(), unchanged):
  ...
  return connection;
Monitor (Monitor.openConnection(url)):
  if (connectionAllowed(url)) {
      return url.openConnection();
  } else {
      System.exit(1);
  }
Page 15
CALLER- VS. CALLEE-SIDE REWRITING
Caller-side:
- Many places to instrument
- Dynamically loaded code
- Reflection
- Possible in practice for end-users
Callee-side:
- Few places to instrument
- Dynamically loaded code
- Reflection
- Impossible in practice for end-users
Page 16
APPGUARD: REWRITER
§ Rewriter
- Works directly on Dalvik executable (DEX) bytecode
- Generates runtime monitor from policies and merges it into the target app
- Identifies invocations of security-relevant methods within the target app's bytecode
- Rewrites target app to call into the monitor right before every invocation of a security-relevant method (caller-site rewriting)
- Additional try-catch block allows monitor to suppress the security-relevant method call and return a mock value
Page 17
APPGUARD: REWRITER
Original code:
  URL url = new URL(loc);
  try {
      url.openConnection();
  } catch (IOException e) {
      // handle IOException
  }
After rewriting:
  URL url = new URL(loc);
  try {
      Monitor.checkConnection(url);
      url.openConnection();
  } catch (IOException e) {
      // handle IOException
  } catch (MonitorException e) {
      // no return value, ignore
  }
Original code:
  TelephonyManager tm = getTelephonyManager();
  String deviceId = tm.getDeviceId();
After rewriting:
  TelephonyManager tm = getTelephonyManager();
  String deviceId;
  try {
      Monitor.checkDeviceId(tm);
      deviceId = tm.getDeviceId();
  } catch (MonitorException e) {
      deviceId = e.mockValue();
  }
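The caller-site rewrite of pages 14, 16 and 17, as an added example that is not AppGuard's code: a small rewriter walks the syntax tree of a constructed "untrusted app" (standing in for its DEX bytecode), redirects every call to a security-relevant function into a monitor, and the monitor either lets the call proceed or suppresses it and hands back a mock value so the app degrades gracefully. open_connection and get_device_id are hypothetical stand-ins for URL.openConnection and TelephonyManager.getDeviceId; the policy and the app source are constructed.

```python
import ast
from urllib.parse import urlparse

# Hypothetical stand-ins for the security-relevant Android API methods.
SECURITY_RELEVANT = {"open_connection", "get_device_id"}


class MonitorException(Exception):
    """Raised by the monitor to suppress a call; carries the mock value."""

    def __init__(self, mock_value=None):
        super().__init__("call suppressed by policy")
        self.mock_value = mock_value


class Monitor:
    """Inlined policy decisions; a host not on the allow-list is denied."""

    def __init__(self, allowed_hosts, allow_device_id):
        self.allowed_hosts = set(allowed_hosts)
        self.allow_device_id = allow_device_id
        self.log = []  # security-relevant events (AppGuard pushes these via IPC)

    def check(self, name, args):
        if name == "open_connection":
            host = urlparse(args[0]).hostname
            if host not in self.allowed_hosts:
                self.log.append(("deny", name, host))
                raise MonitorException(mock_value=None)  # no return value to fake
        elif name == "get_device_id" and not self.allow_device_id:
            self.log.append(("deny", name, None))
            raise MonitorException(mock_value="000000000000000")  # mock IMEI
        self.log.append(("allow", name, args[0] if args else None))


class CallerSiteRewriter(ast.NodeTransformer):
    """Caller-site rewriting: f(x) becomes _guarded("f", f, x) at every call site."""

    def __init__(self):
        self.instrumented = 0  # how many call sites had to be touched

    def visit_Call(self, node):
        self.generic_visit(node)  # rewrite nested calls first
        if isinstance(node.func, ast.Name) and node.func.id in SECURITY_RELEVANT:
            self.instrumented += 1
            return ast.Call(
                func=ast.Name(id="_guarded", ctx=ast.Load()),
                args=[ast.Constant(node.func.id), node.func, *node.args],
                keywords=node.keywords,
            )
        return node


def rewrite(source):
    """Return (compiled rewritten app, number of instrumented call sites)."""
    rewriter = CallerSiteRewriter()
    tree = ast.fix_missing_locations(rewriter.visit(ast.parse(source)))
    return compile(tree, "<rewritten-app>", "exec"), rewriter.instrumented


def run_app(source, monitor):
    """Rewrite the app and run it with the monitor merged into its namespace."""
    code, instrumented = rewrite(source)

    def _guarded(name, fn, *args, **kwargs):
        # The inserted check runs right before the original call; if the
        # monitor throws, the call is skipped and the mock value is returned,
        # which is what the try/catch (MonitorException) block of page 17 does.
        try:
            monitor.check(name, args)
        except MonitorException as e:
            return e.mock_value
        return fn(*args, **kwargs)

    namespace = {
        "_guarded": _guarded,
        # Constructed stand-ins for the system library (no real I/O).
        "open_connection": lambda url: f"connected:{url}",
        "get_device_id": lambda: "359881234567890",
    }
    exec(code, namespace)
    return namespace["results"], instrumented


# Constructed untrusted app: one legitimate request, one tracker request and a
# device-identifier read, in the spirit of the wetter.com case study on page 25.
APP_SOURCE = """
results = {}
results["weather"] = open_connection("http://wetter.com/forecast")
results["ads"] = open_connection("http://tracker.example/collect")
results["imei"] = get_device_id()
"""


def demo():
    monitor = Monitor(allowed_hosts=["wetter.com"], allow_device_id=False)
    results, instrumented = run_app(APP_SOURCE, monitor)
    return results, instrumented, monitor.log


if __name__ == "__main__":
    print(demo())
```

The rewriter only sees direct calls it can name statically, which is the "many places to instrument" and reflection caveat of page 15.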
Page 18
DIFFERENT SOLUTIONS TO IRM
Page 19
APPGUARD – CONCEPTUAL OVERVIEW
Diagram labels: Policies, Management, Rewriter, Untrusted App, Monitor, Untrusted App (rewritten), logging, config
Implemented as stand-alone app:
→ easily deployable
Pages 20-24 (incremental builds of one slide)
APPGUARD: MANAGEMENT
§ UI for rewriting apps on the phone
§ Policy configuration per app
- Passed to target app via world-readable config file
- Fine-grained configuration supported
§ Log of security-relevant events
- Pushed via IPC from inlined monitor
Forschungstage Informatik 2014
Page 25
CASE STUDIES: Wetter.com
§ Provides weather information & forecast
§ Displays advertisements
§ Situation
- Retrieves weather data from wetter.com
- Requests INTERNET permission for full Internet access
§ Solution
- Selectively allow access to wetter.com servers only
- No more advertisements displayed
Page 26
CASE STUDIES: Twitter
§ Mobile client for popular micro-blogging service
§ Situation
- Automatically transfers contact data to Twitter servers without user's knowledge or consent
- Part of Twitter's "find friends" feature
§ Solution
- Block access to user's contact data
- Friends can still be added manually
Page 27
CASE STUDIES: Endomondo Sports Tracker
§ Tracks your outdoor sport activities (running, cycling, etc.)
§ Creates personal sports profile
§ Situation
- Leaks authentication token via HTTP
§ Solution
- Intercept HTTP connections and redirect to encrypted HTTPS
Page 28
CASE STUDIES: (Evil) TeaTimer
§ Simple timer app
§ Requires INTERNET permission only
§ Situation
- Uploads user's personal photos to public photo sharing site
- No permission required to access photo storage
§ Solution
- Block access to photo storage
Page 29
APPGUARD: DISCUSSION
§ Practical solution to a pressing security problem
- Negligible runtime overhead (<6%)
- Reasonable rewriting time (5-60 seconds)
- Deployed & widely adopted (~1 million downloads over 8 months)
§ General purpose lightweight runtime instrumentation
- Only minimal static rewriting (caller-site) necessary
Page 30
DRAWBACKS OF INLINED REFERENCE MONITORING
§ Inlined reference monitor shares the same process space as the untrusted monitored code
§ No strong security boundary between monitoring and monitored code!
▶ Malicious code can attack and disable/modify the reference monitor!
§ Rewriter must be able to identify the call-sites
▶ Malicious code can include custom implementations of SDK functions with different function signatures!
▶ Native code not covered!
Page 31
DRAWBACKS OF INLINED REFERENCE MONITORING (2)
§ Android relies on same-origin model for application updates
- Every app is cryptographically signed by its developer
- Digital signature identifies origin
- App updates only allowed if from same origin (i.e., having same signature as original app)
§ IRM breaks with the same-origin model, because application code has to be instrumented with inlined code
▶ Breaks the digital signature and hence origin!
Page 32
Application-layer security extensions
App virtualization
Page 33
MOTIVATION
OS Extensions: Cells [SOSP'11], Apex [ASIACCS'10], ASM [SEC'15], L4Android [SPSM'11], TaintDroid [OSDI'10], CRePE [ISC'10], TrustDroid [SPSM'11], MOSES [SACMAT'12], AirBag [NDSS'14], FlaskDroid [SEC'13]
Application Layer Solutions: AppGuard [TACAS'13], I-ARM-Droid [MoST'12], DroidForce [ARES'14], Aurasium [SEC'12], RetroSkeleton [MobiSys'13], Dr. Android & Mr. Hide [SPSM'12]
Page 34
ANDROID OS EXTENSIONS
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; App, App; Kernel Boundary; Process Boundary
Page 35
ANDROID OS EXTENSIONS
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; App, App; Monitor, Monitor
✔ Strong security
✖ Hard to deploy
Page 36
APPLICATION LAYER SOLUTIONS
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; App, App
Page 37
APPLICATION LAYER SOLUTIONS
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; App, App, Monitor
✔ Easy to deploy
✖ No app monitoring possible
Page 38
INLINED REFERENCE MONITORING
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; App, App, Monitor
✔ Easy to deploy
✖ Weak security
Page 39
GOAL OF APP VIRTUALIZATION
OS Extensions: ✔ Strong security, ✖ Hard to deploy
Application Layer Solutions: ✔ Easy to deploy, ✖ Weak security
Page 40
GOAL OF APP VIRTUALIZATION
OS Extensions: ✔ Strong security, ✖ Hard to deploy
Application Layer Solutions: ✔ Easy to deploy, ✖ Weak security
Our Goal: ✔ Easy to deploy, ✔ Strong security
Page 41
OBJECTIVES
Monitor and constrain untrusted applications
✔ Easy to deploy
- No firmware modification / root
- No application modification
✔ Strong security
- Protected reference monitor
- Fail-safe defaults
Page 42
APPROACH (1)
Objective: No firmware modification / root
Solution: Regular user-space application
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; App, App, Monitor
Page 43
APPROACH (2)
Objective: No application modification
Diagram labels (two diagrams): System Services; Linux Kernel, Binder IPC, Syscall API; App, App, Monitor
Page 44
APPROACH (2)
Objective: No application modification
Solution: Application virtualization
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; Monitor, App, App
Page 45
APPROACH (3)
Objective: Protected reference monitor
Solution: Separate process
Diagram labels (two diagrams): System Services; Linux Kernel, Binder IPC, Syscall API; Monitor, App, App; Monitor, App, Shim, App
Pages 46-48
APPROACH (4)
Objective: Fail-safe defaults
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; Monitor, App, Shim, App (page 48: Monitor, App, ZeroPerm App)
Page 49
APPROACH (4)
Objective: Fail-safe defaults
Solution: Isolated process
Page 50
ISOLATED PROCESS
§ Allows service components to run isolated from the rest of the application
§ Isolated processes
- Have zero permissions
- Have no access to system services
- Run with a distinct, transient UID
- Cannot write to the file system
Page 51
APP VIRTUALIZATION ARCHITECTURE
Boxify
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; Monitor App; Isolated Process, App
Page 52
APP VIRTUALIZATION ARCHITECTURE
Boxify
Diagram labels: System Services; Linux Kernel, Binder IPC, Syscall API; Broker App; Target App
Page 53
TARGET
Diagram: Broker; Target App containing IPC Shim, Syscall Shim and Sandbox Service
- IPC Shim: Divert Binder IPC to Broker
- Syscall Shim: Divert Syscalls to Broker
- Sandbox Service: Control channel for loading/terminating apps
Page 54
LOADING AN APP
Sequence diagram between Broker and Target:
Context.bindService() → Binder: SandboxService → Isolated process is created
SandboxService.prepare() → Binder: ApplicationThread → Shims are set up
ApplicationThread.bindApplication() → App is started
Page 55
BROKER
Diagram: Target → API Layer (IPC Receiver, Syscall Receiver) → Core Logic Layer (Service PEP, Service PEP, Syscall PEP, Core Services) → Virtualization Layer (Srv Stub, Srv Stub, Component Broker, …)
Page 56
API LAYER
Establish compatibility across Android versions (IPC Receiver, Syscall Receiver)
Page 57
CORE LOGIC LAYER
Baseline enforcement & virtual system services (Service PEP, Service PEP, Syscall PEP, Core Services)
Page 58
VIRTUALIZATION LAYER
Translate between Boxify and Android system
Page 59
VIRTUALIZATION LAYER
App components: Activity A, Activity B, Service A, Service B, Receiver A
Boxify stub components: Activity 1 … Activity N, Service 1 … Service N, Receiver 1 …
startActivity(ActivityA) → startActivity(Activity1)
scheduleLaunchActivity(Activity1) → scheduleLaunchActivity(ActivityA)
Diagram labels: Activity A, Activity 1
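A model of the broker path described on pages 53 to 59, added here and not Boxify's own code: the target's IPC shim hands each call to the broker, a service PEP applies the policy with a fail-safe default (no rule means deny), and the virtualization layer maps the target app's components onto the broker's pre-declared stubs (Activity1..ActivityN) and translates system callbacks back. Service names, the policy and the stub pool size are constructed.

```python
from dataclasses import dataclass, field


class PolicyDenied(Exception):
    """The broker refused to forward a call on the target's behalf."""


@dataclass
class ServicePEP:
    """Policy enforcement point in front of a (virtual) system service.

    Fail-safe default: a (service, method) pair without a rule is denied,
    so the zero-permission target gains nothing the policy did not grant.
    """
    rules: dict                       # constructed: (service, method) -> bool
    log: list = field(default_factory=list)

    def enforce(self, caller, service, method):
        allowed = self.rules.get((service, method), False)
        self.log.append((caller, service, method, "allow" if allowed else "deny"))
        if not allowed:
            raise PolicyDenied(f"{caller}: {service}.{method}")


class VirtualizationLayer:
    """Maps the target app's components onto the broker's stub components.

    Android only knows the stubs declared in the broker's manifest
    (Activity1..ActivityN), so outgoing calls name a stub and incoming
    callbacks are translated back to the real component.
    """

    def __init__(self, stubs_per_kind):
        self.free = {kind: [f"{kind}{i}" for i in range(1, n + 1)]
                     for kind, n in stubs_per_kind.items()}
        self.to_stub, self.to_real = {}, {}

    def outgoing(self, kind, real_name):
        # startActivity(ActivityA) -> startActivity(Activity1)
        if real_name in self.to_stub:
            return self.to_stub[real_name]
        if not self.free[kind]:
            raise RuntimeError(f"no free {kind} stub for {real_name}")
        stub = self.free[kind].pop(0)
        self.to_stub[real_name], self.to_real[stub] = stub, real_name
        return stub

    def incoming(self, stub):
        # scheduleLaunchActivity(Activity1) -> scheduleLaunchActivity(ActivityA)
        return self.to_real[stub]

    def release(self, real_name):
        # Component finished: hand its stub back to the pool.
        stub = self.to_stub.pop(real_name)
        del self.to_real[stub]
        self.free[stub.rstrip("0123456789")].append(stub)


class Broker:
    """Receives calls diverted by the target's IPC shim, checks them at the
    PEP, virtualizes component names and forwards them to the real system."""

    def __init__(self, pep, vlayer):
        self.pep, self.vlayer = pep, vlayer
        self.forwarded = []  # what actually reached the Android system

    def ipc_receiver(self, caller, service, method, arg):
        self.pep.enforce(caller, service, method)
        if (service, method) == ("ActivityManager", "startActivity"):
            arg = self.vlayer.outgoing("Activity", arg)
        self.forwarded.append((service, method, arg))
        return arg

    def system_callback(self, stub):
        # e.g. scheduleLaunchActivity arriving from the system for a stub
        return self.vlayer.incoming(stub)


def demo():
    pep = ServicePEP(rules={("ActivityManager", "startActivity"): True})
    broker = Broker(pep, VirtualizationLayer({"Activity": 2}))
    # Launching one of the target's own activities goes through a stub.
    stub = broker.ipc_receiver("TargetApp", "ActivityManager", "startActivity", "ActivityA")
    real = broker.system_callback(stub)
    # No rule for the contacts provider: the fail-safe default denies it.
    try:
        broker.ipc_receiver("TargetApp", "ContactsProvider", "query", "contacts")
        contacts = "forwarded"
    except PolicyDenied:
        contacts = "denied"
    return stub, real, contacts, broker.forwarded, pep.log


if __name__ == "__main__":
    print(demo())
```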
Page 60
SYSTEM INTEGRATION
§ Launching apps
- Dedicated Activity
- Shortcuts on Home Screen
- Virtualized Launcher
§ Installing/Updating apps
- Directly via App Stores
Page 61
DISCUSSION & LIMITATIONS
§ Cancels Android's own access control checks
§ Violates Principle of Least Privilege
§ Full kernel attack surface available
§ Presence of Boxify detectable
Page 62
USE-CASES
§ Instantiate OS extensions at application layer
- Fine-grained access control
- Information flow control
- Dual-persona, BYOD
- Dynamic analysis
- Automated testing
- Xposed
- …
Page 63
Application-layer Security
Compiler-based instrumentation
Page 64: MOTIVATION AND RESEARCH QUESTIONS

§ Android Runtime (ART) supersedes Dalvik Virtual Machine (DVM)
- Move from interpretation to ahead-of-time on-device compilation
- Breaks compatibility with DVM-based prior work (e.g. TaintDroid)
§ ART yet uncharted
- Only few works on the topic
- Security implications unclear
- Potentially interesting target for security research
§ This work: Understanding and utilizing the novel runtime
- Researching the new on-device compiler
- Creating an app-instrumentation framework
- Proving its applicability by implementing use-cases
Page 65: DVM VS ART

Dalvik Virtual Machine
- Default runtime before Android 5.0
- Pre-optimization of bytecode (dexopt)
- Dalvik executable bytecode format (.dex)
- Interpretation and just-in-time compilation
- Repeated fetch-execute cycles

Android Runtime
- Default runtime since Android 5.0
- Ahead-of-time compilation of bytecode to binary code
- ART ELF binary (.oat)
- Native execution in the Android Runtime
- Improved performance and battery life
THE ANDROID RUNTIME
§ Twomaincomponents:compilersuiteandruntime
§ Dex2oatCompiler:transformdex filesintooatfiles
- OatfollowstheELFformat
- Completedex codeisstoredalongwiththebinarycode
- Multiplecompilationbackends andcodegenerators
- Backends handleoptimizations
§ Runtime:loadandexecutecompiledapps
- Compensateformissingvirtualmachine
- Preloadframeworkcode
- Garbagecollection
- Debugginghooks
66
Page 67: DEX2OAT: OVERVIEW

(Figure: dex2oat pipeline; not reproduced in the transcript.)
DEX2OAT:OPTIMIZING IR
§ Singleintermediaterepresentation
§ EnrichedmethodCFGs
§ SingleStaticAssignmentform
§ Def-usepairs
§ Nodescomparabletodex instructions
§ Inlined Javasemanticchecks
68
Page 69: INSTRUMENTATION POINTS

• Minimal interference with dex2oat
• Leaves the transformation from dex and the code generators intact
• Support for visitor pattern
• Lightweight static analysis possible
Page 70: ARTIST: THE ART INSTRUMENTATION AND SECURITY TOOLKIT

§ Injection of whole libraries
- Support to merge additional dex files
- Implemented as a preprocessing step
- Invocations of those added methods can be injected
§ Simple API for code injection
- Injects method calls
- Policy-driven: (target, method, parameters)
- Used to implement simple IRM use-case
§ Support for Modules
- Implemented as custom optimization passes over the code
- Integrates neatly with optimizations and other Modules
- Full access to method CFG: remove, add and replace nodes
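The policy-driven injection API and the Module-style node replacement, as an added example in Python (a model written for this page; ARTist itself is a C++ pass inside dex2oat and its real API is not shown here). It assumes a method body reduced to its invoke nodes with SSA value names, a monitor class `Lartist/Monitor;` that is hypothetical, and a constructed body that reads the IMEI and sends it by SMS.

```python
"""Added example (not ARTist's code): policy-driven injection of monitor calls
over a method's invoke nodes, plus a Module-style callee replacement. A policy
is (target, method, parameters): the guarded callee, the monitor method to
invoke, and which of the target's arguments the monitor receives.
The 'Lartist/Monitor;' and 'Lartist/Stub;' classes are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Invoke:
    """An invoke node of the method CFG; args and result are SSA value names."""
    callee: str
    args: List[str] = field(default_factory=list)
    result: Optional[str] = None


@dataclass
class Policy:
    target: str                  # dex-style signature of the guarded callee
    method: str                  # monitor method whose invocation is injected
    parameters: Tuple[int, ...]  # indices of the target's args forwarded to it


def inject_monitors(cfg: List[Invoke], policies: List[Policy]) -> List[Invoke]:
    """Visitor over the invoke nodes: every call matching a policy gets a call
    to the monitor inserted directly before it, fed with the same SSA values
    the guarded callee will receive, so the monitor can log or veto the call."""
    by_target = {p.target: p for p in policies}
    out: List[Invoke] = []
    for node in cfg:
        policy = by_target.get(node.callee)
        if policy is not None:
            for idx in policy.parameters:
                if idx >= len(node.args):
                    raise ValueError(f"{policy.target}: no argument {idx}")
            monitor_args = [f'"{node.callee}"'] + [node.args[i] for i in policy.parameters]
            out.append(Invoke(policy.method, monitor_args))
        out.append(node)
    return out


def replace_callee(cfg: List[Invoke], old: str, new: str) -> List[Invoke]:
    """Module-style node replacement: swap the callee while keeping arguments
    and result, e.g. to route a privacy-sensitive API through a filtering stub."""
    return [Invoke(new, n.args, n.result) if n.callee == old else n for n in cfg]


GET_DEVICE_ID = "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;"
SEND_SMS = ("Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;"
            "Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;"
            "Landroid/app/PendingIntent;)V")
GET_DEFAULT = "Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;"

# Constructed method body: v0 = TelephonyManager, v3 = destination, v1 = IMEI text.
EXAMPLE_CFG = [
    Invoke(GET_DEVICE_ID, ["v0"], "v1"),
    Invoke(GET_DEFAULT, [], "v2"),
    Invoke(SEND_SMS, ["v2", "v3", "v4", "v1", "v5", "v6"]),
]

EXAMPLE_POLICIES = [
    Policy(GET_DEVICE_ID, "Lartist/Monitor;->check(Ljava/lang/String;)V", ()),
    Policy(SEND_SMS, "Lartist/Monitor;->check(Ljava/lang/String;Ljava/lang/String;"
                     "Ljava/lang/String;)V", (1, 3)),   # destination and text
]


def run_example() -> List[Invoke]:
    return inject_monitors(EXAMPLE_CFG, EXAMPLE_POLICIES)
```

Injecting the monitor call before the guarded invoke, with the callee's own SSA operands, is what lets a single generic monitor method implement dynamic permission enforcement: at runtime it receives the signature string and the concrete arguments and can consult a policy before the real call executes.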
Page 71: ARTIST: DEPLOYMENT

§ Replace system dex2oat? Requires write access to the system partition
§ Instead: ship the compiler as a binary
- Regular Android app
- UI to pick app for instrumentation
- Recompilation generates alternative oat file (oat')
§ Trick Android into loading oat' instead of oat
- root: replace oat with oat'
- No root: use virtualization technique (Boxify, NJAS)
§ Application-layer-only solution
- Leaves system binary untouched
- No root required
Page 72: POSSIBLE USE CASES

§ Taint Tracking
- Tracking of prohibited flows from protected sources to app sinks
§ IRM
- Dynamic permission enforcement
§ Hot-patching of vulnerabilities
- Detect and fix common vulnerabilities introduced by developers
§ Enforced app compartmentalization
- Split applications into distinct security principals
§ Debugging and Profiling
- Inject custom debugging hooks and benchmarking code
§ ...
Page 73: CASE STUDY: TAINT TRACKING WITH ARTIST

§ De-facto standard TaintDroid not applicable anymore on ART
- Existing works focus on dex rewriting (TaintMan, ...)
§ Investigate whether taint tracking can be implemented using compiler-based instrumentation
- Specific challenges
- Compiler operates on method-level
- Interplay with optimizations
§ Hybrid analysis
- Lightweight static analysis to support targeted instrumentation
- No full static taint analysis!
- Dynamic taint tracking happens at runtime
Page 74: CASE STUDY: INFORMATION FLOW ANALYSIS

§ Refining the definitions of sources and sinks
- Global source/sink: data enters/leaves the application
- Local source/sink: data enters/leaves the current method
§ Intra-method taint tracking
- Statically compute backward slices of global and local sinks
- Stop at method border, i.e. local sources
§ Inter-method taint tracking
- Inject code at sources and sinks to obtain and propagate taint information
- Thread-local taint stack for tainted arguments and return values
- Create identifier for object and static fields and store in map
- Add code to check taint value at global sinks
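The hybrid scheme of the last two slides, as an added example in Python (a model written for this page, not ARTist's taint-tracking implementation). It assumes a small SSA-style IR, a constructed four-method app, and illustrative source/sink names (`TelephonyManager.getDeviceId`, `SmsManager.sendTextMessage`). The static part computes the per-method backward slices from local and global sinks and stops at local sources; the dynamic part runs only the sliced instructions' taint semantics, passing argument and return taint over a thread-local stack and field taint through a map keyed by field identifier.

```python
"""Added example (not ARTist's code): hybrid taint tracking over a constructed
SSA-style IR. Static: backward slices from sinks, stopping at local sources.
Dynamic: thread-local taint stack for arguments/return values, field taint map,
taint check at global sinks. Method and API names are illustrative."""
import threading


class Ins:
    """One SSA instruction: op in {invoke, binop, const, iget, iput, return};
    dst = value defined, srcs = values used, ref = callee, field or literal."""
    def __init__(self, op, dst=None, srcs=(), ref=None):
        self.op, self.dst, self.srcs, self.ref = op, dst, tuple(srcs), ref


GLOBAL_SOURCES = {"TelephonyManager.getDeviceId"}   # data enters the app
GLOBAL_SINKS = {"SmsManager.sendTextMessage"}       # data leaves the app
LOCAL_SOURCE_OPS = {"invoke", "iget"}               # data enters the method

PROGRAM = {  # constructed sample app; pN are parameters, vN SSA values
    "App.leak": [Ins("invoke", "v0", (), "TelephonyManager.getDeviceId"),
                 Ins("invoke", "v1", ("v0",), "App.wrap"),
                 Ins("iput", None, ("v1",), "App.buf"),
                 Ins("const", "v9", (), "debug"),      # dead value: never sliced
                 Ins("return")],
    "App.wrap": [Ins("const", "v0", (), "#"),
                 Ins("binop", "v1", ("p0", "v0")),
                 Ins("return", None, ("v1",))],
    "App.send": [Ins("iget", "v0", (), "App.buf"),
                 Ins("const", "v1", (), "+15550001"),
                 Ins("invoke", None, ("v1", "v0"), "SmsManager.sendTextMessage"),
                 Ins("return")],
    "App.ok":   [Ins("const", "v0", (), "hello"),
                 Ins("const", "v1", (), "+15550001"),
                 Ins("invoke", None, ("v1", "v0"), "SmsManager.sendTextMessage"),
                 Ins("return")],
}


def slice_method(body):
    """Static part: start at every sink (call arguments, field writes, return
    values), walk SSA def-use chains backwards, stop at local sources. Only
    the instructions returned here get taint-propagating shadow code."""
    defs = {i.dst: i for i in body if i.dst}
    keep, work = set(), []
    for i in body:
        if i.op in ("invoke", "iput", "return"):
            keep.add(i)
            work.extend(i.srcs)
    while work:
        d = defs.get(work.pop())
        if d is None or d in keep:          # parameter (local source) or visited
            continue
        keep.add(d)
        if d.op not in LOCAL_SOURCE_OPS:    # at a local source the slice stops
            work.extend(d.srcs)
    return keep


_tls = threading.local()
FIELD_TAINT = {}  # field identifier -> taint; static fields keyed by name here,
                  # instance fields would add an object identifier to the key


def _stack():
    if not hasattr(_tls, "taint"):
        _tls.taint = []
    return _tls.taint


def run(method, instrumented, leaks):
    """Dynamic part: execute the taint semantics of instrumented instructions.
    The callee pops its argument taints; the caller pops the return taint."""
    taint = {f"p{i}": t for i, t in enumerate(_stack().pop())}
    for ins in PROGRAM[method]:
        if ins not in instrumented[method]:
            continue                                    # no shadow code injected
        src_t = any(taint.get(v, False) for v in ins.srcs)
        if ins.op == "invoke":
            if ins.ref in PROGRAM:                      # app method
                _stack().append([taint.get(v, False) for v in ins.srcs])
                run(ins.ref, instrumented, leaks)
                res_t = _stack().pop()
            elif ins.ref in GLOBAL_SOURCES:
                res_t = True
            else:                                       # framework API
                if ins.ref in GLOBAL_SINKS and src_t:
                    leaks.append((method, ins.ref))
                res_t = src_t                           # conservative propagation
            if ins.dst:
                taint[ins.dst] = res_t
        elif ins.op == "iput":
            FIELD_TAINT[ins.ref] = src_t
        elif ins.op == "iget":
            taint[ins.dst] = FIELD_TAINT.get(ins.ref, False)
        elif ins.op == "return":
            _stack().append(src_t)
        else:                                           # const, binop
            taint[ins.dst] = src_t


def trace(entry_points):
    """Instrument every method statically, then run the entry points in order."""
    instrumented = {m: slice_method(b) for m, b in PROGRAM.items()}
    leaks = []
    for m in entry_points:
        _stack().append([])       # entry points take no arguments
        run(m, instrumented, leaks)
        _stack().pop()            # discard the entry point's return taint
    return instrumented, leaks
```

Running `trace(["App.leak", "App.send", "App.ok"])` reports exactly one leak, in `App.send`, even though the IMEI crossed a method call and a field between source and sink; the dead `debug` constant in `App.leak` is the one instruction that receives no shadow code, which is the point of the lightweight static slice. Note that this model treats unknown framework calls conservatively and has no notion of implicit flows, and that real instance fields need an object identifier in the map key.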
Page 75: CASE STUDY: TAINT TRACKING EXAMPLE

(Figure: worked taint-tracking example; not reproduced in the transcript.)
ONGOING WORK
§ IntegrateARTist withBoxify
- Currentimplementationrequiresroot
§ Combinewithstate-of-the-artstaticanalysis
- Evenmoretargetedinstrumentation
§ Multi-dex support
- Allowstoalsorecompilethelargestapps(Facebook,…)
- Moveadditionaldex mergingintothecompileritself
76