DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices Fall 2015 Instructor: Kun Sun,...
-
Upload
percival-myles-collins -
Category
Documents
-
view
218 -
download
0
Transcript of DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices Fall 2015 Instructor: Kun Sun,...
DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices
Fall 2015
Instructor: Kun Sun, Ph.D.
Roadmap Introduction
Overview
DeepDroid-Permission
DeepDroid-Behavior
Evaluation
Conclusion
Introduction Smartphones are increasingly adopted in
workspace “51% of end users rely on smartphones to perform daily
business activities.”——Cisco
However, Android devices are not easily managed for system design Permission: Coarse and not
configurable Device Administration API SEAndroid: legacy
phones(85.8%<version 4.3), inadequate MAC in middleware
Current Status Device OEMs add their own
management APIs Samsung SAFE & Knox HTC APIs 3LM APIs …
MDM vendors bustle about all these extended APIs
Current Research Customize system to enforce policies
Require tremendous modification to source code
Portability issue for Android branches and OEMs
Rewrite Android apps Intercept security sensitive APIs
from multiple layers Lack of isolation between App and
management code
Roadmap Introduction
Overview
DeepDroid-Permission
DeepDroid-Behavior
Evaluation
Conclusion
Overview
centralized controller system_server for middleware
permissions
client-server architecture system services, content
providers, etc.
Communication-Binder RPC to services/Callbacks Intent Content Providers Messengers Ashmem …
system_server
/system/bin/mediaserver
com.android.phone
android.process.acore
android.process.media
……
Overview (cont.)
Operations inside of process boundary
Based on Linux system calls Comply with Linux DAC
Linux privilege authorized right after process creation
setgroups/setresgid/setresuid
Activity Manager
Create process that can:• read/write sdcard• access network• use camera• read contacts
Our approach Dynamic memory instrumentation
/system/bin/mediaserver
com.android.phone
android.process.acore
android.process.media
……
system_server
behavior extraction & enforcement
flexible permission
Our approach (cont.) System call tracking
Tracking process creation for privilege authorization
Tracking process operations
Why our approach? Stable system architecture
permission mechanism, system services, binder realization, etc.
Reduce source code modification to configuration carry little burden on vendor
customization Central management
isolation transparent to apps
Roadmap Introduction
Overview
DeepDroid-Permission
DeepDroid-Behavior
Evaluation
Conclusion
DeepDroid-Permission system_server is the core of permission
mechanism. A few checking interfaces
Permission
Checkinter-process
Monitoring Code
Enterprise Policy Repository
system_server
Key: Java method redirection
DeepDroid-Permission
interpretor
V
byte code
classes.dex
…
…
dalvik-LinearAlloc
nativeFunc
insns
accessFlags
…
Method…
…
…
native code
libx.so
…
…
--runtime-init--setuid=10028--setgid=10028--setgroups=1015, 3003, 1006, 1007android.app.ActivityThread
DeepDroid-Permission Some permissions (user groups) are
checked in Kernel.
system_server
zygote app process
monitoring
fork
1: launch request
2: recognize app
3: reset groups &track until setuid
Roadmap Introduction
Overview
DeepDroid-Permission
DeepDroid-Behavior
Evaluation
Conclusion
DeepDroid-Behavior Interactions between apps and system services
ioctl(binderFd, BINDER_WRITE_READ, &bwr) By tampering Global Offset Table (GOT) of libbinder.so
access to servicescall-backsIntentContentProvidersMessengerashmem……
app
libc.so libc.so
system_server android.process.acore
libbinder.so libbinder.so
…
Behavior Enforcement
upperlayers
upperlayers
Binder driver
DeepDroid-Behavior Synchronous invocation
E.g., getLastKnownLocation(), getDeviceId()
return value
requests
system process
BR_TRANSACTION
BC_REPLY
pairwise within binder thread
interfaces defined in aidl& in .java
reflect on write buffer
DeepDroid-Behavior Asynchronous invocation
With oneway callback(e.g., onLocationChanged)
callback value
get a remote handle
system process
BC_TRANSACTION
reflect on write buffer
interfaces defined in aidl or in .java
counterpart recognization1) servicemanager
2) IBinder instances
DeepDroid-Behavior Parameter types
IBinder: map remote handles to uid/pid
ParcelFileDescriptor: shared memory (content provider, media, etc.)
Parcelable: rebuild objects with built-in CREATOR
Roadmap Introduction
Overview
DeepDroid-Permission
DeepDroid-Behavior
Evaluation
Conclusion
Tested ResourcesResource Permission Group PEP1 Process
IMEI READ_PHONE_STATE packagecom.android.phone
Phone # READ_PHONE_STATE package
location ACCESS_FINE_LOCATION package system_server
contacts READ_CONTACTS package android.process.acore
camera CAMERA camera package/PCG2 mediaserver
account GET_ACCOUNTS package system_server
logs READ_LOGS log PCG2
app processnetwork INTERNET inet package/PCG2
SMS SEND_SMS package com.android.phone
1PEP: permission enforcement point2PCG: Process Creation Guard
Tested Devices
Device Android OS
Nexus S(Samsung) Android OS 2.3.6
Sony LT29i Android OS 4.1.2Android OS 4.2.2
Galaxy Nexus(Samsung) Android OS 4.0
Samsung Galaxy Note II
Android OS 4.1
Samsung Galaxy Note 3 Android OS 4.3
Nexus 5(LG) Android OS 4.4
Meizu MX II Flyme 3.2(Android OS 4.2.1)
Huawei Honor 3c Android OS 4.2
Performance
Performance (cont.)
Performance (cont.)
Normal Quadrant
Traced Quadrant
NormalCaffeineMark
Trace CaffeineMark
MX II 2508.5 2507.6 6367.2 6207.5
LT29i 4653.8 4553.6 14125.5 13998.5
Nexus S 1750.0 1705.6 5982.8 5959.9
Benchmark Scores
Roadmap Introduction
Overview
DeepDroid-Permission
DeepDroid-Behavior
Evaluation
Conclusion
Conclusion We propose a framework to achieve a fine-
grained control on Android resources.
DeepDroid dynamically instruments and traces core processes of Android system. Based on stable structures across multiple OS versions, DeepDroid is easily ported.
DeepDroid requires little firmware configuration rather than customizing Android source code.