DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices

Fall 2015

Instructor: Kun Sun, Ph.D.

Roadmap Introduction

Overview

DeepDroid-Permission

DeepDroid-Behavior

Evaluation

Conclusion

Introduction Smartphones are increasingly adopted in

workspace “51% of end users rely on smartphones to perform daily

business activities.”——Cisco

However, Android devices are not easily managed for system design Permission: Coarse and not

configurable Device Administration API SEAndroid: legacy

phones(85.8%<version 4.3), inadequate MAC in middleware

Current Status Device OEMs add their own

management APIs Samsung SAFE & Knox HTC APIs 3LM APIs …

MDM vendors bustle about all these extended APIs

Current Research Customize system to enforce policies

Require tremendous modification to source code

Portability issue for Android branches and OEMs

Rewrite Android apps Intercept security sensitive APIs

from multiple layers Lack of isolation between App and

management code

Roadmap Introduction

Overview

DeepDroid-Permission

DeepDroid-Behavior

Evaluation

Conclusion

Overview

centralized controller system_server for middleware

permissions

client-server architecture system services, content

providers, etc.

Communication-Binder RPC to services/Callbacks Intent Content Providers Messengers Ashmem …

system_server

/system/bin/mediaserver

com.android.phone

android.process.acore

android.process.media

……

Overview (cont.)

Operations inside of process boundary

Based on Linux system calls Comply with Linux DAC

Linux privilege authorized right after process creation

setgroups/setresgid/setresuid

Activity Manager

Create process that can:• read/write sdcard• access network• use camera• read contacts

Our approach Dynamic memory instrumentation

/system/bin/mediaserver

com.android.phone

android.process.acore

android.process.media

……

system_server

behavior extraction & enforcement

flexible permission

Our approach (cont.) System call tracking

Tracking process creation for privilege authorization

Tracking process operations

Why our approach? Stable system architecture

permission mechanism, system services, binder realization, etc.

Reduce source code modification to configuration carry little burden on vendor

customization Central management

isolation transparent to apps

Roadmap Introduction

Overview

DeepDroid-Permission

DeepDroid-Behavior

Evaluation

Conclusion

DeepDroid-Permission system_server is the core of permission

mechanism. A few checking interfaces

Permission

Checkinter-process

Monitoring Code

Enterprise Policy Repository

system_server

Key: Java method redirection

DeepDroid-Permission

interpretor

V

byte code

classes.dex

…

…

dalvik-LinearAlloc

nativeFunc

insns

accessFlags

…

Method…

…

…

native code

libx.so

…

…

--runtime-init--setuid=10028--setgid=10028--setgroups=1015, 3003, 1006, 1007android.app.ActivityThread

DeepDroid-Permission Some permissions (user groups) are

checked in Kernel.

system_server

zygote app process

monitoring

fork

1: launch request

2: recognize app

3: reset groups &track until setuid

Roadmap Introduction

Overview

DeepDroid-Permission

DeepDroid-Behavior

Evaluation

Conclusion

DeepDroid-Behavior Interactions between apps and system services

ioctl(binderFd, BINDER_WRITE_READ, &bwr) By tampering Global Offset Table (GOT) of libbinder.so

access to servicescall-backsIntentContentProvidersMessengerashmem……

app

libc.so libc.so

system_server android.process.acore

libbinder.so libbinder.so

…

Behavior Enforcement

upperlayers

upperlayers

Binder driver

DeepDroid-Behavior Synchronous invocation

E.g., getLastKnownLocation(), getDeviceId()

return value

requests

system process

BR_TRANSACTION

BC_REPLY

pairwise within binder thread

interfaces defined in aidl& in .java

reflect on write buffer

DeepDroid-Behavior Asynchronous invocation

With oneway callback(e.g., onLocationChanged)

callback value

get a remote handle

system process

BC_TRANSACTION

reflect on write buffer

interfaces defined in aidl or in .java

counterpart recognization1) servicemanager

2) IBinder instances

DeepDroid-Behavior Parameter types

IBinder: map remote handles to uid/pid

ParcelFileDescriptor: shared memory (content provider, media, etc.)

Parcelable: rebuild objects with built-in CREATOR

Roadmap Introduction

Overview

DeepDroid-Permission

DeepDroid-Behavior

Evaluation

Conclusion

Tested ResourcesResource Permission Group PEP1 Process

IMEI READ_PHONE_STATE packagecom.android.phone

Phone # READ_PHONE_STATE package

location ACCESS_FINE_LOCATION package system_server

contacts READ_CONTACTS package android.process.acore

camera CAMERA camera package/PCG2 mediaserver

account GET_ACCOUNTS package system_server

logs READ_LOGS log PCG2

app processnetwork INTERNET inet package/PCG2

SMS SEND_SMS package com.android.phone

1PEP: permission enforcement point2PCG： Process Creation Guard

Tested Devices

Device Android OS

Nexus S(Samsung) Android OS 2.3.6

Sony LT29i Android OS 4.1.2Android OS 4.2.2

Galaxy Nexus(Samsung) Android OS 4.0

Samsung Galaxy Note II

Android OS 4.1

Samsung Galaxy Note 3 Android OS 4.3

Nexus 5(LG) Android OS 4.4

Meizu MX II Flyme 3.2(Android OS 4.2.1)

Huawei Honor 3c Android OS 4.2

Performance

Performance (cont.)

Performance (cont.)

Normal Quadrant

Traced Quadrant

NormalCaffeineMark

Trace CaffeineMark

MX II 2508.5 2507.6 6367.2 6207.5

LT29i 4653.8 4553.6 14125.5 13998.5

Nexus S 1750.0 1705.6 5982.8 5959.9

Benchmark Scores

Roadmap Introduction

Overview

DeepDroid-Permission

DeepDroid-Behavior

Evaluation

Conclusion

Conclusion We propose a framework to achieve a fine-

grained control on Android resources.

DeepDroid dynamically instruments and traces core processes of Android system. Based on stable structures across multiple OS versions, DeepDroid is easily ported.

DeepDroid requires little firmware configuration rather than customizing Android source code.