DELDroid: Determination & Enforcement of Least Privilege Architecture in Android (slide transcript, 2017/03/22)
-
DELDroid: Determination & Enforcement of Least Privilege Architecture in Android
Mahmoud Hammad, Software Engineering Ph.D. Candidate
Mahmoud Hammad, Hamid Bagheri, and Sam Malek. IEEE International Conference on Software Architecture (ICSA 2017), Gothenburg, Sweden, April 2017. 3/22/2017
-
Android in the market (slide 2)
[Figure; source: International Data Corporation (IDC)]
-
Number of apps in Google Play store (slide 3)
[Figure; source: Statista]
-
Not as rosy as it may seem (slide 4)
[Figure: Android malware samples; source: NOKIA Threat Intelligence Report]
-
Over-privileged resource access (slide 5)
[Figure: two apps. Messaging, with components ListMsgs, Composer and Sender, holds the SMS permission; FunGame, with components Main and LevelUp, holds the Location permission. Legend: Activity, Service, Implicit Intent, Explicit Intent, SMS permission, Location permission, Private component.]
-
Over-privileged Inter-Component Communication (slide 6)
[Figure: the same two apps as on slide 5 (Messaging: ListMsgs, Composer, Sender; FunGame: Main, LevelUp), now showing their implicit and explicit intents. Legend: Activity, Service, Implicit Intent, Explicit Intent, SMS permission, Location permission, Private component.]
-
Research problem (slide 7)
Components are over-privileged and violate the Least Privilege (LP) principle
-
LP in Android documentation (slide 8)
"The Android system implements the principle of least privilege. That is, each app, by default, has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not given permission."
Android security mechanisms treat apps as the minimum security entities
-
Security Consequences (slide 9)
• Hard to comprehend the security posture of an Android system
• Increases the attack surface
• Causes many security vulnerabilities
  • Privilege escalation attack
  • Hidden Inter-Component Communication (ICC) attack
-
Privilege Escalation Attack (slide 10)
[Figure: the Messaging (ListMsgs, Composer, Sender) and FunGame (Main, LevelUp) apps with intents i1, i2 and i3 (ix denotes an intent); legend as on slide 5. Sender's permission check appears on the slide as a commented-out line:]
// If (checkCallingPermission("android.permission.SEND_SMS") == PackageManager.PERMISSION_GRANTED)
-
Hidden ICC Attack (slide 11)
[Figure: the same two apps and intents i1, i2, i3 as on slide 10; the legend adds Dynamically Loaded Code, marking the intent that is issued from dynamically loaded code rather than from the app's own bytecode, and Private component.]
-
Outline (slide 12)
• Approach (this section)
• Experimental Results
• Threats & Conclusion
-
DELDroid architecture (slide 13; the same diagram recurs on slides 14-20, 23, 27, 30, 33 and 36)
[Figure: DELDroid's design-time pipeline and run-time enforcement.]
Design time, starting from the APKs of the Android Apps Layer:
• 1. Architectural Elements Extractor: produces the Architectural Elements
• 2. Privilege Analyzer: produces the Original Architecture
• 3. Privilege Reducer: produces the LP Architecture
• 4. Security Analyzer: produces the Analysis Result
• 5. LP Enforcer: produces the ECA Rules
Run time: the Privilege Manager Layer, containing a Resource Monitor and an ICC Monitor, sits between the Android Apps Layer and the System Resources; each resource request and each ICC passes through it.
Legend: DELDroid step, DELDroid transaction, resource request, ICC, repository, analysis result, architectural elements, APKs.
-
Android apps (slide 21)
• Each Android app (APK file) includes:
  • a configuration file called the manifest file
  • the app's bytecode
• The manifest file specifies:
  • the principal components that constitute the app
  • the provided interface, i.e., Intent Filters
  • required permissions
  • enforced permissions
• The bytecode contains, among other things:
  • the app's business logic
  • component communications
  • enforced permissions
-
Step 1: Architectural Elements Extractor (slide 22)
ID | App | Component | Type | Exported | Intent Filter | Permissions Granted | Permissions Used | Permissions Enforced | Intents
1 | Messaging | ListMsgs | Activity | Yes | | {SMS} | | |
2 | Messaging | Composer | Activity | Yes | | {SMS} | | | {i1}
3 | Messaging | Sender | Service | Yes | SEND_SMS | {SMS} | {SMS} | |
4 | FunGame | LevelUp | Service | No | | {Location} | | |
5 | FunGame | Main | Activity | Yes | MAIN | {Location} | | | {i2}
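The manifest side of Step 1, as an added example that is not DELDroid's own code: it parses an AndroidManifest.xml and emits the component, type, exported, intent-filter, granted-permission and enforced-permission columns of the table above. The two manifests are constructed to mirror the Messaging and FunGame apps of the slides; the intent column (i1, i2) and the used-permission column come from bytecode analysis, which a manifest parser cannot supply.

```python
"""Added example (not DELDroid's own code): pull the Step 1 columns out of
an AndroidManifest.xml. The two manifests are constructed to mirror the
Messaging and FunGame apps of slide 22; intents (i1, i2) and used
permissions live in bytecode and are out of scope for a manifest parser."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed input, not a real app: Messaging holds SEND_SMS; Sender is
# reachable through an intent filter and declares no android:permission.
MESSAGING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="Messaging">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name="ListMsgs" android:exported="true"/>
    <activity android:name="Composer" android:exported="true"/>
    <service android:name="Sender">
      <intent-filter><action android:name="SEND_SMS"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed input: FunGame holds a location permission; LevelUp is private.
FUNGAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="FunGame">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name="LevelUp"/>
    <activity android:name="Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def android_attr(elem, name):
    """Manifest attributes live in the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def extract_elements(manifest_xml):
    """One row per component, with the columns of DELDroid's Step 1 table."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    granted = sorted(android_attr(p, "name") for p in root.iter("uses-permission"))
    rows = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        filters = [android_attr(a, "name") for a in comp.iterfind("intent-filter/action")]
        exported = android_attr(comp, "exported")
        if exported is None:
            # Before API 31 a component with an intent filter is exported by default.
            exported = "true" if filters else "false"
        rows.append({
            "app": package,
            "component": android_attr(comp, "name"),
            "type": comp.tag.capitalize(),
            "exported": exported == "true",
            "filters": filters,
            "granted": granted,                            # permissions held by the app
            "enforced": android_attr(comp, "permission"),  # None: the component guards nothing
        })
    return rows


def unguarded_exported(rows):
    """Exported components that enforce no permission: the ones another app can
    drive without holding anything, which is where over-privileged ICC starts."""
    return [r["component"] for r in rows if r["exported"] and r["enforced"] is None]


if __name__ == "__main__":
    for manifest in (MESSAGING_MANIFEST, FUNGAME_MANIFEST):
        for row in extract_elements(manifest):
            print(row)
```

Run against a real APK, the manifest is binary XML and has to be decoded first (for instance with apktool or aapt); the column logic stays the same.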
-
Multiple Domain Matrix (MDM) (slide 24)
• MDM models a complex system with multiple domains
• Each domain is modeled as a Design Structure Matrix (DSM)
• DSM and MDM are very effective in capturing and analyzing the architecture of a complex system
-
Multiple Domain Matrix (MDM) (slide 25)
[Figure: a system with three tasks (Task 1, Task 2, Task 3) and two persons (P1, P2). A Design Structure Matrix (DSM) with rows and columns Task 1, Task 2, Task 3 records the task-to-task dependencies; a second matrix with rows Task 1..Task 3 and columns P1, P2 records the task-to-person relationship; combining the domains into an MDM captures the architecture.]
-
The Original architecture (slide 26)
[Figure: the Original architecture]
-
The LP architecture (slide 28)
[Figure: the LP architecture]
-
Original vs. LP architectures (slide 29)
[Figure: Original Architecture beside LP Architecture]
-
Privilege escalation analysis (slide 31)
• Let us assume LevelUp does not use dynamic class loading
-
Privilege escalation analysis (slide 32)
• DELDroid marks communicate(LevelUp, Sender) as a potential privilege escalation attack
[Figure: LP Architecture]
-
Communication ECA rule example (slide 34)
Event: i ∈ ICC occurs
Condition: i.senderPkg = FunGame ∧ i.senderComp = LevelUp ∧ i.receiverPkg = Messaging
Action: prevent
-
Resource access ECA rule example (slide 35)
Event: resourceAccessRequest
Condition: requester = LevelUp ∧ service = Context.LOCATION_SERVICE
Action: prevent
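The pipeline from the MDM slides through the Original and LP architectures, the privilege escalation analysis and the two ECA rules above, as one added example that is not DELDroid's own code. It uses plain Python sets as the MDM domains of the two-app system: the five components follow the Step 1 table (slide 22); the intent list (i1, i2 and LevelUp's statically visible i3, per the assumption on slide 31), the permission-to-service mapping and the rule dictionaries are this example's own modelling choices, and it generalises the resource-access rule to every component that holds a permission it never uses.

```python
"""Added example (not DELDroid's own code): a toy version of DELDroid's
privilege analysis on the two-app system of the slides. The five components
follow the Step 1 table (slide 22); the intent list, the permission-to-service
mapping and the rule dictionaries are this example's own modelling choices."""
from itertools import permutations

# (package, component) -> facts from the Step 1 table. Permission names use
# the slide's shorthand (SMS, Location).
COMPONENTS = {
    ("Messaging", "ListMsgs"): {"exported": True,  "filters": set(),        "granted": {"SMS"},      "used": set(),   "enforced": set()},
    ("Messaging", "Composer"): {"exported": True,  "filters": set(),        "granted": {"SMS"},      "used": set(),   "enforced": set()},
    ("Messaging", "Sender"):   {"exported": True,  "filters": {"SEND_SMS"}, "granted": {"SMS"},      "used": {"SMS"}, "enforced": set()},
    ("FunGame",   "LevelUp"):  {"exported": False, "filters": set(),        "granted": {"Location"}, "used": set(),   "enforced": set()},
    ("FunGame",   "Main"):     {"exported": True,  "filters": {"MAIN"},     "granted": {"Location"}, "used": set(),   "enforced": set()},
}

# Intents recovered from bytecode (constructed): i1 and i2 as on slide 22, and
# i3, LevelUp's implicit SEND_SMS intent, visible statically because slide 31
# assumes LevelUp does not use dynamic class loading.
INTENTS = {
    "i1": (("Messaging", "Composer"), {"action": "SEND_SMS"}),
    "i2": (("FunGame", "Main"),       {"target": ("FunGame", "LevelUp")}),
    "i3": (("FunGame", "LevelUp"),    {"action": "SEND_SMS"}),
}

# Which system service a permission gates (assumed; slide 35 shows only Location).
PERMISSION_SERVICE = {"Location": "Context.LOCATION_SERVICE"}


def reachable(sender, receiver):
    """Android's default ICC policy: anything in the same app, or any exported component."""
    return sender != receiver and (sender[0] == receiver[0] or COMPONENTS[receiver]["exported"])


def original_domain():
    """Communication domain of the original architecture: every pair Android would allow."""
    return {(s, r) for s, r in permutations(COMPONENTS, 2) if reachable(s, r)}


def resolve(sender, spec):
    """Receivers an intent actually reaches: its explicit target, or filters matching its action."""
    if "target" in spec:
        return {spec["target"]} if reachable(sender, spec["target"]) else set()
    return {r for r, c in COMPONENTS.items()
            if spec["action"] in c["filters"] and reachable(sender, r)}


def lp_domain():
    """LP communication domain: only the pairs realised by an intent found in the bytecode."""
    return {(s, r) for s, spec in INTENTS.values() for r in resolve(s, spec)}


def privilege_escalations(domain):
    """communicate(s, r) is a potential privilege escalation when r exercises a
    permission it does not enforce on its callers and s was never granted it."""
    found = set()
    for s, r in domain:
        for perm in COMPONENTS[r]["used"] - COMPONENTS[r]["enforced"]:
            if perm not in COMPONENTS[s]["granted"]:
                found.add((s, r, perm))
    return found


def eca_rules(domain):
    """Event-Condition-Action rules in the shape of slides 34 and 35."""
    rules = []
    for s, r, _ in sorted(privilege_escalations(domain)):
        rules.append({"event": "ICC",
                      "condition": {"senderPkg": s[0], "senderComp": s[1], "receiverPkg": r[0]},
                      "action": "prevent"})
    for comp, facts in COMPONENTS.items():
        # Granted but never used: the privilege reducer takes it away at run time.
        for perm in sorted(facts["granted"] - facts["used"]):
            rules.append({"event": "resourceAccessRequest",
                          "condition": {"requester": comp[1],
                                        "service": PERMISSION_SERVICE.get(perm, perm)},
                          "action": "prevent"})
    return rules


def decide(rules, event):
    """Run-time monitor: an intercepted ICC or resource request is prevented
    when every field of some rule's condition matches it."""
    for rule in rules:
        if rule["event"] == event["event"] and all(
                event.get(k) == v for k, v in rule["condition"].items()):
            return rule["action"]
    return "allow"


def reduction_percent(original, lp):
    """Attack surface reduction as reported in RQ1."""
    return round(100.0 * (1 - len(lp) / len(original)), 2)


if __name__ == "__main__":
    orig, lp = original_domain(), lp_domain()
    print("original:", len(orig), "LP:", len(lp), "reduction:", reduction_percent(orig, lp), "%")
    for s, r, perm in privilege_escalations(lp):
        print("potential privilege escalation: communicate(%s, %s) via %s" % (s[1], r[1], perm))
    rules = eca_rules(lp)
    print(decide(rules, {"event": "ICC", "senderPkg": "FunGame", "senderComp": "LevelUp",
                         "receiverPkg": "Messaging", "receiverComp": "Sender"}))
```

On this five-component system the original domain has 17 allowed pairs and the LP domain 3, so even the toy shows the order-of-magnitude reduction behind the RQ1 numbers; the only flagged pair is communicate(LevelUp, Sender), because Sender exercises SMS without enforcing it and LevelUp was never granted it, and the generated ICC rule is exactly the one on slide 34.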
-
Outline (slide 37)
• Approach
• Experimental Results (this section)
• Threats & Conclusion
-
Implementation details (slide 38)
• DELDroid is a Java application
  • input: set of apps
  • output: LP architecture and ECA rules
• The enforcement mechanism is implemented in AOSP version 6 (Marshmallow)
• The Privilege Manager introduces a new package in the Android runtime
  • This package does not affect the existing apps
• Other components are modified, such as ActivityManager and ContextWrapper
• Installed on an Android emulator and a Nexus 5X phone
-
Evaluation (slide 39)
• RQ1: How effective is DELDroid in reducing the attack surface?
• RQ2: How effective is DELDroid in detecting and preventing attacks in real-world apps?
• RQ3: What is the performance of DELDroid?
-
Evaluation setup (slide 40)
Dataset | Apps
Benign | 370
Vulnerable | 335
Malicious | 225
Malicious dataset sources: Malgenome, Brain Test, AndroTotal, Contagio
[Figure: dataset apps distribution: Benign 40%, Vulnerable 36%, Malicious 24%]
-
RQ1: Attack surface reduction (slide 41)
Bundle | Apps | Components | Explicit Intents | Implicit Intents | Intent Filters
Bundle 1 | 30 | 306 | 344 | 79 | 176
Bundle 2 | 30 | 432 | 468 | 379 | 287
Bundle 3 | 30 | 422 | 574 | 212 | 200
Bundle 4 | 30 | 449 | 348 | 370 | 511
Bundle 5 | 30 | 353 | 304 | 277 | 292
Bundle 6 | 30 | 541 | 890 | 476 | 4919
Bundle 7 | 30 | 562 | 412 | 38 | 324
Bundle 8 | 30 | 362 | 417 | 267 | 242
Bundle 9 | 30 | 265 | 180 | 98 | 166
Bundle 10 | 30 | 421 | 322 | 1231 | 185
Average | 30 | 411.3 | 425.9 | 342.7 | 730.2
Avg. (per app) | | 13.7 | 14.2 | 11.4 | 24.3
-
RQ1: Attack surface reduction – communication (slide 42)
Bundle | Components | Explicit Intents | Implicit Intents | Intent Filters | Communication Domain: Original | Communication Domain: LP | Reduction (%)
Bundle 1 | 306 | 344 | 79 | 176 | 29,031 | 42 | 99.86
Bundle 2 | 432 | 468 | 379 | 287 | 78,237 | 625 | 99.20
Bundle 3 | 422 | 574 | 212 | 200 | 65,709 | 173 | 99.74
Bundle 4 | 449 | 348 | 370 | 511 | 80,372 | 205 | 99.74
Bundle 5 | 353 | 304 | 277 | 292 | 56,868 | 345 | 99.39
Bundle 6 | 541 | 890 | 476 | 4919 | 85,556 | 661 | 99.23
Bundle 7 | 562 | 412 | 38 | 324 | 82,863 | 137 | 99.83
Bundle 8 | 362 | 417 | 267 | 242 | 50,208 | 250 | 99.50
Bundle 9 | 265 | 180 | 98 | 166 | 25,817 | 129 | 99.50
Bundle 10 | 421 | 322 | 1231 | 185 | 50,001 | 74 | 99.85
Average | 411.3 | 425.9 | 342.7 | 730.2 | 60,466.2 | 264.1 | 99.58
Avg. (per app) | 13.7 | 14.2 | 11.4 | 24.3 | 2,015.5 | 8.8 | 99.56
-
RQ1: Attack surface reduction – permission (slide 43)
Bundle | Components | Explicit Intents | Implicit Intents | Intent Filters | Permission Granted Domain: Original | Permission Granted Domain: LP | Reduction (%)
Bundle 1 | 306 | 344 | 79 | 176 | 1,642 | 45 | 97.26
Bundle 2 | 432 | 468 | 379 | 287 | 2,954 | 61 | 97.94
Bundle 3 | 422 | 574 | 212 | 200 | 2,510 | 54 | 97.85
Bundle 4 | 449 | 348 | 370 | 511 | 4,234 | 78 | 98.16
Bundle 5 | 353 | 304 | 277 | 292 | 1,536 | 51 | 96.68
Bundle 6 | 541 | 890 | 476 | 4919 | 4,461 | 181 | 95.94
Bundle 7 | 562 | 412 | 38 | 324 | 1,577 | 58 | 96.32
Bundle 8 | 362 | 417 | 267 | 242 | 1,946 | 24 | 98.77
Bundle 9 | 265 | 180 | 98 | 166 | 1,568 | 30 | 98.09
Bundle 10 | 421 | 322 | 1231 | 185 | 2,386 | 28 | 98.83
Average | 411.3 | 425.9 | 342.7 | 730.2 | 2,481.4 | 61.0 | 97.58
Avg. (per app) | 13.7 | 14.2 | 11.4 | 24.3 | 82.7 | 2.0 | 97.54
-
RQ1: Attack surface reduction – potential attacks (slide 44)
Bundle | Components | Explicit Intents | Implicit Intents | Intent Filters | Potential Privilege Escalations (Security Analysis): Original | Potential Privilege Escalations (Security Analysis): LP
Bundle 1 | 306 | 344 | 79 | 176 | 25,944 | 0
Bundle 2 | 432 | 468 | 379 | 287 | 35,601 | 110
Bundle 3 | 422 | 574 | 212 | 200 | 22,721 | 2
Bundle 4 | 449 | 348 | 370 | 511 | 33,551 | 0
Bundle 5 | 353 | 304 | 277 | 292 | 26,914 | 2
Bundle 6 | 541 | 890 | 476 | 4919 | 24,745 | 2
Bundle 7 | 562 | 412 | 38 | 324 | 15,503 | 1
Bundle 8 | 362 | 417 | 267 | 242 | 27,663 | 14
Bundle 9 | 265 | 180 | 98 | 166 | 19,428 | 8
Bundle 10 | 421 | 322 | 1231 | 185 | 16,953 | 3
Average | 411.3 | 425.9 | 342.7 | 730.2 | 24,902.3 | 14.2
Avg. (per app) | 13.7 | 14.2 | 11.4 | 24.3 | 498.0 | 0.3
-
RQ2: Attacks detection and prevention (slide 45)
• 54 malicious and vulnerable apps
  • The steps and inputs required to create the attacks are known
• The dataset contains:
  • 18 privilege escalation attacks
  • 24 hidden ICC attacks through dynamic class loading
• Detection: DELDroid analyzes the derived LP architecture
• Prevention: manually exercise the apps to create the attacks
-
RQ2: Privilege escalation detection results (slide 46)
• 18 privilege escalation attacks
TP (malicious behavior detected): 18
FP (benign behavior detected): 1
FN (malicious behavior not detected): 0
Precision = 94.74%, Recall = 100%
-
RQ2: Attacks prevention (slide 47)
• 18 privilege escalation attacks and 24 hidden ICC attacks: 42 attacks in total
TP (malicious behavior prevented): 42
FP (benign behavior prevented): 1
FN (malicious behavior allowed): 0
Precision = 97.76%, Recall = 100%
-
RQ3: Performance – design time (slide 48)
• Execution time of running DELDroid on the 10 bundles, repeated 33 times
| Recovery (min) | LP Determination (sec) | Analysis (sec) | ECA Rules (sec)
Average per bundle | 69.5 ± 2.7 | 1.61 ± 0.69 | 0.002 ± 0.001 | 0.45 ± 0.99
-
RQ3: Performance – run time (slide 49)
• A script that sends 363 requests to an Android system
• Each request causes the system to perform an ICC transaction
• On average, DELDroid takes 25 ± 10 milliseconds to check an intercepted ICC
-
Outline (slide 50)
• Approach
• Experimental Results
• Threats & Conclusion (this section)
-
Threats to validity (slide 51)
• Not all hidden ICC communications are malicious
  • A previous study proposed a technique that checks the integrity of the loaded code [1]
• Static analysis tools cannot effectively analyze obfuscated apps
  • integrating dynamic analysis techniques
[1] S. Poeplau et al. Execute this! Analyzing unsafe and malicious dynamic code loading in Android applications. In NDSS, San Diego, California, February 2014.
-
Conclusion (slide 52)
• DELDroid is an automated approach for determining and enforcing the LP architecture for an Android system
• The LP architecture narrows the attack surface and thwarts certain security attacks
• Experimental results show:
  • between 97% and 99% attack surface reduction
  • detection and prevention of security attacks (97% precision and 100% recall)
  • negligible runtime performance overhead