Towards a Trustworthy Android Ecosystem
Transcript of Towards a Trustworthy Android Ecosystem
Yan Chen
Lab of Internet and Security Technology
Northwestern University
Smartphone Security
• Ubiquity: smartphones and mobile devices
– Smartphone sales already exceed PC sales
– The growth will continue
• Performance better than PCs of last decade
– Samsung Galaxy S4: 1.6 GHz quad core, 2 GB memory
Android Dominance
• Android world-wide market share ~70%
• Android market share in US ~50%
(Credit: Kantar Worldpanel ComTech)
Android Threats
• Malware
– The number is increasing consistently
– Anti-malware is ineffective at catching zero-day and polymorphic malware
• Information leakage
– Users often have no way to even know what information is being leaked out of their device
– Even legitimate apps leak private information, though the user may not be aware
(Image: flickr.com/photos/panda_security_france/)
New Challenges
• New operating systems
– Different design → different threats
• Different architecture
– ARM (Advanced RISC Machines) vs x86
– Dalvik vs Java (on Android)
• Constrained environment
– CPU, memory
– Battery
– User perception
Problems
• Malware detection
– Offline
– Real time, on phone
• Privacy leakage detection
– Offline
– Real time, on phone
• OS architecture or application vulnerabilities
• System hardening
– Access control, ASLR, …
Our Solutions
• AppsPlayground, CODASPY’13
– Automatic, large-scale dynamic analysis of Android apps
• DroidChameleon, ASIACCS’13
– Evaluation of latest Android anti-malware tools
• Uranine
– Real-time information-flow tracking enabled by offline static analysis
– With zero platform modification
AppsPlayground
Automatic Security Analysis of Android Applications
AppsPlayground
• A system for offline dynamic analysis
– Includes multiple detection techniques for dynamic analysis
• Challenges
– Techniques must be light-weight
– Automation requires good exploration techniques
Architecture
(Figure: AppsPlayground runs on a Virtualized Dynamic Analysis Environment. Detection Techniques: kernel-level monitoring, taint tracking, API monitoring, … Exploration Techniques: fuzzing, intelligent input, event triggering, … Disguise techniques.)
Intelligent Input
• Fuzzing is good but has limitations
• Another black-box GUI exploration technique
• Capable of filling meaningful text by inferring surrounding context
– Automatically fill out zip codes, phone numbers and even login credentials
– Sometimes increases coverage greatly
Privacy Leakage Results
• AppsPlayground automates TaintDroid
• Large scale measurements: 3,968 apps from Android Market (Google Play)
– 946 leak some info
– 844 leak phone identifiers
– 212 leak geographic location
– Leaks to a number of ad and analytics domains
Malware Detection
• Case studies on DroidDream, FakePlayer, and DroidKungFu
• AppsPlayground’s detection techniques are effective at detecting malicious functionality
• Exploration techniques can help discover more sophisticated malware
DroidChameleon
Evaluating state-of-the-art Android anti-malware against transformation attacks
Introduction
• Android malware: a real concern
• Many anti-malware offerings for Android
– Many are very popular
(Source: http://play.google.com/ | retrieved: 4/29/2013)
Objective
What is the resistance of Android anti-malware against malware obfuscations?
• Smartphone malware is evolving
– Encrypted exploits, encrypted C&C information, obfuscated class names, …
– Polymorphic attacks already seen in the wild
• Technique: transform known malware
Transformations: Three Types
• Trivial: no code-level changes or changes to AndroidManifest
• Detectable by Static Analysis (DSA): do not thwart detection by static analysis completely
• Not detectable by Static Analysis (NSA): capable of thwarting all static analysis based detection
Trivial Transformations
• Repacking
– Unzip, rezip, re-sign
– Changes signing key, checksum of whole app package
• Reassembling
– Disassemble bytecode, AndroidManifest, and resources and reassemble again
– Changes individual files
DSA Transformations
• Changing package name
• Identifier renaming
• Data encryption
• Encrypting payloads and native exploits
• Call indirections
• …
Evaluation
• 10 anti-malware products evaluated
– AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft (ALYac), Zoner, Webroot
– Mostly million-figure installs; > 10M for three
– All fully functional
• 6 malware samples used
– DroidDream, Geinimi, FakePlayer, BgServ, BaseBridge, Plankton
• Last done in February 2013
DroidDream Example
AVG Symantec Lookout ESET Dr. Web
Repack x
Reassemble x
Rename package x x
EncryptExploit (EE) x
Rename identifiers (RI) x x
Encrypt Data (ED) x
Call Indirection (CI) x
RI+EE x x x
EE+ED x
EE+Rename Files x
EE+CI x x
DroidDream Example (continued)
Kasp. Trend M. ESTSoft Zoner Webroot
Repack
Reassemble x
Rename package x x
EncryptExploit (EE) x
Rename identifiers (RI) x x
Encrypt Data (ED) x
Call Indirection (CI) x
RI+EE x x
EE+ED x x
EE+Rename Files x x
EE+CI x
Findings
• All the studied tools were found vulnerable to common transformations
• At least 43% of signatures are not based on code-level artifacts
• 90% of signatures do not require static analysis of bytecode; only one tool (Dr. Web) was found to be using static analysis
Signature Evolution
• Study over one year (Feb 2012 – Feb 2013)
• Key finding: anti-malware tools have evolved towards content-based signatures
• Last year 45% of signatures were evaded by trivial transformations, compared to 16% this year
• Content-based signatures are still not sufficient
Solutions
• Content-based signatures are not sufficient
• Analyze semantics of malware
– Need platform support for that
• Dynamic behavioral monitoring can help
Takeaways
• Anti-malware vendors: need to have semantics-based detection
• Google and device manufacturers: need to provide better platform support for anti-malware
Conclusion
• Developed a systematic framework for transforming malware
• Evaluated latest popular Android anti-malware products
• All products vulnerable to malware transformations
Uranine
Real-time Privacy Leakage Detection without System Modification for Android
Motivation
• Android permissions are insufficient
– User still does not know if some private information will be leaked
• Information leakage is more interesting (dangerous) than information access
– E.g. a camera app may legitimately access the camera, but sending video recordings out of the phone may be unacceptable to the user
Previous Solutions
• Static analysis: not sufficient
– It does not identify the conditions under which a leak happens
• Such conditions may be legitimate or may not happen at all at run time
– Need real-time monitoring
• TaintDroid: real-time but not usable
– Requires installing a custom Android ROM
• Not possible with some vendors
• End-user does not have the skill-set
Our Approach
• Give control to the user
• Instead of modifying the system, modify the suspicious app to track privacy-sensitive flows
• Advantages
– No system modification
– No overhead for the rest of the system
– High configurability: easily turn off monitoring for an app or a trusted library in an app
Comparison

| | Static Analysis | TaintDroid | Uranine |
|---|---|---|---|
| Accuracy | Low (possibly high FP) | Good | Good |
| Overhead | None | Low | Acceptable |
| System modification | No | Yes | No |
| Configurability | NA | Very Low | High |
Deployment A: by vendor or 3rd-party service
Deployment B: by market
Overall Scenario
Download → Instrument → Reinstall → Run → Alert User
(Runs on unmodified Android middleware and libraries)
Challenges
• Framework code cannot be modified
– Policy-based summarization of framework API
• Accounting for the effects of callbacks
– Functions in app code invoked by framework code
– Over-tainting techniques guarantee zero FN
Challenges
• Accommodating reference semantics
– Need to taint objects rather than variables
– Not interfering with garbage collection
• Performance overhead
– Path pruning with static analysis
Instrumentation Workflow
(figure)
Preliminary Results
• Studied 20 apps
• Results in general align with TaintDroid
• Performance
– Runtime overhead is within 50% for 85% of the apps evaluated and within 100% for all apps
– Less than 20% of instructions need to be instrumented in all apps evaluated
Runtime Performance
(figure)
Fraction of Instructions Instrumented
(figure)
Limitations
• Native code not handled
• Method calls by reflection may sometimes result in unsound behavior
• App may refuse to run if its code is modified
– Currently, only one out of the top one hundred Google Play apps did that
Conclusion
• AppsPlayground, CODASPY’13
– Detected privacy leakage on a large scale
– Capable of detecting malware
• DroidChameleon, ASIACCS’13
– Several popular Android anti-malware tools shown vulnerable
• Uranine
– Real-time information-flow tracking with zero platform modification is possible
• More info and tools
– http://list.cs.northwestern.edu/mobile/
Kernel-level Monitoring
• Useful for malware detection
• Most root-capable malware can be logged for vulnerability conditions
• Rage-against-the-cage
– Number of live processes for a user reaches a threshold
• Exploid / Gingerbreak
– Netlink packets sent to system daemons
Security in Software-defined Networks
Towards A Secure Controller Platform for OpenFlow Applications
SDN Architecture
• SDN apps define routing behavior through the controller
• Current controllers assume full trust in apps, and do not check what apps send to switches
Threat Model
• Two threat models
– Exploitation of existing benign-but-buggy apps
– Distribution of malicious apps by an attacker
• Plenty of potential attacks
Challenges
• Network resources are architecturally distinctive
– It is not obvious which resources are dangerous and which ones are safe
• Controller has limited control over SDN apps
– Only controller API calls go through the controller, such as flow addition and statistics query
– OS system calls do not go through the controller, so apps can write whatever they want to the network, storage, etc.
Our Approach
• Permission check + isolation
• Contributions
– Systematic permission set design
– Comprehensive app sandboxing
(Figure: Original Controller Architecture vs. PermOF Architecture. Labelled components: Unprivileged Threads running User APPs behind an App Thread Interface; Controller Kernel Threads holding Kernel Modules and their API; a Shim Layer with a Kernel Call Queue in shared memory, Dispatcher, Kernel Service Deputy, Return Values, Callback Events, and Access Control backed by a Permission Retrieval Module and Policy Storage; all above the Operating System Kernel.)
Backup
Smartphone Security
• Lots of private data
– Contacts, messages, call logs, location
– Grayware applications, spyware applications
– TaintDroid, PiOS, etc. found many leaks
– Our independent study estimates about 1/4th of apps to be leaking
• Exploits could cost users money
– Dialing and texting premium numbers
– Malware such as FakePlayer already does this
Android Threats
• Privacy leakage
– Users often have no way to know if there are privacy leaks
– Even legitimate apps may leak private information without informing the user
• Malware
– Number increasing consistently
– Need to analyze new kinds
Dynamic vs. Static

| | Dynamic Analysis | Static Analysis |
|---|---|---|
| Coverage | Some code not executed | Mostly sound |
| Accuracy | False negatives | False positives |
| Dynamic aspects (reflection, dynamic loading) | Handled without additional effort | Possibly unsound for these |
| Execution context | Easily handled | Difficult to handle |
| Performance | Usually slower | Usually faster |
Disguise Techniques
• Make the virtualized environment look like a real phone
– Phone identifiers and properties
– Data on phone, such as contacts, SMS, files
– Data from sensors like GPS
– Cannot be perfect
Exploration Effectiveness
• Measured in terms of code coverage
– 33% mean code coverage
• More than double that of trivial exploration
• Black box technique
• Some code may be dead code
• Use symbolic execution in the future
• Fuzzing and intelligent input both important
– Fuzzing helps when intelligent input can’t model the GUI
– Intelligent input could sign up automatically for 34 different services in large scale experiments
Playground: Related Work
• Google Bouncer
– Similar aims; closed system
• DroidScope, Usenix Security’12
– Malware forensics
– Mostly manual
• SmartDroid, SPSM’12
– Uses static analysis to guide dynamic exploration
– Complementary to our approach
Threat Mitigation at App level
• Offline analysis
– Trustworthiness of app is known before use
– Static analysis
– Dynamic analysis
• Real-time monitoring
– Often more accurate but with runtime overhead
– User has control over app’s actions in real-time
Callback Example
The toString() method may be called by a framework API and the returned string used elsewhere.
Potential Defenses against malicious app
• Server-side security check by controller vendor
– Static analysis
– Dynamic analysis
• Runtime permission check
– Enforce the principle of least privilege on apps
• Principal isolation
• Anomaly-based behavior monitoring