Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi...
-
Upload
clarissa-payne -
Category
Documents
-
view
217 -
download
2
Transcript of Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi...
Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Luyi Xing1, Xiaorui Pan1, Rui Wang2, Kan Yuan1, and XiaoFeng Wang1
1Indiana University Bloomington2Microsoft Research
35th IEEE Symposium on Security and Privacy (Oakland'14)
左昌國2014/05/12 Seminar @ ADLab, CSIE, NCU
Introduction• Mobile OS Updating (Android)
• More complex• Sandboxed apps• Lots of sensitive user data• Updating live system
• More often• More files
• 15,525 files from
4.0.4 to 4.1.2
• Less steps (for user)• Press one button
3
Introduction• Android Updating
• Download upgrading image through OTA (Over the Air)• Reboot to recovery mode• Replace some system files, such as bootloader, Package Manager
Service (PMS), and APKs under /system directory• Reboot to the new OS• Update other components
4
Introduction• What PMS does when upgrading Android OS
• Install or reinstall all system apps under /system, and then 3rd-party apps under /data/app
• Register an app’s permissions, shared UID, activities, intent filters, ……
• Decide what to do when a conflict occurs (duplicated attr. or prop.)• Build a structure mSettings for existing apps, and include:
• mPackages• mUserIds• mSharedUsers• mPermissions• etc.
• Check the mSettings when installing a new system package• If having conflicts, decide case by case.
5
Introduction• What’s wrong with PMS?
• Conservative strategy• Avoid improperly replacing existing properties• Maintain old user data
• Same logic for both system upgrading and normal app installation• When conflict occurs upon upgrading…
• If PMS chooses wrong attributes or properties to keep…
6
Pileup Exploits• Adversary Model
• Malicious apps have been installed on the victim’s devices• Such malware can be uploaded to Google Play and 3rd-party
markets• The malware appears less dangerous than some legitimate apps
• No dangerous permissions needed
• The victim’s devices are going to be updated• Such updates come with new security-critical privileges and
capabilities
7
Pileup Exploits• Permission Harvesting and Preempting• Shared UID Grabbing• Data Contamination• Denial of Services
8
Pileup Exploits – Permission Harvesting and Preempting• Permission protection levels (link)
• normal• dangerous• signature• signatureOrSystem• system• development
• PMS problematically handles the permissions inherited from the old system
9
Pileup Exploits – Permission Harvesting and Preempting
10
Installedmalware
Beforeupdating
Claimed for permissions of new OS or apps
Updating to new OS
Installing System apps
Declare new permissions
Installing3rd-party apps
Automatically grant thepermissions
Old OS can not recognize these permissions
Reinstalling the old malware
Without user’sconsent
These permissionsare restricted below“dangerous” level
PMS PMS
No report
Pileup Exploits – Permission Harvesting and Preempting
11
Installedmalware
Beforeupdating
Declared and defined the permissions the same as those of new system apps
Updating to new OS
Building mSettings for old apps
Declare new permissions
Installing3rd-party apps
Automatically declare and grant permissions
Old OS lets the malware declare them
Reinstalling theold malware
Without user’sconsent
PMS PMS
InstallingSystem apps
PMS
mPermissions
check
Skip ifconflicts
“signature” - OK“system” - OKLower to “normal” – OKChange the description – OK
Example: CertInstallerGoogle Cloud Messaging Demo
Without user’s intervention
Pileup Exploits – Shared UID Grabbing
• Shared UID (android:sharedUserId) (link)• If 2 apps use the same sharedUserId, the OS will assign them
the same UID when being installed.• Application with the same user ID can access each other's data
and, if desired, run in the same process.
13
Pileup Exploits – Shared UID Grabbing
14
Installedmalware
Beforeupdating
Declared sharedUIDthe same as that of the new system app
Updating to new OS
Building mSettings for old apps
Cancel installing
Installing3rd-party apps
Download another app to replace the canceled system app
Signed by 3rd-party
Reinstalling theold malware
PMS PMS
InstallingSystem apps
PMS
mSettings
Check sharedUID
Cancel ifthe verification failed
pkgSetting
If equals, load the setting and verify the signature
Shared UID Grabbing: DEMO
Pileup Exploits – Data Contamination• Android keeps the data for both system and 3rd-party apps
under directory /data/data/<PackageName>• This directory is owned by a unique Linux UID
16
Pileup Exploits – Data Contamination
17
Installedmalware
Beforeupdating
Used package name the same as that of the new system app
Updating to new OS
Building mSettings for old apps
Installing3rd-party apps
SharedUID is empty
Cancel installing the
malware
PMS PMS
InstallingSystem apps
PMS
mSettings
Check <PackageName>
pkgSetting
If found the same<PackageName>,compare sharedUID
/data/data/<PackageName>Data of the malware
pkgSetting∵Both sharedUIDs are empty. Load the malware’s setting
SharedUID is empty
conflict
Data Contamination:Demo1 – inject scripts to cachesDemo2 – bookmark phishingDemo3 – Login CSRF
Pileup Exploits – Denial of Services• A permission typically can only be defined before an app
has been installed. exception: Permission Tree• Permission tree (link)
• An app can define a base name (root) of a tree of permissions.• Once declaring the tree, the app controls the whole name space
defined by the root.• During runtime, the app can add individual permission within the
tree.
18
Pileup Exploits – Denial of Services
19
Installedmalware
Beforeupdating
Declared permissiontreethat covers permissions of the new system app
Updating to new OS
Building mSettings for old apps
Installing3rd-party apps
Reinstalling theold malware
PMS PMS
InstallingSystem apps
PMS
mPermissio-ntrees
Check
Declare new permissions
If found covering, registration will fail
permission.ADD_VOICEMAIL
google.apps.permission.GOOGLE_AUTH google.apps.permission
Pileup Exploits – Denial of Services• Blocking Google Play Services
• From Android 2.3 to 4.0, after all apps’ installation complete, Google Play is then downloaded and installed as a 3rd-party app.
• A malware on 2.3.6 could use the same package name as Google Play, and blocks the installation of Google Play when upgrading to 4.0
• Many apps rely on Google Play Services
20
Finding Pileups• Detecting Update Flaws
• Manually built reference PMS (AOSP 4.0.4)• Every other version of PMS is compared to the reference PMS,
and is automatically annotated• Reuse when possible• Automatically create new annotation• Manual adjustments if needed
22
Finding Pileups• Assertions for pileup detection
• Generally, 2 security constraints for PMS:• A non-system app and its dynamic content should not gain any more
privileges on the new OS than they have on the old Android.• A non-system app should not compromise the integrity and the
availability of the new Android (e.g. changing the settings and data)
23
Finding Pileups• If Assertion (1) is FALSE and Assertion (2) is TRUE
• (Assertion (1) == FALSE) pkgSetting is originally from non-system app
• (Assertion (2) == TRUE) attribute in pkg is assigned to the original value of pkgSetting right after init
A non-system old app is affecting the new system app
24
Finding Pileups• If Assertion (3) is FALSE
1. ((bp.pkgFlags & 1) != 0) == FALSE non-system old app
2. (bp.sourcePkg.equals(pkg.pkgName)) == FALSE the old app name is NOT equal to the new system app name
If new permission name exists on old OS, and it is from non-system old app, and the <PackageName> is not equal
25
Finding Pileups• Finding Exploit Opportunities
• Different Android versions, manufacturers, device models, and carriers (Wireless Service Provider) are affected under different exploit opportunities.
Image scan• Compare system attributes and properties on 2 consecutive versions
from the same manufacturer, device model, region, and carrier.• Find out those newly added permissions or other attributes and props.
26
Finding Pileups• Pileup Scanner (Google Play)
• The app only asks for the INTERNET permission.
1. Gather information from android.os.Build2. Query the database for the exploit opportunites
3. Call API getInstalledPackages to get the names of installed packages, and use getPackageInfo to retrieve the information
27
Measurement and Evaluation• Android image collection
• 38 images for Google Nexus devices• Nexus7, Nexus10, Nexus Q, Galaxy Nexus, Nexus S• From 2.3.6 to 4.3
• 3,511 images for Samsung devices• 217 devices models, 267 carriers• From 2.3 to 4.3
• Source code of AOSP versions and customized versions• 1,522 from Samsung, 377 from LG, 1,593 from HTC
28
Measurement and Evaluation• Limitation
• Permission harvesting• Registration of non-system app’s property• Assertions do not cover
• Google Play Services DoS• Google Play is installed under the /data/app directory on Android 4.0.4• 3rd-party
29
Measurement and Evaluation• Measurement of Opportunities
• From the 38 Google and 3,511 Samsung images• 741 update instances
30
Measurement and Evaluation• Sensitive permissions at least dangerous protection level• Restrictive above dangerous
31
Measurement and Evaluation• Impacts of customizations
• Though Google and AOSP make the biggest system overhaul from 2.3.X to 4.0.X and show a trend of less aggressive updating afterwards, Samsung continues to bring in more new stuffs.
33
Measurement and Evaluation• 4.0 - 4.1
• DCM (Docomo), TMB (T-Mobile)
• 4.1 - 4.2• DBT (Deutsche Bundespost Telekom), INU, SER
34
Measurement and Evaluation• Evaluating Scanner
• Effectiveness: • Install top 100 free apps from Google Play• Install system apps that could be updated through Google Play• Install a set of attack apps• Update Android version one by one, until 4.3All malicious apps detected and no false positives
• Performance
35
Conclusion• Android update, in order to ensure the smooth process
without endangering user assets, becomes error-prone.• This paper reported the first systematic study of the
problem.• Revealed Pileup vulnerabilities• Performed large-scale measurement to confirm the presence of
such flaws in all Android versions.
• To mitigate the threat, this paper proposed SecUP to detect Pileup vulnerabilities.
36