CSE543 - Computer and Network Security Module: Android Security - PowerPoint PPT Presentation

�������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� CSE543 - Computer and Network Security Module: Android Security Professor Trent Jaeger PhD Candidate Giuseppe Petracca 1 CSE543 - Introduction to Computer and Network Security Page

Classic Computer Systems The user was manually entering information from the outside world 2 CSE543 - Introduction to Computer and Network Security Page

Today’s Computer Systems Systems can measure and sense the physical world 3 CSE543 - Introduction to Computer and Network Security Page

Proof-of-Concept Attacks 4 CSE543 - Introduction to Computer and Network Security Page

Incidents in the Real World 5 CSE543 - Introduction to Computer and Network Security Page

Abuse of Sensors Demo: https://www.youtube.com/watch?v=ltA791RGvrM Stealthy pictures to recreate a 3D model of a victim’s environment 6 CSE543 - Introduction to Computer and Network Security Page

Permission-Based Systems Programs can access sensitive-sensors (cameras, microphones, and screen buffers) at any time after the user has authorized them at install time or at first use Install-Time First-Use Demo: https://www.youtube.com/watch?v=ltA791RGvrM Current systems are unable to enforce contextual use of privacy- sensitive sensors 7 CSE543 - Introduction to Computer and Network Security Page

Abuse of Authorizations The user grants the camera permission to a augmented reality game (Pokemon GO) to be able to enjoy the gaming experience 8 CSE543 - Introduction to Computer and Network Security Page

Abuse of Authorizations The user enjoys playing the game while catching more and more creatures! 9 CSE543 - Introduction to Computer and Network Security Page

Abuse of Authorizations The Pokemon GO app opens the camera without the user awareness and captures sensitive frames and send them to a remote server controlled by the adversary 10 CSE543 - Introduction to Computer and Network Security Page

Abuse of Authorizations What could we do to address this shortcoming? 11 CSE543 - Introduction to Computer and Network Security Page

Prior Work Input-Driven Access Control (IDAC) Every app request for access to a sensitive device must follow a user input event within a retrieved time window • Does the user know what is the operation associated with the input? • Does the user know what program is receiving the authorization? 12 CSE543 - Introduction to Computer and Network Security Page

Prior Work User-Driven Access Control (UDAC) Restricts apps to use trusted gadgets, aka Access Control Gadgets (ACGs) provided by the system • Does the user know what is the operation associated with the input? • Does the user know what program is receiving the authorization? 13 CSE543 - Introduction to Computer and Network Security Page

Limitations of Prior Work How would you attack such defense mechanisms? 14 CSE543 - Introduction to Computer and Network Security Page

GUI Attacks Previous defenses are subject to Graphical User Interface attacks. Programs may leverage the user as weak point to get authorizations unwanted by the user Operation Switching Bait-and-Switch Identity Spoofing Users may fail to: • Understand the operation granted by a particular gadget • Recognize subtle changes in the Graphical User Interface (GUI) • Identify the application requesting sensor access 15 CSE543 - Introduction to Computer and Network Security Page

Threat and Trust Model What are possible threats? What should be trusted? 16 CSE543 - Introduction to Computer and Network Security Page

Threat and Trust Model Threat Model • Applications (unknown source) can perform any of the UI attacks Trust Model • Linux kernel and Android OS booted securely (Secure Boot) • System services and system apps run approved code (shipped with OS) • SELinux running in Enforcing Mode 17 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses What security mechanism should be adopted? 18 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses Objective: Prevent programs from changing the operation associated to a widget arbitrarily Window A x Insights: capturePhoto() • Bind each user input event (e) with the widget (w) displayed on the screen by the application (app) • Intercept the operation request (op) then bind it to the application identity (app) and the set of sensors (S) targeted by the operation • Request the user to authorize the operation request explicitly 19 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses Objective: Prevent programs from changing the operation associated to a widget arbitrarily Requested Operation (op) Application ID (app) AWare Binding Request Allow Instagram to use the front Camera to take Pictures when Input Event (e) pressing ? Set of Sensors (S) Allow Deny Widget (w) Currently (First-Use) AWare’s Operation Request 20 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses Objective: Prevent programs from changing the operation associated to a widget arbitrarily Window A x Effect: Enable the user to verify the association between the operation (op) being authorized and the widget (w) used to initiate the operation capturePhoto() Advantages: • Avoid authorizing an unwanted operation by a user input event (IDAC) • Apps are allowed to choose the widgets to associate with particular operations (UDAC) 21 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses Objective: Prevent programs from changing the user interface configuration for a widget background window title Window A x widget’s position border Insights: widget’s size • Bind the operation request (op) with the user interface configuration (c) used to display the widget (w) • Define a display context as set of structural features of the most enclosing activity window containing the widget (w) 22 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses Objective: Prevent programs from changing the user interface configuration for a widget Window A x Window A x Window A x Window A x Effects: Identify instance of the same window (i.e., display context) with a different widget Identify same widget presented in a different window (i.e., display context) Advantage: User does not need to check for subtle changes to the widgets or their display context (!= IDAC and UDAC). Changes detected and flagged by the system automatically. 23 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses Objective: Prevent programs from replacing the foreground activity window of another program Window A x Window A x e 1 e 2 e 6 e 3 a_w 1 a_w 2 a_w 3 {w 1, ,w 2 } e 7 e 8 e 5 e 4 a_w 4 bg Activity Window Hijacking {w 3 } Insights: • Construct an Activity Window Call Graph (G) where nodes represent activity windows and edges represent enabled transitions (i.e., user inputs or system events) • Security messages showing app ID and ongoing operation detected and flagged by the system automatically. 24 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses Objective: Prevent programs from replacing the foreground activity window of another program Window A x Window A x Activity Window Hijacking Effects: • Activity Window Call Graph (G) built while the application runs • Record the relationships among windows used by a program and between programs Advantage: Identify and block activity window hijacking (!= IDAC and UDAC) 25 CSE543 - Introduction to Computer and Network Security Page

Designing Defenses What security mechanism does these insights recall? 26 CSE543 - Introduction to Computer and Network Security Page

Operation Binding Concept Objective: make access to privacy-sensitive sensors explicit to both the system and the user System’s View User’s View Instagram Previewing Camera (B) Operation Binding = <app,op, S, e, w, c> app = application ID AWare Binding Request op = operation being requested Allow Instagram to use the front Camera to S = set of sensors targeted by the request take Pictures when pressing ? e = user input event Allow Deny w = user interface widget c = user interface configuration containing the widget + activity window call graph (G) 27 CSE543 - Introduction to Computer and Network Security Page

Operation Binding Concept What security guarantees can it ensure? 28 CSE543 - Introduction to Computer and Network Security Page