FASE: Functionality-Aware Security Enforcement (slide deck)


Slide 1: FASE: Functionality-Aware Security Enforcement

Petar Tsankov, ETH Zurich
Marco Pistoia, IBM T.J. Watson Research Center
Omer Tripp, Google Inc.
Martin Vechev, ETH Zurich
Pietro Ferrara, Julia

Slide 2: Information Flow Vulnerabilities in Mobile Apps

(Figure: an app and an attacker; confidential data flows out of the app to the attacker, while untrusted inputs such as ' OR 1 = 1 flow from the attacker into the app.)

Manual analysis of information flow threats is challenging

Slide 3: Existing Solutions

(Figure: a flow from Source to Sink.)

Detection
§ TaintDroid (dynamic)
§ FlowDroid (static)
Raise an alarm when a bad flow is detected

Enforcement
§ AppFence (masking & blocking)
Mask/block bad flows

Slide 4: Existing Solutions (continued; same figure and bullets as Slide 3)

However, correct security enforcement depends on the app’s functionality

Slide 5: The Lack of Functionality-Awareness

(Figure: screenshots of the app's normal behavior next to the same app secured with AppFence.)

Slide 6: The Lack of Functionality-Awareness (continued; same screenshots as Slide 5)

What causes these side effects and crashes?

Slide 7: Illustrative Example

Slide 8: Illustrative Example

String imsi = getSubscriberId(); // source
// imsi ↦ "310152843957264"
HttpGet request = new HttpGet("analytics.com?id=" + imsi);
// request.uri ↦ "analytics.com?id=310152843957264"
httpClient.execute(request); // sink

The source returns the International Mobile Subscriber Identity (IMSI); the IMSI flows into a sink as part of the URI.

Slide 9: Illustrative Example (continued; same code as Slide 8)

How can we correctly anonymize the URI that contains the IMSI?

Slide 10: Common Functionality Constraints

Original value: request.uri ↦ "analytics.com?id=310152843957264"

Generic constraint: "Must abide by the URI format"
  request.uri = "XYZ" (Incorrect)

Must not modify trusted parts
  request.uri = "xyz.com?id=XYZ" (Incorrect)

App-specific constraint: "Keep first six digits intact"
  request.uri = "analytics.com?id=000000000000000" (Incorrect)
  request.uri = "analytics.com?id=310152000000000" (Correct)

Slide 11: How can we enforce security while satisfying such functionality constraints?

Slide 12: Functionality-Aware Security Enforcement (FASE)

(Figure: Source → Fine-grained Data Flow Tracking → Safe values synthesizer → Sink; Functionality Constraints feed the synthesizer.)

Fine-grained data flow tracking
Functionality constraints: capture generic and app-specific constraints
Safe values synthesizer: synthesize a constraint-compliant value

Slide 13: Functionality-Aware Security Enforcement (FASE) (continued; same architecture figure as Slide 12)

(Figure: screenshot of the app secured with FASE.)

Slide 14: FASE architecture (outline slide; figure repeated from Slide 12, introducing the section on fine-grained data flow tracking)

Slide 15: Fine-Grained Data Flow Tracking

Character-level tracking for strings: each character is mapped to a label (here IMSI)

String imsi = getSubscriberId(); // source (IMSI)
// imsi ↦ "310152843957264"
HttpGet request = new HttpGet("analytics.com?id=" + imsi);
// request.uri ↦ "analytics.com?id=310152843957264"

Value-based tracking for primitives: each value is mapped to a label (here Location)

Location l = getLastKnownLocation(GPS);
// l.lat ↦ 37.3876, l.lon ↦ 122.0575

Slide 16: FASE architecture (outline slide; figure repeated from Slide 12, introducing the section on functionality constraints)

Slide 17: Two Kinds of Functionality Constraints

Generic
§ Specified once for all apps
§ Capture sink pre-conditions
Example: "URI strings must be valid"
<Uri> ::= "http" "s"? "://" <Chars> "." <Dom> <Args>
<Chars> ::= [a-zA-Z0-9]+
<Dom> ::= "com" | "net" | ...

Application-specific
§ Specified by developers
§ Captured in a designated DSL
Example: "First 6 chars of IMSI must be kept intact when sent to analytics.com"
if uri.startsWith("analytics.com") constrain uri<IMSI> to val.substr(0,6).[0-9]9

Slide 18: FASE architecture (outline slide; figure repeated from Slide 12, introducing the section on the synthesizer)

Slide 19: Synthesizer

Generic constraint
<Uri> ::= [a-zA-Z0-9]+ . <Dom>

App-specific constraint
if uri.startsWith("analytics.com") constrain uri<IMSI> to val.substr(0,6).[0-9]9

Labeled string
"analytics.com?id=310152843957264" (the characters 310152843957264 carry the label IMSI; the prefix is unlabeled)

Derived regular expression
"analytics.com?id=310152".[0-9]9

Constraint-compliant string
"analytics.com?id=310152000000000"
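The following Python model is an added illustration, not the FASE authors' implementation: it reproduces the pipeline of slides 15, 17 and 19, where per-character labels survive string concatenation, the app-specific rule turns the IMSI-labeled segment into a regular expression, and the synthesizer emits a value that must also pass the generic URI grammar. The fallback rule for labeled data that no app-specific constraint covers (mask the whole value, keep its length) is an assumption made here.

```python
import re

# Added example (not the FASE authors' code): character-level label tracking plus
# the constraint-driven synthesizer described on slides 15, 17 and 19.
IMSI = "IMSI"
# Generic constraint from slide 19: <Uri> ::= [a-zA-Z0-9]+ . <Dom>, optional query part.
URI_RE = re.compile(r"^[a-zA-Z0-9]+\.(com|net)(\?.*)?$")

class LStr:
    """A string whose characters each carry a source label (None = trusted text)."""
    def __init__(self, chars, labels=None):
        self.chars = list(chars)
        self.labels = list(labels) if labels else [None] * len(self.chars)
    def __add__(self, other):  # concatenation keeps the per-character labels
        other = other if isinstance(other, LStr) else LStr(other)
        return LStr(self.chars + other.chars, self.labels + other.labels)
    def __str__(self):
        return "".join(self.chars)

def get_subscriber_id():
    """Source: every returned character is labeled IMSI (constructed sample value)."""
    return LStr("310152843957264", [IMSI] * 15)

def app_constraint(uri, label, n):
    """Slide 17 rule: on analytics.com keep the first 6 IMSI chars, allow any 9 digits.
    Returns (chars to keep, regex for the rest, witness for the rest). The fallback
    (an assumption of this example) masks the whole labeled run but keeps its length."""
    if str(uri).startswith("analytics.com") and label == IMSI:
        return 6, r"[0-9]{9}", "0" * 9
    return 0, r"[a-zA-Z0-9]{%d}" % n, "0" * n

def synthesize(uri):
    """Return (derived regex, constraint-compliant string); the string is None when
    the synthesized value would violate the generic URI constraint."""
    pattern, out, i = "", "", 0
    while i < len(uri.chars):
        label, j = uri.labels[i], i
        while j < len(uri.chars) and uri.labels[j] == label:
            j += 1                      # maximal run of characters sharing one label
        run = "".join(uri.chars[i:j])
        if label is None:               # trusted characters are kept verbatim
            pattern, out = pattern + re.escape(run), out + run
        else:                           # labeled run: apply the app-specific constraint
            keep, tail_re, tail_val = app_constraint(uri, label, len(run))
            pattern += re.escape(run[:keep]) + tail_re
            out += run[:keep] + tail_val
        i = j
    ok = URI_RE.match(out) and re.fullmatch(pattern, out)
    return pattern, (out if ok else None)
```

Running `synthesize(LStr("analytics.com?id=") + get_subscriber_id())` yields the slide's compliant value, while a prefix such as "XYZ" is rejected by the generic URI check and yields None.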

Slide 20: Implementation & Experiments

Slide 21: FASE System Implementation

Data Flow Tracking
§ Instruments Android libraries (String, StringBuilder, ...) as well as sources and sinks (>10K)
§ Efficiency achieved by locality-aware memory allocation for labels

App-level Instrumentation
§ Rewrites source and sink calls to invoke the synthesizer

Synthesizer
§ Uses the ACLA framework for analysis of context-free and regular languages
§ Efficiency achieved by a combination of caching and short-circuiting heuristics

Slide 22: Experiments

Benchmark Applications
§ 20 apps used in prior studies
§ On average, these apps have 500 source/sink call sites and 10 security-relevant flows

Robustness: Can the FASE system secure apps while preserving functionality?

Overhead: What is the overhead caused by the FASE system?

Slide 23: Robustness Experiment

Compared configurations:
§ Coarse tracking, no constraints
§ Coarse tracking, generic constraints
§ FASE system: fine-grained tracking, generic constraints, app-specific constraints

Slide 24: Robustness Experiment (results)

(Figure: bar chart of the number of applications (axis from 0 to 8) showing a crash, major side effects, or minor side effects under coarse tracking with no constraints, coarse tracking with generic constraints, and the FASE system.)

FASE system: no crashes; only 1 app shows a minor side effect

The FASE system secures apps in a robust way

Slide 25: Overhead Experiment

(Figure: task completion time in seconds for applications 1, 2 and 3 on a stock Android device versus with FASE.)

Roughly 10% overhead

Slide 26: Summary

Existing enforcement solutions often break functionality

Functionality-aware security enforcement (figure: Source → Data Flow Tracking → Safe values synthesizer → Sink, with Functionality Constraints feeding the synthesizer)

Robust security enforcement with low overhead (figure: robustness results for coarse tracking versus the FASE system)