flexdroid enforcing in app privilege separa on in android
play

FLEXDROID: Enforcing In-App Privilege Separa;on in Android Jaebaek - PowerPoint PPT Presentation

Nov 27, 2023 •283 likes •858 views

FLEXDROID: Enforcing In-App Privilege Separa;on in Android Jaebaek Seo* , Daehyeok Kim*, Donghyun Cho*, Taesoo Kim, Insik shin* * KAIST Georgia Ins;tute of Technology 1 3 rd -party libraries become popular in Android Applica;on Host code

  1. FLEXDROID: Enforcing In-App Privilege Separa;on in Android Jaebaek Seo* , Daehyeok Kim*, Donghyun Cho*, Taesoo Kim†, Insik shin* * KAIST † Georgia Ins;tute of Technology 1

  2. 3 rd -party libraries become popular in Android Applica;on Host code 3rd-party libraries Ad, Analy;cs, Game engine, Billing, Social 2

  3. 3 rd -party libraries become popular in Android Applica;on How can we trust them? Host code 3rd-party libraries Ad, Analy;cs, Game engine, Billing, Social 3

  4. 4

  5. In NDSS 16 The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads What Mobile Ads Know About Mobile Users Free for All! Assessing User Data Exposure to Adver;sing Libraries on Android 5

  6. In NDSS 16 The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads Fundamental problem in Android’s permission system What Mobile Ads Know About Mobile Users Free for All! Assessing User Data Exposure to Adver;sing Libraries on Android 6

  7. Problem: Android Permission System • The unit of trust in Android: ApplicaDon Loca;on <uses-permission ... LocaDon > <uses-permission ... Contacts > App Contacts Denied Calendar 7

  8. Problem: Android Permission System • Third-party library : having the same access right as the host app <uses-permission ... LocaDon > <uses-permission ... Contacts > Loca;on App 3 rd -party lib Contacts (The unit of trust) 8

  9. Problem: Android Permission System • Third-party library : having the same access right as the host app A third-party library can abuse <uses-permission ... LocaDon > the permissions of its host app <uses-permission ... Contacts > Loca;on App 3 rd -party lib Contacts (The unit of trust) 9

  10. FLEXDROID Goal : In-app privilege separa;on between a host applica;on and its third-party libraries 10

  11. Overview of FLEXDROID Specifying the package name and its permissions in AndroidManifest.xml <uses-permission ... LocaDon > <uses-permission ... Contacts > Loca;on App com.ad.sdk com.ad.sdk Deny Contacts < flexdroid android:name=“ com.ad.sdk ” > <allow … LocaDon > < /flexdroid > 11

  12. Contributions 1. Report poten;al privacy threats of third-party libraries by analyzing 100,000 real-world Android apps 2. Provide an in-app privilege separa;on in Android – Suppor;ng JNI, reflec;on, and mul;-threading 3. Adopt a fault isola;on using ARM Memory Domain to sandbox na;ve code in Android 12

  13. Inves;ga;ng Real-world Threats • Inves;gate 100,000 Android apps from Google Play using a sta;c analysis Q1: How many third-party libraries use undocumented permissions? Q2: How many of them rely on dynamic code execu;on? 13

  14. Undocumented Permissions Required Op;onal Undocumented Facebook (Social) Flurry (Analy;cs) Paypal (Billing) InMobi (Ad) Chartboost (Ad) 14

  15. Undocumented Permissions Required Op;onal Undocumented From XXXBank: Your One-Time Facebook (Social) Password is Flurry (Analy;cs) 34819. Valid for 5 mins. Paypal (Billing) InMobi (Ad) Chartboost (Ad) 15

  16. Analysis of Real-World Apps • Control-flow and data dependency – Class Inheritance 71.5% • Dynamic run;me behavior – Java Na;ve Interface (JNI) 17.1% – Run;me class loading 27.9% – Reflec;on 49.6% 16

  17. Challenges • Control-flow and data dependency à Naïvely separa;ng third-party libraries from the host app is not applicable • Dynamic run;me behavior à Sta;cally or dynamically detec;ng malicious behaviors introduces low accuracy 17

  18. Threat Model • Poten;ally malicious third-party libraries – Obfuscated code and logic • Use of dynamic features (e.g., JNI, reflec;on, mul;-threading) • App developers specifying permissions of each third-party library 18

  19. SYSTEM DESIGN 19

  20. Key Idea Adjus;ng permissions dynamically whenever an app requests a resource 20

  21. Dynamic Permission Adjustment When execu;ng the host applicaDon’s code Permissions of host applica;on App Permissions • Loca;on • Contacts Permissions of third-party library • Loca;on 21

  22. Dynamic Permission Adjustment When execu;ng the 3 rd -party lib’s code Permissions of host applica;on • Loca;on • Contacts Permissions of third-party library App Permissions • Loca;on 22

  23. Iden;fica;on of Executed Code 1. Iden;fy the principal using stack inspec;on 2. Apply the stack inspec;on to Android 3. Protect the integrity of call stack informa;on against asacks via: – JNI – Reflec;on – Mul;-threading 23

  24. Stack Inspec;on in Security Context Process of determining the permissions allowed to the current thread according to principals shown in the call stack P Call stack Perm = Perm(A) ê A com.A.func;onA ∩ Perm(B) B com.B.func;onB ∩ Perm(C) C com.C.func;onC 24

  25. Inter-process Stack Inspec;on Permission Checker Loca;on App PM Manager Dalvik Dalvik Dalvik User Space Kernel Space SD Card File Sysm Internet Permission Checker 25

  26. Inter-process Stack Inspec;on Permission Checker Loca;on App PM Manager Stack Dalvik Dalvik Dalvik Tracer User Space Kernel Space SD Card File Sysm Internet Stack Transmission Channel 26

  27. Poten;al Asack Surface Reflection Multi-threading Loca;on App PM Manager JNI Stack Dalvik Dalvik Dalvik Tracer User Space Kernel Space Stack Transmission Channel 27

  28. Poten;al Asack Surface • Compromising stack tracer JNI • Manipula;ng Dalvik call stack JNI, Reflection, Multi-threading • Hijacking the control data e.g., code injec;on on Dalvik JNI func;ons, manipula;ng code pointers 28

  29. Protec;ng Integrity of Call Stack • JNI Sandbox • JNI Sandbox • Defense mechanism against asacks via • Defense mechanism against asacks via reflec;on reflec;on • Defense mechanism against asacks via • Defense mechanism against asacks via mul;-threading mul;-threading 29

  30. JNI Sandbox • Inspired by ARMlock (CCS’14), applying Fault Isola5on using ARM Memory Domain to Android • Key Idea – Regard JNI code of 3 rd -party libraries as poten;ally malicious code – Run JNI in an isolated and restricted memory domain 30

  31. Fault Isola;on using ARM Memory Domain App address space libc.so libdvm.so Heap Stack Thread Local Storage (TLS) … Java domain 31

  32. Fault Isola;on using ARM Memory Domain App address space libc.so libdvm.so Heap Stack Thread Local Storage (TLS) … Java domain JNI domain 32

  33. Fault Isola;on using ARM Memory Domain App address space FLEXDROID allows Dalvik VM to access both memory domains Dalvik VM Java domain JNI domain 33

  34. Fault Isola;on using ARM Memory Domain App address space by setting Domain Access Control Register of each thread JNI code Java domain JNI domain 34

  35. Fault Isola;on using ARM Memory Domain App address space Domain JNI code Fault Java domain JNI domain 35

  36. Memory and Shared Libraries for JNI App address space libc.so Heap Stack TLS … Stay in Java domain!! Java domain JNI domain 36

  37. Memory and Shared Libraries for JNI • Shared libraries (e.g., libc.so), heap, stack and TLS are in Java domain – JNI cannot access them à FLEXDROID provides JNI with independent shared libraries, heap, stack and TLS 37

  38. Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on 38

  39. Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on package com.malicious.lib P Call stack class A method launch_attack ê H com.host.C.runCallback generateClass(“com.host.B”) L com.host.B.malFunc generateClass(“com.host.B”, “malFunction”) loadClass(“com.host.B”) com.host.C.setCallback(new com.host.B()) end method end class 39

  40. Defense against Reflec;on • Problem : A third-party library can dynamically generate a class with the package name of its host applica;on package com.malicious.lib P Call stack class A method launch_attack ê H com.host.C.runCallback generateClass(“com.host.B”) L com.host.B.malFunc generateClass(“com.host.B”, “malFunction”) loadClass(“com.host.B”) com.malicious.lib com.host.C.setCallback(new com.host.B()) end method FLEXDROID maintains end class the informa;on of class loader 40

  41. Implementa;on • Android 4.4.4 Kitkat / Linux 3.4.0 # of Files InserDon (LoC) DeleDon (LoC) Kernel 28 1831 25 Android Framework 46 1466 77 Dalvik VM 24 6081 22 Bionic 23 2827 70 Others 12 95 24 Total 133 12300 218 41

  42. EVALUATION 42

  43. Overview • How effec;ve is FLEXDROID’s policy to restrict third-party libraries? • How easy is it to adopt FLEXDROID’s policy to exis;ng Android apps? • How much performance overhead does FLEXDROID impose when adopted? 43

  44. Blocking Permissions with FLEXDROID • Choosing 8 third-party libraries from real-world apps • Repackaging their host applica;ons with FLEXDROID policy – No permission given to third-party libraries à Denying all accesses to resources from third-party libraries 44

  45. Blocking Permissions with FLEXDROID • Choosing 8 third-party libraries from real-world apps • Repackaging their host applica;ons with FLEXDROID can block FLEXDROID policy permission abuses of 3 rd -party libs – No permission given to third-party libraries à Denying all accesses to resources from third-party libraries 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun Cho, T aesoo Kim, Insik Shin (NDSS 16) Presented by Shivansh Chandnani CS 563 (Fall 2018) 3 rd party libraries are very popular in Android

1.12k views • 28 slides
Introduc)on EECS1022 M OBILE C OMPUTING Abstrac)on &amp; Separa)on of Concerns The SoCware

Introduc)on EECS1022 M OBILE C OMPUTING Abstrac)on &amp; Separa)on of Concerns The SoCware

Introduc)on EECS1022 M OBILE C OMPUTING Abstrac)on &amp; Separa)on of Concerns The SoCware Development Cycle Object Oriented Programming [OOP] Data structures and Algorithms Android App Development User Interface [UI] Design The

405 views • 8 slides
QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC 2013

735 views • 25 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

578 views • 46 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&amp;A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot; package=&quot;net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
A rela'onal Model for Confined Separa'on Logic Palwasha

A rela'onal Model for Confined Separa'on Logic Palwasha

A rela'onal Model for Confined Separa'on Logic Palwasha Afsar MAP-i Doctoral Student Outline The Problem Aim of the Paper PF transform

432 views • 26 slides
Separa&amp;ng Fact from Fic&amp;on Kushagra Vaid Principal Architect,

Separa&amp;ng Fact from Fic&amp;on Kushagra Vaid Principal Architect,

Datacenter Power Efficiency: Separa&amp;ng Fact from Fic&amp;on Kushagra Vaid Principal Architect, Datacenter Infrastructure Microso&gt; Online Services Division

490 views • 35 slides
Beyond 2D representa/ons: track/shower separa/on in 3D Ji Won Park Kazu Terao 11/14/17 SLAC

Beyond 2D representa/ons: track/shower separa/on in 3D Ji Won Park Kazu Terao 11/14/17 SLAC

Beyond 2D representa/ons: track/shower separa/on in 3D Ji Won Park Kazu Terao 11/14/17 SLAC Na/onal Accelerator Laboratory 1 INTRODUCTION 2 Mo/va/ons and goals Long-term mission: build a full 3D reconstruc/on chain for LArTPC data using

520 views • 28 slides
Clinical Controversies in Perioperative Medicine Hugo Quinny Cheng, MD Division of Hospital

Clinical Controversies in Perioperative Medicine Hugo Quinny Cheng, MD Division of Hospital

Clinical Controversies in Perioperative Medicine Hugo Quinny Cheng, MD Division of Hospital Medicine University of California, San Francisco Predicting &amp; Managing Cardiac Risk A 70-y.o. man with progressive weakness due to cervical

617 views • 36 slides
Referencing Academic Skills and ANU Library Overview Who we are Using a style guide to

Referencing Academic Skills and ANU Library Overview Who we are Using a style guide to

Referencing Academic Skills and ANU Library Overview Who we are Using a style guide to reference Finding the information ANU Academic Skills Correct the mistakes Using Endnote to reference The ANU Library... Connects you

803 views • 31 slides
PostgreSQL Foreign Data Wrappers Ibrar Ahmed Senior Database Architect - Percona LLC May 2019

PostgreSQL Foreign Data Wrappers Ibrar Ahmed Senior Database Architect - Percona LLC May 2019

Join Heterogeneous Databases Using PostgreSQL Foreign Data Wrappers Ibrar Ahmed Senior Database Architect - Percona LLC May 2019 Why? Accessing Data From Multiple Sources SELECT * from multiple Database Engines and generate results?

446 views • 21 slides
#PeekskillPride Thank You, PTO! #PeekskillPride Virtual Saturday Academy w/ Ossining Schools

#PeekskillPride Thank You, PTO! #PeekskillPride Virtual Saturday Academy w/ Ossining Schools

#PeekskillPride Thank You, PTO! #PeekskillPride Virtual Saturday Academy w/ Ossining Schools #PeekskillPride Congratulations to our PKMS Student Writing Contest Winners Commitment to Character Collage Sadika Clarke Coordinator of Student

629 views • 20 slides
HOW TO GET OPEN DATA IN THE HANDS OF ACTIVISTS Aslam Khan @aslamkhn Activism Open Data Aslam

HOW TO GET OPEN DATA IN THE HANDS OF ACTIVISTS Aslam Khan @aslamkhn Activism Open Data Aslam

HOW TO GET OPEN DATA IN THE HANDS OF ACTIVISTS Aslam Khan @aslamkhn Activism Open Data Aslam Khan / @aslamkhn Activist by default if you lived on the receiving end of apartheid in South Africa 1977 1985 1986 1988 1993 8y 16 17 19

545 views • 51 slides
MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 TLS Handshakes ''''''ClientHello''''''''''''''''''99999999&gt;'

744 views • 73 slides
Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA tools for students, hobbyists, enthusiasts FPGA Synthesis Formal Verification Free to use: Free to use: Xilinx Vivado WebPack,

818 views • 49 slides
Towards a more expressive and introspectable QEMU command line Markus Armbruster

Towards a more expressive and introspectable QEMU command line Markus Armbruster

Towards a more expressive and introspectable QEMU command line Markus Armbruster &lt;armbru@redhat.com&gt; KVM Forum 2017 Part I Things we want from the command line A simple example You could run QEMU like this: $ qemu -s -machine

953 views • 83 slides

More recommend