QuantDroid: Quantitative Approach towards Mitigating Privilege - PowerPoint PPT Presentation

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC 2013 - Communications and Informations Systems Security Symposium 1/ 14

Motivation Android popularity → increasing Privacy under attack! → Soundcomber (NDSS, 2011), PlaceRaider (NDSS, 2013), … Permission model → confusing & inflexible Source: PlaceRaider [2] 2/ 14

Communication High-level Middleware Unicast, Broadcast & RPC Poorly secured Android Security & Communication System Security Common Linux security High-level permissions Sandbox for apps ↓ High-level IPC Source: Programming Android [3] 3/ 14

Android Security & Communication Communication High-level Middleware Unicast, Broadcast & RPC Poorly secured System Security Common Linux security High-level permissions Sandbox for apps ↓ High-level IPC Source: Programming Android [3] 3/ 14

Objective Identifying privilege escalation Detecting illegal information flow ◮ Dishonest/Colluding apps ◮ Abused apps → Prevent mobile privacy invasion → Using information flow analysis 4/ 14

IPC Inspection (USENIX Sec., 2011) Focus on permission redelegation Adjust IPC callee permissions Only reduced, never extended Merely message independent interface-level permission control. Related Work XManDroid (NDSS, 2012) Graph based App permissions Direct & indirect communication Source: XManDroid [4] 5/ 14

Related Work XManDroid (NDSS, 2012) Graph based IPC Inspection (USENIX Sec., 2011) Focus on permission redelegation Adjust IPC callee permissions Only reduced, never extended App permissions Direct & indirect communication Merely message independent interface-level permission control. Source: XManDroid [4] 5/ 14

FlowGraphService Real-time collection Communication graph Containing all running apps Quantitative data flow Limit enforcement Monitoring Characteristics Enforce data flow limits Sender (PID, UID) Based on taint tags Receiver (PID, UID) Countermeasures Size Kill app Taint Tag ( , , , , …) Block IPC message IPC Monitoring with FlowGraphService IPC Monitoring At IPC boundary High-level communication methods Forwarding data collection 6/ 14

FlowGraphService Real-time collection Communication graph Containing all running apps Quantitative data flow Limit enforcement Enforce data flow limits Based on taint tags Countermeasures Kill app Block IPC message IPC Monitoring with FlowGraphService IPC Monitoring At IPC boundary High-level communication methods Forwarding data collection Monitoring Characteristics Sender (PID, UID) Receiver (PID, UID) Size Taint Tag ( , , , , …) 6/ 14

Limit enforcement Enforce data flow limits Based on taint tags Countermeasures Kill app Block IPC message IPC Monitoring with FlowGraphService IPC Monitoring FlowGraphService At IPC boundary Real-time collection High-level communication Communication graph methods ◮ Containing all running apps ◮ Quantitative data flow Forwarding data collection Monitoring Characteristics Sender (PID, UID) Receiver (PID, UID) Size Taint Tag ( , , , , …) 6/ 14

IPC Monitoring with FlowGraphService IPC Monitoring FlowGraphService At IPC boundary Real-time collection High-level communication Communication graph methods ◮ Containing all running apps ◮ Quantitative data flow Forwarding data collection Limit enforcement Monitoring Characteristics Enforce data flow limits Sender (PID, UID) Based on taint tags Receiver (PID, UID) Countermeasures Size ◮ Kill app ◮ Block IPC message Taint Tag ( , , , , …) 6/ 14

Taint Tagged IPC Interpreted Code ted Code Trusted A pplication U ntrusted A ppli Interpreted Code Trusted A pplication Untrusted A pplication TrustedApplication Trusted A pplication UntrustedApplication U ntrusted A pplicatio Interpreted Code (8) (8) Interpre (8) Taint Source Taint Source Taint Source Taint Source (1) (1) Tai Ta (1) (1) Trusted Library Taint Sink (9) (9) (7) (3) (9) (2) Userspace Userspace (3) (3) (7) rspace (3) (7) (6) Userspace (4) (6) (4) (6) (4) (4) (6) (2) (5) (2) (5) (2) (5) Dalvik VM Dalvik VM Use Virtual Taint Map Virtual Taint Map Interpreter Interpreter Virtual Taint Map Virtual Taint Virtual Taint Map Virtual Virtual Taint Map Virtual Taint M DV M Intepreter DV M Int DV M Intepreter DV Binder IPC Library Binder Hook Binder Hook Binder IPC Library DV M Intepreter DV M Inte (5) K ernel Binder K ernel M odule K ernel l Kernel rne Binder K ernel M odule Binder Kernel M odule Binder K ernel M odule K e Utilising Dynamic Taint Tagging TaintDroid (OSDI, 2010) Dynamic taint tagging Tag = data source Dalvik VM only, no native code Across IPC − → Source: TaintDroid [6] 7/ 14

Utilising Dynamic Taint Tagging Taint Tagged IPC Interpreted Code ted Code Trusted A pplication U ntrusted A ppli Interpreted Code Trusted A pplication Untrusted A pplication TrustedApplication UntrustedApplication Interpreted Code Trusted A pplication U ntrusted A pplicatio TaintDroid (OSDI, 2010) (8) (8) Interpre (8) Taint Source Taint Source Taint Source Dynamic taint tagging Taint Source (1) (1) Tai Ta (1) (1) Trusted Library Taint Sink (9) (9) Tag = data source (7) (3) (9) (2) Dalvik VM only, Userspace Userspace (3) (3) (7) rspace (3) (7) (6) Userspace (4) (6) (4) (6) (4) (4) (6) (2) (5) (2) (5) no native code (2) (5) Dalvik VM Dalvik VM Use Virtual Taint Map Virtual Taint Map Interpreter Interpreter Virtual Taint Map Virtual Taint Virtual Taint Map Virtual Virtual Taint Map Virtual Taint M Across IPC − → DV M Intepreter DV M Int DV M Intepreter DV Binder IPC Library Binder Hook Binder Hook Binder IPC Library DV M Intepreter DV M Inte (5) K ernel Binder K ernel M odule K ernel l Kernel rne Binder K ernel M odule Binder Kernel M odule Binder K ernel M odule K e Source: TaintDroid [6] 7/ 14

Visualisation Current graph via custom fgdump -tool Graphviz for rendering Example Snapshot UID 10012 UID 10014 Tag: IMEI Tag: CONTACTS Tag: CONTACTS Throughput: 1664 Bytes/min Throughput: 1664 Bytes/min Throughput: 3968 Bytes/min android.process.media com.example.servicecomreceiver UID 10008 com.example.servicecomsender 8/ 14

Evaluation Cirteria Privilege escalation − → sensitive data propagates across apps Works with standard Android SDK APIs Test Scenarios i) Conspiring apps ii) Confused-deputy 9/ 14

Scenario: Conspiring apps Setup Attack scenario: conspiring apps Start Activity Intent <<component>> <<component>> WeatherEntryActivity MappingActivity Service Call Service Reply Service Call Activity Result <<component>> <<component>> WeatherReporterService WeatherWidget Service Reply Objective Innocent looking apps siphoning off contact data to send it off-site. 10/ 14

Scenario: Conspiring apps Execution T 1 UID 10042 Tag: CONTACTS Throughput: 828 Bytes/min com.example.snr_a.custommapping UID 10041 com.example.snr_a.weatherreporter UID 10040 com.example.snr_a.weatherwidget 11/ 14

Scenario: Conspiring apps Execution T 2 UID 10042 216 bytes ≈ 1 contact com.example.snr_a.custommapping UID 10041 Tag: CONTACTS Throughput: 216 Bytes/min com.example.snr_a.weatherreporter UID 10040 com.example.snr_a.weatherwidget 11/ 14

Scenario: Conspiring apps Execution T 3 UID 10042 Tag: CONTACTS Throughput: 828 Bytes/min com.example.snr_a.custommapping UID 10041 Tag: CONTACTS Throughput: 216 Bytes/min com.example.snr_a.weatherreporter UID 10040 com.example.snr_a.weatherwidget 11/ 14

Scenario: Conspiring apps Execution T 3 to T 4 UID 10042 Tag: CONTACTS Throughput: 828 Bytes/min X com.example.snr_a.custommapping UID 10041 Tag: CONTACTS Throughput: 216 Bytes/min com.example.snr_a.weatherreporter UID 10040 com.example.snr_a.weatherwidget 11/ 14

Scenario: Conspiring apps Execution T 4 UID 10042 Tag: CONTACTS Throughput: 828 Bytes/min com.example.snr_a.custommapping UID 10041 com.example.snr_a.weatherreporter 11/ 14

Scenario: Confused-deputy Attack scenario: confused-deputy Service Call Service Reply <<component>> EvilSMSBrowser <<component>> Activity NiceSMSBrowser <<component>> Activity SMSFormatterService Service Reply Service Call Objective SMS theft due to insecure/open API. Execution See our paper. 12/ 14

Outlook Analyse apps from Play Store Investigating data flow threshold heuristics Conclusion & Outlook Conclusion Mitigate privilege escalation Quantitative IPC monitoring Limitation: Not monitoring IP-/UNIX-sockets 13/ 14

Conclusion & Outlook Conclusion Mitigate privilege escalation Quantitative IPC monitoring Limitation: Not monitoring IP-/UNIX-sockets Outlook Analyse apps from Play Store Investigating data flow threshold heuristics 13/ 14

QuantDroid: Quantitative Approach towards Mitigating Privilege - PowerPoint PPT Presentation

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC 2013

An Across-The-Curriculum Approach to Quantitative Literacy in Environmental Studies Ben Steele,

Mitigating Information Leakage in Image Representations: A Maximum Entropy Approach Proteek Roy

Mitigating a legacy of liability for Alberta: A novel approach to the orphaned well challenge

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella,

AN INTEGRATED APPROACH TO MODELING AND MITIGATING SOFC FAILURE Andrei Fedorov, Comas Haynes,

Quantitative Ethics Victor Piercey Joint Math Meetings 2015 San Antonio, TX Quantitative Reasoning

Quantitative Quantitative Quantitative Quantitative Modal Modal Transition Transition

The Hare and the Tortoise 2)Describe mitigating strategies 3)Understand why Ive chosen this

Towards a Quantitative Approach to Attack Response Response Herv Debar Using work performed

Positive identification by hand X-rays superimposition: a quantitative approach Silvio Giancola,

Memory Hierarchy Y. K. Malaiya Acknowledgements Computer Architecture, Quantitative Approach -

Empirical Methods Empirical Methods t= a +b Research Landscape Quantitative =

A Quantitative Cross-System Approach to Spectrum Efficiency William Kozma Jr, Michael Cotton,

Quantitative Viability Analysis of Electricity Generation Robert Riebolge/David Lenton

A Collaborative Approach to Assessing Quantitative Literacy within Carnegies Quantway Pathway

Diplomata Belgica Analysing medieval charter texts ( dictamen ) through a quantitative approach

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Organiza)onal Privilege & Organiza)onal Insiders

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and

QuantDroid: Quantitative Approach towards Mitigating Privilege - PowerPoint PPT Presentation

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC 2013

An Across-The-Curriculum Approach to Quantitative Literacy in Environmental Studies Ben Steele,

Mitigating Information Leakage in Image Representations: A Maximum Entropy Approach Proteek Roy

Mitigating a legacy of liability for Alberta: A novel approach to the orphaned well challenge

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella,

AN INTEGRATED APPROACH TO MODELING AND MITIGATING SOFC FAILURE Andrei Fedorov, Comas Haynes,

Quantitative Ethics Victor Piercey Joint Math Meetings 2015 San Antonio, TX Quantitative Reasoning

Quantitative Quantitative Quantitative Quantitative Modal Modal Transition Transition

The Hare and the Tortoise 2)Describe mitigating strategies 3)Understand why Ive chosen this

Towards a Quantitative Approach to Attack Response Response Herv Debar Using work performed

Positive identification by hand X-rays superimposition: a quantitative approach Silvio Giancola,

Memory Hierarchy Y. K. Malaiya Acknowledgements Computer Architecture, Quantitative Approach -

Empirical Methods Empirical Methods t= a +b Research Landscape Quantitative =

A Quantitative Cross-System Approach to Spectrum Efficiency William Kozma Jr, Michael Cotton,

Quantitative Viability Analysis of Electricity Generation Robert Riebolge/David Lenton

A Collaborative Approach to Assessing Quantitative Literacy within Carnegies Quantway Pathway

Diplomata Belgica Analysing medieval charter texts ( dictamen ) through a quantitative approach

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Organiza)onal Privilege &amp; Organiza)onal Insiders

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and

Organiza)onal Privilege & Organiza)onal Insiders