QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android - PowerPoint PPT Presentation



QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android

Tobias Markmann (1), Dennis Gessner (2), Dirk Westhoff (3)

(1) HAW Hamburg, Germany; (2) NEC Laboratories Europe, Heidelberg, Germany; (3) HFU Furtwangen, Germany

IEEE ICC 2013 - Communications and Information Systems Security Symposium

1/ 14

Motivation

◮ Android popularity → increasing
◮ Privacy under attack! → Soundcomber (NDSS, 2011), PlaceRaider (NDSS, 2013), …
◮ Permission model → confusing & inflexible

Source: PlaceRaider [2]

2/ 14

Android Security & Communication

System Security
◮ Common Linux security
◮ High-level permissions
◮ Sandbox for apps

↓ High-level IPC

Communication
◮ High-level Middleware
◮ Unicast, Broadcast & RPC
◮ Poorly secured

Source: Programming Android [3]

3/ 14


Objective

Identifying privilege escalation
◮ Detecting illegal information flow
  ◮ Dishonest/Colluding apps
  ◮ Abused apps

→ Prevent mobile privacy invasion
→ Using information flow analysis

4/ 14

Related Work

XManDroid (NDSS, 2012)
◮ Graph-based
◮ App permissions
◮ Direct & indirect communication

IPC Inspection (USENIX Sec., 2011)
◮ Focus on permission redelegation
◮ Adjust IPC callee permissions
◮ Only reduced, never extended

Merely message-independent, interface-level permission control.

Source: XManDroid [4]

5/ 14


IPC Monitoring with FlowGraphService

IPC Monitoring
◮ At IPC boundary
◮ High-level communication methods
◮ Forwarding data collection

Monitoring Characteristics
◮ Sender (PID, UID)
◮ Receiver (PID, UID)
◮ Size
◮ Taint Tag (…)

FlowGraphService
◮ Real-time collection
◮ Communication graph
  ◮ Containing all running apps
  ◮ Quantitative data flow

Limit enforcement
◮ Enforce data flow limits
◮ Based on taint tags
◮ Countermeasures
  ◮ Kill app
  ◮ Block IPC message

6/ 14


Utilising Dynamic Taint Tagging

TaintDroid (OSDI, 2010)
◮ Dynamic taint tagging
◮ Tag = data source
◮ Dalvik VM only, no native code
◮ Across IPC → Taint Tagged IPC

[Figure: TaintDroid architecture. Components: Trusted Application and Untrusted Application (each with Dalvik VM Interpreter, Virtual Taint Map, Binder IPC Library and Binder Hook), Trusted Library with Taint Source and Taint Sink, Binder Kernel Module. Layers: Interpreted Code, Userspace, Kernel. Steps (1) to (9).]

Source: TaintDroid [6]

7/ 14


Visualisation

◮ Current graph via custom fgdump-tool
◮ Graphviz for rendering

Example Snapshot

[Figure: flow graph snapshot. Nodes: UID 10012 android.process.media; UID 10014 com.example.servicecomreceiver; UID 10008 com.example.servicecomsender. Edge labels: Tag: IMEI, Throughput: 1664 Bytes/min; Tag: CONTACTS, Throughput: 1664 Bytes/min; Tag: CONTACTS, Throughput: 3968 Bytes/min.]

8/ 14

Evaluation

Criteria
◮ Privilege escalation → sensitive data propagates across apps
◮ Works with standard Android SDK APIs

Test Scenarios
i) Conspiring apps
ii) Confused-deputy

9/ 14

Scenario: Conspiring apps

Setup

Attack scenario: conspiring apps

[Figure: component diagram. Components: WeatherWidget, MappingActivity, WeatherEntryActivity, WeatherReporterService. Interactions: Service Call, Service Reply, Activity Result, Start Activity Intent.]

Objective
Innocent-looking apps siphoning off contact data to send it off-site.

10/ 14

Scenario: Conspiring apps

Execution, T1

[Figure: flow graph at T1. Nodes: UID 10042 com.example.snr_a.custommapping; UID 10041 com.example.snr_a.weatherreporter; UID 10040 com.example.snr_a.weatherwidget. Edge label: Tag: CONTACTS, Throughput: 828 Bytes/min.]

11/ 14

Scenario: Conspiring apps

Execution, T2

216 bytes ≈ 1 contact

[Figure: flow graph at T2. Nodes: UID 10042 com.example.snr_a.custommapping; UID 10041 com.example.snr_a.weatherreporter; UID 10040 com.example.snr_a.weatherwidget. Edge label: Tag: CONTACTS, Throughput: 216 Bytes/min.]

11/ 14

Scenario: Conspiring apps

Execution, T3

[Figure: flow graph at T3. Nodes: UID 10042 com.example.snr_a.custommapping; UID 10041 com.example.snr_a.weatherreporter; UID 10040 com.example.snr_a.weatherwidget. Edge labels: Tag: CONTACTS, Throughput: 828 Bytes/min; Tag: CONTACTS, Throughput: 216 Bytes/min.]

11/ 14

Scenario: Conspiring apps

Execution, T3 to T4

[Figure: the T3 flow graph (same nodes and edge labels: Tag: CONTACTS, Throughput: 828 Bytes/min; Tag: CONTACTS, Throughput: 216 Bytes/min), marked with an X.]

11/ 14

Scenario: Conspiring apps

Execution, T4

[Figure: flow graph at T4. Nodes: UID 10042 com.example.snr_a.custommapping; UID 10041 com.example.snr_a.weatherreporter (UID 10040 com.example.snr_a.weatherwidget no longer appears). Edge label: Tag: CONTACTS, Throughput: 828 Bytes/min.]

11/ 14
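As an added illustration of the FlowGraphService outlined on slide 6, the fgdump/Graphviz snapshots of slide 8 and the conspiring-apps timeline above, the following is example code that is not part of the deck or of the QuantDroid implementation: a minimal Python model that records taint-tagged IPC messages as a directed communication graph, computes per-edge throughput in Bytes/min over a sliding window, enforces a per-tag limit with the two countermeasures the deck names (block the IPC message, or kill the sending app) and emits a Graphviz DOT snapshot. The class and function names, the 600 Bytes/min limit, the message timing, the 60-byte framing overhead and the replayed timeline are assumptions constructed for the demonstration; only the package names, UIDs and the 216-bytes-per-contact figure come from the slides.

```python
"""Added example, not from the QuantDroid deck or its implementation: a toy
FlowGraphService that records taint-tagged IPC messages as a directed,
weighted communication graph and enforces per-tag data-flow limits at the
IPC boundary.  All limits, timings and messages below are constructed."""
from collections import defaultdict, deque

WINDOW_SECS = 60  # sliding window; the deck reports throughput in Bytes/min


class FlowGraphService:
    def __init__(self, limits, policy="block"):
        self.limits = dict(limits)    # {taint tag: max bytes per WINDOW_SECS} (assumed shape)
        self.policy = policy          # "block": drop the message; "kill": stop the sending app
        self.apps = {}                # uid -> package name
        # (sender uid, receiver uid, tag) -> deque of (timestamp, size) samples
        self.flows = defaultdict(deque)
        self.killed = set()
        self.actions = []             # audit trail: (time, action, package, tag)

    def register(self, uid, package):
        self.apps[uid] = package

    def throughput(self, sender, receiver, tag, now):
        """Bytes of `tag`-tainted data sent on the edge within the last WINDOW_SECS."""
        q = self.flows[(sender, receiver, tag)]
        while q and q[0][0] <= now - WINDOW_SECS:   # expire samples outside the window
            q.popleft()
        return sum(size for _, size in q)

    def on_ipc(self, now, sender, receiver, size, tags):
        """Hook at the IPC boundary; returns True if the message may be delivered."""
        if sender in self.killed:
            return False
        tags = set(tags) or {"UNTAINTED"}   # untagged traffic still appears in the graph
        for tag in tags:
            limit = self.limits.get(tag)
            if limit is not None and self.throughput(sender, receiver, tag, now) + size > limit:
                self._countermeasure(now, sender, tag)
                return False
        for tag in tags:
            self.flows[(sender, receiver, tag)].append((now, size))
        return True

    def _countermeasure(self, now, sender, tag):
        if self.policy == "kill":
            self.killed.add(sender)
            # a killed app no longer runs, so every edge touching it leaves the graph
            for key in [k for k in self.flows if sender in k[:2]]:
                del self.flows[key]
        self.actions.append((now, self.policy, self.apps.get(sender, sender), tag))

    def to_dot(self, now):
        """Graphviz DOT snapshot labelled like the deck's fgdump output."""
        lines = ["digraph flowgraph {"]
        for uid, pkg in sorted(self.apps.items()):
            if uid not in self.killed:
                lines.append(f'  "{uid}" [label="UID {uid}\\n{pkg}"];')
        for sender, receiver, tag in sorted(self.flows):
            bpm = self.throughput(sender, receiver, tag, now)
            if bpm:
                lines.append(f'  "{sender}" -> "{receiver}" '
                             f'[label="Tag: {tag}\\nThroughput: {bpm} Bytes/min"];')
        lines.append("}")
        return "\n".join(lines)


def replay_conspiring_apps(policy="kill"):
    """Constructed timeline modelled on the conspiring-apps scenario: the widget
    hands contacts (216 bytes each, as on the T2 slide) to the reporter service,
    which forwards them to the mapping app.  Limit and timings are assumptions."""
    fgs = FlowGraphService({"CONTACTS": 600}, policy=policy)
    fgs.register(10040, "com.example.snr_a.weatherwidget")
    fgs.register(10041, "com.example.snr_a.weatherreporter")
    fgs.register(10042, "com.example.snr_a.custommapping")
    delivered = []
    for t in range(0, 60, 10):                       # one contact every 10 s
        ok = fgs.on_ipc(t, 10040, 10041, 216, {"CONTACTS"})
        delivered.append(ok)
        if ok:                                       # reporter forwards it with 60 B of framing
            fgs.on_ipc(t + 1, 10041, 10042, 276, {"CONTACTS"})
    return fgs, delivered


if __name__ == "__main__":
    graph, delivered = replay_conspiring_apps("kill")
    print(graph.to_dot(now=60))
    print("delivered:", delivered)
    for action in graph.actions:
        print("countermeasure:", action)
```

Run directly, the script prints the DOT graph after the widget has been stopped (its node and edge are gone, the reporter-to-mapping edge remains) together with the countermeasure log. With policy="block" the widget is throttled instead: each message that would push the per-minute CONTACTS total over the limit is dropped, and messages are accepted again once the oldest samples leave the 60-second window. That per-message, quantitative decision is what a fixed, message-independent permission check cannot express.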

Scenario: Confused-deputy

Attack scenario: confused-deputy

[Figure: component diagram. Components: EvilSMSBrowser Activity, NiceSMSBrowser Activity, SMSFormatterService. Interactions: Service Call, Service Reply.]

Objective
SMS theft due to insecure/open API.

Execution
See our paper.

12/ 14

Conclusion & Outlook

Conclusion
◮ Mitigate privilege escalation
◮ Quantitative IPC monitoring
◮ Limitation: Not monitoring IP-/UNIX-sockets

Outlook
◮ Analyse apps from Play Store
◮ Investigating data flow threshold heuristics

13/ 14


Questions?

Tobias Markmann, Department of Computer Science, HAW Hamburg, tobias.markmann@haw-hamburg.de

[1] R. Schlegel, K. Zhang, X. yong Zhou, M. Intwala, A. Kapadia, and X. Wang, “Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones,” in NDSS, The Internet Society, 2011.
[2] R. Templeman, Z. Rahman, D. J. Crandall, and A. Kapadia, “PlaceRaider: Virtual Theft in Physical Spaces with Smartphones,” CoRR, vol. abs/1209.5982, 2012.
[3] Z. R. Mednieks et al., Programming Android: Java programming for the new generation of mobile devices. O’Reilly & Associates, Inc., second ed., 2012.
[4] S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, and A.-R. Sadeghi, “XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks,” Technical Report TR-2011-04, Technische Universität Darmstadt, Apr. 2011.
[5] A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin, “Permission re-delegation: attacks and defenses,” in Proceedings of the 20th USENIX conference on Security, SEC’11, (Berkeley, CA, USA), pp. 22–22, USENIX Association, 2011.
[6] W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” in OSDI (R. H. Arpaci-Dusseau and B. Chen, eds.), pp. 393–407, USENIX Association, 2010.

14/ 14