scandroid automated side channel analysis of android apis
play

SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael - PowerPoint PPT Presentation

Sep 01, 2022 •534 likes •723 views

S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018,

  1. S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018, Stockholm, Sweden, 20th June 2018 www.iaik.tugraz.at

  2. Paper A inferred app starts via /proc/vmstat. Paper A inferred app starts via /proc/vmstat. Paper A inferred app starts via /proc/vmstat. Paper B inferred keyboard input via /proc/interrupts. Paper B inferred keyboard input via /proc/interrupts. Paper C inferred browsing behavior via the TrafficStats API. Motivation and Contribution Side-channel attacks on mobile devices allow inferring lot’s of sensitive information. Paper A inferred app starts via /proc/vmstat. Paper B inferred keyboard input via /proc/interrupts. Paper C inferred browsing behavior via the TrafficStats API. Paper D - So - this is all based on manual analysis? Yeah!? Dude, wouldn’t it be easier to automate this analysis?

  3. www.iaik.tugraz.at Cat and Mouse Game? Manual analysis of resource Countermeasure Exploitation (restrict access) of resource Spreitzer, Palfinger, Mangard 3 WiSec 2018, Stockholm, Sweden, 20th June 2018

  4. (3) Trigger event (5) Fetch data (4) Log (1) Fetch (2) Parse packages (6) Analyze www.iaik.tugraz.at SCAnDroid Android Developers Website Backend (3) Trigger event SCAn- Analyzer Parser Controller Droid (5) Fetch data (4) Log Package Index (1) Fetch (2) Parse . packages (6) Analyze . . Spreitzer, Palfinger, Mangard 4 WiSec 2018, Stockholm, Sweden, 20th June 2018

  5. www.iaik.tugraz.at Analysis Dynamic time warping (DTW) Compare time series X = ( x 1 , ..., x n ) Y = ( y 1 , ..., y m ) No background information No human interaction Ignoring misaligned, stretched, or compressed traces time X Y Spreitzer, Palfinger, Mangard 5 WiSec 2018, Stockholm, Sweden, 20th June 2018

  6. www.iaik.tugraz.at Classification DTW-based approach (template attacks) Training data: T = { ( e i , X i ) } Test sample s = ( e j , X ) : i = argmin DTW ( X , Y i ) ⇒ two time series result from the same event if they yield a low distance to each other K-fold cross validation Accuracy better than random guessing? ⇒ information leak identified Spreitzer, Palfinger, Mangard 6 WiSec 2018, Stockholm, Sweden, 20th June 2018

  7. www.iaik.tugraz.at Coverage of Analyzed Methods Methods # % Documented in the Android API 36339 Relevant (get, is, has, query) 12012 100% In abstract classes or interfaces 2860 23.8% Removed (crashed, missing constructors, etc) 5075 42.3% Theoretically to be profiled 4077 33.9% Actually profiled 5046 42.1% Methods that “react” to events 36 Spreitzer, Palfinger, Mangard 7 WiSec 2018, Stockholm, Sweden, 20th June 2018

  8. www.iaik.tugraz.at Case Study: Website Inference Correlations between website launches and API calls amazon.com reddit.com Time series 1 6 · 10 5 3 · 10 5 Time series 2 File.getFreeSpace() File.getFreeSpace() Time series 3 4 · 10 5 2 · 10 5 1 · 10 5 2 · 10 5 Time series 1 Time series 2 0 Time series 3 0 0 2 4 6 8 10 0 2 4 6 8 10 Time [s] Time [s] Spreitzer, Palfinger, Mangard 8 WiSec 2018, Stockholm, Sweden, 20th June 2018

  9. www.iaik.tugraz.at Website Inference on Android 8 20 websites, 8 samples, 10 seconds API Accuracy android.net.TrafficStats.getMobileTxBytes() 89.4 % android.net.TrafficStats.getTotalTxBytes() 88.8 % android.net.TrafficStats.getMobileTxPackets() 86.2 % android.net.TrafficStats.getTotalRxPackets() 85.6 % android.net.TrafficStats.getTotalTxPackets() 85.0 % android.net.TrafficStats.getMobileRxPackets() 83.1 % android.net.TrafficStats.getTotalRxBytes() 79.4 % android.net.TrafficStats.getMobileRxBytes() 76.2 % android.app.usage.StorageStatsManager. 46.9 % getFreeBytes(java.util.UUID) java.io.File.getUsableSpace() 39.4 % java.io.File.getFreeSpace() 38.1 % android.os.storage.StorageManager. 36.2 % getAllocatableBytes(java.util.UUID) android.os.Process.getElapsedCpuTime() 21.9 % Spreitzer, Palfinger, Mangard 9 WiSec 2018, Stockholm, Sweden, 20th June 2018

  10. www.iaik.tugraz.at Case Study: Website Inference on Android 8 1 0.8 TrafficStats.getMobileTxBytes() 0.6 Accuracy TrafficStats.getMobileRxBytes() File.getUsableSpace() 0.4 Random guessing 0.2 0 1 2 3 4 5 6 7 8 9 10 Top N results Spreitzer, Palfinger, Mangard 11 WiSec 2018, Stockholm, Sweden, 20th June 2018

  11. www.iaik.tugraz.at Case Study: Google Maps Search Inference Correlations between Google Maps search queries and API calls Eiffel Tower The Great Wall TrafficStats.getMobileRxBytes() TrafficStats.getMobileRxBytes() 2 , 5 · 10 5 3 · 10 5 Time series 1 Time series 2 Time series 3 2 · 10 5 1 , 5 · 10 5 1 · 10 5 Time series 1 50000 Time series 2 Time series 3 0 0 1,000 5,000 10,000 15,000 1,000 5,000 10,000 15,000 Time [ms] Time [ms] Spreitzer, Palfinger, Mangard 12 WiSec 2018, Stockholm, Sweden, 20th June 2018

  12. www.iaik.tugraz.at Google Maps Search Inference on Android 8 20 POIs, 8 samples, 15 seconds API Accuracy android.net.TrafficStats.getTotalRxBytes() 87.5 % android.net.TrafficStats.getMobileRxBytes() 83.8 % android.net.TrafficStats.getMobileRxPackets() 76.2 % android.net.TrafficStats.getTotalRxPackets() 73.1 % android.net.TrafficStats.getTotalTxPackets() 68.1 % android.net.TrafficStats.getMobileTxPackets() 66.9 % android.net.TrafficStats.getTotalTxBytes() 49.4 % android.net.TrafficStats.getMobileTxBytes() 48.8 % android.app.usage.StorageStatsManager. 16.2 % getFreeBytes(java.util.UUID) android.os.storage.StorageManager. 13.1 % getAllocatableBytes(java.util.UUID) android.os.Process.getElapsedCpuTime() 13.1 % java.io.File.getFreeSpace() 11.9 % java.io.File.getUsableSpace() 10.6 % Spreitzer, Palfinger, Mangard 13 WiSec 2018, Stockholm, Sweden, 20th June 2018

  13. www.iaik.tugraz.at Discussion Limitation: false negatives No leaks identified → secure? More specialized features Timing side channels not considered iOS: fileExistsAtPath API [ZWB + 18] Countermeasures Restrict access to APIs SCAnDroid could be used to eliminate side channels in upcoming Android versions (before they are released) Spreitzer, Palfinger, Mangard 14 WiSec 2018, Stockholm, Sweden, 20th June 2018

  14. www.iaik.tugraz.at Take-Home Message Manual analysis of side-channel leaks Tedious and error-prone SCAnDroid Framework to scan the Java-based Android APIs automatically Identified several side-channel leaks Available at https://github.com/IAIK/SCAnDroid Spreitzer, Palfinger, Mangard 15 WiSec 2018, Stockholm, Sweden, 20th June 2018

  15. S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018, Stockholm, Sweden, 20th June 2018 www.iaik.tugraz.at

  16. www.iaik.tugraz.at Disclaimer The xkcd comic, in particular the stick figures, and the plots have been drawn based on StackExchange [sta12] and the xkcd comic “Teaching Physics” [xkc11]. Spreitzer, Palfinger, Mangard 17 WiSec 2018, Stockholm, Sweden, 20th June 2018

  17. www.iaik.tugraz.at Bibliography [sta12] StackExchange: Create xkcd style diagram in TeX. https://tex.stackexchange.com/questions/74878/create-xkcd-style-diagram-in-tex/74881#74881 , 2012. Accessed: May 31, 2018. [xkc11] xkcd Comic: Teaching Physics. https://xkcd.com/895/ , 2011. Accessed: May 31, 2018. [ZWB + 18] Xiaokuan Zhang, Xueqiang Wang, Xiaolong Bai, Yinqian Zhang, and XiaoFeng Wang. OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS. In Network and Distributed System Security Symposium − NDSS 2018, 2018. Spreitzer, Palfinger, Mangard 18 WiSec 2018, Stockholm, Sweden, 20th June 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, Engin Kirda 02/23/2016 Android 2015 Q3 Market Share Android iOS

774 views • 26 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015 Montreal, QC. Overview W.t.f is side-channel power analysis (again) Example: IEEE 802.15.4 Node Example: AES-256 Bootloader W.t.f.

633 views • 47 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
Proposal & Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

Proposal & Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

CS 528 Mobile and Ubiquitous Computing Lecture 6a: Other Android UbiComp Components, Tech Talk, Final Project Proposal & Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for Mobile/ubicomp? Speaking to Android

887 views • 50 slides
A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1 Emmanuel Prouff 2, 3 Lo C 1 Univ. Grenoble Alpes, CEA, LETI, DSYS, CESTI, F-38000

1.39k views • 86 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle Researcher Studying Malicious Messaging (Email/Social Networks/etc) Data/Trend Analysis in Security @ramblinpeck @barracudalabs Past Lives SCADA,

879 views • 75 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Link with linear cryptanalysis Standard Differential Power Analysis Noise-based security (is

1.17k views • 92 slides
Android For Game Developoers Ove verview Limited APIs Window Management Input

Android For Game Developoers Ove verview Limited APIs Window Management Input

Android For Game Developoers Ove verview Limited APIs Window Management Input File I/O Audio Graphics Define a e an n Android A App pplication Activities Services Content providers Intents

305 views • 9 slides
Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to the basics!! details on power / EM leakage (low/high noise scenario) how/where to attack AES? di ff erent attacker models overview of

1.28k views • 74 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Alex Rinehart, Brigitte Felix-Kludt, Ethan Mamer, Stacy Timmons and Cathryn Pokorny. NM Bureau of

Alex Rinehart, Brigitte Felix-Kludt, Ethan Mamer, Stacy Timmons and Cathryn Pokorny. NM Bureau of

Alex Rinehart, Brigitte Felix-Kludt, Ethan Mamer, Stacy Timmons and Cathryn Pokorny. NM Bureau of Geology. In collaboration with Nathan Myers and Matt Ely (USGS), and Mike Johnson (NMOSE) 1 January 2015, Quarterly Report Groundwater Storage

416 views • 3 slides
Stream Monitoring under the Time Warping Distance Yasushi Sakurai (NTT Cyber Space Labs)

Stream Monitoring under the Time Warping Distance Yasushi Sakurai (NTT Cyber Space Labs)

Stream Monitoring under the Time Warping Distance Yasushi Sakurai (NTT Cyber Space Labs) Christos Faloutsos (Carnegie Mellon Univ.) Masashi Yamamuro (NTT Cyber Space Labs) Introduction n Data-stream applications q Network analysis q Sensor

497 views • 47 slides
3d Geometry for Computer Graphics Lesson 1: Basics & PCA 3d geometry 3d geometry 3d

3d Geometry for Computer Graphics Lesson 1: Basics & PCA 3d geometry 3d geometry 3d

3d Geometry for Computer Graphics Lesson 1: Basics & PCA 3d geometry 3d geometry 3d geometry Why?? We represent objects using mainly linear primitives: points lines, segments planes, polygons Need to know how to

913 views • 52 slides
1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

Goals Goals Foundations of Computer Graphics Foundations of Computer Graphics Systems: Write complex 3D graphics programs (Spring 2010) (Spring 2010) (real-time in OpenGL, offline raytracer, animation) CS 184, Lecture 1: Overview and

176 views • 5 slides
uWave: Accelerometer-based Personalized Gesture Recognition and Its Applications Recognition and

uWave: Accelerometer-based Personalized Gesture Recognition and Its Applications Recognition and

uWave: Accelerometer-based Personalized Gesture Recognition and Its Applications Recognition and Its Applications Jiayang Liu, Zhen Wang, and Lin Zhong y g , g, g Jehan Wickramasuriya and Venu Vasudevan y Department. Of Electrical

955 views • 27 slides
Learning Distance for Sequences by Learning a Ground Metric Bing Su Ying Wu

Learning Distance for Sequences by Learning a Ground Metric Bing Su Ying Wu

ICML | 2019 Learning Distance for Sequences by Learning a Ground Metric Bing Su Ying Wu Motivation Distance between sequences depends on temporal alignment to eliminate the local temporal discrepancies. indicates whether

153 views • 11 slides
Insight Power Smart Outlet Team 15 || Advisor : David Irwin Brendon Burke Mark Chisholm Garrett

Insight Power Smart Outlet Team 15 || Advisor : David Irwin Brendon Burke Mark Chisholm Garrett

Insight Power Smart Outlet Team 15 || Advisor : David Irwin Brendon Burke Mark Chisholm Garrett Olson Kriss Strikis 1 Problem statement Current State of the Market Problems with smart outlets Benefits of smart outlets Tedious to set up

449 views • 19 slides
Music Synchronization Meinard Mller International Audio Laboratories Erlangen

Music Synchronization Meinard Mller International Audio Laboratories Erlangen

Lecture Music Processing Music Synchronization Meinard Mller International Audio Laboratories Erlangen meinard.mueller@audiolabs-erlangen.de Book: Fundamentals of Music Processing Meinard Mller Fundamentals of Music Processing Audio,

1.05k views • 101 slides

More recommend