S C I E N C E P A S S I O N T E C H N O L O G Y www.iaik.tugraz.at
SCAnDroid: Automated Side-Channel Analysis of Android APIs
Raphael Spreitzer, Gerald Palfinger, Stefan Mangard
IAIK, Graz University of Technology, Austria
WiSec 2018,
Motivation and Contribution
Side-channel attacks on mobile devices allow inferring lots of sensitive information.
Paper A inferred app starts via /proc/vmstat.
Paper B inferred keyboard input via /proc/interrupts.
Paper C inferred browsing behavior via the TrafficStats API.
Paper D - Yeah!? So - this is all based on manual analysis? Dude, wouldn’t it be easier to automate this analysis?
Cat and Mouse Game?
Manual analysis of resource
Exploitation of resource
Countermeasure (restrict access)
Spreitzer, Palfinger, Mangard WiSec 2018, Stockholm, Sweden, 20th June 2018 3
SCAnDroid
[Figure: SCAnDroid architecture. Components: Android Developers Website (Package Index), SCAnDroid, Backend (Parser, Analyzer, Controller). Steps: (1) Fetch packages, (2) Parse, (3) Trigger event, (4) Log, (5) Fetch data, (6) Analyze.]
Analysis
Dynamic time warping (DTW)
Compare time series X = (x_1, ..., x_n) and Y = (y_1, ..., y_m)
No background information
No human interaction
Ignoring misaligned, stretched, or compressed traces
[Figure: two time series X and Y plotted over time]
Classification
DTW-based approach (template attacks)
Training data: T = {(e_i, X_i)}
Test sample s = (e_j, X): i = argmin DTW(X, Y_i)
⇒ two time series result from the same event if they yield a low distance to each other
K-fold cross validation
Accuracy better than random guessing? ⇒ information leak identified
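As an added illustration (not code from the SCAnDroid project), the following Python implements the DTW distance, the nearest-template classification and the k-fold check against random guessing described on the Analysis and Classification slides. The event labels, the traces and all function names are constructed assumptions.

```python
def dtw(x, y):
    """DTW distance between two traces, local cost |a - b|, O(n*m) time."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(y)          # row for the empty prefix of x
    for a in x:
        cur = [inf]
        for j, b in enumerate(y, 1):
            # extend the cheapest of: insertion, deletion, match
            cur.append(abs(a - b) + min(prev[j], cur[j - 1], prev[j - 1]))
        prev = cur
    return prev[-1]

def classify(trace, templates):
    """Label of the training trace with the lowest DTW distance to `trace`."""
    return min(templates, key=lambda t: dtw(trace, t[1]))[0]

def kfold_accuracy(samples, k):
    """samples: list of (event, trace); fold f tests on samples f, f+k, ..."""
    hits = 0
    for f in range(k):
        test = samples[f::k]
        train = [s for i, s in enumerate(samples) if i % k != f]
        hits += sum(classify(x, train) == e for e, x in test)
    return hits / len(samples)

def leaks(samples, k):
    """Flag a leak when accuracy beats random guessing over the event set."""
    events = {e for e, _ in samples}
    return kfold_accuracy(samples, k) > 1.0 / len(events)

def stretch(trace, r):
    """Slow a trace down by repeating every sample r times."""
    return [v for v in trace for _ in range(r)]

# Constructed per-interval return-value deltas of a hypothetical API,
# one base shape per event; NOT measurements from a device.
A = [0, 50, 90, 50, 0]
B = [0, 20, 20, 80, 30, 0]
SAMPLES = []
for variant in (lambda t: t,                    # as recorded
                lambda t: stretch(t, 2),        # stretched in time
                lambda t: [0, 0] + t,           # misaligned (late start)
                lambda t: [v + 1 for v in t]):  # small offset
    SAMPLES += [("site_a", variant(A)), ("site_b", variant(B))]

if __name__ == "__main__":
    print("accuracy:", kfold_accuracy(SAMPLES, k=4),
          "leak:", leaks(SAMPLES, k=4))
```
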
Coverage of Analyzed Methods
| Methods | # | % |
|---|---|---|
| Documented in the Android API | 36339 | |
| Relevant (get, is, has, query) | 12012 | 100% |
| In abstract classes or interfaces | 2860 | 23.8% |
| Removed (crashed, missing constructors, etc) | 5075 | 42.3% |
| Theoretically to be profiled | 4077 | 33.9% |
| Actually profiled | 5046 | 42.1% |
| Methods that “react” to events | 36 | |
Case Study: Website Inference
Correlations between website launches and API calls
[Figure: two panels, amazon.com and reddit.com, each plotting File.getFreeSpace() over Time [s] for time series 1, 2 and 3]
Website Inference on Android 8
20 websites, 8 samples, 10 seconds
| API | Accuracy |
|---|---|
| android.net.TrafficStats.getMobileTxBytes() | 89.4 % |
| android.net.TrafficStats.getTotalTxBytes() | 88.8 % |
| android.net.TrafficStats.getMobileTxPackets() | 86.2 % |
| android.net.TrafficStats.getTotalRxPackets() | 85.6 % |
| android.net.TrafficStats.getTotalTxPackets() | 85.0 % |
| android.net.TrafficStats.getMobileRxPackets() | 83.1 % |
| android.net.TrafficStats.getTotalRxBytes() | 79.4 % |
| android.net.TrafficStats.getMobileRxBytes() | 76.2 % |
| android.app.usage.StorageStatsManager.getFreeBytes(java.util.UUID) | 46.9 % |
| java.io.File.getUsableSpace() | 39.4 % |
| java.io.File.getFreeSpace() | 38.1 % |
| android.os.storage.StorageManager.getAllocatableBytes(java.util.UUID) | 36.2 % |
| android.os.Process.getElapsedCpuTime() | 21.9 % |
Case Study: Website Inference on Android 8
[Figure: Accuracy versus Top N results (N = 1 to 10) for TrafficStats.getMobileTxBytes(), TrafficStats.getMobileRxBytes(), File.getUsableSpace() and random guessing]
Case Study: Google Maps Search Inference
Correlations between Google Maps search queries and API calls
[Figure: two panels, Eiffel Tower and The Great Wall, each plotting TrafficStats.getMobileRxBytes() over Time [ms] for time series 1, 2 and 3]
Google Maps Search Inference on Android 8
20 POIs, 8 samples, 15 seconds
| API | Accuracy |
|---|---|
| android.net.TrafficStats.getTotalRxBytes() | 87.5 % |
| android.net.TrafficStats.getMobileRxBytes() | 83.8 % |
| android.net.TrafficStats.getMobileRxPackets() | 76.2 % |
| android.net.TrafficStats.getTotalRxPackets() | 73.1 % |
| android.net.TrafficStats.getTotalTxPackets() | 68.1 % |
| android.net.TrafficStats.getMobileTxPackets() | 66.9 % |
| android.net.TrafficStats.getTotalTxBytes() | 49.4 % |
| android.net.TrafficStats.getMobileTxBytes() | 48.8 % |
| android.app.usage.StorageStatsManager.getFreeBytes(java.util.UUID) | 16.2 % |
| android.os.storage.StorageManager.getAllocatableBytes(java.util.UUID) | 13.1 % |
| android.os.Process.getElapsedCpuTime() | 13.1 % |
| java.io.File.getFreeSpace() | 11.9 % |
| java.io.File.getUsableSpace() | 10.6 % |
Discussion
Limitation: false negatives
No leaks identified → secure?
More specialized features
Timing side channels not considered
iOS: fileExistsAtPath API [ZWB+18]
Countermeasures
Restrict access to APIs
SCAnDroid could be used to eliminate side channels in upcoming Android versions (before they are released)
Take-Home Message
Manual analysis of side-channel leaks
Tedious and error-prone
SCAnDroid
Framework to scan the Java-based Android APIs automatically
Identified several side-channel leaks
Available at https://github.com/IAIK/SCAnDroid
Disclaimer
The xkcd comic, in particular the stick figures, and the plots have been drawn based on StackExchange [sta12] and the xkcd comic “Teaching Physics” [xkc11].
Bibliography
[sta12] StackExchange: Create xkcd style diagram in TeX. https://tex.stackexchange.com/questions/74878/create-xkcd-style-diagram-in-tex/74881#74881, 2012. Accessed: May 31, 2018.
[xkc11] xkcd Comic: Teaching Physics. https://xkcd.com/895/, 2011. Accessed: May 31, 2018.
[ZWB+18] Xiaokuan Zhang, Xueqiang Wang, Xiaolong Bai, Yinqian Zhang, and XiaoFeng Wang. OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS. In Network and Distributed System Security Symposium - NDSS 2018, 2018.