static detection and automatic
play

Static Detection and Automatic Exploitation of Intent Message - PowerPoint PPT Presentation

May 09, 2023 •319 likes •566 views

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

  1. Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero

  2. Android Message Passing Mechanism Android apps are composed of different components Intents carry messages among components and applications Components declare the types of intents they are willing to receive Intents can be sent explicitly or implicitly

  3. Motivation Problem : Android Components have no message origin Activity Activity verification capabilities An attacker can spoof legitimate intents and send malicious input Questions - Could we check if applications validate input? - If so, can we automatically generate exploit opportunities?

  4. Contributions • Static analysis method to automatically detect data flows leading to sensitive operations – Formulation of the problem as an IFDS problem • Method for automatically generating exploits that trigger malicious behavior • Results – Automatically generated exploits for 26 applications and showed they are vulnerable to user interface spoofing attacks

  5. Outline • Problem Statement • Approach • Implementation • Results

  6. Problem Statement String host = intent.getStringExtra("hostname"); String file = intent.getStringExtra("filename"); String url="http://www.example.com"; if (host.contains("example.com")) url = "http://" + host + "/"; if (file.contains("..")) file = file.replace("..", ""); String httpPar = toBase64(file); . . . DefaultHttpClient httpC = new DefaultHttpClient(); HttpGet get = new HttpGet(url+httpPar); . . . httpC.execute(get);

  7. Problem Statement String host = intent.getStringExtra("hostname"); Source String file = intent.getStringExtra("filename"); String url="http://www.example.com"; if (host.contains("example.com")) url = "http://" + host + "/"; if (file.contains("..")) file = file.replace("..", ""); String httpPar = toBase64(file); . . . DefaultHttpClient httpC = new DefaultHttpClient(); HttpGet get = new HttpGet(url+httpPar); . . . httpC.execute(get);

  8. Problem Statement String host = intent.getStringExtra("hostname"); Source String file = intent.getStringExtra("filename"); String url="http://www.example.com"; if (host.contains("example.com")) url = "http://" + host + "/"; if (file.contains("..")) file = file.replace("..", ""); String httpPar = toBase64(file); . . . DefaultHttpClient httpC = new DefaultHttpClient(); Sink HttpGet get = new HttpGet(url+httpPar); . . . httpC.execute(get);

  9. Problem Statement String host = intent.getStringExtra("hostname"); Source String file = intent.getStringExtra("filename"); String url="http://www.example.com"; • Finding paths from sources to sinks is not if (host.contains("example.com")) url = "http://" + host + "/"; sufficient if (file.contains("..")) file = file.replace("..", ""); • Question: Are those paths feasible for an String httpPar = toBase64(file); . . . attack? DefaultHttpClient httpC = new DefaultHttpClient(); Sink HttpGet get = new HttpGet(url+httpPar); . . . httpC.execute(get);

  10. Approach • Input state: V I V i = {( v 1 , c 1 ), …,( v n , c n )} = F(V e ) Source • Exploit state(s): V e Value patterns related to sinks • Find relationship F between V I and V e, such that V i =F(V e ) V e = {( v e1 , c e1 ), …,( v em , c em )} Sink

  11. Approach Overview Source Sink

  12. Approach Overview • Path Computation – Find all paths from sources to sinks Source Sink

  13. Approach Overview • Path Computation – Find all paths from sources to sinks C 1 Source • Symbolic Execution C 1  C 2 – Generate a symbolic formula F p C 1  C 2  C 3 = F p Sink

  14. Approach Overview • Path Computation – Find all paths from sources to sinks C 1 Source • Symbolic Execution C 1  C 2 – Generate a symbolic formula F p C 1  C 2  C 3 = F p • Exploit generation – Solve F p  V e  V I Sink F p  V e

  15. Path Computation • Supergraph contains CFGs of all the functions • Taint Propagation – Identifies statements that can be influenced by attacker – Reduces size of the problem

  16. Implementation (Background) • Path Computation: IFDS framework (Soot&Heros) – Transforms dataflow problems into graph reachability problems – Framework user defines a fact – Framework user defines update rules for a fact • Exploit Generation: Kaluza – Efficient string solver – Native support for many string operations

  17. Implementation • Path Computation – A fact contains path and taint information for every node – Different rules update the fact information during graph traversal • Exploit Generation – Translate F p  V e into a Kaluza formula – Additional string operations modeled using the Kaluza language E.g.,: a.contains (“test”)  a \in CapturedBrack(/.*test.*/);

  18. Results Overview • 64 applications of different sizes – 26 exploits generated and manually verified • Sink statements: GUI operations • V e chosen to change apps GUIs (phishing) • Different GUI targets – Entire screen change – Alerts screen change – User input fields – Other Components

  19. Results App Attack Mint Display an arbitrary web page inside an Entire Screen Activity GoSMS Prompt to the user notification about a new message with arbitrary sender and SMS content GoSMS Prompt notification about a new message received with arbitrary sender and receiver User Input Yelp Modify venue review draft screen and enter review on behalf of the user Poste Pay Modify and show the application prompt Alert Screen alerts with arbitrary messages Craigslist Change the Action Bar title, compromising Other Components the interface integrity

  20. Results Min Max Avg Per-application execution time 2.4 min 33.2 min 12.3 min Per-application components 3 31 24.5 Per-application vulnerable paths 2 19 4.2 Per-path statements 5 81 17.2 Per-path if-statements 0 3 0.98 • Very few validation checks present – Mostly null pointers • 31% of the String library functions approximated with Kaluza

  21. Limitations • Untainted variables contribute to application state. May introduce false positives • Solver approximations. May introduce false positives

  22. Conclusions • Conclusions – We present an automatic method to discuver vulnerable paths inside Android application components – Our method is modelled as an IFDS problem – We provide proofs for the vulnerabilities under the form of actual exploits, generated automatically.

  23. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani Rigel Gjomemo, V.N. Venkatakrishnan Stefano Zanero University of Illinois at Chicago University of Illinois at Chicago

419 views • 11 slides
static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class means variable persists through static allocation: for globals and any static the life of the program variables in functions automatic storage

569 views • 9 slides
Automatic Disfluency Automatic Disfluency Detection in Multi-party Detection in Multi-party

Automatic Disfluency Automatic Disfluency Detection in Multi-party Detection in Multi-party

German Research Center for Artificial Intelligence GmbH Automatic Disfluency Automatic Disfluency Detection in Multi-party Detection in Multi-party www.amiproject.org Conversations Conversations Feast, 30th September 2009 , 30th September

322 views • 28 slides
Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection

Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection

Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection Horizontal Techniques Specification-checking Techniques Mining-based Techniques Mining Repositories Mining Traces Mining Source Code Mining

683 views • 44 slides
Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 19: Search,

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 19: Search,

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 19: Search, Decoding and La tu ices Instructor: Preethi Jyothi Mar 27, 2017 Recap: Static and Dynamic Networks Static network: Build compact decoding graph

350 views • 21 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Automatic Key Detection Computer Music Seminar Leon Wittwer June 28, 2017 Table of Contents

Automatic Key Detection Computer Music Seminar Leon Wittwer June 28, 2017 Table of Contents

Automatic Key Detection Computer Music Seminar Leon Wittwer June 28, 2017 Table of Contents Introduction Theory of Tonality and Key Key Detection Symbolic key detection Audio Key Detection Approach in Thesis Music Playing Conclusion 1

380 views • 36 slides
Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
Timing Behavior Anomaly Detection for Automatic Failure Detection and Diagnosis Research visit at

Timing Behavior Anomaly Detection for Automatic Failure Detection and Diagnosis Research visit at

Timing Behavior Anomaly Detection for Automatic Failure Detection and Diagnosis Research visit at Charles Univerity Prague Matthias Rohr matthias.rohr@informatik.uni-oldenburg.de Graduate School TrustSoft, Software Engineering Group Department

969 views • 82 slides
How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU Darmstadt, Germany software-lab.org 1 Static Bug Detection Error Prone 2 Static Bug Detection Error Prone General framework Scalable

804 views • 49 slides
Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work with Sam Blackshear, Peter OHearn, Nikos Gorogiannis Key Messages Static analyses for concurrency can be made scalable and precise . Unsound

827 views • 80 slides
Seminar: Medical Image Processing A robust approach for automatic detection and segmentation of

Seminar: Medical Image Processing A robust approach for automatic detection and segmentation of

Introduction Morphology Linear filters Detection Evaluation Summary Seminar: Medical Image Processing A robust approach for automatic detection and segmentation of cracks in underground pipeline images Tim Niemueller < tim@niemueller.de

2.1k views • 165 slides
Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static UUIDs From Mobile Apps Chaoshun

Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static UUIDs From Mobile Apps Chaoshun

Computer Security Laboratory Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static UUIDs From Mobile Apps Chaoshun Zuo, Haohuang Wen , Zhiqiang Lin, and Yinqian Zhang Department of Computer Science and Engineering The Ohio State

1.19k views • 73 slides
Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Introduction Static State Versioning Version Computation Conclusion Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming Languages and Compilers Institute of Software Technology University of

577 views • 28 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
A Model-Based System Supporting Automatic Self-Regeneration of Critical Software Paul Robertson

A Model-Based System Supporting Automatic Self-Regeneration of Critical Software Paul Robertson

A Model-Based System Supporting Automatic Self-Regeneration of Critical Software Paul Robertson & Brian Williams Model-Based and Embedded Robotic Systems http://mers.mit.edu MIT Computer Science and Artificial Intelligence Laboratory

418 views • 30 slides
Distributed motion coordination of robotic networks or how to get global behavior out of

Distributed motion coordination of robotic networks or how to get global behavior out of

Distributed motion coordination of robotic networks or how to get global behavior out of local interactions Jorge Cort es Applied Mathematics and Statistics Baskin School of Engineering University of California at Santa Cruz

962 views • 58 slides
2019-2020 Provider Orientation South Carolina Department of Disabilities and Special Needs June

2019-2020 Provider Orientation South Carolina Department of Disabilities and Special Needs June

2019-2020 Provider Orientation South Carolina Department of Disabilities and Special Needs June 17 and 18, 2019 Presenter: Monica Owens, Alliant ASO Contract Compliance Review Process Why Do We Review Providers? The South Carolina Department

971 views • 74 slides
Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming

Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming

Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming Andersen Intel IAG FMCAD 2009 1 Introduction Standard approach to FV of HW protocols Develop high level model (HLM) in guarded-command-

473 views • 25 slides
to Understand Parallel Program Behaviors LAI WEI , JOHN MELLOR-CRUMMEY RICE UNIVERSITY HOUSTON,

to Understand Parallel Program Behaviors LAI WEI , JOHN MELLOR-CRUMMEY RICE UNIVERSITY HOUSTON,

Automated Analysis of Time Series Data to Understand Parallel Program Behaviors LAI WEI , JOHN MELLOR-CRUMMEY RICE UNIVERSITY HOUSTON, TX, USA Background Parallel computers of increasing scale Support scientific simulations of increasing

1.15k views • 93 slides
Automatic Synthesis of High-Speed Processor Simulators Martin Burtscher and Ilya Ganusov

Automatic Synthesis of High-Speed Processor Simulators Martin Burtscher and Ilya Ganusov

Automatic Synthesis of High-Speed Processor Simulators Martin Burtscher and Ilya Ganusov Computer Systems Laboratory Cornell University Motivation Processor simulators are invaluable tools They allow us to cheaply and quickly test ideas

187 views • 17 slides
Statistics, Big Data and small data Pierre Lebrun, Arlenda SA / Pharmalex

Statistics, Big Data and small data Pierre Lebrun, Arlenda SA / Pharmalex

Statistics, Big Data and small data Pierre Lebrun, Arlenda SA / Pharmalex pierre.lebrun@arlenda.com QPRC2017, UCONN, Storrs Disclaimer n I am not a big data analyst, merely a statistician working as a consultant for companies

780 views • 21 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides

More recommend