Application-layer security extensions · 2016-09-15
TRANSCRIPT
Application-layer security extensions
• Inlined Reference Monitoring
• App Virtualization
• Compiler-based instrumentation
GOALS & USE-CASES
§ Deploy security solutions independently from the device/OS vendor or app developers
- End user should be empowered
§ If possible, abstain from escalated privileges, i.e., from root
§ Provide strongest possible security guarantees
POSSIBLE APPLICATION-LAYER SOLUTIONS
§ Various application areas, such as:
- Privacy protection • E.g., AppGuard [99], Aurasium [100], I-ARM-Droid [101], RetroSkeleton [102], DroidForce [103]
- Deploying third-party security patches • E.g., AppSealer [104], Capper [105]
- Enforcing enterprise policies • E.g., DeepDroid [106]
- Patching Android vulnerabilities • E.g., PatchDroid [107]
- App virtualization • E.g., Boxify [108], NJAS [109]
Application-layer security extensions
Inlined Reference Monitoring
MOTIVATION
Existing permission system
Understand an app's behavior
Enforce a desired level of privacy
How to enforce such dynamic permissions?
PROBLEM DESCRIPTION
§ Ideally performed at OS/middleware layer → requires firmware modification!
§ Android isolates app processes: "all apps are created equal" → monitor not privileged enough!
§ Solution: Combine monitor and app into a "self-monitoring" app
[Figure: three placements of the monitor: inside the operating system below the untrusted app, as a separate monitor app beside the untrusted app, and inlined into the untrusted app itself]
INLINE REFERENCE MONITORING
§ Dynamic access control
– Prevent apps from accessing certain system resources
– Revocation and re-granting of permissions
§ Fine-granular security policies
– Comprehensible for user
– Expressive for developer
§ "Graceful degradation"
– Apps should not crash after access to restricted resource
§ No change to the OS
– Deployment as regular Android app (no root)
INLINE REFERENCE MONITORING
§ Goal: Mediate security-relevant operations
- Monitor program behavior at critical points
- Instrument program to redirect control flow to the monitor
- Take action based on security policy
• Terminate program
• Suppress operation
§ Security-relevant operations
- Function calls: Java Core API, Android API
- Control flow redirection either at caller-site or callee-site
§ Typically by bytecode modification
7. BWINF Forschungstage
CALLER- VS. CALLEE-SITE REWRITING
[Figure: the untrusted app's Application.main() calls into the system library's URL.openConnection()]
Untrusted App, Application.main():
    String s; URL u;
    s = "http://attacker.com/"; u = new URL(s); u.openConnection(); ...
System Library, URL.openConnection():
    ... return connection;
2. CyberCrime Kongress 2013
CALLEE-SITE REWRITING
Untrusted App, Application.main() (unchanged):
    String s; URL u;
    s = "http://attacker.com/"; u = new URL(s); u.openConnection(); ...
System Library, URL.openConnection():
    Original: ... return connection;
    Rewritten: Monitor.checkConnection(this); ... return connection;
Monitor, Monitor.checkConnection(url):
    if (!connectionAllowed(url)) {
        System.exit(1);
    }
CALLER-SITE REWRITING
Untrusted App, Application.main():
    Original: String s; URL u;
              s = "http://attacker.com/"; u = new URL(s); u.openConnection(); ...
    Rewritten: String s; URL u;
               s = "http://attacker.com/"; u = new URL(s); Monitor.openConnection(u); ...
System Library, URL.openConnection() (unchanged):
    ... return connection;
Monitor, Monitor.openConnection(url):
    if (!connectionAllowed(url)) {
        System.exit(1);
    }
    return url.openConnection();
CALLER- VS. CALLEE-SIDE REWRITING
Caller-side:
- Many places to instrument
- Dynamically loaded code
- Reflection
- Possible in practice for end-users
Callee-side:
- Few places to instrument
- Dynamically loaded code
- Reflection
- Impossible in practice for end-users
APPGUARD: REWRITER
§ Rewriter
- Works directly on Dalvik executable (DEX) bytecode
- Generates runtime monitor from policies and merges it into the target app
- Identifies invocations of security-relevant methods within the target app's bytecode
- Rewrites target app to call into the monitor right before every invocation of a security-relevant method (caller-site rewriting)
- Additional try-catch block allows monitor to suppress the security-relevant method call and return a mock value
APPGUARD: REWRITER
Original code:
    URL url = new URL(loc);
    try {
        url.openConnection();
    } catch (IOException e) {
        // handle IOException
    }
After rewriting:
    URL url = new URL(loc);
    try {
        Monitor.checkConnection(url);
        url.openConnection();
    } catch (IOException e) {
        // handle IOException
    } catch (MonitorException e) {
        // no return value, ignore
    }
Original code:
    TelephonyManager tm = getTelephonyManager();
    String deviceId = tm.getDeviceId();
After rewriting:
    TelephonyManager tm = getTelephonyManager();
    String deviceId;
    try {
        Monitor.checkDeviceId(tm);
        deviceId = tm.getDeviceId();
    } catch (MonitorException e) {
        deviceId = e.mockValue();
    }
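The following Java program is an added example, not AppGuard's own code: it shows the monitor that the rewritten call sites above call into, with the per-app policy constructed inline instead of being read from the management app's config file. Only the names Monitor.openConnection, Monitor.checkDeviceId and MonitorException.mockValue() are taken from the slides; the Policy class, the host allow-list used for the wetter.com case study, the HTTP-to-HTTPS upgrade used for the Endomondo case study and the sample URLs are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example, not AppGuard's own code: the monitor an AppGuard-style caller-site
 * rewriter redirects calls to. Monitor.openConnection, Monitor.checkDeviceId and
 * MonitorException.mockValue() are the names used on the slides; Policy, the host
 * allow-list and the HTTPS upgrade are assumptions. The policy is constructed inline
 * instead of being read from the management app's world-readable config file.
 */
public class MonitorDemo {

    /** Thrown by the monitor to suppress a security-relevant call. Unchecked, so the
     *  rewriter can insert the check into methods that never declared it. */
    public static class MonitorException extends RuntimeException {
        private final Object mock;
        public MonitorException(String message, Object mock) {
            super(message);
            this.mock = mock;
        }
        /** Replacement value the rewritten app uses instead of the real result
         *  ("graceful degradation" instead of a crash). */
        @SuppressWarnings("unchecked")
        public <T> T mockValue() { return (T) mock; }
    }

    /** Per-app policy as the management app would hand it to the inlined monitor. */
    public static class Policy {
        final Set<String> allowedHosts;   // hosts the app may connect to
        final boolean upgradeToHttps;     // rewrite plain http:// to https://
        final boolean allowDeviceId;      // may the app read the device identifier?
        Policy(Set<String> allowedHosts, boolean upgradeToHttps, boolean allowDeviceId) {
            this.allowedHosts = allowedHosts;
            this.upgradeToHttps = upgradeToHttps;
            this.allowDeviceId = allowDeviceId;
        }
    }

    public static class Monitor {
        // Fail-safe default until the management app provides a policy: deny everything.
        private static volatile Policy policy = new Policy(Collections.<String>emptySet(), false, false);

        public static void setPolicy(Policy p) { policy = p; }

        /** Caller-site replacement for url.openConnection(). */
        public static URLConnection openConnection(URL url) throws IOException {
            URL target = url;
            if (policy.upgradeToHttps && "http".equalsIgnoreCase(url.getProtocol())) {
                target = new URL("https", url.getHost(), url.getPort(), url.getFile());
            }
            if (!policy.allowedHosts.contains(target.getHost())) {
                log("blocked connection to " + target.getHost());
                throw new MonitorException("connection to " + target.getHost() + " denied", null);
            }
            log("allowed connection to " + target);
            return target.openConnection();   // no network I/O until connect() is called
        }

        /** Inserted right before TelephonyManager.getDeviceId(). */
        public static void checkDeviceId(Object telephonyManager) {
            if (!policy.allowDeviceId) {
                log("blocked getDeviceId()");
                throw new MonitorException("device id access denied", "000000000000000");
            }
        }

        /** Stand-in for the IPC channel that pushes events to the management app. */
        private static void log(String event) { System.out.println("[monitor] " + event); }
    }

    /** The app code as the rewriter leaves it, run under the wetter.com case study policy. */
    public static void main(String[] args) throws IOException {
        Monitor.setPolicy(new Policy(new HashSet<>(Arrays.asList("wetter.com", "www.wetter.com")), true, false));

        // constructed sample URLs: weather data vs. an ad server
        for (String loc : new String[] { "http://www.wetter.com/forecast", "http://ads.example.com/banner" }) {
            try {
                URLConnection c = Monitor.openConnection(new URL(loc));
                System.out.println("connection opened to " + c.getURL());
            } catch (MonitorException e) {
                System.out.println("suppressed: " + e.getMessage());   // the app keeps running
            }
        }

        String deviceId;
        try {
            Monitor.checkDeviceId(null);   // on Android this would be the TelephonyManager
            deviceId = "<real device id>";
        } catch (MonitorException e) {
            deviceId = e.mockValue();
        }
        System.out.println("deviceId = " + deviceId);
    }
}
```

Run with `javac MonitorDemo.java && java MonitorDemo`: the weather request is upgraded to https and allowed, the ad request is suppressed without terminating the program, and the device identifier is replaced by the mock value. The policy defaults to deny so that a missing or unreadable configuration never silently grants access.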
DIFFERENT SOLUTIONS TO IRM
APPGUARD – CONCEPTUAL OVERVIEW
[Figure: Policies feed the Management component; the Rewriter takes the Untrusted App and produces an Untrusted App with the Monitor inlined; Management and the inlined Monitor exchange config and logging]
Implemented as stand-alone app → easily deployable
APPGUARD: MANAGEMENT
§ UI for rewriting apps on the phone
§ Policy configuration per app
- Passed to target app via world-readable config file
- Fine-grained configuration supported
§ Log of security-relevant events
- Pushed via IPC from inlined monitor
Forschungstage Informatik 2014
CASE STUDIES
Wetter.com
§ Provides weather information & forecast
§ Displays advertisements
§ Situation
- Retrieves weather data from wetter.com
- Requests INTERNET permission for full Internet access
§ Solution
- Selectively allow access to wetter.com servers only
- No more advertisements displayed
CASE STUDIES
§ Mobile client for popular micro-blogging service
§ Situation
- Automatically transfers contact data to Twitter servers without user's knowledge or consent
- Part of Twitter's "find friends" feature
§ Solution
- Block access to user's contact data
- Friends can still be added manually
CASE STUDIES
Endomondo Sports Tracker
§ Tracks your outdoor sport activities (running, cycling, etc.)
§ Creates personal sports profile
§ Situation
- Leaks authentication token via HTTP
§ Solution
- Intercept HTTP connections and redirect to encrypted HTTPS
CASE STUDIES
(Evil) TeaTimer
§ Simple timer app
§ Requires INTERNET permission only
§ Situation
- Uploads user's personal photos to public photo sharing site
- No permission required to access photo storage
§ Solution
- Block access to photo storage
APPGUARD: DISCUSSION
§ Practical solution to a pressing security problem
- Negligible runtime overhead (<6%)
- Reasonable rewriting time (5-60 seconds)
- Deployed & widely adopted (~1 million downloads over 8 months)
§ General-purpose lightweight runtime instrumentation
- Only minimal static rewriting (caller-site) necessary
DRAWBACKS OF INLINED REFERENCE MONITORING
§ Inlined reference monitor shares the same process space as the untrusted monitored code
§ No strong security boundary between monitoring and monitored code!
▶ Malicious code can attack and disable/modify the reference monitor!
§ Rewriter must be able to identify the call-sites
▶ Malicious code can include custom implementations of SDK functions with different function signatures!
▶ Native code not covered!
DRAWBACKS OF INLINED REFERENCE MONITORING (2)
§ Android relies on same-origin model for application updates
- Every app is cryptographically signed by its developer
- Digital signature identifies origin
- App updates only allowed if from same origin (i.e., having same signature as original app)
§ IRM breaks with the same-origin model, because application code has to be instrumented with inlined code
▶ Breaks the digital signature and hence origin!
Application-layer security extensions
App virtualization
MOTIVATION
[Figure: related work arranged on a spectrum from OS extensions to application-layer solutions]
Cells [SOSP'11], Apex [ASIACCS'10], ASM [SEC'15], L4Android [SPSM'11], AppGuard [TACAS'13], TaintDroid [OSDI'10], CRePE [ISC'10], TrustDroid [SPSM'11], I-ARM-Droid [MoST'12], DroidForce [ARES'14], MOSES [SACMAT'12], AirBag [NDSS'14], Aurasium [SEC'12], FlaskDroid [SEC'13], RetroSkeleton [MobiSys'13], Dr. Android & Mr. Hide [SPSM'12]
OS Extensions ←→ Application Layer Solutions
ANDROID OS EXTENSIONS
[Figure: apps sit above the process boundary; the Binder IPC and syscall API mark the kernel boundary to the system services and the Linux kernel; OS extensions place their monitors inside the system services and the kernel]
✔ Strong security
✖ Hard to deploy
APPLICATION LAYER SOLUTIONS
[Figure: same layering; the monitor is just another app, separated from the monitored apps by the process boundary]
✔ Easy to deploy
✖ No app monitoring possible
INLINED REFERENCE MONITORING
[Figure: same layering; the monitor is inlined into the monitored app's process]
✔ Easy to deploy
✖ Weak security
GOAL OF APP VIRTUALIZATION
OS Extensions: ✔ Strong security, ✖ Hard to deploy
Application Layer Solutions: ✔ Easy to deploy, ✖ Weak security
Our Goal: ✔ Easy to deploy, ✔ Strong security
OBJECTIVES
Monitor and constrain untrusted applications
✔ Easy to deploy
- No firmware modification / root
- No application modification
✔ Strong security
- Protected reference monitor
- Fail-safe defaults
APPROACH (1)
Objective: No firmware modification/root
Solution: Regular user-space application
[Figure: the Monitor is a regular app beside the other apps, above the Binder IPC / syscall API]
APPROACH (2)
Objective: No application modification
Solution: Application virtualization
[Figure: the untrusted App is placed inside the Monitor app instead of being rewritten]
APPROACH (3)
Objective: Protected reference monitor
Solution: Separate process
[Figure: the Monitor and the App run in separate processes; a Shim in the App's process connects it to the Monitor]
APPROACH (4)
Objective: Fail-safe defaults
Solution: Isolated process
[Figure: the App's process is a zero-permission process; the Monitor mediates its access to the system]
ISOLATED PROCESS
§ Allows service components to run isolated from the rest of the application
§ Isolated processes
- Have zero permissions
- Have no access to system services
- Run with a distinct, transient UID
- Cannot write to the file system
APP VIRTUALIZATION ARCHITECTURE
[Figure: Boxify is a regular app; inside it, the Monitor runs as the Broker and the untrusted Target App runs in an isolated process; both sit above the Binder IPC / syscall API to the system services and the Linux kernel]
TARGET
[Figure: the Target App runs on top of an IPC Shim, a Syscall Shim and a Sandbox Service, each connected to the Broker]
- IPC Shim: Divert Binder IPC to Broker
- Syscall Shim: Divert syscalls to Broker
- Sandbox Service: Control channel for loading/terminating apps
LOADING AN APP
[Sequence diagram between Broker and Target]
1. Broker → Target: Context.bindService() (Binder: SandboxService)
   - Isolated process is created
2. Broker → Target: SandboxService.prepare()
   - Shims are set up
3. Broker → Target: ApplicationThread.bindApplication() (Binder: ApplicationThread)
   - App is started
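The following Android code is an added example, not Boxify's own code, serving both the ISOLATED PROCESS slide and the loading sequence above: it shows the one manifest attribute that gives a service its own zero-permission process (android:isolatedProcess is the standard Android attribute) and the three-step handshake the broker drives over Binder. The names SandboxService and prepare() come from the slide; the package name, the Messenger-based control channel, the message constants and the log lines are assumptions, and the shim setup and app start are left as placeholders. It needs the Android SDK to compile.

```java
package com.example.sandboxdemo;   // hypothetical package name

import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Message;
import android.os.Messenger;
import android.os.Process;
import android.os.RemoteException;
import android.util.Log;

/*
 * Manifest entry that gives SandboxService its own process with zero permissions and a
 * transient UID (android:isolatedProcess is the standard attribute; the name is ours):
 *
 *   <service android:name=".SandboxService"
 *            android:isolatedProcess="true"
 *            android:exported="false" />
 */

/** Target side: runs in the isolated process. */
public class SandboxService extends Service {
    static final String TAG = "SandboxService";
    static final int MSG_PREPARE = 1;            // step 2: install the shims
    static final int MSG_BIND_APPLICATION = 2;   // step 3: start the target app

    // A Messenger works across the process boundary; casting the IBinder to a local
    // Binder subclass would only work if the service ran in the broker's own process.
    private final Messenger control = new Messenger(new Handler(Looper.getMainLooper(),
            new Handler.Callback() {
                @Override public boolean handleMessage(Message msg) {
                    switch (msg.what) {
                        case MSG_PREPARE:
                            prepare(msg.getData().getString("apk"));
                            return true;
                        case MSG_BIND_APPLICATION:
                            bindApplication();
                            return true;
                        default:
                            return false;
                    }
                }
            }));

    @Override
    public IBinder onBind(Intent intent) {
        // Step 1: the broker's bindService() made the OS create this isolated process.
        Log.i(TAG, "isolated process up, uid=" + Process.myUid());
        return control.getBinder();
    }

    /** Placeholder: install the IPC and syscall shims before any app code runs. */
    void prepare(String apkPath) {
        Log.i(TAG, "setting up shims for " + apkPath);
    }

    /** Placeholder: hand control to the target app; from now on every Binder call
     *  and syscall it makes is diverted to the broker. */
    void bindApplication() {
        Log.i(TAG, "starting target app");
    }
}

/** Broker side: runs in the normal, permission-holding process. */
class Broker {
    static void loadApp(Context ctx, final String apkPath) {
        Intent intent = new Intent(ctx, SandboxService.class);
        ServiceConnection conn = new ServiceConnection() {
            @Override public void onServiceConnected(ComponentName name, IBinder binder) {
                Messenger target = new Messenger(binder);
                try {
                    Message prepare = Message.obtain(null, SandboxService.MSG_PREPARE);
                    Bundle args = new Bundle();
                    args.putString("apk", apkPath);
                    prepare.setData(args);
                    target.send(prepare);                                                   // step 2
                    target.send(Message.obtain(null, SandboxService.MSG_BIND_APPLICATION)); // step 3
                } catch (RemoteException e) {
                    Log.w("Broker", "sandbox process died during setup", e);
                }
            }
            @Override public void onServiceDisconnected(ComponentName name) {
                Log.w("Broker", "sandbox process gone; target app terminated");
            }
        };
        ctx.bindService(intent, conn, Context.BIND_AUTO_CREATE);   // step 1: creates the isolated process
    }
}
```

The fail-safe default comes from the OS, not from the code: whatever the target app does inside SandboxService's process, it holds no permissions and cannot reach system services directly, so the only way out is the control channel and the shims the broker installs.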
BROKER
[Figure: the Target talks to the Broker's API Layer (IPC Receiver, Syscall Receiver); below it sit the Core Logic Layer (Service PEPs, Syscall PEP, Core Services) and the Virtualization Layer (Srv Stubs, Component Broker, …)]
API LAYER
- Establish compatibility across Android versions
CORE LOGIC LAYER
- Baseline enforcement & virtual system services (Service PEP, Syscall PEP, Core Services)
VIRTUALIZATION LAYER
- Translate between Boxify and Android system
VIRTUALIZATION LAYER
[Figure: the App declares ActivityA, ActivityB, ServiceA, ServiceB, ReceiverA; Boxify declares generic placeholders Activity1 … ActivityN, Service1 … ServiceN, Receiver1 …]
- App → Boxify: startActivity(ActivityA) is translated to startActivity(Activity1) towards the Android system
- Android system → Boxify: scheduleLaunchActivity(Activity1) is translated back to scheduleLaunchActivity(ActivityA) towards the app
SYSTEM INTEGRATION
§ Launching apps
- Dedicated Activity
- Shortcuts on Home Screen
- Virtualized Launcher
§ Installing/Updating apps
- Directly via App Stores
DISCUSSION & LIMITATIONS
§ Cancels Android's own access control checks
§ Violates Principle of Least Privilege
§ Full kernel attack surface available
§ Presence of Boxify detectable
USE-CASES
§ Instantiate OS extensions at application layer
- Fine-grained access control
- Information flow control
- Dual-persona, BYOD
- Dynamic analysis
- Automated testing
- Xposed
- …
Application-layer Security
Compiler-based instrumentation
MOTIVATION AND RESEARCH QUESTIONS
§ Android Runtime (ART) supersedes Dalvik Virtual Machine (DVM)
- Move from interpretation to ahead-of-time on-device compilation
- Breaks compatibility with DVM-based prior work (e.g. TaintDroid)
§ ART yet uncharted
- Only few works on the topic
- Security implications unclear
- Potentially interesting target for security research
§ This work: Understanding and utilizing the novel runtime
- Researching the new on-device compiler
- Creating an app-instrumentation framework
- Proving its applicability by implementing use-cases
DVM VS ART
Dalvik Virtual Machine
- Default runtime up to Android 5.0
- Pre-optimization of bytecode
- Dalvik executable bytecode format (.dex)
- Interpretation and just-in-time compilation
- Repeated fetch-execute cycles
Android Runtime
- Default runtime since Android 5.0
- Compilation of bytecode to binary code
- ART ELF binary (.oat)
- Native execution in the Android Runtime
- Improved performance and battery life
THE ANDROID RUNTIME
§ Two main components: compiler suite and runtime
§ Dex2oat compiler: transform dex files into oat files
- Oat follows the ELF format
- Complete dex code is stored along with the binary code
- Multiple compilation backends and code generators
- Backends handle optimizations
§ Runtime: load and execute compiled apps
- Compensate for missing virtual machine
- Preload framework code
- Garbage collection
- Debugging hooks
DEX2OAT: OVERVIEW
DEX2OAT: OPTIMIZING IR
§ Single intermediate representation
§ Enriched method CFGs
§ Static Single Assignment (SSA) form
§ Def-use pairs
§ Nodes comparable to dex instructions
§ Inlined Java semantic checks
INSTRUMENTATION POINTS
• Minimal interference with dex2oat
• Leaves transformation from dex and code generators intact
• Support for visitor pattern
• Lightweight static analysis possible
ARTIST: THE ART INSTRUMENTATION AND SECURITY TOOLKIT
§ Injection of whole libraries
- Support to merge additional dex files
- Implemented as a preprocessing step
- Invocations of those added methods can be injected
§ Simple API for code injection
- Injects method calls
- Policy-driven: (target, method, parameters)
- Used to implement simple IRM use-case
§ Support for Modules
- Implemented as custom optimization passes over the code
- Integrates neatly with optimizations and other Modules
- Full access to method CFG: remove, add and replace nodes
ARTIST: DEPLOYMENT
§ Replace system dex2oat
§ Ship the compiler as a binary
- Regular Android app
- UI to pick app for instrumentation
- Recompilation generates alternative oat file (oat')
§ Trick Android into loading oat' instead of oat
- root: replace oat with oat'
- No root: use virtualization technique (Boxify, NJAS)
§ Application-layer-only solution
- Leaves system binary untouched
- No root required
POSSIBLE USE CASES
§ Taint tracking
- Tracking of prohibited flows from protected sources to app sinks
§ IRM
- Dynamic permission enforcement
§ Hot-patching of vulnerabilities
- Detect and fix common vulnerabilities introduced by developers
§ Enforced app compartmentalization
- Split applications into distinct security principals
§ Debugging and profiling
- Inject custom debugging hooks and benchmarking code
§ …
CASE STUDY: TAINT TRACKING WITH ARTIST
§ De-facto standard TaintDroid not applicable anymore on ART
- Existing works focus on dex rewriting (TaintMan, …)
§ Investigate whether taint tracking can be implemented using compiler-based instrumentation
- Specific challenges
- Compiler operates on method-level
- Interplay with optimizations
§ Hybrid analysis
- Lightweight static analysis to support targeted instrumentation
- No full static taint analysis!
- Dynamic taint tracking happens at runtime
CASE STUDY: INFORMATION FLOW ANALYSIS
§ Refining the definitions of sources and sinks
- Global source/sink: data enters/leaves application
- Local source/sink: data enters/leaves current method
§ Intra-method taint tracking
- Statically compute backward slices of global and local sinks
- Stop at method border, i.e. local sources
§ Inter-method taint tracking
- Inject code at sources and sinks to obtain and propagate taint information
- Thread-local taint stack for tainted arguments and return values
- Create identifier for object and static fields and store in map
- Add code to check taint value at global sinks
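The following Java program is an added example, not ARTist's code, illustrating the runtime side of the inter-method taint tracking just described: a thread-local taint stack for argument and return-value taints, a map from generated field identifiers to taint values, and a check at a global sink. The runtime class TaintRt, its method names, the bit-flag taint encoding, the field identifier scheme and the sample app are assumptions; the static backward slicing that decides where to inject is not shown, so the injected calls in SampleApp are placed by hand where the compiler would emit them.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/*
 * Added example, not ARTist's implementation. TaintRt, its method names, the taint
 * encoding and the sample app are assumptions; the "injected" comments mark the calls
 * a compiler-based instrumentation pass would insert into the app's methods.
 */
public class TaintDemo {

    /** Runtime support the injected code calls into. */
    public static final class TaintRt {
        public static final int CLEAN = 0;
        public static final int IMEI = 1;   // bit flag so taints can be combined with |

        // Thread-local taint stack: a caller pushes the taint of each argument and the
        // callee pops it; a callee pushes the taint of its return value, the caller pops it.
        private static final ThreadLocal<Deque<Integer>> STACK =
                ThreadLocal.withInitial(ArrayDeque::new);
        // Taint of object and static fields, keyed by a generated identifier.
        private static final Map<String, Integer> FIELDS = new HashMap<>();
        // Prohibited flows observed at global sinks (what a detection backend would consume).
        private static final List<String> VIOLATIONS = new ArrayList<>();

        public static void push(int taint) { STACK.get().push(taint); }

        public static int pop() {
            Deque<Integer> s = STACK.get();
            return s.isEmpty() ? CLEAN : s.pop();   // uninstrumented callers leave nothing
        }

        public static void setField(Object owner, String field, int taint) {
            FIELDS.put(fieldId(owner, field), taint);
        }

        public static int getField(Object owner, String field) {
            return FIELDS.getOrDefault(fieldId(owner, field), CLEAN);
        }

        /** Check at a global sink; records the flow and returns false if the data is tainted. */
        public static boolean checkSink(String sink, int taint) {
            if (taint == CLEAN) return true;
            VIOLATIONS.add(sink + " <- taint 0b" + Integer.toBinaryString(taint));
            return false;
        }

        public static List<String> violations() { return VIOLATIONS; }

        // Static fields have no owner object; object fields are keyed by identity.
        private static String fieldId(Object owner, String field) {
            String ownerId = owner == null ? "static"
                    : owner.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(owner));
            return ownerId + "." + field;
        }
    }

    /** A small app as it looks after instrumentation; comments mark injected lines. */
    public static final class SampleApp {
        private String cachedId;

        /** Global source (device identifier). */
        String readImei() {
            String imei = "356938035643809";   // constructed sample value
            TaintRt.push(TaintRt.IMEI);         // injected: taint of the return value
            return imei;
        }

        /** Local source (argument) flowing into a local sink (field store). */
        void cache(String value) {
            int t = TaintRt.pop();                   // injected: taint of argument 'value'
            cachedId = value;
            TaintRt.setField(this, "cachedId", t);   // injected: remember the field's taint
        }

        /** Global sink (network). Returns whether the send was allowed. */
        boolean upload(String payload) {
            int t = TaintRt.pop();                   // injected: taint of argument 'payload'
            if (!TaintRt.checkSink("network", t)) {
                return false;                        // injected: suppress the prohibited flow
            }
            return true;                             // the real send would happen here
        }

        boolean leakImei() {
            String id = readImei();
            int idTaint = TaintRt.pop();             // injected: take the callee's return taint
            TaintRt.push(idTaint);                   // injected: pass it on as argument taint
            cache(id);
            String out = cachedId;
            TaintRt.push(TaintRt.getField(this, "cachedId"));   // injected: taint of the field read
            return upload(out);
        }

        boolean sendCleanData() {
            TaintRt.push(TaintRt.CLEAN);             // injected: literal argument is clean
            return upload("city=Saarbruecken");
        }
    }

    /** Runs both flows; true if the tainted one was blocked and the clean one allowed. */
    public static boolean demo() {
        SampleApp app = new SampleApp();
        boolean leakBlocked = !app.leakImei();
        boolean cleanAllowed = app.sendCleanData();
        System.out.println("violations: " + TaintRt.violations());
        return leakBlocked && cleanAllowed;
    }

    public static void main(String[] args) {
        System.out.println(demo() ? "OK" : "FAIL");
    }
}
```

The stack discipline is what makes the scheme work across method borders without changing any signature: every instrumented call site pushes one taint per argument and the callee pops them in order, and the reverse for return values, so a method compiled in isolation only has to know its own sources and sinks. The pop() fallback to CLEAN is the conservative choice for callers the pass did not instrument; a stricter deployment would treat a missing taint as unknown rather than clean.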
CASE STUDY: TAINT TRACKING EXAMPLE
ONGOING WORK
§ Integrate ARTist with Boxify
- Current implementation requires root
§ Combine with state-of-the-art static analysis
- Even more targeted instrumentation
§ Multi-dex support
- Allows to also recompile the largest apps (Facebook, …)
- Move additional dex merging into the compiler itself