Happy May the 4th!!!!1!
Android Security
CS642
Drew Davidson
Some slides taken from John Mitchell
Lecture Roadmap
• What is Android?
– History
– Design
• Exploits
– System Defenses
• Other Attacks
– Threats
– Defenses
What is Android?
• A lot of things to different people
– The fabled gPhone
• Invites comparison to the iPhone
– An internet of things (IoT) platform
– An operating system for your car?
• Too big to explain in this lecture
– We’ll introduce some security features as needed
– More to learn
(Ancient) History of Android
• 2003: Andy Rubin cofounds Android Inc to build a web-connected smartphone
• 2005: Google acquires Android Inc
• 2007: iPhone Gen I released
• 2008: HTC Dream (G1) released
Android Design
• More than an Operating System
– A specialized Linux distro, at the lowest level
– A framework for running Android “apps”
– An entire ecosystem for smartphone users
(Figure: one brace groups part of the stack as the Android Open Source Project; a second brace groups Apps, App Store (Google Play) and Development tools as Closed-Source Components.)
From Google to You
(Figure: Google → OEM → Service Provider → Users)
Android Exploits
What is an Android Exploit?
• Working definition: An action that occurs in contravention of the security model of an architecture
• Examples:
– Privilege Escalation: User code runs as root
– Data Exfiltration: App steals another’s data
– DOS: App renders device unusable
Multi-Layered Architecture
Application Design
• Each app runs within an independent instance of the Dalvik Virtual Machine (DVM)
– Apps largely run bytecode
– Each app runs as its own user, i.e. there is a separate UID for each app
App Deployment
Intra-Application Security
• Signed code
– Prevents out-of-band rewrites
• Java-style Sandbox protections
– Bytecode verifier prevents ill-formed programs
– Runtime checks against buffer overflows, etc.
– Could use the security manager for policies
• Android Lifecycle, App Killer
– System may pause an app
– System may kill an app with too many resources
Inter-Application Security
• OS level protections
– Separate UIDs give apps distinct privileges
– Minimizes privilege escalation
• Binder IPC
– Kernel mediates communication between apps
– Receiving app must register for incoming messages
OS Protection
• ASLR
– Makes it statistically impossible/improbable to know if you’re smashing the stack effectively
• Dlmalloc
– Makes it much harder to spray the heap
Google Play (Store)
• Largest distribution channel for apps
– Kill switch
– Google Bouncer
– “Wisdom” of the crowds
Exploits Still Happen
• Confused deputy
– Stagefright
• Data exfiltration
– Sensor side-channels
  • Microphone, Gyroscope
– App misconfiguration
  • Facebook Debug log
• Denial of Service
– Exception loops
– Battery drain
Other Threats
Shady Code
• The previous definition of exploit was somewhat weak
– What happens when the security model is insufficient?
• Enable “PII attacks”
– Broadly, attacks that leverage your personally identifiable information
Shady Code Defenses
• Android Permissions
– Install-time permissions
Shady Code Defenses
• Android Permissions
– Runtime
– Update-Time
Category                   Permission              Description
Your Accounts              AUTHENTICATE_ACCOUNTS   Act as an account authenticator
                           MANAGE_ACCOUNTS         Manage accounts list
                           USE_CREDENTIALS         Use authentication credentials
Network Communication      INTERNET                Full Internet access
                           ACCESS_NETWORK_STATE    View network state
Your Personal Information  READ_CONTACTS           Read contact data
                           WRITE_CONTACTS          Write contact data
System Tools               WRITE_SETTINGS          Modify global system settings
                           WRITE_SYNC_SETTINGS     Write sync settings (e.g. Contact sync)
                           READ_SYNC_SETTINGS      Read whether sync is enabled
                           READ_SYNC_STATS         Read history of syncs
Your Accounts              GET_ACCOUNTS            Discover known accounts
Extra/Custom               WRITE_SECURE_SETTINGS   Modify secure system settings
What’s the Problem with Permissions?
• Admittedly, a step up over the Desktop
– Arguably, table stakes for such a personal device
• “Permission entanglement”
– You may control when a permission is used, but not how
• Permissions are per-app, thus shared with libraries
• A single permission may be used in various ways
• Composite effect of permissions exceeds sum
Fixing Shady Code
• Fewer easy answers
– One person’s privacy violation is another’s feature
• Location-aware advertising?
Now Entering the Realm of Research
• What follows is a discussion of research prototypes
– Unlike above, there are occasionally obvious reasons NOT to do these things
Dataflow analysis
• Label the uses of permissions in the program
– Sources: produce sensitive information
– Sinks: interact with untrusted entities
• We’d like to know how these endpoints interact
• Tools
– FlowDroid
– Stamp
Example Endpoint permissions
Sources
• Account data
• Audio
• Calendar
• Call log
• Camera
• Contacts
• Device Id
• Location
• Photos (Geotags)
• SD card data
• SMS
Sinks
• Internet (socket)
• SMS
• System Logs
• Webview/Browser
• File System
• Broadcast Message
Possible Flows
(Figure: permissions from the table above connected by arrows into source/sink pairs; the text recovered from the figure is listed below.)
Sources          Sinks
INTERNET         READ_CONTACTS
WRITE_SETTINGS   READ_SYNC_SETTINGS
WRITE_CONTACTS   READ_SYNC_STATS
GET_ACCOUNTS     WRITE_SECURE_SETTINGS
WRITE_SETTINGS   INTERNET
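The coarsest version of the “possible flows” idea works at the manifest level: if an app declares both a source permission and a sink permission, a flow between them is possible, whether or not the code ever realises it. The script below is an added example (not from the lecture, and not FlowDroid or Stamp): it parses a constructed AndroidManifest.xml, classifies each declared permission using the source/sink categories from the endpoint slides, and lists every source-to-sink pair the permission set allows. The permission-to-category table is a simplified assumption made for the example, not an official Android mapping.

```python
"""Manifest-level 'possible flows' triage (added example, not from the lecture).

Classify each <uses-permission> in an AndroidManifest.xml as a data source or
a sink and enumerate every source -> sink pair the app could in principle
realise.  Holding both permissions does not mean the code actually moves data
between them, so this is a deliberate over-approximation for triage.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from permission to the lecture's endpoint categories.
# This is a simplification for the example, not an official Android list.
SOURCES = {
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.GET_ACCOUNTS": "Account data",
    "android.permission.READ_CALL_LOG": "Call log",
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.RECORD_AUDIO": "Audio",
    "android.permission.CAMERA": "Camera",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_PHONE_STATE": "Device Id",
}
SINKS = {
    "android.permission.INTERNET": "Internet (socket)",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE": "File system",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        # The attribute lives in the android: namespace.
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def possible_flows(manifest_xml):
    """Every (source category, sink category) pair the declared permissions allow."""
    perms = declared_permissions(manifest_xml)
    sources = sorted({SOURCES[p] for p in perms if p in SOURCES})
    sinks = sorted({SINKS[p] for p in perms if p in SINKS})
    return [(src, snk) for src in sources for snk in sinks]


# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

if __name__ == "__main__":
    for src, snk in possible_flows(SAMPLE_MANIFEST):
        print(f"possible flow: {src} -> {snk}")
```

For the sample manifest this reports Camera and Contacts both flowing to the Internet sink; ACCESS_NETWORK_STATE is neither a source nor a sink in this model and is ignored. A flashlight app that can reach contacts and the network is exactly the kind of “permission entanglement” the earlier slide describes, and this check is what a reviewer can run before any code-level analysis.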
Implementing Dataflow Analysis
• Identify what methods use which permissions
– No canonical map!
• Identify what permissions actually do
– Is it a source? Sink? BOTH?
• View the program as a Program Dependence Graph
– Edges represent flows of control or data
– Nodes represent abstract regions of code
– Requires a program semantics/abstraction
Dataflow Analysis Example
(Figure: a dependence graph with the nodes FB API (Source: FB_Data), Write Contacts (Sink: Contact_Book), Read Contacts (Source: Contacts) and Send Internet (Sink: Internet).)
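The “Implementing Dataflow Analysis” and “Dataflow Analysis Example” slides describe the program as a dependence graph whose nodes are labelled as sources or sinks; the analysis then asks which sources can reach which sinks. The code below is an added example (not FlowDroid, Stamp, or the lecture’s own code) of that reachability check over a small PDG, with the slide’s graph reconstructed from the figure as one input. A second, constructed graph hashes contacts before upload: without a sanitizer model the analysis still reports Contacts → Internet, which is the over-approximation the next slide lists as a limitation, and the “manual modelling” it mentions is the `mark_sanitizer` call. Node names, the `PDG` class and `mark_sanitizer` are assumptions of this example.

```python
"""Source-to-sink reachability over a program dependence graph (PDG).

Added example; not FlowDroid, Stamp, or code from the lecture.
Nodes are abstract regions of code, some labelled as permission endpoints
(sources or sinks); edges are data or control dependences.  A flow is
reported whenever a source can reach a sink along dependence edges.  Every
edge is followed whether or not the path is feasible at run time, so the
result over-approximates the flows that actually occur.  Nodes may also be
marked as sanitizers (assumed manual modelling); reachability stops there.
"""
from collections import deque


class PDG:
    def __init__(self):
        self.edges = {}          # node -> list of (successor, "data" | "control")
        self.sources = {}        # node -> source label, e.g. "Contacts"
        self.sinks = {}          # node -> sink label, e.g. "Internet"
        self.sanitizers = set()  # nodes that declassify what passes through them

    def add_edge(self, src, dst, kind="data"):
        assert kind in ("data", "control")
        self.edges.setdefault(src, []).append((dst, kind))
        self.edges.setdefault(dst, [])

    def mark_source(self, node, label):
        self.sources[node] = label

    def mark_sink(self, node, label):
        self.sinks[node] = label

    def mark_sanitizer(self, node):
        self.sanitizers.add(node)

    def reachable(self, start, honour_sanitizers=True):
        """Breadth-first walk along dependence edges from `start`."""
        seen = {start}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if honour_sanitizers and node in self.sanitizers and node != start:
                continue  # data is declassified here; do not propagate further
            for succ, _kind in self.edges.get(node, []):
                if succ not in seen:
                    seen.add(succ)
                    queue.append(succ)
        return seen

    def flows(self, honour_sanitizers=True):
        """Sorted (source label, sink label) pairs connected in the graph."""
        found = set()
        for node, src_label in self.sources.items():
            for reached in self.reachable(node, honour_sanitizers):
                if reached in self.sinks:
                    found.add((src_label, self.sinks[reached]))
        return sorted(found)


def lecture_example():
    """The graph from the 'Dataflow Analysis Example' slide, as reconstructed here."""
    g = PDG()
    g.mark_source("FB API", "FB_Data")
    g.mark_sink("Write Contacts", "Contact_Book")
    g.mark_source("Read Contacts", "Contacts")
    g.mark_sink("Send Internet", "Internet")
    g.add_edge("FB API", "Write Contacts")        # FB data written into the contact book
    g.add_edge("Read Contacts", "Send Internet")  # contact data sent over the network
    return g


def hashed_example():
    """Constructed variant: contacts are hashed before upload.

    Without a sanitizer model the analysis still reports Contacts -> Internet;
    with 'Hash Contacts' modelled as a sanitizer the flow disappears."""
    g = PDG()
    g.mark_source("Read Contacts", "Contacts")
    g.mark_sink("Send Internet", "Internet")
    g.add_edge("Read Contacts", "Hash Contacts")
    g.add_edge("Hash Contacts", "Send Internet")
    g.add_edge("Check Consent", "Send Internet", kind="control")  # a control dependence
    g.mark_sanitizer("Hash Contacts")
    return g


if __name__ == "__main__":
    print("slide graph:     ", lecture_example().flows())
    print("hashed, naive:   ", hashed_example().flows(honour_sanitizers=False))
    print("hashed, modelled:", hashed_example().flows())
```

Whether “Hash Contacts” really declassifies the data is a judgement the tool cannot make on its own; that is the deep system knowledge the limitations slide refers to, and it is also where a wrong sanitizer model turns an over-approximation into a missed flow.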
Limitations of Dataflow Analysis
• Technical
– Over-approximate
– Requires deep knowledge of the system
  • Impractical without some manual modelling, at least on Android
• Practical … ideas?
(Dynamic) Taint Tracking
• Not the most media-savvy name
• Extend the system to record the provenance of data
– Is it tainted by an input source?
• Tools
– TaintDroid
Limitations of Dynamic Taint Tracking
• Technical limitations
– Misses control dependencies
• Practical limitations
– Slows execution
• Could use it solely as an offline analysis
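Dynamic taint tracking, as the two slides above describe it, attaches a provenance label to data at a source, propagates it through operations, and checks it at a sink. The code below is an added example (a toy, not TaintDroid or the lecture’s code) that does this for string values in Python: `explicit_flow` shows a labelled contact being caught at the network sink, and `implicit_flow` shows the control-dependency blind spot named on the limitations slide, where a copy rebuilt purely by branching on the secret arrives at the sink with no label. The `Tainted` class, the `read_contacts` source, the `send_internet` sink and the sample contact string are all constructed for the example.

```python
"""Toy dynamic taint tracking with labelled values.

Added example; not TaintDroid or code from the lecture.  A Tainted value
carries the set of sources it depends on.  String operations on Tainted
values propagate the labels (an explicit data flow) and the sink refuses any
payload that still carries a label.  implicit_flow() shows the blind spot
named on the slide: a copy built by branching on the secret and appending
constants carries no label, because only data dependences are tracked.
"""


class Tainted:
    """A string plus the set of source labels it depends on."""

    def __init__(self, value, labels=()):
        self.value = value
        self.labels = frozenset(labels)

    def __add__(self, other):
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.labels | other.labels)
        return Tainted(self.value + other, self.labels)  # plain str adds no labels

    def __getitem__(self, index):
        return Tainted(self.value[index], self.labels)   # substrings stay tainted

    def __len__(self):
        return len(self.value)

    def __eq__(self, other):
        # The comparison yields a plain bool: this is where the label is dropped,
        # so any later branch on the result is invisible to the tracker.
        other_value = other.value if isinstance(other, Tainted) else other
        return self.value == other_value

    __hash__ = None


class TaintViolation(Exception):
    pass


def read_contacts():
    """Source: returns a constructed sample contact labelled 'Contacts'."""
    return Tainted("Alice:555-0100", {"Contacts"})


def send_internet(payload):
    """Sink: refuse any payload that carries a source label."""
    if isinstance(payload, Tainted) and payload.labels:
        raise TaintViolation(f"{sorted(payload.labels)} -> Internet")
    return "sent"


def explicit_flow():
    """Contact data is concatenated into the payload, so the label propagates."""
    payload = Tainted("contact=") + read_contacts()
    try:
        send_internet(payload)
        return "leaked"
    except TaintViolation:
        return "blocked"


ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:-"


def implicit_flow():
    """Rebuild the secret character by character using comparisons only."""
    secret = read_contacts()
    copy = Tainted("")
    for i in range(len(secret)):
        for candidate in ALPHABET:
            if secret[i] == candidate:      # branch on tainted data (control dependence)
                copy = copy + candidate     # append an untainted constant
    return send_internet(copy), copy.value  # passes the sink with no label


if __name__ == "__main__":
    print("explicit flow:", explicit_flow())
    print("implicit flow:", implicit_flow())
```

The second function is why the slide lists missed control dependencies as a technical limitation rather than a bug: closing the gap means tainting everything written under a tainted branch, which quickly labels most of the program and makes the slowdown the slide also mentions worse, so tools such as TaintDroid accept the blind spot and track data dependences only.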
App Rewriting
• Change the behavior of the app
– Reverse engineer it
– Make some changes
– Recompile it
DroidWeave
• To the board!
Conclusion
• Good luck on Finals!
• If you’re graduating, good luck in life!