Happy May the 4 !!!!1! - University of...

Post on 30-May-2018


Happy May the 4th!!!!1!

Android Security

CS642

Drew Davidson

Some slides taken from John Mitchell

Lecture Roadmap

• What is Android?
  – History
  – Design
• Exploits
  – System Defenses
• Other Attacks
  – Threats
  – Defenses

What is Android?

• A lot of things to different people
  – The fabled gPhone
    • Invites comparison to the iPhone
  – An internet of things (IoT) platform
  – An operating system for your car?
• Too big to explain in this lecture
  – We'll introduce some security features as needed
  – More to learn

(Ancient) History of Android

• 2003: Andy Rubin cofounds Android Inc to build a web-connected smartphone
• 2005: Google acquires Android Inc
• 2007: iPhone Gen I released
• 2008: HTC Dream (G1) released

Android Design

• More than an Operating System
  – A specialized Linux distro, at the lowest level
  – A framework for running Android "apps"
  – An entire ecosystem for smartphone users
  } Android Open Source Project
  } Apps, App Store (Google Play), Development tools, Closed-Source Components

From Google to You

Google → OEM → Service Provider → Users

Android Exploits

What is an Android Exploit?

• Working definition: An action that occurs in contravention of the security model of an architecture
• Examples:
  – Privilege Escalation: User code runs as root
  – Data Exfiltration: App steals another's data
  – DOS: App renders device unusable

Multi-Layered Architecture

Application Design

• Each app runs within an independent instance of the Dalvik Virtual Machine (DVM)
  – Apps largely run bytecode
  – Each app runs as its own user, i.e. there is a separate UID for each app

App Deployment

Intra-Application Security

• Signed code
  – Prevents out-of-band rewrites
• Java-style sandbox protections
  – Bytecode verifier prevents ill-formed programs
  – Runtime checks against buffer overflows, etc.
  – Could use the security manager for policies
• Android Lifecycle, App Killer
  – System may pause an app
  – System may kill an app with too many resources

Inter-Application Security

• OS level protections
  – Separate UIDs give apps distinct privileges
  – Minimizes privilege escalation
• Binder IPC
  – Kernel mediates communication between apps
  – Receiving app must register for incoming messages

OS Protection

• ASLR
  – Makes it statistically impossible/improbable to know if you're smashing the stack effectively
• Dlmalloc
  – Makes it much harder to spray the heap

Google Play (Store)

• Largest distribution channel for apps
  – Kill switch
  – Google Bouncer
  – "Wisdom" of the crowds

Exploits Still Happen

• Confused deputy
  – Stagefright
• Data exfiltration
  – Sensor side-channels
    • Microphone, Gyroscope
  – App misconfiguration
    • Facebook debug log
• Denial of Service
  – Exception loops
  – Battery drain

Other Threats

Shady Code

• The previous definition of exploit was somewhat weak
  – What happens when the security model is insufficient?
• Enable "PII attacks"
  – Broadly, attacks that leverage your personally identifiable information

Shady Code Defenses

• Android Permissions
  – Install-time permissions

Shady Code Defenses

• Android Permissions
  – Runtime
  – Update-time

Category | Permission | Description
Your Accounts | AUTHENTICATE_ACCOUNTS | Act as an account authenticator
Your Accounts | MANAGE_ACCOUNTS | Manage accounts list
Your Accounts | USE_CREDENTIALS | Use authentication credentials
Network Communication | INTERNET | Full Internet access
Network Communication | ACCESS_NETWORK_STATE | View network state
Your Personal Information | READ_CONTACTS | Read contact data
Your Personal Information | WRITE_CONTACTS | Write contact data
System Tools | WRITE_SETTINGS | Modify global system settings
System Tools | WRITE_SYNC_SETTINGS | Write sync settings (e.g. Contact sync)
System Tools | READ_SYNC_SETTINGS | Read whether sync is enabled
System Tools | READ_SYNC_STATS | Read history of syncs
Your Accounts | GET_ACCOUNTS | Discover known accounts
Extra/Custom | WRITE_SECURE_SETTINGS | Modify secure system settings

What's the Problem with Permissions?

• Admittedly, a step up over the Desktop
  – Arguably, table stakes for such a personal device
• "Permission entanglement"
  – You may control when a permission is used, but not how
• Permissions are per-app, thus shared with libraries
• A single permission may be used in various ways
• Composite effect of permissions exceeds their sum

Fixing Shady Code

• Fewer easy answers
  – One person's privacy violation is another's feature
• Location-aware advertising?

Now Entering the Realm of Research

• What follows is a discussion of research prototypes
  – Unlike above, there are occasionally obvious reasons NOT to do these things

Dataflow Analysis

• Label the uses of permissions in the program
  – Sources: produce sensitive information
  – Sinks: interact with untrusted entities
• We'd like to know how these endpoints interact
• Tools
  – FlowDroid
  – Stamp

Example Endpoint Permissions

Sources:
• Account data
• Audio
• Calendar
• Call log
• Camera
• Contacts
• Device Id
• Location
• Photos (Geotags)
• SD card data
• SMS

Sinks:
• Internet (socket)
• SMS
• Email
• System Logs
• Webview/Browser
• File System
• Broadcast Message

Possible Flows

Sources / Sinks (permission boxes from the slide diagram):
INTERNET, READ_CONTACTS
WRITE_SETTINGS, READ_SYNC_SETTINGS
WRITE_CONTACTS, READ_SYNC_STATS
GET_ACCOUNTS, WRITE_SECURE_SETTINGS
WRITE_SETTINGS, INTERNET

Implementing Dataflow Analysis

• Identify what methods use which permissions
  – No canonical map!
• Identify what permissions actually do
  – Is it a source? Sink? BOTH?
• View the program as a Program Dependence Graph
  – Edges represent flows of control or data
  – Nodes represent abstract regions of code
  – Requires a program semantics/abstraction

Dataflow Analysis Example

[Diagram: program dependence graph with four endpoint nodes]
• FB API (Source: FB_Data)
• Write Contacts (Sink: Contact_Book)
• Read Contacts (Source: Contacts)
• Send Internet (Sink: Internet)
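The example graph above, worked as an added illustration that is not part of the slides: a tiny program dependence graph whose endpoint nodes carry the slide's source/sink labels, plus the reachability check a FlowDroid-style tool performs to list which sources reach which sinks. The edge set (FB data written into the contact book, contacts read and sent to the network) and the intermediate node names are assumptions, since the slide shows only the endpoints.

```python
from collections import deque

# Endpoint nodes from the slide: node -> (kind, label). Other nodes are plain
# regions of code with no permission attached.
ENDPOINTS = {
    "FB_API":         ("source", "FB_Data"),
    "Read_Contacts":  ("source", "Contacts"),      # READ_CONTACTS
    "Write_Contacts": ("sink",   "Contact_Book"),  # WRITE_CONTACTS
    "Send_Internet":  ("sink",   "Internet"),      # INTERNET
}

# Constructed PDG edges (assumed, not from the slide): node -> successors.
# Edges stand for data or control dependence between code regions.
PDG = {
    "FB_API":         ["format_entry"],
    "format_entry":   ["Write_Contacts"],
    "Read_Contacts":  ["build_upload"],
    "build_upload":   ["Send_Internet"],
    "Write_Contacts": [],
    "Send_Internet":  [],
}

def reachable(graph, start):
    """All nodes reachable from `start` by following PDG edges (BFS)."""
    seen, todo = {start}, deque([start])
    while todo:
        node = todo.popleft()
        for succ in graph.get(node, []):
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return seen

def find_flows(graph, endpoints):
    """Sorted (source_label, sink_label) pairs for every source that reaches
    a sink. Over-approximate, as the slides warn: any path in the graph
    counts, whether or not it is feasible at runtime."""
    flows = set()
    for node, (kind, label) in endpoints.items():
        if kind != "source":
            continue
        for hit in reachable(graph, node):
            meta = endpoints.get(hit)
            if meta and meta[0] == "sink":
                flows.add((label, meta[1]))
    return sorted(flows)

def exfiltration_flows(graph, endpoints, untrusted=("Internet",)):
    """Only the flows whose sink leaves the device: the ones a reviewer
    would want explained before the app ships."""
    return [f for f in find_flows(graph, endpoints) if f[1] in untrusted]
```

Running `find_flows(PDG, ENDPOINTS)` reports both flows in the diagram, and `exfiltration_flows` narrows that to the contacts-to-network one.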

Limitations of Dataflow Analysis

• Technical
  – Over-approximate
  – Requires deep knowledge of the system
    • Impractical without some manual modelling, at least on Android
• Practical ... ideas?

(Dynamic) Taint Tracking

• Not the most media-savvy name
• Extend the system to record the provenance of data
  – Is it tainted by an input source?
• Tools
  – TaintDroid

Limitations of Dynamic Taint Tracking

• Technical limitations
  – Misses control dependencies
• Practical limitations
  – Slows execution
• Could use it solely as an offline analysis
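An added example (not from the slides or from TaintDroid itself) of what "misses control dependencies" means: a minimal TaintDroid-style value wrapper that carries source labels through explicit data operations, a constructed DeviceId source and a network sink, and two programs. The first copies the value directly and the sink sees the taint; the second reconstructs the same value through branch outcomes only, and the taint set arriving at the sink is empty.

```python
class Tainted:
    """A runtime value plus the set of source labels it was derived from.
    Labels propagate through explicit data operations (arithmetic here),
    which is the propagation rule dynamic taint tracking implements."""
    def __init__(self, value, labels=()):
        self.value = value
        self.labels = frozenset(labels)

    def _op(self, other, fn):
        if isinstance(other, Tainted):
            return Tainted(fn(self.value, other.value), self.labels | other.labels)
        return Tainted(fn(self.value, other), self.labels)

    def __add__(self, other):    return self._op(other, lambda a, b: a + b)
    def __and__(self, other):    return self._op(other, lambda a, b: a & b)
    def __rshift__(self, other): return self._op(other, lambda a, b: a >> b)

def read_device_id():
    """Constructed source: a fake 8-bit device id labelled 'DeviceId'."""
    return Tainted(0x5A, {"DeviceId"})

def send_internet(payload):
    """Constructed sink: returns the labels that reach it, so a monitor can
    flag the call. An empty set means the payload looks clean."""
    return payload.labels if isinstance(payload, Tainted) else frozenset()

def explicit_flow():
    """Data dependency: the tainted value is transformed and sent."""
    msg = read_device_id() + 1
    return msg.value, send_internet(msg)

def implicit_flow():
    """Control dependency: the value sent is rebuilt from branch decisions.
    No tainted value is ever assigned into `copy`, so the tracker cannot
    see that `copy` is a function of the device id."""
    dev = read_device_id()
    copy = 0                                   # plain, untainted int
    for i in range(8):
        if ((dev >> i) & 1).value:             # branch depends on dev
            copy |= 1 << i                     # but assigns a constant
    return copy, send_internet(copy)
```

The monitor reports the first program and stays silent on the second even though both deliver the device id, which is why the slides pair dynamic tracking with static analysis or offline use rather than relying on it alone.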

App Rewriting

• Change the behavior of the app
  – Reverse engineer it
  – Make some changes
  – Recompile it

DroidWeave

• To the board!

Conclusion

• Good luck on Finals!
• If you're graduating, good luck in life!