os-level side channels without procfs: exploring cross-app ... · • device: jailbroken iphone 7...
TRANSCRIPT
![Page 1: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/1.jpg)
OS-level Side Channels without Procfs: Exploring Cross-App Information
Leakage on iOS
Xiaokuan Zhang1, Xueqiang Wang2, Xiaolong Bai3, Yinqian Zhang1 and XiaoFeng Wang2
1The Ohio State University, 2Indiana University Bloomington, 3Tsinghua University
![Page 2: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/2.jpg)
Mobile Side-Channel Attacks
Sensor-basedSideChannels
CacheSideChannels
OS-levelSideChannels
2
• Side-channelAttack:makeuseofseeminglyharmlessinformationtoinfersensitiveinformation
![Page 3: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/3.jpg)
OS-level Side-Channel Attacks on Android
• Maliciousapprunninginthebackground,callingAPIs
• Procfs:systemstatistics• virtual/physicalmemory,networktraffic,CPUusageinfo,…
3
![Page 4: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/4.jpg)
• NoProcfsprovidingsystemstat
• Nounauthorizedcross-appquery
OS-level Side-Channel Attacks on iOS
IsitpossibletoconductOS-levelside-channelattacksoniOS?
4
![Page 5: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/5.jpg)
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
5
![Page 6: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/6.jpg)
Threat Model
• Monitoringapp:• UserdownloadsitfromAppStore• Audioplayer
6
![Page 7: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/7.jpg)
New Attack Vectors
• Host_statistics64():Globalusageofmemoryresources• Getifaddrs():Globalnetworkresources
• [NSFileManagerfileExistsAtPath:]:Theexistenceofafile/directory
7
![Page 8: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/8.jpg)
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
8
![Page 9: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/9.jpg)
Classifying User Activities --- Example Trace
• CallingAPIstogettimeseriesA• Host_statistics64()• Getifaddrs()
• Plottingdiffseries:A[i]–A[i-1]
Timeseriesleakinformation!!!
9
VM
Network
![Page 10: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/10.jpg)
Classifying User Activities --- Example Trace
10
Howtocombinemultipletimeseriestoperforminferenceattacks?
VM
Network
![Page 11: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/11.jpg)
Classifying User Activities --- Example Trace
Howtocombinemultipletimeseriestoperforminferenceattacks?
11
• Requirements:• Combiningmultipletimeseries• Reducingthedimension
• Majorcomponents:• SAX(Keoghetal.,2002)• BOP(Linetal.,2009)• LibSVM(Changetal.,2011)
VM
Network
![Page 12: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/12.jpg)
Classifying User Activities --- Case Studies • Device:jailbrokeniPhone7withiOS10.1.1
• AutomatedusingCycript • Monitoringapp:
• runninginthebackground• callingAPIsatarateof1000/s
12
![Page 13: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/13.jpg)
Classifying User Activities --- Case Studies • ForegroundApps:
• 100appsfromTopCharts+20pre-installedapps• TopNaccuracy:thepercentageofthetestsamplesbeingcorrectlylabeledbyoneofthetopNpredictedclassesbytheclassifier
97.5%89.2%
13
![Page 14: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/14.jpg)
Classifying User Activities --- Case Studies
• SafariWebsites
84.5%
14
![Page 15: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/15.jpg)
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
15
![Page 16: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/16.jpg)
Detecting Sensitive In-App Activities
16
Blockchain.info
![Page 17: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/17.jpg)
Detecting Sensitive In-App Activities --- Attack Methods
• Identifycriticalevents
• Correlateswithpublicrecords
17
![Page 18: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/18.jpg)
Detecting Sensitive In-App Activities --- Case Studies
• Target:BlockchainWalletApp
• Goal:identifypaymentevent(idx:0)
18
![Page 19: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/19.jpg)
Detecting Sensitive In-App Activities --- Case Studies
• Target:BlockchainWalletApp
• Goal:identifypaymentevent(idx:0)
• Normalizethedistanceperrow usingcell(i,i)asthebase(diagonal)
19
![Page 20: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/20.jpg)
Detecting Sensitive In-App Activities --- Case Studies
Transaction Set
Transaction Set
Transaction Set
20
![Page 21: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/21.jpg)
Detecting Sensitive In-App Activities --- Case Studies
Asent0.0035BTCtoB(1EwB…),TherestwenttoC(1Fbr…)
Csent0.001BTCtoE(1yNT…),TherestwenttoD(1ANE…)
Dsent0.0028BTCtoF(1CeN…),TherestwenttoG(16rU…)21
![Page 22: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/22.jpg)
Detecting Sensitive In-App Activities --- Case Studies
• OtherTargets:Venmo/Twitter
22
![Page 23: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/23.jpg)
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
23
![Page 24: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/24.jpg)
Bypassing Sandbox Restrictions --- Attack Methods
• Device:non-jailbrokeniPhone7withiOS10.2.1
• ExecutiontimeofFileExistAtPath
HugeDifference!!!
24
![Page 25: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/25.jpg)
Bypassing Sandbox Restrictions --- Case Studies
• Detectwhetheranapphasbeeninstalled
DivorceForce AsthmaMD Pregnancy+ SugarSense
25
![Page 26: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/26.jpg)
Bypassing Sandbox Restrictions --- Case Studies • Pushnotifications:
• .pushstorefilewiththebundleidentifierasitsnamewillbecreatedinaspecificdirectory
• (/var/mobile/Library/SpringBoard/PushStore/com.google.Gmail.pushstorefortheGmailapp)
• Dynamicallyregisteredhomescreenquickactions:• .plistfilewiththebundleidentifierasitsnamewillbecreatedinaspecificdirectory(/var/mobile/Library/SpringBoard/ApplicationShortcuts/com.google.Gmail.plistfortheGmailapp)
• Top150appsinAppStore’s“TopCharts”(Aug.2017):
• Pushnotification:67(44.7%)• dynamicallyregisteredhomescreenquickactions:44(31.3%)
26
![Page 27: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/27.jpg)
• Othercases:numberofphotos/memos
• Genericapproachtodetectfiles
27
Bypassing Sandbox Restrictions --- Case Studies
![Page 28: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/28.jpg)
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
28
![Page 29: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/29.jpg)
Practical Issues • AppStoreVetting
• DisguisedasanAudioPlayer• Passedthevetting
• PowerConsumption• Device:jailbrokeniPhone7withiOS10.1.1• 60min:5%batterywasconsumed
29
![Page 30: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/30.jpg)
Practical Issues --- Cross-device Attack Feasibility
trainingdevice:DeviceAiOS10.1.1
testingdevice:DeviceBNon-jailbrokeniOS10.2.1
30
![Page 31: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/31.jpg)
• Testset:Randomlyselect20third-partyapps • RedoForegroundAppsExperiment
91.5%
Practical Issues --- Cross-device Attack Feasibility
80.5%
31
![Page 32: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/32.jpg)
• Target:BlockchainWallet
Practical Issues --- Cross-device Attack Feasibility
32
![Page 33: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/33.jpg)
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
33
![Page 34: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/34.jpg)
Countermeasures
• RateLimiting:limitthesamplingrate• Filterthedataandonlykeepevery(1000/N)thdatapoint• Re-evaluatetheforegroundappclassification
ImplementediniOS11.1forhost_statistics64():2/s
34
![Page 35: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/35.jpg)
Countermeasures
• Coarse-grainedreturnvalues:maskingthedigitsofreturnvalues• Mask1/2/3digitsofall6features• Re-evaluatetheforegroundappclassification
1230Mask1digit:
1200Mask2digits:
1000Mask3digits:
1234Original:
35
![Page 36: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/36.jpg)
Countermeasures
• Coarse-grainedreturnvalues:maskingthedigitsofreturnvalues• Mask1/2/3digitsofall6features• Re-evaluatetheforegroundappclassification
ImplementediniOS11forgetifaddrs():Roundto1KB 36
![Page 37: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/37.jpg)
Countermeasures
• Eliminatingtheattackvectors
• Runtimedetection
• Privacy-preservingstatisticsreporting
• RemovingthefileExistsAtPathtimingchannelfileExistsAtPathtimingchannelhasbeeneliminatediniOS11
37
![Page 38: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/38.jpg)
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
38
![Page 39: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/39.jpg)
Conclusion
• FirstexplorationofOS-levelsidechannelsoniOS
• Threecategoriesofside-channelattacks
• ProposedcountermeasuresintegratediniOSandMacOS
39
![Page 41: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/41.jpg)
41
![Page 42: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/42.jpg)
Detecting Sensitive In-App Activities --- Attack Methods
• Timeisshort(<0.5s)
• Differenceissubtle
42
![Page 43: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/43.jpg)
Detecting Sensitive In-App Activities --- Attack Methods
• PatternMatching:comparetwomulti-dimensionaldatatraces• Sample:• Signature:• Goal:measurethedistance• ExtendedDTW(DTW_I):(wk:normalizationfactor)
43
![Page 44: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/44.jpg)
iOS Attacks
44
![Page 45: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/45.jpg)
Paper Vector ImpactChenetal.,Security’14
/proc/pid/statm
UIinferenceattacks(stealinglogincredentials,photos)
Diaoetal.,Oakland’16
/proc/interrupts
Interrupttiminganalysis(crackingunlockpatterns)
45
![Page 46: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/46.jpg)
Classifying User Activities --- Attack Methods • Requirements:
• Combiningmultipletimeseries
• Reducingthedimension
• Majorcomponents:• SymbolicAggregateapproXimation(SAX)(Keoghetal.,2002)
• Bag-of-Patterns(BOP)representation(Linetal.,2009)
• SupportVectorMachine(LibSVM)(Changetal.,2011)
{cbb:1,bbc:1,bcc:1,ccc:1,ccb:1,cba:1,baa:1,aaa:1} 46
![Page 47: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/47.jpg)
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
47
![Page 48: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/48.jpg)
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
48
![Page 49: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/49.jpg)
Classifying User Activities --- Case Studies • TopNAccuracyExample
Top1Accuracy:3/5=60%
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
49
![Page 50: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/50.jpg)
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
50
![Page 51: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/51.jpg)
Classifying User Activities --- Case Studies • TopNAccuracyExample
Top2Accuracy:(3+1)/5=80%
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
51
![Page 52: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/52.jpg)
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
52
![Page 53: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/53.jpg)
Classifying User Activities --- Case Studies • TopNAccuracyExample
Top3Accuracy:(2+1+2)/5=100%
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
53
![Page 54: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/54.jpg)
Detecting Sensitive In-App Activities
54
![Page 55: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/55.jpg)
Detecting Sensitive In-App Activities --- Attack Methods
• Identifycriticalevents
• Correlateswithpublicrecords
55
![Page 56: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/56.jpg)
Detecting Sensitive In-App Activities
56
![Page 57: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/57.jpg)
Classifying User Activities --- Case Studies
• Device:jailbrokeniPhone7withiOS10.1.1 • AutomatedusingCycript
57
![Page 58: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/58.jpg)
Why global stat can work?
• iOSitselfsuspendsappswhentheyruninthebackground,unlesstheappspeciallyrequestsbackgroundpermissions
• iOSisrelativelyquieterthanAndroid,whichgreatlyfacilitatesside-channelattacks
58
![Page 59: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/59.jpg)
Run Background Apps on iOS • AUDIObackgroundmode
• [NSTimerscheduledTimerWithTimeInterval:target:selector:userInfo:repeats:]
59
![Page 60: OS-level Side Channels without Procfs: Exploring Cross-App ... · • Device: jailbroken iPhone 7 with iOS 10.1.1 • 60 min: 5% battery was consumed 29 Practical Issues --- Cross-device](https://reader033.vdocument.in/reader033/viewer/2022050307/5f6fda3014c4ec1e4a017f76/html5/thumbnails/60.jpg)
Detecting Sensitive In-App Activities
60