Static Verification of Android Security

Size: px

Start display at page:

Download "Static Verification of Android Security"

Beatrix Wright
6 years ago
Views:

1 Static Verification of Android Security Michele Bugliesi based on work with Stefano Calzavara and Alvise Spanò appeared at FORTE/FMOODS Int. Conf Università Ca Foscari Venezia Dipartimento di Scienze Ambientali, Informatica e Statistica ISACA VENICE

2 Mobile Devices All Over Smartphones have become pervasive Increasingly widespread and involved in a variety of contexts: Web browsing and social networking Multimedia and entertainment Navigation and Location Based Services On-line payments... Smartphone security and robustness have therefore become critical M. Bugliesi (UNIVE) LINTENT / 24

3 Mobile/Smartphone Security A variety of attack surfaces Apple s IOS Closed platform: secret vetting process for new applications Largely (?) protected against malware and design flaws Privacy concerns arising from closed nature of the platform Google s Android An open platform: loose control on flawed applications Interesting case study for security research Lots of design flaws and security attacks found over the last few years M. Bugliesi (UNIVE) LINTENT / 24

4 Android Security Main attack surfaces Information flow leaks Privilege escalation Coarse permissioning ICC mismatches Countermeasures Data-flow analysis Runtime reference monitors OS enhancements Exception handling We focus on priviledge escalation and ICC mismatches Language-based security approach: static verification, based on security typing enforce certified secure design practices assist robust application development Also effective for validation of existing applications M. Bugliesi (UNIVE) LINTENT / 24

5 Android Architecture in 1 slide Applications consist of separate components Activities: associated with user interfaces Services: performing long-running background computations Broadcast receivers: acting as forwarders of system-wide broadcast messages to specific application components. Content providers: managing persistent application data. M. Bugliesi (UNIVE) LINTENT / 24

6 Android Architecture in 1 slide Applications consist of separate components Activities: associated with user interfaces Services: performing long-running background computations Broadcast receivers: acting as forwarders of system-wide broadcast messages to specific application components. Content providers: managing persistent application data. Components communicate with intents explicit: directed to a specific component implicit: directed to any component supporting associated action exchanged asynchronously M. Bugliesi (UNIVE) LINTENT / 24

7 Android Security Model in 1 slide Sandboxing Applications mutually distrusted Application assigned unique IDs Applications may only access resources they own, or resources owned by others that are made publicly available M. Bugliesi (UNIVE) LINTENT / 24

8 Android Security Model in 1 slide Sandboxing Applications mutually distrusted Application assigned unique IDs Applications may only access resources they own, or resources owned by others that are made publicly available Permission system Sensitive components protected by permissions PHONE CALL, INTERNET, BLUETOOTH,... Permissions required to run an application defined in the application s manifest, and granted upon installation Runtime reference monitor to check permissions upon ICC calls Delegation via pending intents M. Bugliesi (UNIVE) LINTENT / 24

9 Android insecurities Privilege escalation Intended ICC protection policy An application protected by a permission P should only be invoked by applications owning P M. Bugliesi (UNIVE) LINTENT / 24

10 Android insecurities Privilege escalation Intended ICC protection policy An application protected by a permission P should only be invoked by applications owning P App A Granted: - Requires: - yes App B Granted: P Requires: - yes App C Granted: P Requires: P no M. Bugliesi (UNIVE) LINTENT / 24

11 Android insecurities Privilege escalation Intended ICC protection policy An application protected by a permission P should only be invoked by applications owning P App A Granted: - Requires: - yes App B Granted: P Requires: - yes App C Granted: P Requires: P no Security flaws in Android protection system Unprivileged caller may invoke a privileged callee, transitively acquiring privileges Pending intents may be employed to transfer permissions to unprivileged components M. Bugliesi (UNIVE) LINTENT / 24

12 Android insecurities Privilege escalation A realistic threat [Felt et. al 2011] More than a third of the 872 surveyed Android applications request permissions for sensitive resources and also expose public interfaces; they are therefore at risk of privilege escalation Found 15 permission redelegation vulnerabilities in 5 core system applications A. Porter Felt, H-J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. USENIX Security Symposium, M. Bugliesi (UNIVE) LINTENT / 24

13 Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee M. Bugliesi (UNIVE) LINTENT / 24

14 Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - App B Granted: P Requires: - App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT / 24

15 Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT / 24

16 Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT / 24

17 Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - no App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT / 24

18 Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - no App C Granted: P Requires: P Our approach is different we opt for static, certified verification by typing M. Bugliesi (UNIVE) LINTENT / 24

19 LINTENT Android source code analyzer Implemented as an Android Lint plugin Full Eclipse integration Detects Android API usage Component classes SDK method calls Special calling patterns Helps developers write robust code Type errors, warnings and hints on the code A second-tier Java type-checker M. Bugliesi (UNIVE) LINTENT / 24

20 LINTENT Security checking Analyzes Application permissions (manifest) IPC permissions used in source code Secrecy level of objects to track pending intents Detects Attack surfaces for privilege escalation Over-privileged applications Runtime failures due to under-privilege M. Bugliesi (UNIVE) LINTENT / 24

21 LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT / 24

22 LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT / 24

23 LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i: secrecy(p) = secrecy(i) PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT / 24

24 LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i: secrecy(p) = secrecy(i) PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent: secrecy(i2) = PUBLIC Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT / 24

25 LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i: secrecy(p) = secrecy(i) PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent: secrecy(i2) = PUBLIC Intent i2 = new Intent("ACT_STRING"); // inject p into i2: TYPE ERROR! secrecy(p) > secrecy(i2) i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT / 24

26 LINTENT Inter-component communication Analyzes Component classes Inter-component dataflow in message passing (within intents) Detects Mismatches in inter-component communication Undisciplined programming practices M. Bugliesi (UNIVE) LINTENT / 24

27 LINTENT Inter-component communication A real problem [Maji et. al. 2011] Extensive testing, based on randomly generated intents sent to 450+ components in Android 4.0 builtin applications, and 5 most popular applications on Google Play. Around 5% - 8% ICC crashes, depending on component type, due to uncaught exceptions. Corresponding to a total of 641 crashes in Android 4.0, 152 in Google Play apps A. K. Maji, F A. Arshad, S. Bagchi and J. S. Rellermeyer. An empirical study of the robustness of Inter-component Communication in Android Dependable Systems and Networks, DSN 2011 M. Bugliesi (UNIVE) LINTENT / 24

28 LINTENT Tracing message passing class SenderActivity extends Activity protected void oncreate(bundle savedinstancestate)... // create an explicit intent Intent i = new Intent(this, ReceiverActivity.class); // populate with primitive and user-defined i.putextra("k1", 3); i.putextra("k2", true); i.putextra("k3", new SomeSerializable()); // start receiver startactivity(i); M. Bugliesi (UNIVE) LINTENT / 24

29 LINTENT Tracing message passing public class ReceiverActivity extends Activity protected void oncreate(bundle savedinstancestate) // retrieve the intent Intent i = getintent(); // retreive first extra component String v1 = i.getstringextra("k1"); // retreive third extra component WrongSerializable o = (WrongSerializable)i.getSerializableExtra("k3");... M. Bugliesi (UNIVE) LINTENT / 24

30 LINTENT Tracing message passing public class ReceiverActivity extends Activity protected void oncreate(bundle savedinstancestate) // retrieve the intent Intent i = getintent(); // retreive first extra component TYPE ERROR - k1: int String v1 = i.getstringextra("k1"); // retreive third extra component WrongSerializable o = (WrongSerializable)i.getSerializableExtra("k3");... M. Bugliesi (UNIVE) LINTENT / 24

31 LINTENT Tracing message passing public class ReceiverActivity extends Activity protected void oncreate(bundle savedinstancestate) // retrieve the intent Intent i = getintent(); // retreive first extra component TYPE ERROR - k1: int String v1 = i.getstringextra("k1"); // retreive third extra component TYPE ERROR - k3: SomeSerializable WrongSerializable o = (WrongSerializable)i.getSerializableExtra("k3");... M. Bugliesi (UNIVE) LINTENT / 24

32 LINTENT Architecture Our implementation is an ADT Lint plugin Android source code parse Lint Plugin Lombok AST spawn process AST pipe LINTENT Engine warn pipe M. Bugliesi (UNIVE) LINTENT / 24

33 LINTENT Features Full supports for Java 1.6 Third-party libraries (external JARs) inspection Dataflow for intents, pending intents and bundles Support for recursive nesting Pending intents injected within intents and viceversa M. Bugliesi (UNIVE) LINTENT / 24

34 LINTENT First experiments Type-checked existing apps from Google Play store APN-Switch Any application can send an intent to turn the network on/off Wifi-Fixer Any application can send an intent to turn the wifi on/off difficult to notice by manual inspection not ideal for a fixer, ain t it? Both flaws uncovered by LINTENT and then verified manually M. Bugliesi (UNIVE) LINTENT / 24

35 LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation M. Bugliesi (UNIVE) LINTENT / 24

36 LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation Among self-contained apps with UI components 85% of intents are explicit 60% of warnings and errors relate to intent mistyping M. Bugliesi (UNIVE) LINTENT / 24

37 LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation Among self-contained apps with UI components 85% of intents are explicit 60% of warnings and errors relate to intent mistyping Among Service-based apps over 95% intents are implicit LINTENT cannot help much with these M. Bugliesi (UNIVE) LINTENT / 24

38 LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation Among self-contained apps with UI components 85% of intents are explicit 60% of warnings and errors relate to intent mistyping Among Service-based apps over 95% intents are implicit LINTENT cannot help much with these Among apps that use permissions 30% are over-privileged 10% accidentally incur privile escalation via PendingIntent within an Intent 25% are under-privileged based on Broadcast Receivers M. Bugliesi (UNIVE) LINTENT / 24

39 DEMO

40 Conclusions Enhancing the Android development process highly desired type-based analysis is possible and useful, though demanding certified security is still far away, but LINTENT is a first step in that direction M. Bugliesi (UNIVE) LINTENT / 24

41 Conclusions Enhancing the Android development process highly desired type-based analysis is possible and useful, though demanding certified security is still far away, but LINTENT is a first step in that direction What s next continue engineering of prototype, extensive testing integrate a front-end to a decompiler re-target to DALVIK code support for robust declassification/endorsement M. Bugliesi (UNIVE) LINTENT / 24

42 Thanks

43 References M. Bugliesi, S. Calzavara, A. Spanò. Lintent: Towards Security Type-Checking of Android Applications. Joint IFIP International Conference, FMOODS/FORTE A. K. Maji, F A. Arshad, S. Bagchi and J. S. Rellermeyer. An empirical study of the robustness of Inter-component Communication in Android. Dependable Systems and Networks, DSN Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and Marcel Winandy, Privilege escalation attacks on Android, ISC Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey, Modeling and enhancing Android s permission system, ESORICS Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin, Permission re-delegation: Attacks and defenses, USENIX Security Symposium, M. Bugliesi (UNIVE) LINTENT / 24

Lintent: Towards Security Type-Checking of Android Applications

Lintent: Towards Security Type-Checking of Android Applications Michele Bugliesi, Stefano Calzavara, and Alvise Spanò Università Ca Foscari Venezia Abstract. The widespread adoption of Android devices