QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android

Transcription

1 QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC Communications and Informations Systems Security Symposium 1/ 14

2 Motivation Android popularity increasing Privacy under attack! Soundcomber (NDSS, 2011), PlaceRaider (NDSS, 2013), Permission model confusing & inflexible 2/ 14 Source: PlaceRaider [2]

3 Android Security & Communication System Security Common Linux security High-level permissions Sandbox for apps High-level IPC 3/ 14 Source: Programming Android [3]

4 Android Security & Communication System Security Common Linux security High-level permissions Sandbox for apps High-level IPC Communication High-level Middleware Unicast, Broadcast & RPC Poorly secured 3/ 14 Source: Programming Android [3]

5 Objective Identifying privilege escalation Detecting illegal information flow Dishonest/Colluding apps Abused apps Prevent mobile privacy invasion Using information flow analysis 4/ 14

6 Related Work XManDroid (NDSS, 2012) Graph based App permissions Direct & indirect communication 5/ 14 Source: XManDroid [4]

7 Related Work XManDroid (NDSS, 2012) Graph based App permissions Direct & indirect communication IPC Inspection (USENIX Sec., 2011) Focus on permission redelegation Adjust IPC callee permissions Only reduced, never extended Merely message independent interface-level permission control. 5/ 14 Source: XManDroid [4]

8 IPC Monitoring with FlowGraphService IPC Monitoring At IPC boundary High-level communication methods Forwarding data collection 6/ 14

9 IPC Monitoring with FlowGraphService IPC Monitoring At IPC boundary High-level communication methods Forwarding data collection Monitoring Characteristics Sender (PID, UID) Receiver (PID, UID) Size Taint Tag (,,,, ) 6/ 14

10 IPC Monitoring with FlowGraphService IPC Monitoring At IPC boundary High-level communication methods Forwarding data collection Monitoring Characteristics Sender (PID, UID) Receiver (PID, UID) Size Taint Tag (,,,, ) FlowGraphService Real-time collection Communication graph Containing all running apps Quantitative data flow 6/ 14

11 IPC Monitoring with FlowGraphService IPC Monitoring At IPC boundary High-level communication methods Forwarding data collection FlowGraphService Real-time collection Communication graph Containing all running apps Quantitative data flow Monitoring Characteristics Sender (PID, UID) Receiver (PID, UID) Size Taint Tag (,,,, ) Limit enforcement Enforce data flow limits Based on taint tags Countermeasures Kill app Block IPC message 6/ 14

12 Utilising Dynamic Taint Tagging TaintDroid (OSDI, 2010) Dynamic taint tagging Tag = data source Dalvik VM only, no native code Across IPC 7/ 14 Source: TaintDroid [6]

13 Utilising Dynamic Taint Tagging Taint Tagged IPC TaintDroid (OSDI, 2010) Dynamic taint tagging Interpreted Code Trusted Application Taint Source (1) Untrusted Application Trusted Library (8) Taint Sink Tag = data source Dalvik VM only, no native code Across IPC Userspace (2) Dalvik VM Interpreter Binder IPC Library (3) (4) Virtual Taint Map Binder Hook (5) (6) Virtual Taint Map Binder Hook (7) (9) Dalvik VM Interpreter Binder IPC Library Kernel BinderKernel Module 7/ 14 Source: TaintDroid [6]

14 Visualisation Current graph via custom fgdump-tool Graphviz for rendering Example Snapshot UID UID Tag: IMEI Throughput: 1664 Bytes/min Tag: CONTACTS Throughput: 1664 Bytes/min Tag: CONTACTS Throughput: 3968 Bytes/min android.process.media com.example.servicecomreceiver UID com.example.servicecomsender 8/ 14

15 Evaluation Cirteria Privilege escalation sensitive data propagates across apps Works with standard Android SDK APIs Test Scenarios i) Conspiring apps ii) Confused-deputy 9/ 14

16 Scenario: Conspiring apps Setup Attack scenario: conspiring apps Start Activity Intent <<component>> WeatherEntryActivity <<component>> MappingActivity Service Call Service Reply Service Call Activity Result <<component>> WeatherWidget <<component>> WeatherReporterService Service Reply Objective Innocent looking apps siphoning off contact data to send it off-site. 10/ 14

17 Scenario: Conspiring apps Execution T 1 UID Tag: CONTACTS Throughput: 828 Bytes/min com.example.snr_a.custommapping UID com.example.snr_a.weatherreporter UID com.example.snr_a.weatherwidget 11/ 14

18 Scenario: Conspiring apps Execution T 2 UID com.example.snr_a.custommapping UID bytes 1 contact Tag: CONTACTS Throughput: 216 Bytes/min com.example.snr_a.weatherreporter UID com.example.snr_a.weatherwidget 11/ 14

19 Scenario: Conspiring apps Execution T 3 UID Tag: CONTACTS Throughput: 828 Bytes/min com.example.snr_a.custommapping UID Tag: CONTACTS Throughput: 216 Bytes/min com.example.snr_a.weatherreporter UID com.example.snr_a.weatherwidget 11/ 14

20 Scenario: Conspiring apps Execution T 3 to T 4 UID Tag: CONTACTS Throughput: 828 Bytes/min com.example.snr_a.custommapping UID XTag: CONTACTS Throughput: 216 Bytes/min com.example.snr_a.weatherreporter UID com.example.snr_a.weatherwidget 11/ 14

21 Scenario: Conspiring apps Execution T 4 UID Tag: CONTACTS Throughput: 828 Bytes/min com.example.snr_a.custommapping UID com.example.snr_a.weatherreporter 11/ 14

22 Scenario: Confused-deputy Attack scenario: confused-deputy <<component>> EvilSMSBrowser Activity Service Call <<component>> SMSFormatterService Service Reply <<component>> NiceSMSBrowser Activity Service Reply Service Call Objective SMS theft due to insecure/open API. Execution See our paper. 12/ 14

23 Conclusion & Outlook Conclusion Mitigate privilege escalation Quantitative IPC monitoring Limitation: Not monitoring IP-/UNIX-sockets 13/ 14

24 Conclusion & Outlook Conclusion Mitigate privilege escalation Quantitative IPC monitoring Limitation: Not monitoring IP-/UNIX-sockets Outlook Analyse apps from Play Store Investigating data flow threshold heuristics 13/ 14

25 Questions? Tobias Markmann Department of Computer Science HAW Hamburg [1] R. Schlegel, K. Zhang, X. yong Zhou, M. Intwala, A. Kapadia, and X. Wang, Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones, in NDSS, The Internet Society, [2] R. Templeman, Z. Rahman, D. J. Crandall, and A. Kapadia, PlaceRaider: Virtual Theft in Physical Spaces with Smartphones, CoRR, vol. abs/ , [3] Z. R. Mednieks et al., Programming Android: Java programming for the new generation of mobile devices. O Reilly & Associates, Inc., second ed., [4] S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, and A.-R. Sadeghi, XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks, Technical Report TR , Technische Universität Darmstadt, Apr [5] A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin, Permission re-delegation: attacks and defenses, in Proceedings of the 20th USENIX conference on Security, SEC 11, (Berkeley, CA, USA), pp , USENIX Association, [6] W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth, TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, in OSDI (R. H. Arpaci-Dusseau and B. Chen, eds.), pp , USENIX Association, / 14