Static Verification of Android Security

Similar documents
Lintent: Towards Security Type-Checking of Android Applications

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android

Lecture 08. Android Permissions Demystified. Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner. Operating Systems Practical

Security Philosophy. Humans have difficulty understanding risk

2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions

STUDY OF PRIVILEGE ESCALATION ATTACK ON ANDROID AND ITS COUNTERMEASURES

An Effective Access Control Scheme for Preventing Permission Leak in Android

Mobile Device and Platform Security Part II

Lecture Embedded System Security

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

Ariadnima - Android Component Flow Reconstruction and Visualization

Mobile development initiation

Lecture 3 MOBILE PLATFORM SECURITY

Lecture 9. PSiOS: Bring Your Own Privacy & Security to ios Devices. Tim Werthmann, Ralf Hund, Lucas Davi, Ahmad-Reza Sadeghi and Thorsten Holz

C1: Define Security Requirements

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101

Introduction to Android

Android System Architecture. Android Application Fundamentals. Applications in Android. Apps in the Android OS. Program Model 8/31/2015

VirtualSwindle: An Automated Attack Against In-App Billing on Android

DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Introduction to Android

Network and Distributed System Security Symposium (NDSS) San Diego, USA, Februrary 9, 2015

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Lecture 1 Introduction to Android. App Development for Mobile Devices. App Development for Mobile Devices. Announcement.

Android Online Training

ANDROID APPS (NOW WITH JELLY BEANS!) Jordan Jozwiak November 11, 2012

Syllabus- Java + Android. Java Fundamentals

Multiple Activities. Many apps have multiple activities

The Multi-Principal OS Construction of the Gazelle Web Browser. Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter

Android. Mobile operating system developed by Google A complete stack. Based on the Linux kernel Open source under the Apache 2 license

Modeling the Android Platform

1. Implementation of Inheritance with objects, methods. 2. Implementing Interface in a simple java class. 3. To create java class with polymorphism

Mobile Security Fall 2011

Towards a Systematic Study of the Covert Channel Attacks in Smartphones

COSC 3P97 Mobile Computing

ANDROID SYLLABUS. Advanced Android

Collusive Data Leak and More: Large-scale Threat Analysis of Inter-app Communications. Amiangshu Bosu, Fang Liu, Danfeng (Daphne) Yao, & Gang Wang

Applications Mobiles et Internet des Objets Introduction a l architecture d Android

Android framework. How to use it and extend it

Android Malware: they divide, we conquer

Android App Development. Muhammad Sharjeel COMSATS Institute of Information Technology, Lahore

Security and privacy in the smartphone ecosystem: Final progress report

Understanding and Automatically Preventing Injection Attacks on Node.js

Android. Operating System and Architecture. Android. Screens. Main features

Formal Security Analysis of Android Apps

Mobile Application Development - Android

Helping Developers Construct Secure Mobile Applications. Erika Michelle Chin

Relay Attacks on Secure Elementenabled

Permission Analysis of Health and Fitness Apps in IoT Programming Frameworks

Real-Time Embedded Systems

Android App Development

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Scippa: System-Centric IPC Provenance on Android

Adaptive Android Kernel Live Patching

Programming with Android: Intents. Luca Bedogni. Dipartimento di Scienze dell Informazione Università di Bologna

Programming with Android: System Architecture. Dipartimento di Scienze dell Informazione Università di Bologna

SECURITY ANALYSIS OF EMERGING SMART HOME APPLICATIONS

Google on BeyondCorp: Empowering employees with security for the cloud era

Dynamic Detection of Inter- Application Communication Vulnerabilities in Android. Daniel Barton

Developer s overview of the Android platform

Programming with Android: System Architecture. Dipartimento di Scienze dell Informazione Università di Bologna

MARS AREA SCHOOL DISTRICT Curriculum TECHNOLOGY EDUCATION

Access Control for Plugins in Cordova-based Hybrid Applications

RUNTIME PERMISSIONS IN ANDROID 6.0 Lecture 10a

ANDROID DEVELOPMENT. Course Details

MC Android Programming

Understanding Application

PaddyFrog: systematically detecting confused deputy vulnerability in Android applications

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

Understanding and Detecting Wake Lock Misuses for Android Applications

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Modeling and Enhancing Android's Permission System

ReDroid: Prioritizing Data Flows and Sinks for App Security Transformation

Android Analysis Tools. Yuan Tian

Android Overview. Most of the material in this section comes from

Android App Development

Practical Attack Scenarios on Secure Element-enabled Mobile Devices

IBM Datacap Mobile SDK Developer s Guide

OS Security Rethinking Permission Granting in Modern Operating Systems

Android Programming (5 Days)

Security, Privacy, & User Expectations:

Sandboxing untrusted code: policies and mechanisms

Understanding and Detecting Wake Lock Misuses for Android Applications

Link-OS SDK for Xamarin README

Configuring the Android Manifest File

1. GOALS and MOTIVATION

PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices

Mobile Devices prioritize User Experience

Introduction To Android

Why using intents. Activity. Screen1 Screen 2

Mobile Computing. Introduction to Android

Tongbo Luo Cong Zheng Zhi Xu Xin Ouyang ANTI-PLUGIN: DON T LET YOUR APP PLAY AS AN ANDROID PLUGIN

Android Programmierung leichtgemacht. Lars Vogel

Detecting Advanced Android Malware by Data Flow Analysis Engine. Xu Hao & pll

Secure Element APIs and Practical Attacks on Secure Element-enabled Mobile Devices

Embedded Systems Programming - PA8001

Looking Forward: Challenges in Mobile Security. John Mitchell Stanford University

Mandatory Access Control for the Android Dalvik VM

Android App Development. Ahmad Tayeb

Transcription:

Static Verification of Android Security Michele Bugliesi based on work with Stefano Calzavara and Alvise Spanò appeared at FORTE/FMOODS Int. Conf. 2013 Università Ca Foscari Venezia Dipartimento di Scienze Ambientali, Informatica e Statistica ISACA VENICE 27.9.2013

Mobile Devices All Over Smartphones have become pervasive Increasingly widespread and involved in a variety of contexts: Web browsing and social networking Multimedia and entertainment Navigation and Location Based Services On-line payments... Smartphone security and robustness have therefore become critical M. Bugliesi (UNIVE) LINTENT 27.9.2013 2 / 24

Mobile/Smartphone Security A variety of attack surfaces Apple s IOS Closed platform: secret vetting process for new applications Largely (?) protected against malware and design flaws Privacy concerns arising from closed nature of the platform Google s Android An open platform: loose control on flawed applications Interesting case study for security research Lots of design flaws and security attacks found over the last few years M. Bugliesi (UNIVE) LINTENT 27.9.2013 3 / 24

Android Security Main attack surfaces Information flow leaks Privilege escalation Coarse permissioning ICC mismatches Countermeasures Data-flow analysis Runtime reference monitors OS enhancements Exception handling We focus on priviledge escalation and ICC mismatches Language-based security approach: static verification, based on security typing enforce certified secure design practices assist robust application development Also effective for validation of existing applications M. Bugliesi (UNIVE) LINTENT 27.9.2013 4 / 24

Android Architecture in 1 slide Applications consist of separate components Activities: associated with user interfaces Services: performing long-running background computations Broadcast receivers: acting as forwarders of system-wide broadcast messages to specific application components. Content providers: managing persistent application data. M. Bugliesi (UNIVE) LINTENT 27.9.2013 5 / 24

Android Architecture in 1 slide Applications consist of separate components Activities: associated with user interfaces Services: performing long-running background computations Broadcast receivers: acting as forwarders of system-wide broadcast messages to specific application components. Content providers: managing persistent application data. Components communicate with intents explicit: directed to a specific component implicit: directed to any component supporting associated action exchanged asynchronously M. Bugliesi (UNIVE) LINTENT 27.9.2013 5 / 24

Android Security Model in 1 slide Sandboxing Applications mutually distrusted Application assigned unique IDs Applications may only access resources they own, or resources owned by others that are made publicly available M. Bugliesi (UNIVE) LINTENT 27.9.2013 6 / 24

Android Security Model in 1 slide Sandboxing Applications mutually distrusted Application assigned unique IDs Applications may only access resources they own, or resources owned by others that are made publicly available Permission system Sensitive components protected by permissions PHONE CALL, INTERNET, BLUETOOTH,... Permissions required to run an application defined in the application s manifest, and granted upon installation Runtime reference monitor to check permissions upon ICC calls Delegation via pending intents M. Bugliesi (UNIVE) LINTENT 27.9.2013 6 / 24

Android insecurities Privilege escalation Intended ICC protection policy An application protected by a permission P should only be invoked by applications owning P M. Bugliesi (UNIVE) LINTENT 27.9.2013 7 / 24

Android insecurities Privilege escalation Intended ICC protection policy An application protected by a permission P should only be invoked by applications owning P App A Granted: - Requires: - yes App B Granted: P Requires: - yes App C Granted: P Requires: P no M. Bugliesi (UNIVE) LINTENT 27.9.2013 7 / 24

Android insecurities Privilege escalation Intended ICC protection policy An application protected by a permission P should only be invoked by applications owning P App A Granted: - Requires: - yes App B Granted: P Requires: - yes App C Granted: P Requires: P no Security flaws in Android protection system Unprivileged caller may invoke a privileged callee, transitively acquiring privileges Pending intents may be employed to transfer permissions to unprivileged components M. Bugliesi (UNIVE) LINTENT 27.9.2013 7 / 24

Android insecurities Privilege escalation A realistic threat [Felt et. al 2011] More than a third of the 872 surveyed Android applications request permissions for sensitive resources and also expose public interfaces; they are therefore at risk of privilege escalation Found 15 permission redelegation vulnerabilities in 5 core system applications A. Porter Felt, H-J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. USENIX Security Symposium, 2011. M. Bugliesi (UNIVE) LINTENT 27.9.2013 8 / 24

Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee M. Bugliesi (UNIVE) LINTENT 27.9.2013 9 / 24

Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - App B Granted: P Requires: - App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT 27.9.2013 9 / 24

Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT 27.9.2013 9 / 24

Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT 27.9.2013 9 / 24

Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - no App C Granted: P Requires: P M. Bugliesi (UNIVE) LINTENT 27.9.2013 9 / 24

Privilege escalation Countermeasures State of the art Existing solutions enforce runtime protection require patches to OS incur performance overhead Do not provide any certified guarantee Example ICC Inspection [Felt et. al 2011] inspect privileges in the ICC call chain, downgrade components as needed App A Granted: - Requires: - yes App B Granted: - Requires: - no App C Granted: P Requires: P Our approach is different we opt for static, certified verification by typing M. Bugliesi (UNIVE) LINTENT 27.9.2013 9 / 24

LINTENT Android source code analyzer Implemented as an Android Lint plugin Full Eclipse integration Detects Android API usage Component classes SDK method calls Special calling patterns Helps developers write robust code Type errors, warnings and hints on the code A second-tier Java type-checker M. Bugliesi (UNIVE) LINTENT 27.9.2013 10 / 24

LINTENT Security checking Analyzes Application permissions (manifest) IPC permissions used in source code Secrecy level of objects to track pending intents Detects Attack surfaces for privilege escalation Over-privileged applications Runtime failures due to under-privilege M. Bugliesi (UNIVE) LINTENT 27.9.2013 11 / 24

LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT 27.9.2013 12 / 24

LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT 27.9.2013 12 / 24

LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i: secrecy(p) = secrecy(i) PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT 27.9.2013 12 / 24

LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i: secrecy(p) = secrecy(i) PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent: secrecy(i2) = PUBLIC Intent i2 = new Intent("ACT_STRING"); // inject p into i2 i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT 27.9.2013 12 / 24

LINTENT Tracing pending intents class MyActivity extends Activity... // Create intent, requires BLUETOOTH: secrecy(i)= BLUETOOTH Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE); // Create pending intent for i: secrecy(p) = secrecy(i) PendingIntent p = PendingIntent.getActivity(this,0,i,0); // Create new intent: secrecy(i2) = PUBLIC Intent i2 = new Intent("ACT_STRING"); // inject p into i2: TYPE ERROR! secrecy(p) > secrecy(i2) i2.putextra("pending", p); // pending intent within i2 provides BLUETOOTH to any recipient startactivity(i2); M. Bugliesi (UNIVE) LINTENT 27.9.2013 12 / 24

LINTENT Inter-component communication Analyzes Component classes Inter-component dataflow in message passing (within intents) Detects Mismatches in inter-component communication Undisciplined programming practices M. Bugliesi (UNIVE) LINTENT 27.9.2013 13 / 24

LINTENT Inter-component communication A real problem [Maji et. al. 2011] Extensive testing, based on 9000+ randomly generated intents sent to 450+ components in Android 4.0 builtin applications, and 5 most popular applications on Google Play. Around 5% - 8% ICC crashes, depending on component type, due to uncaught exceptions. Corresponding to a total of 641 crashes in Android 4.0, 152 in Google Play apps A. K. Maji, F A. Arshad, S. Bagchi and J. S. Rellermeyer. An empirical study of the robustness of Inter-component Communication in Android Dependable Systems and Networks, DSN 2011 M. Bugliesi (UNIVE) LINTENT 27.9.2013 14 / 24

LINTENT Tracing message passing class SenderActivity extends Activity protected void oncreate(bundle savedinstancestate)... // create an explicit intent Intent i = new Intent(this, ReceiverActivity.class); // populate with primitive and user-defined i.putextra("k1", 3); i.putextra("k2", true); i.putextra("k3", new SomeSerializable()); // start receiver startactivity(i); M. Bugliesi (UNIVE) LINTENT 27.9.2013 15 / 24

LINTENT Tracing message passing public class ReceiverActivity extends Activity protected void oncreate(bundle savedinstancestate) // retrieve the intent Intent i = getintent(); // retreive first extra component String v1 = i.getstringextra("k1"); // retreive third extra component WrongSerializable o = (WrongSerializable)i.getSerializableExtra("k3");... M. Bugliesi (UNIVE) LINTENT 27.9.2013 16 / 24

LINTENT Tracing message passing public class ReceiverActivity extends Activity protected void oncreate(bundle savedinstancestate) // retrieve the intent Intent i = getintent(); // retreive first extra component TYPE ERROR - k1: int String v1 = i.getstringextra("k1"); // retreive third extra component WrongSerializable o = (WrongSerializable)i.getSerializableExtra("k3");... M. Bugliesi (UNIVE) LINTENT 27.9.2013 16 / 24

LINTENT Tracing message passing public class ReceiverActivity extends Activity protected void oncreate(bundle savedinstancestate) // retrieve the intent Intent i = getintent(); // retreive first extra component TYPE ERROR - k1: int String v1 = i.getstringextra("k1"); // retreive third extra component TYPE ERROR - k3: SomeSerializable WrongSerializable o = (WrongSerializable)i.getSerializableExtra("k3");... M. Bugliesi (UNIVE) LINTENT 27.9.2013 16 / 24

LINTENT Architecture Our implementation is an ADT Lint plugin Android source code parse Lint Plugin Lombok AST spawn process AST pipe LINTENT Engine warn pipe M. Bugliesi (UNIVE) LINTENT 27.9.2013 17 / 24

LINTENT Features Full supports for Java 1.6 Third-party libraries (external JARs) inspection Dataflow for intents, pending intents and bundles Support for recursive nesting Pending intents injected within intents and viceversa M. Bugliesi (UNIVE) LINTENT 27.9.2013 18 / 24

LINTENT First experiments Type-checked existing apps from Google Play store APN-Switch Any application can send an intent to turn the network on/off Wifi-Fixer Any application can send an intent to turn the wifi on/off difficult to notice by manual inspection not ideal for a fixer, ain t it? Both flaws uncovered by LINTENT and then verified manually M. Bugliesi (UNIVE) LINTENT 27.9.2013 19 / 24

LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation M. Bugliesi (UNIVE) LINTENT 27.9.2013 20 / 24

LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation Among self-contained apps with UI components 85% of intents are explicit 60% of warnings and errors relate to intent mistyping M. Bugliesi (UNIVE) LINTENT 27.9.2013 20 / 24

LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation Among self-contained apps with UI components 85% of intents are explicit 60% of warnings and errors relate to intent mistyping Among Service-based apps over 95% intents are implicit LINTENT cannot help much with these M. Bugliesi (UNIVE) LINTENT 27.9.2013 20 / 24

LINTENT Further experiments Preliminary results over a small number of apps Tested on 11 open-source apps We re soon ready for massive experimentation Among self-contained apps with UI components 85% of intents are explicit 60% of warnings and errors relate to intent mistyping Among Service-based apps over 95% intents are implicit LINTENT cannot help much with these Among apps that use permissions 30% are over-privileged 10% accidentally incur privile escalation via PendingIntent within an Intent 25% are under-privileged based on Broadcast Receivers M. Bugliesi (UNIVE) LINTENT 27.9.2013 20 / 24

DEMO

Conclusions Enhancing the Android development process highly desired type-based analysis is possible and useful, though demanding certified security is still far away, but LINTENT is a first step in that direction M. Bugliesi (UNIVE) LINTENT 27.9.2013 22 / 24

Conclusions Enhancing the Android development process highly desired type-based analysis is possible and useful, though demanding certified security is still far away, but LINTENT is a first step in that direction What s next continue engineering of prototype, extensive testing integrate a front-end to a decompiler re-target to DALVIK code support for robust declassification/endorsement M. Bugliesi (UNIVE) LINTENT 27.9.2013 22 / 24

Thanks

References M. Bugliesi, S. Calzavara, A. Spanò. Lintent: Towards Security Type-Checking of Android Applications. Joint IFIP International Conference, FMOODS/FORTE 2013. A. K. Maji, F A. Arshad, S. Bagchi and J. S. Rellermeyer. An empirical study of the robustness of Inter-component Communication in Android. Dependable Systems and Networks, DSN 2011. Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and Marcel Winandy, Privilege escalation attacks on Android, ISC 2010. Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey, Modeling and enhancing Android s permission system, ESORICS 2012. Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin, Permission re-delegation: Attacks and defenses, USENIX Security Symposium, 2011. M. Bugliesi (UNIVE) LINTENT 27.9.2013 24 / 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback