COMPSCI 702 DeepDroid Dynamically Enforcing Enterprise Policy on Android Devices Presenter: Jie Yuan (Jeff)


Agenda
- Introduction
- DeepDroid-Overview
- DeepDroid-Implementations
- DeepDroid-Evaluation
- Criticisms

Introduction
- Smartphones are increasingly adopted in the workspace
  - “51% of end users rely on smartphones to perform daily business activities.” (Cisco 2013)
- Android dominates the smartphone market
  - “Android took 84.6% smartphone share in Q3 2015” (Gartner)

But Android devices are not easily managed
- Permission:
  - Coarse-grained
  - All-or-nothing
  - Lack of run-time configuration
- SEAndroid
  - Brings flexible MAC to Android (kernel)
  - No middleware layer MAC support yet

Introduction - Current status
- OEM vendors usually implement their own management APIs
  - Samsung Knox
- Customize system to enforce policies
  - Require tremendous modification on source code
  - Portability issue for Android branches and OEMs
- Rewrite Android apps
  - Intercept security sensitive APIs from multiple layers
  - Lack of isolation between App and monitoring code

DeepDroid Overview
- A dynamic enterprise security policy enforcement scheme.
- The approaches to enforce policy:
  - Dynamic memory instrumentation to hook the permission check inside DVM for Java code
  - Tracing (ptrace) system calls to monitor native code
  - Tracing process creation (fork) in zygote for privilege authorization
  - Tracking process operations in binder

DeepDroid Overview - Components
- DeepDroid On-device
  - Device Monitor
    - Monitors the mobile device
    - Communicates to Enterprise Policy Center
  - Privilege Enforcement
    - Authorises access privilege to apps
    - Permission Configurator from Android middleware
    - Process Creation Guard monitoring native code
  - Context Enforcement
    - Monitor resource access
    - Trace system calls to regulate app operations
  - Policy Engine
    - Maintains policy rules
- Enterprise Policy Center
  - Authenticates mobile devices
  - Distributes enterprise policies
  - Monitors mobile devices

DeepDroid Implementation - Permission Configurator
- Intercepts system_server to enforce runtime permission policies for standard Java applications
- Leverages the ptrace system call to control and manipulate the target process

DeepDroid Implementation - Process Creation Guard
- Traces zygote to monitor new process creation from native code

DeepDroid Implementation - Context Enforcement
- Introduces a binder wrapper to intercept and regulate the service provision procedure
- An exception may arouse suspicion that the user is at some secret location
  - Return a fake location to the app instead of an exception

Context Enforcement – Binder Interception
- Binder interception
  - libbinder.so provides the interfaces for apps based on the binder driver (mainly ioctl)
  - The ioctl system call is redirected by the binder interception module to a wrapper in libwrapper.so by modifying the GOT (Global Offset Table) of libbinder.so
  - By doing so, all system calls into the binder driver are captured

Context Enforcement – Content Parsing
- The raw data is packaged into a binder_write_read buffer
- The parser converts the buffer into readable information like Descriptor of Service and Code for better understanding.

Context Enforcement – Transaction regulating
- Thread #1 as the initiator
- Thread #2 as the service provider
- Two types of processing are supported, pre and post
- E.g. an SMS to a suspicious number should be stopped before the operation.
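The content parsing and transaction regulating steps above, as an added example (not code from the slides or from DeepDroid): a parser recovers the service descriptor from a transaction payload and a rule table picks the pre or post action. The payload layout, the `rule` struct, `regulate` and the transaction codes are assumptions for illustration; matching on arguments such as the SMS destination number is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum phase  { PRE, POST };
enum action { ALLOW, BLOCK, FAKE_REPLY };
/* Hypothetical rule: (service descriptor, transaction code, phase) -> action. */
struct rule { const char *desc; uint32_t code; enum phase when; enum action act; };
/* Constructed policy; the transaction codes are placeholders, not real AIDL codes. */
static const struct rule RULES[] = {
    { "com.android.internal.telephony.ISms", 5, PRE,  BLOCK },
    { "android.location.ILocationManager",   7, POST, FAKE_REPLY },
};

static uint32_t rd32(const uint8_t *p) {           /* little-endian 32-bit read */
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed payload layout: int32 header, int32 length in UTF-16 units, then the
 * UTF-16LE descriptor. Returns 0 and an ASCII copy in out, or -1 if malformed. */
int parse_descriptor(const uint8_t *buf, size_t len, char *out, size_t cap) {
    if (len < 8) return -1;
    uint32_t n = rd32(buf + 4);
    if (n >= cap || n > (len - 8) / 2) return -1;  /* bounds before any copy */
    for (uint32_t i = 0; i < n; i++) {
        if (buf[8 + 2 * i + 1] != 0) return -1;    /* non-ASCII unit: reject */
        out[i] = (char)buf[8 + 2 * i];
    }
    out[n] = '\0';
    return 0;
}

/* Fail closed: a payload the parser cannot read is blocked in either phase. */
enum action regulate(const uint8_t *buf, size_t len, uint32_t code, enum phase when) {
    char desc[128];
    if (parse_descriptor(buf, len, desc, sizeof desc) != 0) return BLOCK;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (RULES[i].when == when && RULES[i].code == code &&
            strcmp(RULES[i].desc, desc) == 0)
            return RULES[i].act;
    return ALLOW;
}

/* Builds a constructed sample payload for a short descriptor; returns its length. */
size_t make_sample(uint8_t *buf, const char *desc) {
    size_t n = strlen(desc);
    memset(buf, 0, 8 + 2 * n + 2);
    buf[4] = (uint8_t)n;
    for (size_t i = 0; i < n; i++) buf[8 + 2 * i] = (uint8_t)desc[i];
    return 8 + 2 * n + 2;
}
```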

Context Enforcement – Native Code Context Enforcement
- A supplement to the Process Creation Guard to provide fine-grained control on native operations
- For instance, instead of disconnecting an app completely from the Internet, the app may be allowed to access some specific trusted web servers. Therefore, besides configuring inet group, we develop a native code context enforcement module to regulate network accessing operations by confining the context of socket calls, such as connect, recvfrom and sendto.
- This is more likely a future plan which has not been tested or even implemented, since the overhead will be quite high to trace data packet operations especially for network intensive apps.
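One way to express the trusted-server check described above, as an added example (not code from the slides or from DeepDroid): a decision function applied to the address argument of a traced connect call. The `trusted` struct, `connect_allowed` and the allowlist entries are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical per-app rule: a trusted IPv4 network and port (0 = any port). */
struct trusted { const char *net; int prefix; uint16_t port; };

/* Constructed allowlist using documentation address ranges (RFC 5737). */
static const struct trusted TRUSTED[] = {
    { "192.0.2.10",   32, 443 },   /* one trusted web server, HTTPS only */
    { "198.51.100.0", 24, 0   },   /* a trusted subnet, any port */
};

/* Returns 1 to allow and 0 to deny. Local AF_UNIX sockets are not network
 * access; AF_INET6 and truncated addresses are denied so they cannot bypass. */
int connect_allowed(const struct sockaddr *sa, socklen_t len) {
    if (sa == NULL || len < (socklen_t)sizeof(sa->sa_family)) return 0;
    if (sa->sa_family == AF_UNIX) return 1;
    if (sa->sa_family != AF_INET || len < (socklen_t)sizeof(struct sockaddr_in)) return 0;
    const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
    uint32_t addr = ntohl(in->sin_addr.s_addr);
    uint16_t port = ntohs(in->sin_port);
    for (size_t i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++) {
        struct in_addr net;
        if (inet_pton(AF_INET, TRUSTED[i].net, &net) != 1) continue;
        uint32_t mask = TRUSTED[i].prefix ? ~0u << (32 - TRUSTED[i].prefix) : 0;
        if ((addr & mask) == (ntohl(net.s_addr) & mask) &&
            (TRUSTED[i].port == 0 || TRUSTED[i].port == port))
            return 1;
    }
    return 0;
}

/* Builds a constructed connect() destination for trying the check. */
struct sockaddr_in sample_dest(const char *ip, uint16_t port) {
    struct sockaddr_in in;
    memset(&in, 0, sizeof in);
    in.sin_family = AF_INET;
    in.sin_port = htons(port);
    inet_pton(AF_INET, ip, &in.sin_addr);
    return in;
}
```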

Evaluated Resources

| Resource | Permission | Group | PEP (1) | Process |
|---|---|---|---|---|
| IMEI | READ_PHONE_STATE | | package | com.android.phone |
| Phone # | READ_PHONE_STATE | | package | |
| location | ACCESS_FINE_LOCATION | | package | system_server |
| contacts | READ_CONTACTS | | package | android.process.acore |
| camera | CAMERA | camera | package / PCG (2) | mediaserver |
| account | GET_ACCOUNTS | | package | system_server |
| logs | READ_LOGS | log | PCG (2) | app process |
| network | INTERNET | inet | package / PCG (2) | |
| SMS | SEND_SMS | | package | com.android.phone |

(1) PEP: permission enforcement point
(2) PCG: Process Creation Guard
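The rows enforced through the Process Creation Guard are the ones backed by a Linux group (camera, log, inet), so the decision reduces to which supplementary groups a new app process keeps. An added example of that filtering step, not DeepDroid's own code; `gid_policy`, `filter_groups` and the UID are hypothetical.

```c
#include <stddef.h>
#include <sys/types.h>

/* Android group IDs behind the three group-backed permissions in the table
 * (values from android_filesystem_config.h). */
#define AID_CAMERA 1006   /* CAMERA    */
#define AID_LOG    1007   /* READ_LOGS */
#define AID_INET   3003   /* INTERNET  */

/* Hypothetical policy record: groups an enterprise policy denies to one app UID. */
struct gid_policy { uid_t uid; const gid_t *denied; size_t ndenied; };

/* Constructed policy: the app running as UID 10057 loses network and log access. */
const gid_t DENY_NET_LOG[] = { AID_INET, AID_LOG };
const struct gid_policy POLICY[] = { { 10057, DENY_NET_LOG, 2 } };

/* Filters, in place, the supplementary group list prepared for a new process
 * of `uid`, before it would be passed to setgroups(). Returns the new count.
 * A UID without a policy entry keeps its list unchanged. */
size_t filter_groups(const struct gid_policy *pol, size_t npol, uid_t uid,
                     gid_t *gids, size_t n) {
    const struct gid_policy *p = NULL;
    for (size_t i = 0; i < npol; i++)
        if (pol[i].uid == uid) p = &pol[i];
    if (p == NULL) return n;
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        int denied = 0;
        for (size_t j = 0; j < p->ndenied; j++)
            if (gids[i] == p->denied[j]) denied = 1;
        if (!denied) gids[kept++] = gids[i];   /* compact the surviving groups */
    }
    return kept;
}
```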

Evaluated Devices

| Device | Android OS |
|---|---|
| Nexus S (Samsung) | Android OS |
| Sony LT29i | Android OS Android OS |
| Galaxy Nexus (Samsung) | Android OS 4.0 |
| Samsung Galaxy Note II | Android OS 4.1 |
| Samsung Galaxy Note 3 | Android OS 4.3 |
| Nexus 5 (LG) | Android OS 4.4 |
| Meizu MX II | Flyme 3.2 (Android OS 4.2.1) |
| Huawei Honor 3c | Android OS |

Performance

Performance (cont.)

Benchmark Scores (figure): Normal Quadrant, Traced Quadrant, Normal CaffeineMark and Trace CaffeineMark scores for MX II, LT29i and Nexus S.

Criticisms:
- Needs root privilege to instrument system components and trace zygote and binder, which is very dangerous to users: everything on the phone is monitored and supervised, and no personal apps are suggested.
- Relies heavily on the central policy center; if it is compromised by attackers, all smartphones are endangered, as the counterpart is running as root.
- The central policy center may become the bottleneck of the system and a single point of failure.
- Needs to communicate with the policy center from time to time, so it relies heavily on the network.
- Doesn’t have efficient support for image or voice recognition, which limits its usage on high-volume media-related resources like camera and audio.
- A spelling error exists even in the published version: “course-grained” on page 9 should be “coarse-grained”.

Questions?

Backup

DeepDroid – Summary
- Portable on almost all Android devices
  - Based on dynamic code instrumentation and process tracing
- Fine-grained access control policy
  - Both permission and behaviour level
  - By hooking and tracing critical Android components
- Minimal impacts
  - On both user experience and Android system
- Reduce the work on system customization

DeepDroid – Overview
- Centralized controller
  - system_server for middleware permissions
- Client-server architecture
  - system services, content providers, etc.
- Communication-Binder
  - RPC to services
  - Intent
  - Content Providers
- Operations inside of process boundary
  - Based on Linux system calls
  - Comply with Linux DAC
- Linux privilege authorized right after process creation
  - setgroups/setresgid/setresuid

DeepDroid – check point
- Intercepts system_server from the application side and zygote from the Linux side to enforce runtime permission policies