MobiSys 2017 Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation Qiang Zeng joint work with Lannan.

Presentation transcript:

MobiSys 2017 Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation Qiang Zeng joint work with Lannan Luo, Chen Cao, Kai Chen, Jian Liu, Limin Liu, Neng Gao, Min Yang, Xinyu Xing, and Peng Liu

Improving Software Security with Concurrent Monitoring, Automated Diagnosis, and Self-shielding Android Architecture

[Diagram: Android architecture, top to bottom: Apps; Android Framework (Location Manager Service, Window Manager Service, Activity Manager Service, Package Manager Service, Telephony Manager Service, Sensor Manager Service, ...); Libraries & Runtime; Linux Kernel.]

Android Framework is Vulnerable

Threats Caused by Framework Vulnerabilities
Vulnerabilities in Android Framework affect EACH Android device:
    Stealing user passwords
    Taking pictures in the background
    Tampering with user data
    ...

Android Security Research
Most work focuses on Android apps.
Very few techniques and tools exist for analyzing Android Framework.
No tool is available for automatically discovering vulnerabilities in Android Framework.

Background: Symbolic Execution
Symbolic execution refers to executing a program or function with symbols as parameters, systematically exploring all paths of the program.
Much more powerful than fuzzing: conventional vulnerability discovery uses fuzzing, where inputs are randomly generated and path exploration is non-systematic.
Symbolic execution is the state of the art in vulnerability discovery.

Example (x is the symbolic input):

    int foo (int x) {
        if (x < 0) return -1;
        assert (x != 0xFFF0000);
        return x/2;
    }

Symbolic branch on (x < 0):
    x < 0   -> return -1                      (concrete input: x == -1)
    x >= 0  -> continue to the assert
Symbolic branch on (x != 0xFFF0000):
    (x != 0xFFF0000) ∧ (x >= 0) -> return x/2        (concrete input: x == 1)
    (x == 0xFFF0000) ∧ (x >= 0) -> flaw detected!    (concrete input: x == 0xFFF0000)
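As an added illustration of the slide above (not code from the talk or from the Centaur project), a minimal symbolic executor for foo() that enumerates each path, its path condition over the single symbolic int x, and a concrete witness input, flagging the path on which the assertion fails; the interval-plus-exclusions solver is an assumption chosen to keep the example self-contained.

```python
from dataclasses import dataclass

ASSERT_CONST = 0xFFF0000
INT_MIN, INT_MAX = -2**31, 2**31 - 1  # 32-bit range of foo's int parameter

@dataclass(frozen=True)
class PathCond:
    """Path condition on symbolic x: lo <= x <= hi and x not in excluded."""
    lo: int = INT_MIN
    hi: int = INT_MAX
    excluded: frozenset = frozenset()
    trace: tuple = ()  # human-readable conjuncts in the order they were added

    def add(self, text, lo=None, hi=None, ne=None, eq=None):
        """Return a new condition with one more conjunct (the old one is unchanged)."""
        n_lo = max(self.lo, lo) if lo is not None else self.lo
        n_hi = min(self.hi, hi) if hi is not None else self.hi
        if eq is not None:
            n_lo, n_hi = max(n_lo, eq), min(n_hi, eq)
        n_ex = self.excluded | ({ne} if ne is not None else set())
        return PathCond(n_lo, n_hi, n_ex, self.trace + (text,))

    def witness(self):
        """A concrete int satisfying the condition (closest to 0), or None if infeasible."""
        if self.lo > self.hi:
            return None
        p = max(self.lo, min(self.hi, 0))
        for step in range(len(self.excluded) + 1):  # enough steps to skip every excluded value
            for v in (p + step, p - step):
                if self.lo <= v <= self.hi and v not in self.excluded:
                    return v
        return None

def sym_foo():
    """Explore foo() symbolically; yield (outcome, path condition) for each path."""
    pc = PathCond()
    # if (x < 0) return -1;
    yield "return -1", pc.add("x < 0", hi=-1)
    pc = pc.add("x >= 0", lo=0)
    # assert (x != 0xFFF0000);  the branch that falsifies the assert is the flaw
    yield "flaw detected (assertion fails)", pc.add("x == 0xFFF0000", eq=ASSERT_CONST)
    pc = pc.add("x != 0xFFF0000", ne=ASSERT_CONST)
    # return x/2;
    yield "return x/2", pc

def explore():
    """Feasible paths as (outcome, path condition text, concrete witness input)."""
    return [(out, " and ".join(pc.trace), pc.witness())
            for out, pc in sym_foo() if pc.witness() is not None]
```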

Symbolic Execution
    Vulnerability discovery
    PoC exploit generation: proving the vulnerability is exploitable
The first tool for symbolic execution of Android Framework.

How to Exploit a Framework Vulnerability
An exploit is a piece of code (or inputs) that takes advantage of a vulnerability in order to cause unintended behavior.
[Diagram: a malicious app (resources, AndroidManifest.xml, Dalvik bytecode) makes a system service call through an API into Android Framework, above Libraries & Runtime and the Linux Kernel; the app's attributes a0, a1 govern what the framework grants it access to.]
An exploit is part of a malicious app.
Symbolic inputs??? 1) Parameters of the API; 2) Variables storing configuration values of the malicious app.

Very complex!

    main () {
        forking system service threads;
        parsing all apps' information;
        storing app information into memory;
        ...
    }

The main thread first initializes Android Framework (system service threads 1..n, app information stored in memory).
Start symbolic execution at main? Path explosion!
Symbolic execution starts at the API entry of a system service thread instead.

Challenge A: State space explosion. Solution: skipping the initialization phase of Android Framework.
Challenge B: Execution context is missing. Solution: Phased Concrete-to-Symbolic Execution (PC2SE).
Challenge C: Identifying variables derived from the malicious app. Solution: Slim tainting.
Symbolic inputs: parameters of the API, and the variables in framework memory M that store configuration values of the malicious app.

Phased Concrete-to-Symbolic Execution (PC2SE)

Decoupled architecture: the app and Android Framework (on Libraries & Runtime and the Linux Kernel) run on one side, the symbolic executor on the other. The symbolic executor cannot obtain the execution context by itself, so the context is migrated: a context query client and context query server transfer a heap memory snapshot to the symbolic executor.

Architecture of our system

Instrumenting bytecode instructions for heap migration

Example of a test driver

Migrating heap

Slim Tainting

[Diagram: slim tainting. Taint sources: the app's package name and UID. Taint propagates through the framework's access patterns into memory M: array-based access (index derived from the UID) and hash-table-based access (key derived from the package name). Taint sinks: the framework variables that end up holding app-derived data, which are scattered across M.]

Taint propagation: array index = uid % 100,000 − 10,000
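As an added example (not the paper's or Centaur's code) of the slim tainting idea from the two slides above: only the calling app's UID and package name are taint sources, taint follows them through the index arithmetic and through array-based and hash-table-based lookups into a toy model of framework memory M, and the framework locals that carry taint are the app-derived variables that would become symbolic inputs. The memory layout, record contents and the mock service entry point are assumptions.

```python
class Tainted:
    """A value that remembers which taint sources (uid, package name) it derives from."""
    def __init__(self, value, sources=()):
        self.value, self.sources = value, frozenset(sources)
    def _binop(self, other, op):
        # Taint propagates through arithmetic: the result carries both operands' sources.
        o_val, o_src = unwrap(other)
        return Tainted(op(self.value, o_val), self.sources | o_src)
    def __mod__(self, other): return self._binop(other, lambda a, b: a % b)
    def __sub__(self, other): return self._binop(other, lambda a, b: a - b)

def unwrap(v):
    return (v.value, v.sources) if isinstance(v, Tainted) else (v, frozenset())

def app_index(uid):
    # The slide's array index for an app record: uid % 100,000 - 10,000 (int or Tainted)
    return uid % 100000 - 10000

class FrameworkMemory:
    """Toy model of framework memory M with the two access patterns on the slide."""
    def __init__(self, capacity=100):
        self.by_index = [None] * capacity   # array-based access, indexed by app index
        self.by_key = {}                    # hash-table-based access, keyed by package name
    def install(self, package, uid, record):
        self.by_index[app_index(uid)] = record
        self.by_key[package] = record
    def load_array(self, idx):
        i, src = unwrap(idx)                # a record chosen by a tainted index is app-derived
        return Tainted(self.by_index[i], src)
    def load_table(self, key):
        k, src = unwrap(key)
        return Tainted(self.by_key[k], src)

def sample_memory():
    # Constructed sample contents, not real framework data
    M = FrameworkMemory()
    M.by_key["android"] = {"flags": "system"}          # system record, not stored by app uid
    M.install("com.example.evil", 10057, {"flags": "third-party"})
    return M

def app_derived_vars(M, caller_uid, caller_package):
    """Run a mock service entry point and report which locals derive from the calling app."""
    uid = Tainted(caller_uid, {"uid"})                 # taint source
    pkg = Tainted(caller_package, {"package_name"})    # taint source
    idx = app_index(uid)                               # arithmetic: tainted by uid
    app_rec = M.load_array(idx)                        # array-based access
    perm_rec = M.load_table(pkg)                       # hash-table-based access
    sys_rec = M.load_table("android")                  # constant key: not app-derived
    scope = dict(uid=uid, pkg=pkg, idx=idx, app_rec=app_rec, perm_rec=perm_rec, sys_rec=sys_rec)
    return {name: sorted(v.sources) for name, v in scope.items() if v.sources}
```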

Evaluation
Effectiveness: 7 vulnerability instances: 6 instances of inconsistent security policy enforcement, 1 instance of task hijacking.
Efficiency.

List of Vulnerability Instances & Analysis Statistics New vulnerability instances

An Example of an Exploit: a set of concrete values for the configuration and for the system service call.

Code is open source! https://github.com/Android-Framewrok-Symbolic-Executor/Centaur