2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking.

Presentation transcript:

2014 Network and Distributed System Security Symposium
AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications
Mu Zhang, Heng Yin, Syracuse University
林良軒, Advanced Defense Lab Seminar, NCU

Outline: Introduction; Component Hijacking Attack; Implementation; Evaluation; Conclusion; Reference

Introduction
Component Hijacking Attack: A class of attacks that seek to gain unauthorized access (read/write or combined) to protected or private resources through exported components in vulnerable apps.
Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities (CCS 2012)

[Figure slide] Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities

Component hijacking attacks
Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Diagram: Contact Manager App, Enumerator Service, Android Framework (READ Contacts)
Enumerator Service:
   Returns the address book upon request
   Accepts unauthorized requests
Result: Unauthorized access to protected resources

Component hijacking attacks
Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Diagram: Contact Manager App, Setting Update Receiver, Private Storage, Android Framework
Setting Update Receiver:
   Accepts external updates
   App-internal DB is not permission protected
Private Storage (Key / Value):
   VoIP_Prefix       "1234"
   Is_App_Lisenced   false
Write to critical area
Result: Unauthorized access to private resources

AppSealer as a Security Service
1. No source code access
2. Vulnerability-specific patching
3. Minimal performance overhead
4. Minimal impact on usability

[VulActivity]
   onCreate()
   onStart()
      getLocation()
   onDestroy()
      post(addr, location)
   getLocation()
      getLastKnownLocation()
   crypt()
   post()
      HttpURLConnection
      outputStream

Workflow
(1) IR Translation
(2) Slice Computation
(3) Patch Statement Placement
(4) Patch Statement Optimization
(5) Bytecode Generation

Taint Slice Computation
A. Forward Dataflow Analysis
   1. Basic Algorithm: use def-use chain
   2. Special Considerations
      a. Static field
      b. Instance field
      c. Intent
      d. Class inheritance
      e. Thread
B. Backward Dependency Analysis

[Figure slides: Slice 1, Slice 2]

Patch Statement Placement
A. Tainting Policy
   1. Directly modifies the bytecode to keep track of selected tainted information
   2. Each single local variable, field, etc. has a shadow variable
B. Creating Shadow Variables
   1. Local Variables
   2. Static/Instance Fields
   3. Parameters and Return Value
C. Instrumenting the Source
D. Instrumenting Taint Propagation
E. Cleaning the Taint
F. Instrumenting the Sink

Patch Statement Placement
B. Shadow Variables
   1. Local Variables
   2. Static/Instance Fields
   3. Parameters and Return Value

Patch Statement Placement
D. Instrumenting Taint Propagation
   1. Simple Assignments
   2. Function Calls
   3. API Calls
      1. getString(), toString()
      2. android.widget.TextView.setText()
      3. Vector.add(Object)
      4. android.content.ContentValues.put(String key, Byte value)
   4. Tracking References
      If one of the references is tainted, all other references should also be tainted.

Patch Statement Placement
E. Cleaning the Taint
   To properly clean the taint, for each variable appearing in the def-use chain inside the slice, we need to find all its definitions. For the definitions outside the slice, we need to insert a statement after that definition to set its shadow variable to 0 (non-tainted).

Patch Statement Placement
F. Instrumenting the Sink
   If the sink's arguments are tainted by certain sources, we can raise a pop-up dialog to the user, asking for a decision:
   - Restart
   - Continue
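The slice computation and patch placement steps (C to F) above, as an added example that is not taken from the slides or from AppSealer's code. It assumes a constructed toy IR instead of the real bytecode IR, a name-based flow-insensitive slice as a simplification of def-use chains, and a hypothetical `allow` callback standing in for the pop-up dialog.

```python
PROGRAM = [  # constructed toy IR (dst, op, name, args); not Jimple, not AppSealer code
    ("addr", "const",  "http://collector.invalid", []),
    ("loc",  "source", "getLastKnownLocation", []),
    ("buf",  "call",   "crypt", ["loc"]),
    (None,   "sink",   "post", ["addr", "buf"]),   # carries the location
    ("buf",  "const",  "ping", []),                # definition outside the slice
    (None,   "sink",   "post", ["addr", "buf"]),   # carries only a constant
]

def forward_slice(prog):
    """Variables reachable from a source (name-based, flow-insensitive fixpoint)."""
    tainted, size = set(), -1
    while size != len(tainted):
        size = len(tainted)
        tainted |= {d for d, op, _, a in prog if d and (op == "source" or tainted & set(a))}
    return tainted

def place_patches(prog):
    """Insert shadow-variable statements: source, propagation, cleaning, sink check."""
    tainted, out = forward_slice(prog), []
    for dst, op, name, args in prog:
        hot = [a for a in args if a in tainted]
        if op == "sink" and hot:
            out.append((None, "check", name, hot))        # F. guard the sink
        out.append((dst, op, name, args))
        if op == "source":
            out.append((dst, "shadow_set", True, []))     # C. taint at the source
        elif dst in tainted and hot:
            out.append((dst, "shadow_prop", None, hot))   # D. propagate the taint
        elif dst in tainted:
            out.append((dst, "shadow_set", False, []))    # E. clean the taint
    return out

def run(patched, allow=lambda sink, tainted_args: False):
    """Interpret the patched IR; return the argument values each sink actually sent."""
    env, shadow, sent, blocked = {}, {}, [], False
    for dst, op, name, args in patched:
        if op == "shadow_set":
            shadow[dst] = name
        elif op == "shadow_prop":
            shadow[dst] = any(shadow.get(a, False) for a in args)
        elif op == "check":
            live = [a for a in args if shadow.get(a, False)]
            blocked = bool(live) and not allow(name, live)  # stands in for the dialog
        elif op == "sink":
            sent += [] if blocked else [[env[a] for a in args]]
            blocked = False
        else:  # const, source, call: compute a symbolic value
            env[dst] = name if op == "const" else f"{name}({','.join(env[a] for a in args)})"
    return sent
```

Both `post` calls get a check because `buf` is a slice variable, but only the first is blocked at run time: the cleaning statement after the out-of-slice definition resets the shadow of `buf`, so the second call passes.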

Patch Optimization
In order to reduce the amount of patch statements:
O1. Removing Redundant BoolWrappers
    Copy propagation and dead assignment elimination
O2. Removing Redundant Function Parameters
O3. Inlining Instrumentation Code
    By inlining the body of a small function into its callers, the function call overhead can be avoided.
O4. Soot's Built-in Optimizations

Evaluation

Conclusion
A. Automatically generate patch
B. Shadow mechanism
C. Optimization