Towards a Trustworthy Android Ecosystem – Yan Chen, Lab of Internet and Security Technology, Northwestern University

Presentation transcript:

Towards a Trustworthy Android Ecosystem
Yan Chen, Lab of Internet and Security Technology, Northwestern University

Smartphone Security
Ubiquity – smartphones and mobile devices
– Smartphone sales already exceed PC sales
– The growth will continue
Performance better than PCs of the last decade
– Samsung Galaxy S4: 1.6 GHz quad core, 2 GB memory

Android Dominance
Android world-wide market share ~70%
Android market share in the US ~50%
(Credit: Kantar Worldpanel ComTech)

Android Threats
Malware
– The number is increasing consistently
– Anti-malware is ineffective at catching zero-day and polymorphic malware
Information leakage
– Users often have no way to even know what information is being leaked out of their device
– Even legitimate apps leak private information, though the user may not be aware
(Image: flickr.com/photos/panda_security_france/)

New Challenges
New operating systems
– Different design → different threats
Different architecture
– ARM (Advanced RISC Machines) vs x86
– Dalvik vs Java (on Android)
Constrained environment
– CPU, memory
– Battery
– User perception

Problems
Malware detection
– Offline
– Real time, on phone
Privacy leakage detection
– Offline
– Real time, on phone
OS architecture or application vulnerabilities
System hardening
– Access control, ASLR, …

Our Solutions
AppsPlayground, CODASPY'13
– Automatic, large-scale dynamic analysis of Android apps
DroidChameleon, ASIACCS'13
– Evaluation of the latest Android anti-malware tools
Uranine
– Real-time information-flow tracking enabled by offline static analysis
– With zero platform modification

AppsPlayground: Automatic Security Analysis of Android Applications

AppsPlayground
A system for offline dynamic analysis
– Includes multiple detection techniques for dynamic analysis
Challenges
– Techniques must be lightweight
– Automation requires good exploration techniques

Architecture (diagram: AppsPlayground Virtualized Dynamic Analysis Environment)
Detection techniques: kernel-level monitoring, taint tracking, API monitoring, …
Exploration techniques: fuzzing, intelligent input, event triggering, …
Disguise techniques
Contributions: the same architecture diagram with this work's contributions highlighted

Intelligent Input
Fuzzing is good but has limitations
Another black-box GUI exploration technique
Capable of filling in meaningful text by inferring the surrounding context
– Automatically fills out zip codes, phone numbers and even login credentials
– Sometimes increases coverage greatly

Privacy Leakage Results
AppsPlayground automates TaintDroid
Large-scale measurements: 3,968 apps from Android Market (Google Play)
– 946 leak some information
– 844 leak phone identifiers
– 212 leak geographic location
– Leaks go to a number of ad and analytics domains

Malware Detection
Case studies on DroidDream, FakePlayer, and DroidKungFu
AppsPlayground's detection techniques are effective at detecting malicious functionality
Exploration techniques can help discover more sophisticated malware

DroidChameleon: Evaluating state-of-the-art Android anti-malware against transformation attacks

Introduction
Android malware – a real concern
Many anti-malware offerings for Android
Many are very popular
Source: | retrieved: 4/29/2013

Objective
Smartphone malware is evolving
– Encrypted exploits, encrypted C&C information, obfuscated class names, …
– Polymorphic attacks already seen in the wild
What is the resistance of Android anti-malware against malware obfuscations?
Technique: transform known malware

Transformations: Three Types
Trivial: no code-level changes or changes to AndroidManifest
Detectable by Static Analysis (DSA): do not thwart detection by static analysis completely
Not detectable by Static Analysis (NSA): capable of thwarting all static-analysis-based detection

Trivial Transformations
Repacking
– Unzip, rezip, re-sign
– Changes the signing key and the checksum of the whole app package
Reassembling
– Disassemble bytecode, AndroidManifest, and resources and reassemble them again
– Changes individual files

DSA Transformations
Changing package name
Identifier renaming
Data encryption
Encrypting payloads and native exploits
Call indirections
…

Evaluation
10 anti-malware products evaluated
– AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft (ALYac), Zoner, Webroot
– Mostly million-figure installs; > 10M for three
– All fully functional
6 malware samples used
– DroidDream, Geinimi, FakePlayer, BgServ, BaseBridge, Plankton
Last done in February

DroidDream Example (columns: AVG, Symantec, Lookout, ESET, Dr. Web; each x is one marked cell in that row, as on the original slide)
Repack: x
Reassemble: x
Rename package: x x
Encrypt Exploit (EE): x
Rename identifiers (RI): x x
Encrypt Data (ED): x
Call Indirection (CI): x
RI+EE: x x x
EE+ED: x
EE+Rename Files: x
EE+CI: x x

DroidDream Example, continued (columns: Kaspersky, Trend Micro, ESTSoft, Zoner, Webroot; each x is one marked cell in that row, as on the original slide)
Repack: (no mark)
Reassemble: x
Rename package: x x
Encrypt Exploit (EE): x
Rename identifiers (RI): x x
Encrypt Data (ED): x
Call Indirection (CI): x
RI+EE: x x
EE+ED: x x
EE+Rename Files: x x
EE+CI: x

Findings
All the studied tools were found vulnerable to common transformations
At least 43% of signatures are not based on code-level artifacts
90% of signatures do not require static analysis of bytecode
Only one tool (Dr. Web) was found to be using static analysis

Signature Evolution
Study over one year (Feb 2012 – Feb 2013)
Key finding: anti-malware tools have evolved towards content-based signatures
Last year 45% of signatures were evaded by trivial transformations, compared to 16% this year
Content-based signatures are still not sufficient

Solutions
Content-based signatures are not sufficient
Analyze the semantics of malware
Need platform support for that
Dynamic behavioral monitoring can help
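The transformation slides and this one make a single point: a signature tied to package or file content is lost to a trivial repack or an identifier rename, while one tied to the program's semantics survives both. The following added example (not code from the talk or from DroidChameleon) models that on a constructed toy package, where classes.dex is stood in for by a simplified textual disassembly, and checks which of three signature styles still recognises the package after each transformation.

```python
import hashlib
import io
import re
import zipfile

# Constructed toy "APK": entry name -> bytes. classes.dex is stood in for by a
# simplified textual disassembly (an assumption of this example, not a real dex).
SAMPLE_APK = {
    "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
    "classes.dex": (
        b"class Lcom/example/sample/Main;\n"
        b"invoke-virtual Landroid/telephony/TelephonyManager;->getDeviceId()\n"
        b"invoke-static Lcom/example/sample/Net;->send(Ljava/lang/String;)\n"
        b"invoke-virtual Ljava/net/URL;->openConnection()\n"
    ),
    "META-INF/CERT.RSA": b"signing-certificate-v1",
}

def build_zip(files):
    """Zip the entries with fixed timestamps, so only a real change in
    content or entry order changes the package bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2013, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()

# Three signature styles, from most to least content-based.
def package_checksum(files):
    return hashlib.sha256(build_zip(files)).hexdigest()

def dex_checksum(files):
    return hashlib.sha256(files["classes.dex"]).hexdigest()

# Only calls into framework classes (android.*, java.*) are kept; app-defined
# class names are ignored, so renaming them leaves this signature unchanged.
FRAMEWORK_CALL = re.compile(rb"invoke-\w+ (L(?:android|java)/[^;]+;->\w+)")

def api_sequence(files):
    calls = FRAMEWORK_CALL.findall(files["classes.dex"])
    return hashlib.sha256(b"\n".join(calls)).hexdigest()

SIGNATURES = {"package checksum": package_checksum,
              "classes.dex checksum": dex_checksum,
              "framework API sequence": api_sequence}

# The two transformation classes from the slides, applied to the toy package.
def repack(files):
    """Trivial: re-zip in another entry order and re-sign; no file content changes."""
    out = dict(reversed(list(files.items())))
    out["META-INF/CERT.RSA"] = b"signing-certificate-v2"
    return out

def rename_identifiers(files):
    """DSA: rename app-defined classes; calls into the framework stay as they are."""
    dex = files["classes.dex"].replace(b"Lcom/example/sample/Main;", b"La/b;")
    dex = dex.replace(b"Lcom/example/sample/Net;", b"La/c;")
    return {**files, "classes.dex": dex}

def still_matches(original, transformed):
    """Which signature styles still recognise the transformed package?"""
    return {name: fn(original) == fn(transformed) for name, fn in SIGNATURES.items()}
```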

Takeaways
Anti-malware vendors: need to have semantics-based detection
Google and device manufacturers: need to provide better platform support for anti-malware

Conclusion
Developed a systematic framework for transforming malware
Evaluated the latest popular Android anti-malware products
All products vulnerable to malware transformations

Uranine: Real-time Privacy Leakage Detection without System Modification for Android

Motivation
Android permissions are insufficient
– The user still does not know if some private information will be leaked
Information leakage is more interesting (dangerous) than information access
– E.g. a camera app may legitimately access the camera, but sending video recordings out of the phone may be unacceptable to the user

Previous Solutions
Static analysis: not sufficient
– It does not identify the conditions under which a leak happens; such conditions may be legitimate or may not happen at all at run time
– Need real-time monitoring
TaintDroid: real-time but not usable
– Requires installing a custom Android ROM
– Not possible with some vendors
– The end user does not have the skill set

Our Approach
Give control to the user
Instead of modifying the system, modify the suspicious app to track privacy-sensitive flows
Advantages
– No system modification
– No overhead for the rest of the system
– High configurability: easily turn off monitoring for an app or for a trusted library in an app

Comparison
                     | Static Analysis        | TaintDroid | Uranine
Accuracy             | Low (possibly high FP) | Good (TaintDroid and Uranine)
Overhead             | None                   | Low        | Acceptable
System modification  | No                     | Yes        | No
Configurability      | NA                     | Very low   | High

Deployment A: by vendor or 3rd-party service

Deployment B: by market

Overall Scenario (diagram): Download → Instrument → Reinstall → Run → Alert user, on top of unmodified Android middleware and libraries

Challenges
Framework code cannot be modified
– Policy-based summarization of framework APIs
Accounting for the effects of callbacks
– Functions in app code invoked by framework code
– Over-tainting techniques guarantee zero FN

Challenges
Accommodating reference semantics
– Need to taint objects rather than variables
– Not interfering with garbage collection
Performance overhead
– Path pruning with static analysis
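The two Challenges slides describe three mechanisms: framework APIs summarised by policy instead of being instrumented, callbacks into app code over-tainted so nothing is missed, and taint tags kept on objects so aliases stay consistent. The added model below (written for this page, not Uranine's instrumentation code) exercises all three on a constructed app fragment; the policy table, source and sink names are assumptions standing in for the real per-API summaries.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Obj:
    """Heap object with a taint tag; the tag is on the object, not on variables, so aliases share it."""
    value: object = None
    taint: set = field(default_factory=set)

# Constructed policy table standing in for Uranine's per-API summaries. merge: result carries
# receiver+argument taints; mutate: receiver absorbs argument taint in place; clear: untainted result.
FRAMEWORK_POLICY = {"StringBuilder.append": "mutate",
                    "StringBuilder.toString": "merge",
                    "String.length": "clear"}
SOURCES = {"TelephonyManager.getDeviceId": "IMEI"}
SINKS = {"HttpURLConnection.write", "SmsManager.sendTextMessage"}

class Tracker:
    def __init__(self):
        self.alerts = []    # (sink API, sorted source labels) per detected leak
    def source(self, api):
        return Obj(api, {SOURCES[api]})
    def call(self, api, *args, receiver=None):
        """Framework call: sinks are checked, the rest summarised by policy (unknown API: conservative merge)."""
        arg_taint = set().union(*(a.taint for a in args))
        if api in SINKS:
            if arg_taint:
                self.alerts.append((api, sorted(arg_taint)))
            return Obj()
        policy = FRAMEWORK_POLICY.get(api, "merge")
        if policy == "clear":
            return Obj()
        if policy == "mutate":
            receiver.taint |= arg_taint
            return receiver
        if receiver is not None:
            arg_taint |= receiver.taint
        return Obj(taint=arg_taint)
    def callback(self, receiver, *args):
        """App method invoked by framework code (e.g. toString()): its body is outside the
        framework summary, so over-taint the result with every reachable tag (zero FN)."""
        return Obj(taint=set(receiver.taint).union(*(a.taint for a in args)))

def run_scenarios():
    """Leaks detected in two constructed app fragments: one through an alias, one through a callback."""
    t = Tracker()
    imei = t.source("TelephonyManager.getDeviceId")
    sb = Obj("")                                   # new StringBuilder()
    alias = sb                                     # second reference to the same object
    t.call("StringBuilder.append", imei, receiver=sb)
    body = t.call("StringBuilder.toString", receiver=alias)
    t.call("HttpURLConnection.write", t.call("String.length", receiver=body))  # cleared: no alert
    t.call("HttpURLConnection.write", body)        # tainted through the alias: alert
    holder = Obj("record", {"IMEI"})               # app object holding the IMEI
    text = t.callback(holder)                      # framework invokes holder.toString()
    t.call("SmsManager.sendTextMessage", text)     # over-tainted result reaches a sink: alert
    return t.alerts
```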

Instrumentation Workflow (diagram)

Preliminary Results
Studied 20 apps
Results in general align with TaintDroid
Performance
– Runtime overhead is within 50% for 85% of the apps evaluated and within 100% for all apps
– Less than 20% of instructions need to be instrumented in all apps evaluated

Runtime Performance (chart)

Fraction of Instructions Instrumented (chart)

Limitations
Native code not handled
Method calls by reflection may sometimes result in unsound behavior
An app may refuse to run if its code is modified
– Currently, only one out of the top one hundred Google Play apps did that

Conclusion
AppsPlayground, CODASPY'13
– Detected privacy leakage on a large scale
– Capable of detecting malware
DroidChameleon, ASIACCS'13
– Several popular Android anti-malware tools shown vulnerable
Uranine
– Real-time information-flow tracking with zero platform modification is possible
More info and tools –

Kernel-level Monitoring
Useful for malware detection
Most root-capable malware can be logged for vulnerability conditions
Rage-against-the-cage
– Number of live processes for a user reaches a threshold
Exploid / Gingerbreak
– Netlink packets sent to system daemons
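The two conditions on this slide are cheap to check from a kernel-level event stream. The added detector below is illustrative code for this page, not AppsPlayground's monitor; the trace line format, the daemon list and the process threshold are constructed assumptions, and the only Android fact relied on is that app uids start at 10000.

```python
import re

# Constructed sample event trace in a line format assumed for this example.
# uids 10045 and 10046 are app uids; uid 1000 is the system uid.
SAMPLE_TRACE = """\
fork uid=10045 pid=1001
fork uid=10045 pid=1002
exit uid=10045 pid=1001
fork uid=10045 pid=1003
fork uid=10045 pid=1004
netlink uid=10046 pid=1200 dst=vold
netlink uid=1000 pid=50 dst=udevd
"""

FIRST_APP_UID = 10000               # Android assigns app uids from 10000 upwards
PROC_THRESHOLD = 3                  # toy value; in practice tie it to the per-user process limit
SYSTEM_DAEMONS = {"udevd", "vold"}  # constructed set of daemons that accept netlink messages
EVENT = re.compile(r"(?P<ev>\w+) uid=(?P<uid>\d+) pid=(?P<pid>\d+)(?: dst=(?P<dst>\w+))?$")

def monitor(trace, threshold=PROC_THRESHOLD):
    """Return (line number, condition, uid) for each vulnerability condition
    from the slide: an app uid's live-process count reaching the threshold
    (rage-against-the-cage) and an app uid sending netlink messages to a
    system daemon (Exploid / Gingerbreak)."""
    live = {}       # uid -> set of live pids
    alerts = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = EVENT.match(line)
        if not m:
            continue                # malformed line: ignore rather than crash the monitor
        uid, pid, dst = int(m["uid"]), int(m["pid"]), m["dst"]
        if uid < FIRST_APP_UID:
            continue                # system processes legitimately do both
        if m["ev"] == "fork":
            live.setdefault(uid, set()).add(pid)
            if len(live[uid]) == threshold:
                alerts.append((lineno, "process-exhaustion", uid))
        elif m["ev"] == "exit":
            live.get(uid, set()).discard(pid)
        elif m["ev"] == "netlink" and dst in SYSTEM_DAEMONS:
            alerts.append((lineno, "netlink-to-system-daemon", uid))
    return alerts
```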

Security in Software-defined Networks: Towards a Secure Controller Platform for OpenFlow Applications

SDN Architecture
SDN apps define routing behavior through the controller
Current controllers assume full trust in apps, and do not check what apps send to switches

Threat Model
Two threat models
– Exploitation of existing benign-but-buggy apps
– Distribution of malicious apps by an attacker
Plenty of potential attacks

Challenges
Network resources are architecturally distinctive
– It is not obvious which resources are dangerous and which ones are safe
The controller has limited control over SDN apps
– Only controller API calls go through the controller, such as flow addition and statistics queries
– OS system calls do not go through the controller, so apps can write whatever they want to the network, storage, etc.

Our Approach
Permission check + isolation
Contributions
– Systematic permission set design
– Comprehensive app sandboxing
(Diagrams: Original Controller Architecture vs PermOF Architecture)
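The preceding slides say that flow additions and statistics queries are the calls the controller can see, and that these should be permission-checked per app. The added model below illustrates that reference-monitor idea for this page; it is not PermOF's code, and the permission names, the switch-scope rule and the two sample apps are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SdnApp:
    name: str
    permissions: frozenset   # granted when the app is installed on the controller
    switches: frozenset      # datapath ids the app may act on (its scope)

# Constructed permission names: the slides say the permission set is designed
# systematically but do not list it, so these are illustrative only.
REQUIRED_PERMISSION = {"add_flow": "FLOW_MOD", "delete_flow": "FLOW_MOD",
                       "read_stats": "READ_STATS", "packet_out": "PACKET_OUT"}

class Controller:
    """Reference monitor on the controller API: every call an app makes is
    checked against the app's permission set and switch scope before it
    reaches the switches. OS system calls never pass through here, which
    is why the slides pair the check with app sandboxing."""
    def __init__(self):
        self.flows = {}      # dpid -> list of installed rules
        self.stats = {}      # dpid -> counters (constructed, empty here)
        self.audit = []      # (decision, app, api, dpid)

    def invoke(self, app, api, dpid, rule=None):
        need = REQUIRED_PERMISSION[api]         # unknown API names raise KeyError
        if need not in app.permissions or dpid not in app.switches:
            self.audit.append(("DENY", app.name, api, dpid))
            return None
        self.audit.append(("ALLOW", app.name, api, dpid))
        if api == "add_flow":
            self.flows.setdefault(dpid, []).append(rule)
            return True
        if api == "delete_flow":
            present = rule in self.flows.get(dpid, [])
            if present:
                self.flows[dpid].remove(rule)
            return present
        if api == "read_stats":
            return self.stats.get(dpid, {"packets": 0})
        return True                             # packet_out: nothing to record here

def demo():
    """Two constructed apps: a monitor that may only read statistics on
    switches 1 and 2, and a router allowed to install flows on switch 1 only."""
    ctl = Controller()
    monitor = SdnApp("monitor", frozenset({"READ_STATS"}), frozenset({1, 2}))
    router = SdnApp("router", frozenset({"FLOW_MOD", "READ_STATS"}), frozenset({1}))
    results = [
        ctl.invoke(monitor, "add_flow", 1, "drop 10.0.0.0/8"),           # lacks FLOW_MOD: denied
        ctl.invoke(router, "add_flow", 1, "fwd 10.0.0.0/8 -> port 2"),   # allowed
        ctl.invoke(router, "add_flow", 2, "fwd 10.0.0.0/8 -> port 2"),   # switch 2 out of scope: denied
        ctl.invoke(monitor, "read_stats", 2),                            # allowed
    ]
    return results, ctl.flows, ctl.audit
```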

Backup

Smartphone Security
Lots of private data
– Contacts, messages, call logs, location
– Grayware applications, spyware applications
– TaintDroid, PiOS, etc. found many leaks
– Our independent study estimates about 1/4th of apps to be leaking
Exploits could cost the user money
– Dialing and texting premium numbers
– Malware such as FakePlayer already does this

Android Threats
Privacy leakage
– Users often have no way to know if there are privacy leaks
– Even legitimate apps may leak private information without informing the user
Malware
– Number increasing consistently
– Need to analyze new kinds

Dynamic vs. Static
                                              | Dynamic Analysis                  | Static Analysis
Coverage                                      | Some code not executed            | Mostly sound
Accuracy                                      | False negatives                   | False positives
Dynamic aspects (reflection, dynamic loading) | Handled without additional effort | Possibly unsound for these
Execution context                             | Easily handled                    | Difficult to handle
Performance                                   | Usually slower                    | Usually faster

Disguise Techniques
Make the virtualized environment look like a real phone
– Phone identifiers and properties
– Data on the phone, such as contacts, SMS, files
– Data from sensors like GPS
– Cannot be perfect

Exploration Effectiveness
Measured in terms of code coverage
– 33% mean code coverage: more than double that of the trivial black-box technique
– Some code may be dead code
– Use symbolic execution in the future
Fuzzing and intelligent input are both important
– Fuzzing helps when intelligent input can't model the GUI
– Intelligent input could sign up automatically for 34 different services in large-scale experiments

Playground: Related Work
Google Bouncer
– Similar aims; closed system
DroidScope, USENIX Security'12
– Malware forensics
– Mostly manual
SmartDroid, SPSM'12
– Uses static analysis to guide dynamic exploration
– Complementary to our approach

Threat Mitigation at App Level
Offline analysis
– Trustworthiness of an app is known before use
– Static analysis
– Dynamic analysis
Real-time monitoring
– Often more accurate, but with runtime overhead
– The user has control over the app's actions in real time

Callback Example
The toString() method may be called by a framework API and the returned string used elsewhere.

Potential Defenses against Malicious Apps
Server-side security check by the controller vendor
– Static analysis
– Dynamic analysis
Runtime permission check
– Enforce the principle of least privilege on apps
Principal isolation
Anomaly-based behavior monitoring