Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.

Presentation transcript:

- Introduction
- Design
  - Provenance Analysis
  - Permission Usage Analysis
  - Vulnerability Analysis
    - Reachability Analysis
    - Reflection Analysis

- Implementation and evaluation
  - Provenance Analysis
  - Permission Usage Analysis
  - Vulnerability Analysis
- Discussion
- Related work
- Conclusion

- Ten representative stock Android images
- Five popular smartphone vendors
- To assess the extent of security issues

- million sold in the Q4 of % global market share
- Android open source project (AOSP)
- Vendor customizations
- Third party apps: vendors or carriers
- Three stage process
  - Stock images: provenance analysis
  - Permission usages of pre-load apps: unnecessary permission request
  - Pre-load apps vulnerabilities analysis: permission re-delegation attack and private information leakage

- SEFA: Security Evaluation Framework for Android
- Evaluation result: worrisome
  - 81.78% of pre-load apps are from vendor customizations
  - 85.78% of pre-load apps are overprivileged; the majority of them are from vendor customizations
  - 64.71% to 85.00% of vulnerabilities are from vendor customizations (Samsung, HTC, LG; except for Sony)
  - Current HTC is more secure than before

- Architecture of SEFA

- Provenance Analysis
  - AOSP app: Android open source project
    - Original apps of Android
  - Vendor app: identified by signatures
    - Apps developed by vendors
  - Third-party app: identified by signatures
    - Apps developed by third parties
- Exceptions
  - An AOSP app may be modified by vendors
    - SONY Conversation app vs. AOSP Mms app

- SEFA's procedure for identifying AOSP apps:
  - By matching app and package names
  - By matching component names in the manifest file
  - By calculating the similarity between paths and apps
    - Path: sequence of methods from an entry point into a sink
    - Sink: operation requiring dangerous and sensitive permissions
- Static analysis
  - Baksmali
  - Firmware release and update information

- Permission overprivilege
  - Initial permission set of apps
  - Step 1
    - Generate the complete requested permission set: R-set
    - Initial requested permission set from the manifest files of apps
    - Include the shared permission set: SharedUserId
  - Step 2
    - Calculate the used permission set: U-set
    - Used by API invocations
    - Used by Intents
    - Used by content providers
  - Step 3
    - The overprivilege set: R - U

- Algorithm 1
  - Initial R set
  - Generate the complete R set
  - Generate the U set
  - Generate the permission overprivilege set
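
The three steps above as an added Python example (not SEFA's code): the manifests, package names, API names and API-to-permission map are all constructed, and only API invocations feed the U-set.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Constructed API-to-permission map; a real run would load a complete one.
API_PERMS = {
    "SmsManager.sendTextMessage": P + "SEND_SMS",
    "TelephonyManager.getDeviceId": P + "READ_PHONE_STATE",
    "LocationManager.getLastKnownLocation": P + "ACCESS_FINE_LOCATION",
}

def make_manifest(pkg, perms, shared_uid=None):
    """Build a constructed AndroidManifest.xml string for the samples below."""
    uid = f' android:sharedUserId="{shared_uid}"' if shared_uid else ""
    body = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{NS[1:-1]}" package="{pkg}"{uid}>'
            f'{body}</manifest>')

SAMPLES = [  # constructed: two apps share a UID, the third stands alone
    make_manifest("com.example.dialer", ["SEND_SMS", "READ_PHONE_STATE"], "com.example.uid"),
    make_manifest("com.example.notes", ["ACCESS_FINE_LOCATION"], "com.example.uid"),
    make_manifest("com.example.maps", ["ACCESS_FINE_LOCATION"]),
]
CALLS = {  # constructed static-analysis output: API calls found per package
    "com.example.dialer": ["SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"],
    "com.example.maps": ["LocationManager.getLastKnownLocation"],
}

def requested(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    return root.get("package"), root.get(NS + "sharedUserId"), perms

def overprivilege(manifests, api_calls):
    """Return {package: R - U} for every manifest."""
    apps = [requested(m) for m in manifests]
    pooled = defaultdict(set)
    for _, uid, perms in apps:  # Step 1: same sharedUserId means pooled permissions
        if uid:
            pooled[uid] |= perms
    result = {}
    for pkg, uid, perms in apps:
        r_set = perms | pooled.get(uid, set())
        # Step 2: U-set from API invocations only (Intents and providers omitted)
        u_set = {API_PERMS[a] for a in api_calls.get(pkg, []) if a in API_PERMS}
        result[pkg] = r_set - u_set  # Step 3
    return result
```

Calling `overprivilege(SAMPLES, CALLS)` shows the sharedUserId effect: the dialer never requested the location permission itself, yet it is counted as overprivileged because it inherits it from the app it shares a UID with.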

- Vulnerabilities:
  - Permission re-delegation attack
    - Aimed at dangerous actions
  - Passive content leak: world-readable content provider
  - Content pollution: world-writable content provider
    - Aimed at serious content leaks
- Find the paths
  - From open entrypoints to sinks
    - Sensitive-sinks: APIs tied to sensitive permissions
    - Bridge-sinks: invocations that indirectly reach other components
- In-component: reachability analysis
- Cross-component: reflection analysis

- Determine the feasible paths from the entrypoint set of all Android components.
- Step 1: intra-procedural reachability analysis
  - Build the call graphs and resolve them using def-use analysis
  - The resolution starts from the initial state and iterates until the state changes reach a fixed point
  - The resulting states of variables and fields are called a "summary"
- Step 2: inter-procedural reachability analysis
  - Propagate the states among different methods
  - Re-run step 1 if the summary has changed
- Feasible path: execution flow

- Algorithm Appendix
  - Execution flow
  - Check whether the summary of each callee c is modified or not
  - Invoking inter-analysis related to c (????) ????

- Reflection attack: Example
- Vulnerability paths
  - In-component: reachability analysis
    - From an unprotected component to a sink located in the same component
  - Cross-component: none
    - From an unprotected component to a sink located in a different component of the same app
  - Cross-app: none
    - From an unprotected component to a sink located in a different component of a different app
- Reflection analysis: find all possible connections among components/apps

- Algorithm 2: reflection analysis
  - For the current component and the visited component list:
    - If the current component is visited, return with V
    - Otherwise append the current component to the visited component list
    - If the current component is vulnerable, add it to V
  - For all other components able to start the current component
    - Do reflection analysis among them
  - Return V
  - Add to V if c is vulnerable
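
An added Python rendering of Algorithm 2, not SEFA's implementation. It assumes "vulnerable" means a component reachable without a permission check; the `FactoryTest/SocketCommandHandler` name, `Keystring_misc/InternalUi` and the start relation are constructed for illustration.

```python
def app_of(component):
    """Components are written as 'App/Component' in this example."""
    return component.split("/", 1)[0]

def reflection_analysis(current, starters, is_open, visited=None, chain=()):
    """Return V: chains from an open component down to the component holding the sink.

    starters[c] lists components (same app or another app) able to start c.
    is_open(c) is True when c accepts input without a permission check.
    """
    if visited is None:
        visited = set()
    found = []
    if current in visited:            # already analysed: this also breaks cycles
        return found
    visited.add(current)
    chain = (current,) + chain
    if is_open(current):
        found.append(chain)
    for caller in starters.get(current, ()):
        found += reflection_analysis(caller, starters, is_open, visited, chain)
    return found

def classify(chain):
    """Label a chain with the three path kinds used on the slides."""
    if len(chain) == 1:
        return "in-component"
    same_app = len({app_of(c) for c in chain}) == 1
    return "cross-component" if same_app else "cross-app"

# Constructed start relation: who is able to start whom (includes a cycle).
STARTERS = {
    "Keystring_misc/PhoneUtilReceiver": ["FactoryTest/SocketCommandHandler",
                                         "Keystring_misc/InternalUi"],
    "FactoryTest/SocketCommandHandler": ["Keystring_misc/PhoneUtilReceiver"],
}
# Constructed: components that take input without any permission check.
OPEN = {"FactoryTest/SocketCommandHandler"}

def findings(sink_component):
    chains = reflection_analysis(sink_component, STARTERS, OPEN.__contains__)
    return [(classify(c), " -> ".join(c)) for c in chains]
```

`findings("Keystring_misc/PhoneUtilReceiver")` reports one cross-app chain even though the receiver itself is permission-protected, which is the case an in-component analysis alone would miss.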

- SEFA was written in Java and Python
- Processing time of each image: 70 min avg.
- Manual verification of vulnerabilities
- Baksmali

- Devices

- Permission Usage Analysis
  - % of overprivileged apps
    - 87.96% -> 83.61%: avg.: 85.78%

- Vulnerabilities
  - % of vulnerable apps
    - Worst in %: HTC Wildfire S, LG Optimus P880

- Vulnerabilities: customizations
  - Customizations: vendor and third parties
  - % of vulnerable apps of customizations

- Vulnerabilities
  - Inherited: from previous product
  - Introduced: newly found in the new product

- Vulnerabilities
  - Critical vulnerabilities
  - Other: vendor- or model-specific

- Vulnerabilities: cross-app vulnerabilities
  - Difficult to detect
  - % of cross-app vulnerabilities

- Reflection attack sample
- Pre-load app: Keystring_misc
  - Protected component: PhoneUtilReceiver
  - Permission: com.sec.android.app.phoneutil.permission
  - systemOrSignature level
- Another app: FactoryTest
  - Feasible path: able to start this component of Keystring_misc
  - Cross-app vulnerability path
  - Two hard-coded local sockets: FactoryClientRecv, FactoryClientSend
  - Able to receive commands from the local socket
  - Protected

- sCloudBackupProvider app
  - Four content providers in the app with package name:
    - Com.sec.android.sCloudBackupProvider
  - Exposing access interfaces to databases
    - Calllogs.db, sms.db, mms.db, settings.db
  - Interfaces are protected by two normal-level permissions
  - Able to be accessed by any third-party app
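
A manifest check for the pattern on this slide, as an added example rather than SEFA's code: it flags exported providers whose read or write permission is missing or declared at normal level. The manifest and its `com.example.backup` names are constructed, and a provider without `android:exported` is treated as exported (the default on older API levels).

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: one weakly guarded provider, one signature-guarded, one private.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.backup">
  <permission android:name="com.example.backup.READ"/>
  <permission android:name="com.example.backup.WRITE" android:protectionLevel="normal"/>
  <permission android:name="com.example.backup.ADMIN" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".CallLogs" android:authorities="com.example.backup.calllogs"
              android:readPermission="com.example.backup.READ"
              android:writePermission="com.example.backup.WRITE"/>
    <provider android:name=".Settings" android:authorities="com.example.backup.settings"
              android:permission="com.example.backup.ADMIN"/>
    <provider android:name=".Cache" android:authorities="com.example.backup.cache"
              android:exported="false"/>
  </application>
</manifest>"""

def weak_providers(manifest_xml):
    """Return (authority, access, level) for exported providers any app can reach."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel defaults to "normal" when the <permission> element omits it.
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for prov in root.iter("provider"):
        if prov.get(A + "exported", "true") != "true":  # assumption: old default
            continue
        base = prov.get(A + "permission")  # applies to both read and write
        for access in ("readPermission", "writePermission"):
            perm = prov.get(A + access, base)
            # Permissions declared elsewhere cannot be judged from this manifest alone.
            level = "none" if perm is None else levels.get(perm, "unknown")
            if level in ("none", "normal"):
                findings.append((prov.get(A + "authorities"), access, level))
    return findings
```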

- Software development policies
  - Sony
  - HTC
- Popular product vs. poor security level
  - Samsung S3
- Limitations
  - Does not cover customization of system-level code
  - High false positive rate of analysis
    - Manually verify avg. 300 paths per device
  - It would be better to use a dynamic analyzer

- Provenance Analysis
  - SMIT: malware database
  - DroidMOSS, DNADroid, PiggyApp: detecting repackaged apps in markets
- Permission Usage Analysis
  - PScout: overprivileged apps
- Vulnerability Analysis
  - DroidRanger: detect malicious apps in markets
  - TaintDroid, MockDroid, TISSA: privacy leaks
  - ComDroid, Woodpecker, CHEX: in-component vulnerability detection

- Evaluate the security impact of vendor customizations
- Overprivilege app analysis
- Static reachability and reflection analysis