Systematic Detection of Capability Leaks in Stock Android Smartphones

1 Systematic Detection of Capability Leaks in Stock Android Smartphones
2018/9/20
Michael Grace, Yajin Zhou, Zhi Wang, Xuxian Jiang
North Carolina State University
NDSS 2012

2 Outline
- Introduction
- System Design
- Implementation
- Evaluation
- Discussion
- Related Work
- Conclusions

3 Introduction
- Woodpecker systematically analyzes each app on the phone to explore the reachability of a dangerous permission from a public, unguarded interface.

4 Introduction
- Explicit Capability Leaks: allow an app to successfully access certain permissions by exploiting some publicly-accessible interfaces or services, without actually requesting these permissions by itself
- Implicit Capability Leaks: allow the same, but instead of exploiting some public interfaces or services, permit an app to acquire or “inherit” permissions from another app with the same signing key (presumably by the same author)

5 Introduction
- Focus on 13 representative privileged permissions that protect sensitive user data or phone features
- Among these 13 privileged permissions, 11 were explicitly leaked, with individual phones leaking up to eight permissions

6 System Design
- Focus on those permissions used by the pre-loaded apps that are part of an Android phone’s firmware, since the firmware has access to some permissions that are too privileged to be granted to third-party apps

7 System Design
- Starting from some public interface, there exists an execution path that can reach some use of the capability
- If this public interface is not guarded by a permission requirement, and the execution path does not have sanity checking in place to prevent it from being invoked by another, unrelated app, we consider the capability leaked.

8 System Design
- Implicit capability leaks arise from the abuse of an optional attribute in the manifest file, i.e., “sharedUserId”
- As permissions are granted to user identifiers, this causes all the apps sharing the same identifier to be granted the union of all the permissions requested by each app.

9 System Design - Explicit Capability Leak Detection
- First: possible-path identification
  - Extract a pre-loaded app’s Dalvik bytecode, then build a CFG to locate possible execution paths
  - Issue 1: object references
  - Issue 2: extensive use of callbacks

10 System Design - Explicit Capability Leak Detection
- Second: feasible path refinement
  - Symbolic path simulation
  - Many potential paths exist; most are either impossible or uninteresting, so these uninteresting paths must be pruned
  - Paths that pass through an explicit permission check are treated as “infeasible paths”

11 System Design - Implicit Capability Leak Detection
- If an app has a sharedUserId in its manifest but does not request a certain (dangerous) permission, we also need to investigate the possibility of an implicit capability leak

12 System Design - Implicit Capability Leak Detection
- We consider a capability to have been implicitly leaked if there is any way to exercise it, which is different from explicit capability leak detection

13 Implementation
- Using adb to obtain /system/app and /system/framework
  - AndroidManifest.xml: sharedUserId attribute; compute the actual set of permissions granted to each pre-loaded app
  - classes.dex or odex: disassembled using the baksmali disassembler tool
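The sharedUserId union rule from slide 8 and the "compute the actual set of permissions granted" step above, as an added example written for this transcript (not Woodpecker's own code): three constructed manifests with hypothetical package names stand in for pre-loaded apps, and the script reports apps that inherit a dangerous permission through a shared uid without ever requesting it, the implicit-leak candidates slide 11 says need investigating.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Constructed manifests standing in for pre-loaded /system/app packages (hypothetical names, not real firmware).
MANIFESTS = {
    "com.example.dialer": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.dialer" android:sharedUserId="android.uid.shared">
        <uses-permission android:name="android.permission.CALL_PRIVILEGED"/>
        <uses-permission android:name="android.permission.SEND_SMS"/></manifest>""",
    "com.example.messagetab": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.messagetab" android:sharedUserId="android.uid.shared">
        <uses-permission android:name="android.permission.SEND_SMS"/></manifest>""",
    "com.example.camera": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.camera">
        <uses-permission android:name="android.permission.CAMERA"/></manifest>""",
}
# Two of the 13 privileged permissions the slides focus on, used here as the "dangerous" set.
DANGEROUS = {"android.permission.CALL_PRIVILEGED", "android.permission.CAMERA"}


def parse_manifest(xml_text):
    """Return (sharedUserId or None, set of permissions the app itself requests)."""
    root = ET.fromstring(xml_text)
    shared = root.get(A + "sharedUserId")
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    return shared, requested


def effective_permissions(manifests):
    """Map package -> permissions actually granted: apps sharing a uid get the union of all their requests."""
    requested, shared_of, union = {}, {}, {}
    for pkg, xml_text in manifests.items():
        shared_of[pkg], requested[pkg] = parse_manifest(xml_text)
        if shared_of[pkg] is not None:
            union.setdefault(shared_of[pkg], set()).update(requested[pkg])
    effective = {pkg: union[shared_of[pkg]] if shared_of[pkg] else requested[pkg] for pkg in manifests}
    return effective, requested


def implicit_leak_candidates(manifests, dangerous):
    """(package, permission) pairs where a dangerous permission is inherited via sharedUserId but never requested."""
    effective, requested = effective_permissions(manifests)
    return sorted((pkg, p) for pkg in manifests for p in effective[pkg] & dangerous if p not in requested[pkg])


if __name__ == "__main__":
    for pkg, perm in implicit_leak_candidates(MANIFESTS, DANGEROUS):
        print(f"{pkg}: inherits {perm} via sharedUserId without requesting it")
```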

14 Implementation - Control-Flow Graph Construction
- Entry Point: AIDL, Binder.onTransact()
- Callbacks, e.g. Thread().start() -> run()
- onTransact() is the handler method a Service runs when it receives a request

15 Implementation
- Cover 13 permissions:

16 Implementation - Capability Leak Detection
- List the related APIs that might exercise the permissions
  - The available API documentation is incomplete about which APIs a permission grants access to
  - e.g. “android.permission.MASTER_CLEAR” – for factory reset
- Explicit: a leak is reported if a state exists that contains a dangerous-call field modification and does not have the corresponding permission-check flag set
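The explicit-leak rule just stated, together with the path pruning from slide 10, as an added example written for this transcript (not Woodpecker's own code): the search state pairs a CFG node with the permissions already checked on the path to it, a call is reported only when its permission is neither checked on the path nor required by the entry point, and the CFG itself is constructed with hypothetical method names.

```python
from collections import deque

# Constructed inter-procedural CFG of one hypothetical pre-loaded app (not from any real firmware).
# kind "entry": exported component entry point; "guard" is the permission protecting it (None = unguarded)
# kind "check": explicit checkCallingPermission()/enforce*() call for the named permission
# kind "call":  privileged API call and the permission it requires
NODES = {
    "onReceive":      ("entry", {"guard": None}),
    "onTransact":     ("entry", {"guard": "android.permission.REBOOT"}),
    "parseIntent":    ("plain", {}),
    "checkMasterClr": ("check", {"permission": "android.permission.MASTER_CLEAR"}),
    "doReset":        ("call", {"api": "masterClear()", "permission": "android.permission.MASTER_CLEAR"}),
    "doReboot":       ("call", {"api": "reboot()", "permission": "android.permission.REBOOT"}),
}
EDGES = {
    "onReceive":      ["parseIntent"],
    "parseIntent":    ["doReset", "checkMasterClr"],  # one branch reaches the reset without the check
    "checkMasterClr": ["doReset"],
    "onTransact":     ["doReboot"],
}


def find_explicit_leaks(nodes, edges):
    """Privileged calls reachable from an entry point along a path with no check for the required permission.
    State = (node, permissions checked so far on this path); a path through a check for the target
    permission is infeasible for that leak, which is the pruning rule from the slides."""
    leaks = set()
    for start, (kind, info) in nodes.items():
        if kind != "entry":
            continue
        initial = frozenset([info["guard"]] if info["guard"] else [])  # a guarded entry counts as checked
        seen, queue = set(), deque([(start, initial)])
        while queue:
            node, checked = queue.popleft()
            if (node, checked) in seen:
                continue
            seen.add((node, checked))
            nkind, ninfo = nodes[node]
            if nkind == "check":
                checked = checked | {ninfo["permission"]}
            elif nkind == "call" and ninfo["permission"] not in checked:
                leaks.add((start, ninfo["api"], ninfo["permission"]))
            for nxt in edges.get(node, []):
                queue.append((nxt, checked))
    return sorted(leaks)


if __name__ == "__main__":
    for entry, api, perm in find_explicit_leaks(NODES, EDGES):
        print(f"{entry} -> {api} leaks {perm}")
```

Adding android:permission to the exported receiver (a non-None guard on onReceive) or routing every branch through the check makes the report empty, which is the fix the Discussion slide's validator idea would enforce.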

17 Evaluation
- Eight studied Android smartphones:

18 Evaluation
- Capability leak results

19 Evaluation
- Smartphones with more pre-loaded apps tend to be more likely to have explicit capability leaks
- Nexus One / Nexus S: com.svox.pico defines an interface which any other third-party app can trick into removing another app, com.svox.pico.langpack.installer

20 Evaluation – Case Study
- Explicit Capability Leaks (without Arguments)
- Samsung Epic 4G: com.sec.android.app.SelectiveReset app
- Flow from the slide diagram: Intent android.intent.action.SELECTIVE_RESET -> SelectiveResetReceiver -> Intent -> SelectiveResetService -> SelectiveResetApp -> masterClear()

21 Evaluation – Case Study
- Explicit Capability Leaks (without Arguments)
- HTC EVO 4G: REBOOT and SHUTDOWN
- FREESE

22 Evaluation – Case Study
- Explicit Capability Leaks (with Arguments)
- HTC: com.android.mms -> com.htc.messaging.service.SmsSenderService (Intent with Extras)

23 Evaluation – Case Study
- Explicit Capability Leaks (with Arguments)
- Samsung Epic 4G: CALL_PHONE (technical assistance)
- HTC: RECORD_AUDIO

24 Evaluation – Case Study
- Implicit Capability Leaks
- HTC Wildfire S: com.android.MessageTab uses CALL_PRIVILEGED without declaring it in its manifest file
  - sharedUserId: “android.uid.shared”
  - com.android.MessageTab.ContactDetailMessageActivity2
  - android.mms.ui.MessageUtils.getMakeCallDirectlyIntent()

25 Evaluation
- Performance – processing time

26 Discussion
- Confused deputy attack: inter-app interactions are usually application-specific, so it is hard for the Android framework to infer the associated semantics
- Avoid unsafely exposing capabilities: develop a validator tool released with the Android SDK
- App-defined permissions
- 3rd-party capability leaks

27 Related Work
- Problems with Permissions: Kirin, Soundcomber, Guess Who’s Texting You
- Information Leak Detection: TaintDroid
- Market Issue: DroidRanger

28 Conclusions
- Capability leaks present a tangible threat to security and privacy on existing Android smartphones
- We present a system, Woodpecker, to detect these capability leaks
