Presentation is loading. Please wait.

Presentation is loading. Please wait.

2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.

Published byGrant Winn Modified over 9 years ago

Similar presentations

Presentation on theme: "2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking."— Presentation transcript:

1 2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking Attacks in Android Application Mu Zhang, Heng Yin Syracuse University 林良軒 2014/05/26 @ Advanced Defense Lab Seminar, NCU Email : linliang258369@gmail.com

2 Outline Introduction Component Hijacking Attack ImplementationEvaluationConclusionReference 1

3 Introduction Component Hijacking Attack : A class of attacks that seek to gain unauthorized access (read/write or combined) to protected or private resources through exported components in vulnerable apps. Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities (CCS 2012) 2

4 3 Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities

5 4 Component hijacking attacks Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities Contact Manager App EnumeratorService Enumerator Service Returns the address book upon request Accepts unauthorized requests READ Contacts Android Framework Unauthorized access to protected resources

6 Component hijacking attacks Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities Setting Update Receiver Accepts external updates App Internal DB is not permission protected Write to critical area Unauthorized access to private resources Contact Manager App Android Framework Setting Update Receiver Private Storage Private Storage KeyValue VoIP_Prefix“1234” Is_App_Lisencedfalse 5

7 AppSealer as a Security Service 6 1. No source code access 2. Vulnerability-specific patching 3. Minimal performance overhead 4. Minimal impact on usability

8 [ VulActivity ] onCreate() onStart() – getLocation() onDestroy() – post(addr, location) getLocation() – getLastKnownLocation() crypt() post() – HttpURLConnection – outputStrem 7

9 8

10 9

11 10

12 11

13 Workflow 12 (1)IR Translation (2)Slice Computation (3)Patch Statement Placement (4)Patch Statement Optimization (5)Bytecode Generation

14 Taint Slice Computation A. A.Forward Dataflow Analysis 1. 1.Basic Algorithm : use Def-use chain 2. 2.Special Considerations a. a.Static field b. b.Instance field c. c.Intent d. d.Class inheritance e. e.Thread B. B.Backward Dependency Analysis 13

15 14 Slice 1 Slice 2

16 15

17 Slice 1 16

18 Slice 1 17

19 Slice 1 18

20 Slice 1 19

21 Patch Statement Placement A. A.Tainting Policy 1. 1.Directly modifies the bytecode to keep track of selected tainted information 2. 2.Each single local variable, field, etc. - Have a shadow variable B. B.Creating Shadow Variables 1. 1.Local Variables 2. 2.Static/Instance Fields 3. 3.Parameters and Return Value C. C.Instrumenting the Source D. D.Instrumenting Taint Propagation E. E.Cleaning the Taint F. F.Instrumenting the Sink 20

22 Patch Statement Placement B. B.Shadow Variables 1. 1.Local Variables 21

23 Patch Statement Placement B. B.Shadow Variables 2. Static/Instance Fields 22

24 Patch Statement Placement B. B.Shadow Variables 3. Parameters and Return Value 23

25 Patch Statement Placement A. A.Tainting Policy 1. 1.Directly modifies the bytecode to keep track of selected tainted information 2. 2.Each single local variable, field, etc. - Have a shadow variable B. B.Creating Shadow Variables 1. 1.Local Variables 2. 2.Static/Instance Fields 3. 3.Parameters and Return Value C. C.Instrumenting the Source D. D.Instrumenting Taint Propagation E. E.Cleaning the Taint F. F.Instrumenting the Sink 24

26 Patch Statement Placement A. A.Tainting Policy 1. 1.Directly modifies the bytecode to keep track of selected tainted information 2. 2.Each single local variable, field, etc. - Have a shadow variable B. B.Creating Shadow Variables 1. 1.Local Variables 2. 2.Static/Instance Fields 3. 3.Parameters and Return Value C. C.Instrumenting the Source D. D.Instrumenting Taint Propagation E. E.Cleaning the Taint F. F.Instrumenting the Sink 25

27 Patch Statement Placement D. D.Instrumenting Taint Propagation 1. 1.Simple Assignments 26

28 Patch Statement Placement D. D.Instrumenting Taint Propagation 2. Function Calls 27

29 Patch Statement Placement D. D.Instrumenting Taint Propagation 3. 3.API Calls 1. 1.getString(), toString() 2. 2.Android.widget.TextView,setText() 3. 3.Vector.add(Object) 4. 4.Android.content.ContentValues.put(String key, Byte value) 4. 4.Tracking References If one of the references is tainted, all other references should also be tainted. 28

30 Patch Statement Placement A. A.Tainting Policy 1. 1.Directly modifies the bytecode to keep track of selected tainted information 2. 2.Each single local variable, field, etc. - Have a shadow variable B. B.Creating Shadow Variables 1. 1.Local Variables 2. 2.Static/Instance Fields 3. 3.Parameters and Return Value C. C.Instrumenting the Source D. D.Instrumenting Taint Propagation E. E.Cleaning the Taint F. F.Instrumenting the Sink 29

31 Patch Statement Placement E. E.Cleaning the Taint To properly clean the taint, for each variable appearing in the def-use chain inside the slice, we need to find all its definitions. For the definitions outside the slice, we need to insert a statement after that definition to set its shadow variable to 0(non-tainted) 30

32 Patch Statement Placement A. A.Tainting Policy 1. 1.Directly modifies the bytecode to keep track of selected tainted information 2. 2.Each single local variable, field, etc. - Have a shadow variable B. B.Creating Shadow Variables 1. 1.Local Variables 2. 2.Static/Instance Fields 3. 3.Parameters and Return Value C. C.Instrumenting the Source D. D.Instrumenting Taint Propagation E. E.Cleaning the Taint F. F.Instrumenting the Sink 31

33 Patch Statement Placement F. F.Instrumenting the Sink If they are tainted by certain sources, we can raise a pop-up dialog to the user, asking for decision. - -Restart - -Continue 32

34 Patch Optimization In order to reduce the amount of patch statements O1. Removing Redundant BoolWrappers Copy propagation and dead assignment elimination O2. Removing Redundant Function Parameters O3. Inlining Instrumentation Code O4. Soot’s Build-in Optimizations 33

35 Patch Optimization In order to reduce the amount of patch statements O1. Removing Redundant BoolWrappers O2. Removing Redundant Function Parameters 34

36 Patch Optimization In order to reduce the amount of patch statements O1. Removing Redundant BoolWrappers O2. Removing Redundant Function Parameters O3. Inlining Instrumentation Code Inlining the body of small function into its callers, the function call overhead can be avoided. 35

37 Patch Optimization In order to reduce the amount of patch statements O1. Removing Redundant BoolWrappers O2. Removing Redundant Function Parameters O3. Inlining Instrumentation Code O4. Soot’s Build-in Optimizations 36

38 Workflow 37 (1)IR Translation (2)Slice Computation (3)Patch Statement Placement (4)Patch Statement Optimization (5)Bytecode Generation

39 38

40 39

41 40

42 41

43 42

44 43

45 Evaluation 44

46 Evaluation 45

47 Evaluation 46

48 Evaluation 47

49 Conclution A.Automatically generate patch B.Shadow mechanism C.Optimization 48

Download ppt "2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking."

Similar presentations

Bruce Scharlau, University of Aberdeen, 2012 Data storage options for mobiles Mobile Computing.

Bruce Scharlau, University of Aberdeen, 2012 Data storage options for mobiles Mobile Computing.
Syracuse University, New York, USA

Syracuse University, New York, USA
L.C.Smith College of Engineering and Computer Science AppSealer : Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking.

L.C.Smith College of Engineering and Computer Science AppSealer : Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking.
School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.

School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.

Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerability Chao Shi CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities.

CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerability Chao Shi CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities.
Dynamic Self-Checking Techniques for Improved Tamper Resistance Bill Horne, Lesley Matheson, Casey Sheehan, Robert E. Tarjan STAR Lab, InterTrust Technologies.

Dynamic Self-Checking Techniques for Improved Tamper Resistance Bill Horne, Lesley Matheson, Casey Sheehan, Robert E. Tarjan STAR Lab, InterTrust Technologies.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee and Guofei Jiang CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerability.

Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee and Guofei Jiang CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerability.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Introducing Computer and Network Security

Introducing Computer and Network Security
Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.

Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.

Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.

Similar presentations

Ads by Google