Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of the Communication between Colluding Applications on Modern Smartphones Claudio Marforio 1, Hubert Ritzdorf 1, Aurélien Francillon 2, Srdjan.

Published byBarnard Bell Modified over 9 years ago

Similar presentations

Presentation on theme: "Analysis of the Communication between Colluding Applications on Modern Smartphones Claudio Marforio 1, Hubert Ritzdorf 1, Aurélien Francillon 2, Srdjan."— Presentation transcript:

1 Analysis of the Communication between Colluding Applications on Modern Smartphones Claudio Marforio 1, Hubert Ritzdorf 1, Aurélien Francillon 2, Srdjan Capkun 1 1 Institute of Information Security, ETH Zurich 2 Networking and Security Group, Eurecom Annual Computer Security Applications Conference (ACSAC) 2012 左昌國 10/29, 2012, Seminar @ ADLab, NCU

2 Introduction Channels Classification Channels Overt Channels in Android Covert Channels in Android Communication Channel with External Agents Results of the Analysis Existing Tools TaintDroid XManDroid Mitigation Techniques Conclusion Outline 2

3 Permission-based security models Assumption: Apps can be independently restricted in accessing resources and then safely composed on a single platform Collusion Attacks SoundComber (link)link Introduction 3 channel

4 This paper… demonstrates the practicality of application collusion attacks on Android measures the throughput of these attacks confirms that TaintDroid and XManDroid still fail to detect several of the implemented channels proposes countermeasures which limit the throughput Introduction 4

5 Application API: Android’s Java API, Windows Phone 7 C# / Silverlight APIs, iOS’s Object-C API OS Native calls Hardware Exploiting hardware functionalities Channels Classification 5

6 Shared Preferences (Application) The sink app uses an API to create an Android preference XML file World-readable and world-writable The source app writes ASCII data to it Internal Storage (Application) The source app writes a world-readable file to the internal storage The sink app reads it External Storage (Application) WRITE_EXTERNAL_STORAGE Overt Channels in Android 6

7 Broadcast Intents (Application) The source app adds private data as extra payload to a broadcast message The sink app registers itself to receive the message System Log (Application) The source writes a specially-crafted message to the system log The sink reads to extract the information READ_LOGS 4000 characters limit Overt Channels in Android 7

8 UNIX Socket Communication (OS) The source sends the data through a UNIX socket that the sink app opened Overt Channels in Android 8

9 Single and Multiple Settings (Application) The source modifies a general setting on the phone and the sink reads it SoundComber Multiple settings can be changed at the same time to achieve higher throughput Most settings can be changed without permissions Type of Intents (Application) The source sends a broadcast message to the sink and encodes the data into the type of the intent Flags, action, particular extra data Covert Channels in Android 9

10 Automatic Intents (Application/OS) The source modifies particular settings that trigger automatic broadcasts by the system to registered apps The vibration setting in SoundComber Ex: vibration on = 1; vibration off = 0 Threads Enumeration (OS) The source spawns a number of threads and the sink reads how many threads are currently active for the source app /proc filesystem Covert Channels in Android 10

11 UNIX Socket Discovery (OS) The source uses 2 sockets, a synchronization socket and a communication socket The sink checks if the source communication socket is open, and infer the transferred bit The synchronization socket is open if the communication socket can be checked Covert Channels in Android 11

12 Free Space on Filesystem (OS) The source app writes or deletes data on the disk to encode the information Ex: the source allocates 3 blocks to encode a ‘1’ and clears 3 blocks to encode a ‘0’ The sink checks the available blocks at predefined time intervals 75ms for Nexus One; 100ms for Galaxy S Bit-errors percentages 0.01% (Nexus One) 0.03% (Galaxy S) Covert Channels in Android 12

13 Reading /proc/stat (OS) The source app performs some computations, while the sink monitors the processor usage statistics Covert Channels in Android 13

14 Timing Channel (Hardware) The source runs CPU-intensive tasks as to send bit ‘1’ The sink continuously runs computation-intensive operations and records the time required to complete them An initial learning period is used to benchmark the system behavior Majority vote(out of 5) to eliminate noise Transmitting time interval: 6ms (Nexus One) Bit-errors percentages 0.10% (Nexus One) 0.05% (Galaxy S) Covert Channels in Android 14

15 Processor Frequency (Hardware) Similar to Timing Channel Improving the throughput and reducing the synchronization time Dynamic Frequency Scaling Source: the same as in the case of Timing Channel The sink monitors the trend of the processor frequency and decodes the current bit Afterward, the source waits for the CPU to “slow down” before the next transmission Bit-errors percentages 0.14% (Nexus One) 4.67% (Galaxy S) Covert Channels in Android 15

16 Covert Channels in Android 16

17 Similar to Processor Frequency covert channel The source either tries to increase the processor frequency or sleeps The sink measures how many dummy RC4 operations it can perform in a fix time period 1.29 bps (Nexus One) Communication Channel With External Agents 17

18 Low throughput: Timing channel (3.70 bps) GPS coordinates: 19.4 sec 135 byte contacts: 304.9 sec Processor Frequency (4.88 bps) GPS coordinates: 14.8 sec 135 byte contacts: 231.1 sec High throughput: Type of Intents or UNIX Socket Discovery Less than a second Results of the Analysis 18

19 Overt Channels Internal Storage and Broadcast Intents … ok External Storage The external storage uses the FAT filesystem w/o extended attributes Shared Preferences System Log TaintDroid is not currently capable to extend tagging to native code Removing the taint from tainted variables n-way Switch Statement: 27.65 Mbps Java Exception Handling: 107.42 kbps File-based: 680 bps Timing-based: 98 bps Existing Tools: TaintDroid 19

20 Policy enforcement Modifying the Android reference monitor to check for direct IPC calls at runtime indirect communication through Android system components The prototype successfully detected all Overt Channels except the System Log channel XManDroid would be able to detect the System Log channel Covert Channels Type of Intents and UNIX Socket Discovery … ok Reading /proc/stat and Threads Enumeration … ok Free Space on Filesystem, Processor Frequency, and Timing Channel Existing Tools: XManDroid 20

21 General Purpose Techniques User control on private data access Limiting APIs Limiting Multitasking Application Review Policy-Based Installation Strategy Application-Level Channels Operating-System-Level Channels Hardware-Level Channels REQUIRE_PRECISE_TIMING Mitigation Techniques 21

22 Collusion attacks against the permission-based mechanisms are a serious threat Covert channels with low throughput are sufficient to leak private data Current solutions do not provide a complete solution Conclusion 22

Download ppt "Analysis of the Communication between Colluding Applications on Modern Smartphones Claudio Marforio 1, Hubert Ritzdorf 1, Aurélien Francillon 2, Srdjan."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Section 6.2. Record data by magnetizing the binary code on the surface of a disk. Data area is reusable Allows for both sequential and direct access file.

Section 6.2. Record data by magnetizing the binary code on the surface of a disk. Data area is reusable Allows for both sequential and direct access file.
Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State.

Hi-Fi: Collecting High-Fidelity Whole-System Provenance Devin J.Pohly 1, Stephen McLaughlin 1, Patrick McDaniel 1, Kevin Butler 2 1 Pennsylvania State.
Roman Schlegel City University of Hong Kong Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Indiana University Bloomington NDSS SYMPOSIUM.

Roman Schlegel City University of Hong Kong Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Indiana University Bloomington NDSS SYMPOSIUM.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Location Cheating: A Security Challenge to Location- based Social Network Services Wenbo He 1, Xue Liu 2, Mai Ren 1 1 University of Nebraska-Lincoln 2.

Location Cheating: A Security Challenge to Location- based Social Network Services Wenbo He 1, Xue Liu 2, Mai Ren 1 1 University of Nebraska-Lincoln 2.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.
Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.

Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.
Intraship Integration Control Instructor: TV Prabakar.

Intraship Integration Control Instructor: TV Prabakar.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
Introduction to Systems Architecture Kieran Mathieson.

Introduction to Systems Architecture Kieran Mathieson.
3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.

3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.
2: OS Structures 1 Jerry Breecher OPERATING SYSTEMS STRUCTURES.

2: OS Structures 1 Jerry Breecher OPERATING SYSTEMS STRUCTURES.
Chapter 12 File Management Systems

Chapter 12 File Management Systems
1 Chapter 4 Threads Threads: Resource ownership and execution.

1 Chapter 4 Threads Threads: Resource ownership and execution.
Input/Output and Communication

Input/Output and Communication
Introduction. Why Study OS? Understand model of operation –Easier to see how to use the system –Enables you to write efficient code Learn to design an.

Introduction. Why Study OS? Understand model of operation –Easier to see how to use the system –Enables you to write efficient code Learn to design an.
SIMULATING ERRORS IN WEB SERVICES International Journal of Simulation: Systems, Sciences and Technology 2004 Nik Looker, Malcolm Munro and Jie Xu.

SIMULATING ERRORS IN WEB SERVICES International Journal of Simulation: Systems, Sciences and Technology 2004 Nik Looker, Malcolm Munro and Jie Xu.

Similar presentations

Ads by Google