Presentation is loading. Please wait.

Presentation is loading. Please wait.

Effective Real-time Android Application Auditing

Published byWilfrid Poole Modified over 9 years ago

Similar presentations

Presentation on theme: "Effective Real-time Android Application Auditing"— Presentation transcript:

1 Effective Real-time Android Application Auditing
Presented by Lihua Ren

2 Personal data in mobile devices
1

3 Problem Definition Abuses of personal data Data leaks
Tamper user privacy Abandon apps Harming app developers Harming app market intentionally e.g. for improper advertising revenue unintentionally e.g. exposing there data in plain-text over public networks 2

4 Existing work Analyze and identify data-leaking apps based on static program analysis: AppIntent Pios Flowdroid Merits : comprehensively examine program data flows comprehensively reveal data-leaking code paths Limitation : inefficient (time- and memory -consuming) produces false alarms 3

5 Outline Problem definition Prior work Evaluation Discussion
AppAudit (new idea) Design overview Efficient Static API Analysis Approximated Execution Evaluation Discussion 4

6 Approach of this study Approach:
AppAudit: a program analysis framework that can analyze apps efficiently and effectively. In real-time Report actual data leaks 5

7 AppAudit: Use cases integrated into IDEs to check apps for developers before release identify problematic 3rd-party modules deployed as an automatic app auditing service at app markets wipe out human involvement in validating analysis results installed on mobile devices to check apps before installation protect users against data-leaking apps from untrusted sources or app markets that lack auditing service 6

8 AppAudit: Design overview
Goal: tackle analysis efficiency and false positives Idea: 2 steps start with a very lightweight static API analysis rely on a dynamic analysis to prune its false positives 7

9 Tackle false positives
Static analysis solutions (existing work) VS AppAudit Static analysis solutions: explore all code paths AppAudit: only explores code paths that could happen in real -> few false positives Challenge of AppAudit When dynamic analysis meets unknowns, it can hardly explore deeply into code paths, which will cause false negatives. Approach of AppAudit design a novel object model to represent and propagate unknowns design several execution mechanisms to increase the depth of our analysis and avoid false negatives 8

10 Step 1: Efficient Static API Analysis
Goal: Efficiently find functions that can potentially cause data leaks Essential conditions for data leak Reach a Source API to retrieve personal data Reach a Sink API to transmit data out of the device Finding data leak 〓 Finding one path from the function to a source API and another to a sink API 9

11 Step 1: Efficient Static API Analysis (CONT)
API Usage Analysis Firstly ,build a standard call graph from program bytecode Then extend it Finally, perform a breadth-first search to mark all suspicious functions Why extend? how to extend? 10

12 Call Graph Extensions Traditional call graph
Missing paths: Dynamic Java language features, Android programming model AppAudit: Call Graph Extensions Java Virtual Calls and Reflection Calls Assume virtual calls can reach any matching method from all inherited classes while a reflection call will directly be marked suspicious Static Fields as Intermediates Android Life Cycle Methods Multi-threading GUI Event Callbacks Android Remote Procedure Call (RPC) 11

13 Call Graph Extensions(CONT)
12

14 Call Graph Extensions(CONT)
13

15 Step 2: Approximated execution
Definition A dynamic analysis that executes the bytecode instructions of a suspicious function and reports when data leak happens Component typical register set a program counter (pc) a call stack as its execution context 3 working modes “execution (exec)” mode: interpret bytecodes and perform operations “check” mode: check the parameters for the sink API “approximation (approx)” mode: facing unknown -> switch to this mode for approximations to continue the execution. 14

16 Approximated Executor State Machine
exec: Tainted objects propagate with the execution and taint any object derived from them check: Tainted objects are found, report and terminate (“end” final state); otherwise, revert back approx: If fail, enter “leap” final state leap: terminate current execution and start executing one of its caller function 15

17 Object Representation
Type: i.e. int, long, string object kind: concrete object (CON): created during the execution process prior unknown (PU): exist prior to the execution process and contain unknown values derived unknown (DU): a prior unknown but is changed during the execution process store the known value(s) of the object i.e. Unknown value 16

18 Execution Rules (Table Ⅱ)
17

19 Taint Taint representation: Tainting rules
Personal data is marked as tainted. Taints propagate along with the object. If a sink API meets a tainted object, report a leak. 18

20 Approximation Mode When to change to approximation mode:
a conditional jump instruction meets unknown values Unknown Branching Approximation Idea: skip unknown loop as these loops cannot provide useful known information from unknowns. 19

21 Unknown Branching Approximation
Choose not to take the conditional branch to skip these loops 20

22 Unknown Branching Approximation
Cannot distinguish ifs and loops -> Only explore the “then” branch for unknown if-else structures This bias is benign 21

23 x, y are correlated but it always produce untainted y
Accuracy Analysis Execution mode: faithfully reproduce the actual path of the real execution Approximation mode: only misses non-leaking paths and is benign to the overall accuracy Limitations of Taint Analysis Taint Sanitization: only add and propagate taints but never remove them -> inaccuracy and false positives. (i.e ) Array Indexing: i.e , will be tainted if is tainted. -> over-taints -> false positives Control Flow Dependent Taints : x, y are correlated but it always produce untainted y 22

24 Outline Problem definition Prior work Evaluation Discussion
AppAudit (new idea) Design overview Efficient Static API Analysis Approximated Execution Evaluation Discussion 23

25 Evaluation Methodology: Evaluation datasets:
Completeness of Static API Analysis: by micro-benchmark Detection Accuracy: by malware samples Usability: by real-word apps Characterization of Data Leaks in Real Apps: to provide guidance Evaluation datasets: 24

26 Completeness of Static API Analysis
FlowDroid: a state-of-the-art pure static analysis tool False negatives: When: particular user inputs happen in a particular order Why: AppAudit cannot model infinite possibility of user input orderings Explanation: Some particular ordering of user inputs might imply user awareness of the data leak, so a detection tool should not report such leaks. 25

27 Detection Accuracy 19

28 Detection Accuracy 19

29 Usability 19

30 Characterization of Data Leaks in Real Apps
19

31 Characterization of Data Leaks in Real Apps
19

32 Questions Question 1: AppAudit adopts a two-stage design. What are the two stages and their responsibilities? Question 2: what might lead to approximation failure? Question 3: Unknown branching approximation Only explores the “then” branch for unknown if-else structures, but this bias is benign. Why? 44

33 Thanks!

Download ppt "Effective Real-time Android Application Auditing"

Similar presentations

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.

P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Yoshi

Yoshi
Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.

Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.
Sim-alpha: A Validated, Execution-Driven Alpha 21264 Simulator Rajagopalan Desikan, Doug Burger, Stephen Keckler, Todd Austin.

Sim-alpha: A Validated, Execution-Driven Alpha Simulator Rajagopalan Desikan, Doug Burger, Stephen Keckler, Todd Austin.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.

Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.
CS 536 Spring 20011 Intermediate Code. Local Optimizations. Lecture 22.

CS 536 Spring Intermediate Code. Local Optimizations. Lecture 22.
About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.

About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.
Introduction & Overview CS4533 from Cooper & Torczon.

Introduction & Overview CS4533 from Cooper & Torczon.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.

Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources Boxuan Gu, Xinfeng Li, Gang Li, Adam C. Champion,

D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources Boxuan Gu, Xinfeng Li, Gang Li, Adam C. Champion,
NDSS 2007 Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna.

NDSS 2007 Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna.
Protection and the Kernel: Mode, Space, and Context.

Protection and the Kernel: Mode, Space, and Context.
CS 501: Software Engineering Fall 1999 Lecture 16 Verification and Validation.

CS 501: Software Engineering Fall 1999 Lecture 16 Verification and Validation.

Similar presentations

Ads by Google