Analysis of the Communication between Colluding Applications on Modern Smartphones. Claudio Marforio¹, Hubert Ritzdorf¹, Aurélien Francillon², Srdjan Capkun¹ (¹ Institute of Information Security, ETH Zurich; ² Networking and Security Group, Eurecom). Annual Computer Security Applications Conference (ACSAC) 2012. 左昌國, 10/29, 2012, Seminar @ ADLab, NCU

Analysis of the Communication between Colluding Applications on Modern Smartphones

Claudio Marforio¹, Hubert Ritzdorf¹, Aurélien Francillon², Srdjan Capkun¹

¹ Institute of Information Security, ETH Zurich
² Networking and Security Group, Eurecom

Annual Computer Security Applications Conference (ACSAC) 2012

左昌國, 10/29, 2012, Seminar @ ADLab, NCU

Outline

• Introduction
• Channels Classification
• Channels
  • Overt Channels in Android
  • Covert Channels in Android
  • Communication Channel with External Agents
• Results of the Analysis
• Existing Tools
  • TaintDroid
  • XManDroid
• Mitigation Techniques
• Conclusion

Introduction

• Permission-based security models
  • Assumption: Apps can be independently restricted in accessing resources and then safely composed on a single platform
• Collusion Attacks
  • SoundComber (link)

Introduction

• This paper…
  • demonstrates the practicality of application collusion attacks on Android
  • measures the throughput of these attacks
  • confirms that TaintDroid and XManDroid still fail to detect several of the implemented channels
  • proposes countermeasures which limit the throughput

Channels Classification

• Application
  • API: Android’s Java API, Windows Phone 7 C# / Silverlight APIs, iOS’s Objective-C API
• OS
  • Native calls
• Hardware
  • Exploiting hardware functionalities

Overt Channels in Android

• Shared Preferences (Application)
  • The sink app uses an API to create an Android preference XML file
    • World-readable and world-writable
  • The source app writes ASCII data to it
• Internal Storage (Application)
  • The source app writes a world-readable file to the internal storage
  • The sink app reads it
• External Storage (Application)
  • WRITE_EXTERNAL_STORAGE
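A defender-side check for the Shared Preferences and Internal Storage channels above, as an added example that is not part of the original slides: it walks a copy of an app data tree (for instance one pulled from a test device) and reports regular files whose mode bits let other UIDs read or write them. The package names, file names and modes in the sample tree are constructed.

```python
import os
import stat
import tempfile


def audit_app_data(root):
    """Return (path, kind, flags) for regular files that other UIDs can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks and special files are out of scope here
            flags = []
            if mode & stat.S_IROTH:
                flags.append("world-readable")
            if mode & stat.S_IWOTH:
                flags.append("world-writable")
            if not flags:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            in_prefs = "shared_prefs" in rel.split("/")[:-1]
            kind = "shared-preferences" if in_prefs and name.endswith(".xml") else "internal-storage"
            findings.append((rel, kind, tuple(flags)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: hypothetical package names and file modes."""
    layout = {
        "com.example.sink/shared_prefs/channel.xml": 0o666,
        "com.example.source/files/export.bin": 0o644,
        "com.example.source/shared_prefs/settings.xml": 0o660,
        "com.example.source/files/cache.db": 0o600,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit, so the process umask does not matter


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind, flags in audit_app_data(tmp):
            print(f"{rel}: {kind}: {', '.join(flags)}")
```

A world-writable preference file is the stronger signal of the two, since it allows a second app to write into the first app's data.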

Overt Channels in Android

• Broadcast Intents (Application)
  • The source app adds private data as extra payload to a broadcast message
  • The sink app registers itself to receive the message
• System Log (Application)
  • The source writes a specially-crafted message to the system log
  • The sink reads to extract the information
  • READ_LOGS
  • 4000 characters limit

Overt Channels in Android

• UNIX Socket Communication (OS)
  • The source sends the data through a UNIX socket that the sink app opened

Covert Channels in Android

• Single and Multiple Settings (Application)
  • The source modifies a general setting on the phone and the sink reads it
    • SoundComber
  • Multiple settings can be changed at the same time to achieve higher throughput
  • Most settings can be changed without permissions
• Type of Intents (Application)
  • The source sends a broadcast message to the sink and encodes the data into the type of the intent
    • Flags, action, particular extra data

Covert Channels in Android

• Automatic Intents (Application/OS)
  • The source modifies particular settings that trigger automatic broadcasts by the system to registered apps
  • The vibration setting in SoundComber
    • Ex: vibration on = 1; vibration off = 0
• Threads Enumeration (OS)
  • The source spawns a number of threads and the sink reads how many threads are currently active for the source app
  • /proc filesystem

Covert Channels in Android

• UNIX Socket Discovery (OS)
  • The source uses 2 sockets, a synchronization socket and a communication socket
  • The sink checks if the source communication socket is open, and infers the transferred bit
  • The synchronization socket is open if the communication socket can be checked

Covert Channels in Android

• Free Space on Filesystem (OS)
  • The source app writes or deletes data on the disk to encode the information
    • Ex: the source allocates 3 blocks to encode a ‘1’ and clears 3 blocks to encode a ‘0’
  • The sink checks the available blocks at predefined time intervals
    • 75ms for Nexus One; 100ms for Galaxy S
  • Bit-errors percentages
    • 0.01% (Nexus One)
    • 0.03% (Galaxy S)

Covert Channels in Android

• Reading /proc/stat (OS)
  • The source app performs some computations, while the sink monitors the processor usage statistics

Covert Channels in Android

• Timing Channel (Hardware)
  • The source runs CPU-intensive tasks to send bit ‘1’
  • The sink continuously runs computation-intensive operations and records the time required to complete them
  • An initial learning period is used to benchmark the system behavior
  • Majority vote (out of 5) to eliminate noise
  • Transmitting time interval: 6ms (Nexus One)
  • Bit-errors percentages
    • 0.10% (Nexus One)
    • 0.05% (Galaxy S)

Covert Channels in Android

• Processor Frequency (Hardware)
  • Similar to Timing Channel
  • Improving the throughput and reducing the synchronization time
    • Dynamic Frequency Scaling
  • Source: the same as in the case of Timing Channel
  • The sink monitors the trend of the processor frequency and decodes the current bit
  • Afterward, the source waits for the CPU to “slow down” before the next transmission
  • Bit-errors percentages
    • 0.14% (Nexus One)
    • 4.67% (Galaxy S)


Communication Channel With External Agents

• Similar to Processor Frequency covert channel
• The source either tries to increase the processor frequency or sleeps
• The sink measures how many dummy RC4 operations it can perform in a fixed time period
• 1.29 bps (Nexus One)

Results of the Analysis

• Low throughput:
  • Timing channel (3.70 bps)
    • GPS coordinates: 19.4 sec
    • 135 byte contacts: 304.9 sec
  • Processor Frequency (4.88 bps)
    • GPS coordinates: 14.8 sec
    • 135 byte contacts: 231.1 sec
• High throughput:
  • Type of Intents or UNIX Socket Discovery
    • Less than a second

Existing Tools: TaintDroid

• Overt Channels
  • Internal Storage and Broadcast Intents … ok
  • External Storage
    • The external storage uses the FAT filesystem w/o extended attributes
  • Shared Preferences
  • System Log
    • TaintDroid is not currently capable of extending tagging to native code
• Removing the taint from tainted variables
  • n-way Switch Statement: 27.65 Mbps
  • Java Exception Handling: 107.42 kbps
  • File-based: 680 bps
  • Timing-based: 98 bps

Existing Tools: XManDroid

• Policy enforcement
  • Modifying the Android reference monitor to check for
    • direct IPC calls at runtime
    • indirect communication through Android system components
• The prototype successfully detected all Overt Channels
  • except the System Log channel
  • XManDroid would be able to detect the System Log channel
• Covert Channels
  • Type of Intents and UNIX Socket Discovery … ok
  • Reading /proc/stat and Threads Enumeration … ok
  • Free Space on Filesystem, Processor Frequency, and Timing Channel

Mitigation Techniques

• General Purpose Techniques
  • User control on private data access
  • Limiting APIs
  • Limiting Multitasking
  • Application Review
  • Policy-Based Installation Strategy
• Application-Level Channels
• Operating-System-Level Channels
• Hardware-Level Channels
  • REQUIRE_PRECISE_TIMING

Conclusion

• Collusion attacks against the permission-based mechanisms are a serious threat
• Covert channels with low throughput are sufficient to leak private data
• Current solutions do not provide a complete solution