Embed Size (px)
Citation preview
Petar TsankovETHZurich
MarcoPistoiaIBMT.J.WatsonResearchCenter
OmerTrippGoogleInc.
MartinVechevETHZurich
PietroFerraraJulia
Functionality-AwareSecurityEnforcement
FASE:
InformationFlowVulnerabilitiesinMobileApps
2
Confidentialdata
‘ OR 1 = 1
Untrustedinputs
Manualanalysisofinformationflowthreatsischallenging
AppAttacker
ExistingSolutions
3
Sink
SourceDetection§ TaintDroid(dynamic)§ FlowDroid(static)
Enforcement§ AppFence(masking&blocking)
Raiseanalarmwhenbadflowisdetected
Mask/blockbadflows
ExistingSolutions
4
Sink
SourceDetection§ TaintDroid(dynamic)§ FlowDroid(static)
Enforcement§ AppFence(masking&blocking)
Mask/blockbadflows
However,correct securityenforcementdependsontheapp’sfunctionality
TheLackofFunctionality-Awareness
5
NormalBehavior AppsecuredwithAppFence
TheLackofFunctionality-Awareness
6
NormalBehavior AppsecuredwithAppFence
Whatcausesthesesideeffectsandcrashes?
7
IllustrativeExample
IllustrativeExample
8
String imsi = getSubscriberId(); // source
// imsi↦"310152843957264"
HttpGet request = new HttpGet("analytics.com?id=" + imsi);
// request.uri↦"analytics.com?id=310152843957264"
httpClient.execute(req); // sink
SourcereturnstheInternationalMobile
SubscriberIdentity(IMSI)
TheIMSIflowsintoasink aspartoftheURI
310152843957264
IllustrativeExample
9
String imsi = getSubscriberId(); // source
// imsi↦"310152843957264"
HttpGet request = new HttpGet("analytics.com?id=" + imsi);
// request.uri↦"analytics.com?id=310152843957264"
httpClient.execute(req); // sink
SourcereturnstheInternationalMobile
SubscriberIdentity(IMSI)
310152843957264
HowcanwecorrectlyanonymizetheURIthatcontainstheIMSI?
CommonFunctionalityConstraints
10
Genericconstraint“MustabideURIformat”
Mustnotmodifytrustedparts
App-specificconstraint“Keepfirstsixdigitsintact”
request.uri = "XYZ"
request.uri = "analytics.com?id=000000000000000"
request.uri = "analytics.com?id=310152000000000"
request.uri↦"analytics.com?id=310152843957264"
Incorrect
CorrectIncorrect
request.uri = "xyz.com?id=XYZ" Incorrect
11
Howcanweenforcesecuritywhilesatisfyingsuchfunctionalityconstraints?
Fine-grainedDataFlowTracking
Functionality-AwareSecurityEnforcement(FASE)
12
Sink
Source
Safevaluessynthesizer
FunctionalityConstraints
Synthesizeconstraint-compliantvalue
Capturegenericandapp-specificconstraints
Fine-grainedDataFlowTracking
Functionality-AwareSecurityEnforcement(FASE)
13
Sink
Source
Safevaluessynthesizer
FunctionalityConstraints
Capturegenericandapp-specificconstraints
AppsecuredwithFASE
Fine-grainedDataFlowTracking
Functionality-AwareSecurityEnforcement(FASE)
14
Sink
Source FunctionalityConstraints
Safevaluessynthesizer
Fine-GrainedDataFlowTracking
15
String imsi = getSubscriberId(); // source (IMSI)// imsi↦"310152843957264"HttpGet request = new HttpGet("analytics.com?id=" + imsi);// request.uri↦"analytics.com?id=310152843957264"
Character-levelTrackingforStrings
Value-basedTrackingforPrimitives EachcharacterismappedtolabelaIMSILocation l = getLastKnownLocation(GPS);
// l.lat↦37.3876, l.lon↦122.0575EachvalueismappedtolabelaLocation
Fine-grainedDataFlowTracking
Functionality-AwareSecurityEnforcement(FASE)
16
Sink
Source FunctionalityConstraints
Safevaluessynthesizer
TwoKindsofFunctionalityConstraints
17
Generic§ Specifiedonceforallapps§ Capturesinkpre-conditions
Example:“URIstringsmustbevalid”<Uri> ::= “http” “s”? “://”
<Chars> “.” <Dom> <Args><Chars> ::= [a-zA-Z0-9]+
<Dom> ::= “com” | “net” | ...
Application-specific§ Specifiedbydevelopers§ CapturedinadesignatedDSL
Example:“First6charsofIMSImustbekeptintactwhensenttoanalytics.com”
if uri.startsWith(“analytics.com”)constrain uri< > to val.substr(0,6).[0-9]9
IMSI
Fine-grainedDataFlowTracking
Functionality-AwareSecurityEnforcement(FASE)
18
Sink
Source FunctionalityConstraints
Safevaluessynthesizer
Synthesizer
19
Genericconstraint<Uri> ::= [a-zA-Z0-9]+ . <Dom>
App-specificconstraintif uri.startsWith(“analytics.com”)constrain uri< > to val.substr(0,6).[0-9]9
Labeledstring"analytics.com?id= "
Derivedregularexpression"analytics.com?id=310152".[0-9]9
310152843957264
IMSI
Constraint-compliantstring"analytics.com?id=31015200000000"
20
Implementation&Experiments
FASESystemImplementation
21
DataFlowTracking§ InstrumentsAndroidLibraries(String,StringBuilder,...)aswellas
sourcesandsinks(>10K)§ Efficiencyachievedbylocality-awarememoryallocationforlabels
App-levelInstrumentation§ Rewritessourceandsinkcallstoinvokesynthesizer
Synthesizer§ UsestheACLAframeworkforanalysiscontext-freeandregular
languages§ Efficiencyachievedbycombinationofcachingandshort-circuiting
heuristics
Experiments
22
BenchmarkApplications§ 20appsusedinpriorstudies§ Onaverage,theseappshave500source/sinkcallsitesand10security-relevantflows
RobustnessCantheFASEsystemsecureappswhilepreservingfunctionality?
OverheadWhatistheoverheadcausedbytheFASEsystem?
RobustnessExperiment
23
CoarseTracking
NoConstraints
GenericConstraints
FASESystem
Fine-grainedTracking
GenericConstraints
App-specificConstraints
RobustnessExperiment
24
CoarseTracking
NoConstraints
GenericConstraints
FASESystem
0
4
8
#ofapplications
Crash
Majorsideeffects
Minorsideeffects
NocrashesOnly1appshowsaminorsideeffect
TheFASEsystemsecuresappsinarobustway
25
OverheadExperiment
Applications0
1
2
3
Taskcompletiontime(inseconds)StockAndroiddevice
WithFASE
Roughly10%overhead
Summary
26
Existingenforcementsolutionsoftenbreak
functionality
DataFlowTracking
Sink
Source
Safevaluessynthesizer
FunctionalityConstraints
Functionality-awaresecurityenforcement
CoarseTracking
FASESystem
Robust securityenforcementwithlowoverhead
