PRIVEXEC: Private Execution as an Operating System Service

2014 Network and Distributed System Security Symposium
AppSealer:
Automatic Generation of Vulnerability-Specific
Patches for Preventing Component Hijecking
Attacks in Android Application
Mu Zhang, Heng Yin
Syracuse University
林良軒 2014/05/26 @ Advanced Defense Lab Seminar, NCU
Email : linliang258369@gmail.com
Outline
Introduction
Component Hijacking Attack
Implementation
Evaluation
Conclusion
Reference
1
Introduction
Component Hijacking Attack :
A class of attacks that seek to
gain unauthorized access (read/write or combined) to
protected or private resources
through exported components in vulnerable apps.
Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities (CCS 2012)
2
Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
3
Component hijacking attacks
Unauthorized access to protected resources
Enumerator
Service
Enumerator Service
Contact Manager App
Returns the
address book upon
request
Accepts
unauthorized
requests
READ
Android Framework
Contacts
Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
4
Component hijacking attacks
Unauthorized access to private resources
Setting Update
Receiver
Private
Storage
Android Framework
Key
Value
VoIP_Prefix
“1234”
Is_App_Lisenced
false
Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Setting Update Receiver
Contact Manager App
Accepts external
updates
App Internal DB is
not permission
protected
Write to critical
area
5
AppSealer as a Security Service
1. No source code access
2. Vulnerability-specific patching
3. Minimal performance overhead
4. Minimal impact on usability
6
[ VulActivity ]
onCreate()
onStart()
– getLocation()
onDestroy()
– post(addr, location)
getLocation()
– getLastKnownLocation()
crypt()
post()
– HttpURLConnection
– outputStrem
7
8
9
10
11
Workflow
(1)IR Translation
(2)Slice Computation
(3)Patch Statement Placement
(4)Patch Statement Optimization
(5)Bytecode Generation
12
Taint Slice Computation
A. Forward Dataflow Analysis
1. Basic Algorithm : use Def-use chain
2. Special Considerations
a.
Static field
b.
Instance field
c.
Intent
d.
Class inheritance
e.
Thread
B. Backward Dependency Analysis
13
Slice 1
Slice 2
14
Slice 2
15
Slice 1
16
Slice 1
17
Slice 1
18
Slice 1
19
Patch Statement Placement
A. Tainting Policy
1.
Directly modifies the bytecode to keep track of selected tainted
information
2.
Each single local variable, field, etc.
- Have a shadow variable
B. Creating Shadow Variables
C.
D.
E.
F.
1.
Local Variables
2.
Static/Instance Fields
3.
Parameters and Return Value
Instrumenting the Source
Instrumenting Taint Propagation
Cleaning the Taint
Instrumenting the Sink
20
Patch Statement Placement
B. Shadow Variables
1. Local Variables
21
Patch Statement Placement
B. Shadow Variables
2. Static/Instance Fields
22
Patch Statement Placement
B. Shadow Variables
3. Parameters and Return Value
23
Patch Statement Placement
A. Tainting Policy
1.
Directly modifies the bytecode to keep track of selected tainted
information
2.
Each single local variable, field, etc.
- Have a shadow variable
B. Creating Shadow Variables
C.
D.
E.
F.
1.
Local Variables
2.
Static/Instance Fields
3.
Parameters and Return Value
Instrumenting the Source
Instrumenting Taint Propagation
Cleaning the Taint
Instrumenting the Sink
24
Patch Statement Placement
A. Tainting Policy
1.
Directly modifies the bytecode to keep track of selected tainted
information
2.
Each single local variable, field, etc.
- Have a shadow variable
B. Creating Shadow Variables
C.
D.
E.
F.
1.
Local Variables
2.
Static/Instance Fields
3.
Parameters and Return Value
Instrumenting the Source
Instrumenting Taint Propagation
Cleaning the Taint
Instrumenting the Sink
25
Patch Statement Placement
D. Instrumenting Taint Propagation
1. Simple Assignments
26
Patch Statement Placement
D. Instrumenting Taint Propagation
2. Function Calls
27
Patch Statement Placement
D. Instrumenting Taint Propagation
3. API Calls
1. getString(), toString()
2. Android.widget.TextView,setText()
3. Vector.add(Object)
4. Android.content.ContentValues.put(String key, Byte value)
4. Tracking References
If one of the references is tainted, all other references should also be
tainted.
28
Patch Statement Placement
A. Tainting Policy
1.
Directly modifies the bytecode to keep track of selected tainted
information
2.
Each single local variable, field, etc.
- Have a shadow variable
B. Creating Shadow Variables
C.
D.
E.
F.
1.
Local Variables
2.
Static/Instance Fields
3.
Parameters and Return Value
Instrumenting the Source
Instrumenting Taint Propagation
Cleaning the Taint
Instrumenting the Sink
29
Patch Statement Placement
E. Cleaning the Taint
To properly clean the taint, for each variable appearing in the def-use chain
inside the slice, we need to find all its definitions.
For the definitions outside the slice, we need to insert a statement after that
definition to set its shadow variable to 0(non-tainted)
30
Patch Statement Placement
A. Tainting Policy
1.
Directly modifies the bytecode to keep track of selected tainted
information
2.
Each single local variable, field, etc.
- Have a shadow variable
B. Creating Shadow Variables
C.
D.
E.
F.
1.
Local Variables
2.
Static/Instance Fields
3.
Parameters and Return Value
Instrumenting the Source
Instrumenting Taint Propagation
Cleaning the Taint
Instrumenting the Sink
31
Patch Statement Placement
F. Instrumenting the Sink
If they are tainted by certain sources, we can raise a pop-up dialog to the
user, asking for decision.
-
Restart
-
Continue
32
Patch Optimization
In order to reduce the amount of patch statements
O1. Removing Redundant BoolWrappers

Copy propagation and dead assignment elimination
O2. Removing Redundant Function Parameters
O3. Inlining Instrumentation Code
O4. Soot’s Build-in Optimizations
33
Patch Optimization
In order to reduce the amount of patch statements
O1. Removing Redundant BoolWrappers
O2. Removing Redundant Function Parameters
34
Patch Optimization
In order to reduce the amount of patch statements
O1. Removing Redundant BoolWrappers
O2. Removing Redundant Function Parameters
O3. Inlining Instrumentation Code

Inlining the body of small function into its callers, the function call overhead can be avoided.
35
Patch Optimization
In order to reduce the amount of patch statements
O1. Removing Redundant BoolWrappers
O2. Removing Redundant Function Parameters
O3. Inlining Instrumentation Code
O4. Soot’s Build-in Optimizations
36
Workflow
(1)IR Translation
(2)Slice Computation
(3)Patch Statement Placement
(4)Patch Statement Optimization
(5)Bytecode Generation
37
38
39
40
41
42
43
Evaluation
44
Evaluation
45
Evaluation
46
Evaluation
47
Conclution
A. Automatically generate patch
B. Shadow mechanism
C. Optimization
48