Soundminer *

Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones
Roman Schlegel (City University of Hong Kong)
Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang (Indiana University Bloomington)
NDSS Symposium 2011
Presenter: 張逸文
Outline
• Introduction
• Overview
• Context-Aware Information Collection
• Stealthy Data Transmission
• Defense Architecture
• Evaluation
• Discussion
• Conclusion
Introduction (1/2)
• Smartphones are full-fledged computing platforms
• The plague of data-stealing malware
• Sensory malware: malware that abuses the phone's sensors, e.g. the video camera or the microphone
• Existing security protections
  • Applications sandboxed in Java virtual machines (Android)
  • Anti-virus
  • Controls on installing untrusted software
• Two new observations
  • The context of a phone conversation is predictable and can be fingerprinted (an automated hotline always plays the same menu)
  • Smartphones have built-in covert channels between applications
Introduction (2/2)
• Main goal: extract a small amount of high-value private data from phone conversations (e.g. a credit card number keyed in or spoken during a call to a hotline) and transmit it to a malicious party
• Major contributions:
  • Targeted, context-aware information discovery from sound recordings
  • Stealthy data transmission
  • Implementation and evaluation
  • A defensive architecture
Overview (1/2)
• Assumptions
  • The Trojan works under limited privileges: only innocuous permissions, in particular no network access for the recording component
• Architectural overview
Overview (2/2)
• Video demo (the 16-digit number used in the demo: 4392 2588 8888 8888)
Context-Aware Information Collection (1/7)
• Monitor the phone state; identify the call, record it, analyse the recording and extract the target data
• 1. Audio recording
• 2. Audio processing
• 3. Targeted data extraction using profiles
Context-Aware Information Collection (2/7)
• 1. Audio recording
  • When to record: whenever the user initiates a phone call; recording runs in the background
  • Determining the number called
    • Either intercept outgoing phone calls / read contact data (needs the corresponding permissions)
    • Or compare the first segment of the recording (the hotline's greeting) with keywords in a database of relevant, non-overlapping keywords; this minimizes the necessary permissions
Context-Aware Information Collection (3/7)
• 2. Audio processing
  • Decode the recorded file
  • Speech/tone recognition
  • Speech/tone extraction
Context-Aware Information Collection (4/7)
• a) Tone recognition
  • DTMF (dual-tone multi-frequency): the signaling channel that informs the mobile phone network of the pressed key
  • The handset plays the same tone as aural feedback, so every key press leaks into the recording as a side channel
  • Tones are detected with Goertzel's algorithm (cheap per-frequency detection, no full FFT)
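The recognition step above, as an added example that is not the Soundcomber code: Goertzel's recurrence computes the power of each of the eight DTMF frequencies per frame, a key is accepted only when one row tone and one column tone clearly dominate, and runs of identical detections are collapsed into the dialled string. The sample rate, frame length, thresholds and the synthetic "handset feedback" recording are assumptions.

```python
import math

# Constructed example of DTMF tone recognition with Goertzel's algorithm.
# Not the Soundcomber code: sample rate, frame length and the decision
# thresholds below are assumptions chosen for telephone-band audio.
SAMPLE_RATE = 8000          # telephone-quality audio, samples per second
FRAME_LEN = 205             # classic DTMF frame length for 8 kHz input
LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of one frequency bin via Goertzel's recurrence instead of a
    full FFT; cheap enough to run on the phone for every frame."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)   # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def detect_key(frame, min_power=400.0, dominance=4.0):
    """Keypad character for a frame, or None when no single row tone and
    column tone clearly dominate their group (silence, speech, or a frame
    that only grazes the edge of a tone)."""
    picks = []
    for group in (LOW_FREQS, HIGH_FREQS):
        ranked = sorted(((goertzel_power(frame, f), f) for f in group), reverse=True)
        (p_best, f_best), (p_second, _) = ranked[0], ranked[1]
        if p_best < min_power or p_best < dominance * p_second:
            return None
        picks.append(f_best)
    return KEYPAD[LOW_FREQS.index(picks[0])][HIGH_FREQS.index(picks[1])]


def decode_sequence(samples, frame_len=FRAME_LEN):
    """Slide non-overlapping frames over the recording and collapse runs of
    identical detections; a silent gap (None) separates repeated keys."""
    keys, prev = [], None
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        key = detect_key(samples[start:start + frame_len])
        if key is not None and key != prev:
            keys.append(key)
        prev = key
    return "".join(keys)


def synth_dialing(keys, tone_s=0.1, gap_s=0.1, amplitude=0.5, sample_rate=SAMPLE_RATE):
    """Constructed input: the handset's audible keypad feedback for a dialled
    string as it would appear in a call recording (tone, gap, tone, ...)."""
    samples = []
    for key in keys:
        row = next(r for r, line in enumerate(KEYPAD) if key in line)
        col = KEYPAD[row].index(key)
        f_low, f_high = LOW_FREQS[row], HIGH_FREQS[col]
        for i in range(int(tone_s * sample_rate)):
            t = i / sample_rate
            samples.append(amplitude * (math.sin(2 * math.pi * f_low * t)
                                        + math.sin(2 * math.pi * f_high * t)))
        samples.extend([0.0] * int(gap_s * sample_rate))
    return samples


if __name__ == "__main__":
    print(decode_sequence(synth_dialing("4392")))   # 4392
```

The dominance test matters more than the absolute threshold: speech and line noise spread energy over many bins, so they rarely produce one row tone and one column tone that each beat their neighbours by a factor of four, which is what keeps the detector from hallucinating digits from the IVR's voice.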
Context-Aware Information Collection (5/7)
• b) Speech recognition
  • Google's speech recognition service
  • PocketSphinx (on-device recogniser)
  • Segmentation: find the frames that contain speech before passing them to the recogniser
    • Energy of frame $k$ ($n_s$ samples per frame): $\sigma_k = \frac{1}{n_s}\sum_{j=0}^{n_s} x_j^2$
    • Mean energy of the whole recording ($n_f$ frames): $\sigma_{\mathrm{Recording}} = \frac{1}{n_f}\sum_{k=0}^{n_f}\sigma_k$
    • $\sigma_k < thr$: silence; $\sigma_k \geq thr$: sound; the threshold is relative to the recording, $thr \propto \sigma_{\mathrm{Recording}}$
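The segmentation formulas above carried through in code, as an added example that is not the Soundcomber code: per-frame energy $\sigma_k$, the recording-wide mean $\sigma_{\mathrm{Recording}}$, a threshold proportional to it, and the silence/sound decision turned into a list of speech segments. The frame size, the proportionality factor alpha and the synthetic recording are assumptions.

```python
import math

# Constructed example of the energy-based speech/silence segmentation from
# the slide. Not the Soundcomber code: frame size, the factor ALPHA in
# thr = ALPHA * sigma_Recording and the synthetic signal are assumptions.
SAMPLE_RATE = 8000
N_S = 160           # samples per frame (20 ms at 8 kHz), the slide's n_s
ALPHA = 0.5         # assumed scaling factor for the relative threshold


def frame_energies(samples, n_s=N_S):
    """sigma_k = (1/n_s) * sum_j x_j^2 for every complete frame k."""
    return [sum(x * x for x in samples[i:i + n_s]) / n_s
            for i in range(0, len(samples) - n_s + 1, n_s)]


def segment_speech(samples, n_s=N_S, alpha=ALPHA):
    """Return (first_frame, end_frame) pairs of frames classified as sound.

    The threshold is relative to the mean frame energy of the whole
    recording, so a quiet line and a loud line get the same treatment."""
    sigmas = frame_energies(samples, n_s)
    if not sigmas:
        return []
    sigma_recording = sum(sigmas) / len(sigmas)   # n_f = len(sigmas)
    thr = alpha * sigma_recording
    segments, start = [], None
    for k, sigma_k in enumerate(sigmas):
        if sigma_k >= thr and start is None:       # silence -> sound
            start = k
        elif sigma_k < thr and start is not None:  # sound -> silence
            segments.append((start, k))
            start = None
    if start is not None:
        segments.append((start, len(sigmas)))
    return segments


def segments_in_seconds(segments, n_s=N_S, sample_rate=SAMPLE_RATE):
    """Convert frame indices to (start_s, end_s) for cutting the recording."""
    return [(a * n_s / sample_rate, b * n_s / sample_rate) for a, b in segments]


def make_recording():
    """Constructed recording: faint line hum, 1 s of 'speech', hum, 0.5 s of
    'speech'. Speech is a sum of two tones whose frequencies complete whole
    cycles per frame, so frame energies are exact and the result is
    deterministic."""
    def tones(seconds, parts, amplitude):
        n = int(seconds * SAMPLE_RATE)
        return [amplitude * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in parts)
                for i in range(n)]
    return (tones(0.5, (1000,), 0.01) + tones(1.0, (300, 500), 0.3)
            + tones(0.5, (1000,), 0.01) + tones(0.5, (300, 500), 0.3))


if __name__ == "__main__":
    segs = segment_speech(make_recording())
    print(segs, segments_in_seconds(segs))   # [(25, 75), (100, 125)] [(0.5, 1.5), (2.0, 2.5)]
```

A recording-relative threshold has one failure mode worth knowing: a recording that is almost entirely speech pushes $\sigma_{\mathrm{Recording}}$ up and can classify softer words as silence, which is why alpha must stay well below 1.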
Context-Aware Information Collection (6/7)
• 3. Targeted data extraction using profiles
  • Focus on IVRs (Interactive Voice Response systems), i.e. automated phone menus
  • Extraction follows predetermined profiles of the target hotline: the profile says which menu prompt precedes the valuable input (e.g. "enter your card number") so only that part of the call needs analysis
Context-Aware Information Collection (7/7)
• General profiles, built from:
  • Speech signatures
  • Sequence detection
  • Speech characteristics
Stealthy Data Transmission
• Processing the recording centrally (on the attacker's server) isn't ideal
  • Without local processing, a 1-minute recording → 94 KB to upload
  • After local extraction, a credit card number → 16 bytes
• Two ways to get the data off a phone that has no network permission:
  • A legitimate, existing application with network access
  • A paired Trojan application with network access, reached through a covert channel
Leveraging third-party applications
• The permission mechanism only restricts each individual application, not what one application can make another do
• Example: ask the browser to open the URL http://target?number=N
  • Drawback: more noticeable, because the browser comes to the foreground
  • Pop-up ads can serve as cover for the browser activity
Covert channels with paired Trojans (1/4)
• Paired Trojans: Soundminer (records and extracts, has no network access) and Deliverer (has network access)
• Installation of the paired Trojan applications
  • Via a pop-up ad
  • Packaged together as one app bundle
• Covert channels on the smartphone:
  • Vibration settings
  • Volume settings
  • Screen
  • File locks
Covert channels with paired Trojans (2/4)
• Vibration settings
  • Any application can change the vibration settings; no permissions needed
  • Communication channel: every time the setting is changed, the system sends a notification to interested applications, so Deliverer registers for it and reads the new value
  • Soundminer saves and restores the original settings at opportune times
  • Leaves no traces
Covert channels with paired Trojans (3/4)
• Volume settings
  • Changes are not automatically broadcast, so sender and receiver alternately set and check the volume in fixed time slots
  • The volume level carries 3 bits per iteration
  • Slot length $t_i$, e.g. $t_i = 1000$ ms
  • Sending at times $t_s + k \cdot t_i$, $k = 0, \ldots$
  • Reading at times $t_s + k \cdot t_i + t_i/2$, i.e. in the middle of each slot, so that a small timing error on either side does not miss a window
• Screen
  • An invisible "visible" channel: the screen settings serve as covert channel
  • Prevent the screen from actually turning on
  • Requires the WAKE_LOCK permission
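The volume channel as a timing simulation, added here and not part of the Soundcomber code: the sender writes one 3-bit symbol per slot at $t_s + k \cdot t_i$ and restores the user's volume afterwards, the receiver samples at $t_s + k \cdot t_i + t_i/2$, and the run with too much delay shows what the half-slot margin buys. Nothing touches Android; the shared setting, the clock, the eight levels, the slot length and the delays are all assumptions.

```python
import math

# Constructed simulation of the volume-setting covert channel. Not the
# Soundcomber code: SimulatedSettings stands in for the shared volume setting
# and time is a plain float clock. Eight levels (3 bits per slot), the slot
# length and the scheduling delays are assumptions.
VOLUME_LEVELS = 8
BITS_PER_SYMBOL = int(math.log2(VOLUME_LEVELS))   # 3
T_I = 1.0                                          # slot length in seconds (1000 ms)


class SimulatedSettings:
    """A setting any app may write and read; remembers every write with its time."""
    def __init__(self, initial_volume=5):
        self.initial_volume = initial_volume
        self._writes = [(0.0, initial_volume)]      # (time, level)

    def set_volume(self, t, level):
        assert 0 <= level < VOLUME_LEVELS
        self._writes.append((t, level))

    def get_volume(self, t):
        """Value visible at time t: the latest write made at or before t."""
        return max((w for w in self._writes if w[0] <= t), key=lambda w: w[0])[1]


def to_symbols(data):
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * (-len(bits) % BITS_PER_SYMBOL)           # pad to a whole symbol
    return [int(bits[i:i + BITS_PER_SYMBOL], 2) for i in range(0, len(bits), BITS_PER_SYMBOL)]


def from_symbols(symbols, n_bytes):
    bits = "".join(format(s, "0%db" % BITS_PER_SYMBOL) for s in symbols)[:n_bytes * 8]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def symbols_for(n_bytes):
    return math.ceil(n_bytes * 8 / BITS_PER_SYMBOL)


def soundminer_send(settings, data, t_s, t_i=T_I, delay=0.0):
    """Write symbol k at t_s + k*t_i (plus any scheduling delay), then put
    the user's volume back so the channel leaves no visible trace."""
    symbols = to_symbols(data)
    for k, sym in enumerate(symbols):
        settings.set_volume(t_s + k * t_i + delay, sym)
    settings.set_volume(t_s + len(symbols) * t_i + delay, settings.initial_volume)


def deliverer_receive(settings, n_bytes, t_s, t_i=T_I):
    """Read in the middle of each slot, t_s + k*t_i + t_i/2, so a sender that
    is late or early by less than t_i/2 still lands in the right window."""
    symbols = [settings.get_volume(t_s + k * t_i + t_i / 2) for k in range(symbols_for(n_bytes))]
    return from_symbols(symbols, n_bytes)


def run_channel(data, delay, t_s=10.0, t_i=T_I):
    """Returns (bytes received, whether the original volume was restored)."""
    settings = SimulatedSettings()
    soundminer_send(settings, data, t_s, t_i, delay)
    received = deliverer_receive(settings, len(data), t_s, t_i)
    restored = settings.get_volume(t_s + (symbols_for(len(data)) + 1) * t_i)
    return received, restored == settings.initial_volume


def bandwidth_bps(t_i=T_I):
    return BITS_PER_SYMBOL / t_i


if __name__ == "__main__":
    card = b"4392258888888888"
    print(run_channel(card, delay=0.3))   # (b'4392258888888888', True)
    print(run_channel(card, delay=0.6))   # garbled: each read sees the previous slot
    print(bandwidth_bps(), "bits per second")
```

At $t_i = 1$ s the channel moves 3 bits per second, which is slow for a recording but more than enough for 16 bytes; the same mid-slot sampling rule applies to the vibration channel if its notification is missed and the receiver has to poll instead.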
Covert channels with paired Trojans (4/4)
• File locks
  • The two apps exchange information by competing for a file lock
  • Signaling files $S_1, \ldots, S_m$ plus one data file
  • $S_1 \ldots S_{m/2}$ are used by Soundminer, $S_{m/2+1} \ldots S_m$ by Deliverer
Defense Architecture
• Add a context-sensitive reference monitor that controls the AudioFlinger service (Android's audio server)
• Block all applications from accessing the audio data while a sensitive call is in progress
• Reference service: hooks the RIL (radio interface layer) and signals when the phone enters or leaves a sensitive state (e.g. a call to a number on a sensitive list)
• Controller
  • Embedded in the AudioFlinger service
  • Exclusive mode (sensitive call: captured audio is withheld from applications) / Non-exclusive mode (normal operation)
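The control flow of this defense, written out as an added illustration rather than the paper's AudioFlinger patch: a reference service that decides from the dialled number whether the phone is in a sensitive state, and a controller that flips between the two modes and answers every capture request. The sensitive-number list, the event names and the app identifiers are assumptions; in the real design the reference service hooks the RIL and the controller lives inside AudioFlinger.

```python
import re
from enum import Enum

# Constructed illustration of the defense's control flow. Not the paper's
# code: the sensitive-number list, event names and app names are assumptions.


class Mode(Enum):
    NON_EXCLUSIVE = "non-exclusive"   # normal: applications may capture audio
    EXCLUSIVE = "exclusive"           # sensitive call: audio withheld from all apps


def normalize_number(number):
    """Keep only digits so '1-800-555-0100' and '18005550100' compare equal."""
    return re.sub(r"\D", "", number)


class ReferenceService:
    """Stands in for the RIL hook: decides whether a call is sensitive and
    tells the controller when the phone enters or leaves that state."""
    def __init__(self, sensitive_numbers, controller):
        self._sensitive = {normalize_number(n) for n in sensitive_numbers}
        self._controller = controller
        self.in_sensitive_call = False

    def on_call_started(self, number):
        if normalize_number(number) in self._sensitive:
            self.in_sensitive_call = True
            self._controller.enter_sensitive_state()

    def on_call_ended(self):
        if self.in_sensitive_call:
            self.in_sensitive_call = False
            self._controller.leave_sensitive_state()


class AudioController:
    """Stands in for the controller embedded in AudioFlinger: every read of
    captured audio by an application passes through may_capture()."""
    def __init__(self):
        self.mode = Mode.NON_EXCLUSIVE
        self.denied = []     # (app, reason) log of blocked reads

    def enter_sensitive_state(self):
        self.mode = Mode.EXCLUSIVE

    def leave_sensitive_state(self):
        self.mode = Mode.NON_EXCLUSIVE

    def may_capture(self, app):
        if self.mode is Mode.EXCLUSIVE:
            self.denied.append((app, "sensitive call in progress"))
            return False
        return True


def simulate(sensitive_numbers, dialled, app="recorder_app"):
    """Capture decision for one app before, during and after a call."""
    controller = AudioController()
    ril = ReferenceService(sensitive_numbers, controller)
    before = controller.may_capture(app)
    ril.on_call_started(dialled)
    during = controller.may_capture(app)
    ril.on_call_ended()
    after = controller.may_capture(app)
    return before, during, after


if __name__ == "__main__":
    bank = ["1-800-555-0100"]        # constructed: a hotline that asks for card numbers
    print(simulate(bank, "18005550100"))   # (True, False, True)
    print(simulate(bank, "18005550199"))   # (True, True, True)
```

The check a practitioner should make is on the gating condition, not the gate: the monitor only helps for numbers it knows are sensitive, so the list must cover the hotlines an attacker would profile, and the denial log is what lets an analyst spot an app that keeps asking for audio exactly during those calls.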
Evaluation (1/2)
• Experiment settings
  • Environment
  • Service hotline detection
  • Tone recognition
  • Speech recognition: CPU cost measured with getrusage()
  • Profile-based data discovery: how much high-value information is extracted
  • Covert channel study: bandwidth in bits per second
  • Reference monitor
Evaluation (2/2)
• Experiment results
  • Effectiveness
    • Service hotline detection
    • Tone/speech recognition
    • Detection by anti-virus applications
  • Performance
Discussion
• Improvements on the attack
• Defenses
Conclusion
• Soundminer needs only innocuous permissions
• A defense against sensor data stealing
• Highlighted the threat of stealthy sensory malware
Thanks ~
Backup slides: Goertzel's algorithm; Performance