Georgios Portokalidis Philip Homeburg Kostas Anagnostakis Herbert Bos Columbia University Vrije Universiteit Niometris R&D Vrije Universiteit PARANOID ANDROID: VERSATILE PROTECTION FOR SMARTPHONES 2010/11/30 1 Paranoid Android? Click this album to play this song … 2010/11/30 2 Outline Introduction Architecture Implementation Evaluation Related Work Conclusion 2010/11/30 3 Introduction Recently, iPhone and Android platform have shown to be susceptible to remote exploits Obama’s blackberry 2010/11/30 4 Introduction Using a file scanner or antivirus, like ClamAV Time-consuming (30 minutes) Battery problem (2% battery capacity) Is 11.8x slower than running it on single-core VM We argue for a different security model that completely devolves attack detection from the phone Key: Cloud ! 2010/11/30 5 Introduction Antivirus file scanning Zero-days? Remote exploits? Memory-resident attacks? Smartphone APIs Android: Java Dalvik VM But also provide native APIs May be vulnerable to these attacks 2010/11/30 6 Introduction Contributions: Multiple security checks simultaneously without overburdening the device Execution recording and replaying framework for Android Transparent backup of all user data in the cloud Replication mechanism Application transparent recording and replaying 2010/11/30 7 Architecture Tracer Record all info needed to accurately replay its execution Replayer Receive the trace and faithfully replays the execution within the emulator Proxy Intercept and temporarily store inbound traffic The replayer can access the proxy to retrieve the data needed for replaying 2010/11/30 8 Architecture 2010/11/30 9 Architecture Assumptions The replay server will not be compromised Attackers cannot break the encryption The device is able to contact the server safely, to create an initial replica, and setup the tracer The servers have out-of-band channels to notify users about problems and a way to restore the image 2010/11/30 10 Architecture Tracer Nondeterministic inputs and events Mostly pass through the system calls Record all data transferred from kernel to user space through system calls 2010/11/30 11 Architecture Replayer Use the recorded values when replaying the system calls on replica Including IPC using system calls Only replay process and not kernel execution May not be able to detect an attack against the kernel But most kernel vulnerabilities are only exploitable locally Shared memory: repeatable deterministic task scheduler 2010/11/30 12 Architecture Synchronisation Loose Synchronisation Transmit the trace only when the device is awake and connected to the Internet User is most likely to be attacked while surfing the web Support extremely sychronisation Only sync when recharging 2010/11/30 13 Architecture Synchronisation Tamper-Evident Secure Storage HMAC: Hash-based Message Authentication Code HMAC = Hash( K xor opad, Hash(K xor ipad, text)) STORE(message + HMAC(key, message)) key’ = Hash(key) key = key’ If sync error, the device is treated as potentially compromised 2010/11/30 14 Architecture Security Methods Dynamic analysis in emulator Antivirus software Memory scan System call detection P.S. only implement the first two 2010/11/30 15 Architecture Proxy and Server Location User Notification and Recovery Handling Data Generated On the Device Bulk downloads Incremental downloads 2010/11/30 16 Implementation Need a new boot image! Linux ptrace PTRACE_SYSCALL 2010/11/30 17 Implementation Starting The Tracer Init starts tracer first Next, init starts the exec stubs The stub writes its pid to tracer’s FIFO and pauses Then tracer attaches to the process, and continues the stub Exec 2010/11/30 18 Implementation Scheduling And Shared Memory User space Scheduler Ensuring no two threads that share a memory object can ever run concurrently Triggered by system call Spinlock and mutexes Future work CREW protocol (concurrent-read-exclusive-write) To track all reads from memory 2010/11/30 19 Implementation Ioctls An interface between user and kernel space /dev/binder Handles about 200 ioctl commands 2010/11/30 20 Implementation Execution Trace Compression Record only system calls that introduce nondeterminism Use a network proxy so that inbound data are not logged in the trace Compress data using three algorithms Delta encoding Huffman encoding DEFLATE algorithm (gzip) 2010/11/30 21 Implementation Attack Detection Mechanisms Virus Scanner ClamAV Dynamic Taint Analysis Overhead imposed is high Only on replica 2010/11/30 22 Evaluation HTC G1 with tracer Modified QEMU for replayer 2010/11/30 23 Evaluation 2010/11/30 24 Evaluation Data Volume: 5 hours of audio playback 22.5 MB 64B/s 121B/s 2010/11/30 25 Evaluation CPU loading 15% higher Browsing may consume up to 30% more energy 2010/11/30 26 Evaluation Server Scalability Dual-Core NB 2.26GHz P8400 + 4G RAM Quad-Core 2.40GHz Q6600 + 8G RAM Amazon EC2 2010/11/30 27 Evaluation Dynamic Taint Analysis X2-x2.5 slowdown If DTA applied to all replica Only roughly half of the instances reported in Figure5 2010/11/30 28 Evaluation Overhead Imposed By Ptrace Compression (deflate_slow) consumes only 7.62% 65% is spent in ptrace and waitpid Solution: move to kernel 2010/11/30 29 Evaluation 2010/11/30 30 Related Work Malkhi et al. Secure execution of java applets using a remote playground Ripley: automatically securing web 2.0 applications through replicated execution CloudCloud Acceleration SmartSiren Antivirus in smartphones 2010/11/30 31 Related Work VirusMeter Kirin 2010/11/30 32 Conclusion Attack detection on a remote server in the cloud No limit on the number of attack detection techniques Transmission overhead is kept below 2.5KiBps 2010/11/30 33