
Cellular Networks and Mobile Computing, COMS 6998-10, Spring 2013

Cellular Networks and Mobile Computing, COMS 6998-10, Spring 2013. Instructor: Li Erran Li (lel2139@columbia.edu), http://www.cs.columbia.edu/~lierranli/coms6998-10Spring2013/. Lecture 12: Mobile Platform Security: Attacks and Defenses.


Presentation Transcript


  1. Cellular Networks and Mobile Computing, COMS 6998-10, Spring 2013. Instructor: Li Erran Li (lel2139@columbia.edu), http://www.cs.columbia.edu/~lierranli/coms6998-10Spring2013/. Lecture 12: Mobile Platform Security: Attacks and Defenses

  2. Mobile Security Attacks and Defenses
     • Inter application communication related attacks (Lianhao Qu and Joseph Orilogbon on QUIRE and Akhila on XManDroid)
       • Permission re-delegation (confused deputy attacks)
       • Collusion attacks
     • System vulnerability based attacks (Ying-Chi Meng and Sichang Li on MoCFI)
       • Control flow attacks (code injection attacks)
       • Root exploits (e.g. adbd bug used by DroidKungfu malware)
     • Application specific attacks (Jill Jermyn and Snigdha Challa on texting apps)
     Cellular Networks and Mobile Computing (COMS 6998-10)

  3. 19th Annual Network & Distributed System Security Symposium: Towards Taming Privilege Escalation Attacks on Android
     • Alexandra Dmitrienko, Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany
     • Ahmad-Reza Sadeghi, Bhargava Shastry, Fraunhofer SIT/CASED, Darmstadt, Germany
     • Sven Bugiel, Lucas Davi, TU Darmstadt/CASED, Germany
     • Thomas Fischer, Ruhr-University Bochum
     @ Fraunhofer SIT/CASED 2012, Alexandra Dmitrienko, NDSS 2012, DO NOT DISTRIBUTE FURTHER

  4. App Installation in Android
     [Diagram: User, Android Market, Movie Player; steps Download App, Permissions, Install; caption "Requested permissions are reasonable"]

  5. Can apps go beyond their privileges? YES: Privilege escalation attacks

  6. Confused Deputy Attack: Do not have a right permission? Ask your neighbor!
     [Diagram: Malware (Privileges: none), Benign app (Privileges: P1), Android OS, Android Middleware]
     1) Invoke browser to download malicious files (Lineberry et al., BlackHat 2010)
     2) Invoke Phone app to perform a phone call (Enck et al., Tech Report 2008)
     3) Invoke Android Scripting Environment to send SMS messages (Davi et al., ISC'2010)

  7. Collusion Attack: Two (or more) apps collude to launch the attack
     [Diagram: Benign app (Privileges: P2), Malware (Privileges: P1), Android System App, Android OS]
     1) Apps communicate directly
     Example: Claudio Marforio et al., Tech Report ETH Zurich

  8. Collusion Attack: Two (or more) apps collude to launch the attack
     [Diagram: Benign app (Privileges: P2), Malware (Privileges: P1), Android System App, Android OS]
     2) Apps communicate via covert (e.g., volume settings) or overt (e.g., content providers) channels in Android System components
     Example: Soundcomber (Schlegel et al., NDSS'2011)

  9. Inter-Application Communication
     • Inter-process communication (IPC): Intents and remote procedure calls
     • File system (files, Unix domain sockets)
     • Network sockets
     [Diagram: App A and App B in the Application layer; Reference Monitor in the Middleware (IPC); Discretionary access control of Linux in the Linux kernel (File System, Network Sockets)]

  10. Related Work
     [Diagram labels: App A (Perm. P1); App B (Perm. P2, Perm. P3); Sensitive Data; Installer; Saint; Dalvik VM; TaintDroid; Reference Monitor; Saint; AppFence; Porscha; Mediator; Paranoid Android; Apex; CRePE; IPC Inspection; QUIRE; TrustDroid; Apex; Kirin; Permission Database; Static and Offline Analysis Tools; ded; ComDroid; Stowaway; Android Middleware; QUIRE; TrustDroid; Linux Kernel; SELinux]

  11. XManDroid: eXtended Monitoring on Android
     • Monitors all communication channels between apps
     • Validates if the requested communication link complies with a system-centric security policy
     [Diagram: App A and App B in the Application layer; Reference Monitor in the Middleware (IPC); Discretionary access control of Linux in the Linux kernel (File System, Network Sockets); XManDroid]

  12. XManDroid Architecture
     [Diagram labels: Application layer (App A, App B); Middleware layer (Android Middleware: Reference Monitor, Decision Maker, Android Permissions, System View); Kernel layer (Linux Discretionary Access Control, XManDroid Mandatory Access Control, File System / Internet Sockets); operations Read/Write File/Socket and Create File/Socket]

  13. XManDroid's System View: Graph-based Representation
     [Diagram legend: Android Core; System Components; Application sandboxes; Files; IPC calls; Access to files; Socket connections; Internet sockets]

  14. XManDroid: Simplified Example
     [Diagram: Android Core with nodes A, B and C; permissions P1 and P2]
     Policy Rule:
     • Sandbox A: permission P1, no P2
     • Sandbox B: permission P2, no P1
     • Communication type: Direct
     • Decision: Deny

  15. XManDroid: Simplified Example
     [Diagram: Android Core with nodes A, B and C; permissions P1 and P2]
     Policy Rule:
     • Sandbox A: permission P1, no P2
     • Sandbox B: permission P2, no P1
     • Communication type: Indirect
     • Decision: Deny

  16. Contributions
     • Design
       • A general framework towards taming privilege escalation attacks
       • System-centric policy enforcement
     • Implementation
       • Kernel-level mandatory access control based on TOMOYO
       • Callback channel between kernel-level and the middleware
       • System-centric IPC call chain tracking for Intents (inspired by QUIRE)
     • Tests
       • Evaluation
       • Study on inter-application communication

  17. Evaluation
     1) Effectiveness (attack prevention)
     2) Performance
     3) Rate of falsely denied communications

  18. Study on Application Communication Patterns

  19. IPC-based Application Communication

  20. File and Socket-based Application Communication

  21. Conclusion and Future Work
     • First general approach towards tackling privilege escalation attacks (at application level)
     • Runtime monitoring, but quite efficient
     • No false negatives
     • No false positives, but conceptually they are possible
     • Current work
       • Large scale evaluation
       • Automatic policy engineering
       • Full IPC call chain tracking
       • Applying XManDroid framework for domain isolation on Android
     BizzTrust

  22. @ TU Darmstadt/CASED 2012, Lucas Davi, NDSS 2012, DO NOT DISTRIBUTE FURTHER


  27. [Diagram: control-flow graph of basic blocks BBL1 to BBL5, each drawn as entry; ins, ins, ins, …; exit]
     • Entry: Any instruction that is target of a branch (e.g., first instruction of a function)
     • Exit: Any branch (e.g., indirect or direct jump and call, return)

  28. [Diagram: control-flow graph of basic blocks BBL1 to BBL5, each drawn as entry; ins, ins, ins, …; exit, with two attacks marked: 1 Code Injection, into Malicious Code (Shellcode); 2 ROP; ret2libc, into Library Code (Instruction Sequences, Library Functions)]
     • Entry: Any instruction that is target of a branch (e.g., first instruction of a function)
     • Exit: Any branch (e.g., indirect or direct jump and call, return)


  30. [Diagram: basic blocks BBL1 to BBL5, now beginning with label_1 to label_5 before entry; ins, ins, ins, …; exit]
     1. Insert LABEL instructions (that serve as nop instructions) at the beginning of each BBL

  31. [Diagram: basic blocks BBL1 to BBL5, beginning with label_1 to label_5 before entry; ins, ins, ins, …; exit]
     2. Rewrite all exit instructions with a control-flow check
     CFI Check: *BBL3[exit] == label_5

  32. [Diagram: the labelled basic blocks BBL1 to BBL5 with attack paths 1 and 2 toward Malicious Code (Shellcode) and Library Code (Instruction Sequences, Library Functions)]
     CFI Check: *BBL3[exit] == label_5


  34. Intel x86 Approach [Abadi et al., CCS 2005]
     • Not compatible to application signing
     • Requires sophisticated binary instrumentation framework (Vulcan) and debugging information
     ARM
     • Program counter directly accessible
     • No dedicated return instructions
     • Side-effects of control-flow instructions, e.g., POP {r4-r7,pc}
     • ARM supports two instruction sets (ARM/THUMB)
     Smartphones
     • Application Signing
     • Application Encryption
     • Typically, no access to source code

  35. Contributions
     • First control-flow integrity framework for smartphone platforms
     • We present rewriting techniques that tackle unique challenges of smartphones
     • Our prototype for iOS requires no source code and efficiently performs CFI at runtime

  36. [Diagram labels: Unprotected and encrypted iOS Binary; Preprocessor (Decryption, Disassembling); Unprotected plain iOS Binary; Generate Rewriting Information; Patchfile; Control-Flow Graph Generator; Control-Flow Graph; Static Analysis; Runtime Enforcement; Instructions… call Func_A]

  37. [Diagram labels: Unprotected and encrypted iOS Binary; Preprocessor (Decryption, Disassembling); Unprotected plain iOS Binary; Generate Rewriting Information; Patchfile; Control-Flow Graph Generator; Control-Flow Graph; Static Analysis; Runtime Enforcement; MoCFI Library with Load-Time Module (Binary Rewriting) and Runtime Module (CFI Enforcement); CFI Protected iOS Binary; Instructions… call Func_A]

  38. [Diagram labels: Unprotected and encrypted iOS Binary; Preprocessor (Decryption, Disassembling); Unprotected plain iOS Binary; Generate Rewriting Information; Patchfile; Control-Flow Graph Generator; Control-Flow Graph; Static Analysis; Runtime Enforcement; MoCFI Library with Load-Time Module (Binary Rewriting) and Runtime Module (CFI Enforcement); CFI Protected iOS Binary; Instructions… call Func_A; Instructions… call CFI_Library]


  40. Load-Time Module – Binary Rewriting
     4 Byte THUMB Instruction!
     [Diagram: Original iOS Binary (Header; Code: Instruction, Instruction, …, CALL Function, Instruction, …, INDIRECT JUMP, Instruction, BBL Entry, RETURN; Data); MoCFI Runtime Module with Control-Flow Graph and Shadow Stacks]
     "BBL Entry" refers to an instruction that is target of other branch instructions in the program

  41. Load-Time Module – Binary Rewriting
     [Diagram: Original iOS Binary (Header; Code: Instruction, Instruction, …, CALL Function, Instruction, …, INDIRECT JUMP, Instruction, BBL Entry, RETURN; Data); Rewritten iOS Binary (Header; Code: Instruction, Instruction, …, CALL Trampoline_1; Data); Trampoline_1 (Save Registers, JUMP Runtime_Module, Reset Registers, JUMP Function); MoCFI Runtime Module with Control-Flow Graph and Shadow Stacks]
     "BBL Entry" refers to an instruction that is target of other branch instructions in the program

  42. Load-Time Module – Binary Rewriting
     [Diagram: Original iOS Binary (Header; Code: Instruction, Instruction, …, CALL Function, Instruction, …, INDIRECT JUMP, Instruction, BBL Entry, RETURN; Data); Rewritten iOS Binary (Header; Code: Instruction, Instruction, …, CALL Trampoline_1, Instruction, JUMP Trampoline_2; Data); Trampoline_1 (Save Registers, JUMP Runtime_Module, Reset Registers, JUMP Function); Trampoline_2 (Previous Instruction, Save Registers, JUMP Runtime_Module, Reset Registers, INDIRECT JUMP); MoCFI Runtime Module with Control-Flow Graph and Shadow Stacks]
     "BBL Entry" refers to an instruction that is target of other branch instructions in the program

  43. Load-Time Module – Binary Rewriting
     [Diagram: Original iOS Binary (Header; Code: Instruction, Instruction, …, CALL Function, Instruction, …, INDIRECT JUMP, Instruction, BBL Entry, RETURN; Data); Rewritten iOS Binary (Header; Code: Instruction, Instruction, …, CALL Trampoline_1, Instruction, JUMP Trampoline_2, Instruction, BBL Entry, #ILLEGAL INS; Data); Trampoline_1 (Save Registers, JUMP Runtime_Module, Reset Registers, JUMP Function); Trampoline_2 (Previous Instruction, Save Registers, JUMP Runtime_Module, Reset Registers, INDIRECT JUMP); Exception Handler; MoCFI Runtime Module with Control-Flow Graph and Shadow Stacks]
     "BBL Entry" refers to an instruction that is target of other branch instructions in the program

  44. Library Injection
     • Our MoCFI library is injected into the process of the application by setting DYLD_INSERT_LIBRARIES
     Jailbreak?
     • We require a jailbreak for setting one environment variable and installing our library
     • In order to perform binary rewriting, we require the dynamic code-signing entitlement

  45. Performance Measurements
     • Worst-Case Scenario: quicksort application that frequently demands a CFI check
     • Performance Measurements for quicksort (Factor: Without MoCFI / With MoCFI)
       • n=100: 0.047 ms / 0.432 ms
       • n=1,000: 0.473 ms / 6.186 ms
       • n=10,000: 6.725 ms / 81.163 ms
     • Average overhead measurement with gensystek
       [Bar chart: Time in Seconds, with MoCFI vs. without MoCFI]
     • Benchmarks and Slowdown Factor for gensystek: FPU/ALU 4,87; PI Calc 3,85; MD5 Calc 1,19; ScrShot 1,02; RAM 5,00; Disk 1,21; Quartz2D 1,03; ResizeIMG 1,01; Trans3D 1,09
     • Applied MoCFI to popular iOS apps (e.g., Facebook, Texas Holdem, Minesweeper)

  46. First CFI framework for smartphone platforms
     • It performs CFI enforcement on-the-fly at runtime
     • Compatible to application signing/encryption and memory randomization (e.g., ASLR)
     • Requires no access to source code
     Ongoing Work
     • CFI for native iOS libraries
     • Formal Analysis
     • CFI for Android

  47. Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications. Sebastian Schrittwieser

  48. Smartphone Messaging
     • Aim at replacing traditional text messaging (SMS) and GSM/CDMA/3G calls
     • Free phone calls and text messages over the Internet
     • Novel authentication concept
       • Phone number used as single authenticating identifier

  49. [Diagram labels: Internet; Telecom infrastructure]

  50. Motivation
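The policy decision from slides 14 and 15 (XManDroid: Simplified Example), written out as an added example; it is not XManDroid's code. The class and function names are hypothetical, links in the system view are assumed to be bidirectional, and the three sandboxes are a constructed sample.

```python
from collections import deque

class SystemView:
    """Graph of sandboxes/system components; edges are established links."""
    def __init__(self, perms):
        self.perms = perms                      # node -> set of permissions
        self.edges = {n: set() for n in perms}  # assumption: links are bidirectional

    def link(self, a, b):
        self.edges[a].add(b)
        self.edges[b].add(a)

    def reachable(self, start):
        """All nodes that can already exchange data with `start` (BFS)."""
        seen, todo = {start}, deque([start])
        while todo:
            for nxt in self.edges[todo.popleft()] - seen:
                seen.add(nxt)
                todo.append(nxt)
        return seen

def rule_matches(pa, pb):
    """Slide rule: one side has P1 but not P2, the other has P2 but not P1."""
    return "P1" in pa and "P2" not in pa and "P2" in pb and "P1" not in pb

def decide(view, src, dst):
    """Return (decision, communication type) for a requested link src -> dst."""
    left, right = view.reachable(src), view.reachable(dst)
    # Check the requested endpoints first, then every pair the link would join.
    pairs = [(src, dst)] + [(x, y) for x in sorted(left) for y in sorted(right)
                            if (x, y) != (src, dst)]
    for x, y in pairs:
        px, py = view.perms[x], view.perms[y]
        if rule_matches(px, py) or rule_matches(py, px):
            return "deny", "direct" if (x, y) == (src, dst) else "indirect"
    return "allow", None

def request(view, src, dst):
    """Reference-monitor hook: record the link only when the policy allows it."""
    decision, kind = decide(view, src, dst)
    if decision == "allow":
        view.link(src, dst)
    return decision, kind

def new_view():
    # Constructed sample matching the slides: A holds P1, B holds P2, C holds none.
    return SystemView({"A": {"P1"}, "B": {"P2"}, "C": set()})

if __name__ == "__main__":
    v = new_view()
    print(request(v, "A", "B"))                        # direct A <-> B
    v = new_view()
    print(request(v, "A", "C"), request(v, "C", "B"))  # C would relay between A and B
```

The second request sequence shows why the decision needs the whole graph: the link C to B is harmless on its own and is denied only because C is already connected to A.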
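A toy model of the runtime check from slides 30 to 32 (labels at BBL entries, exits rewritten with a CFI check) combined with the shadow stack named on slides 40 to 43, as an added example; it is not MoCFI's code. The addresses, the control-flow graph and the `RuntimeModule.check` interface are constructed for illustration.

```python
class CFIViolation(Exception):
    """Raised when a rewritten exit tries to leave the control-flow graph."""

# Constructed sample: addresses of the LABEL instructions at BBL entries.
LABELS = {0x1000: "label_1", 0x1010: "label_2", 0x1020: "label_3",
          0x1030: "label_4", 0x1040: "label_5"}
# Constructed CFG: labels each block's exit may legitimately branch to.
CFG = {"BBL1": {"label_2", "label_3"}, "BBL2": {"label_4"}, "BBL3": {"label_5"}}

class RuntimeModule:
    """Validates every rewritten exit against the CFG and a shadow stack."""
    def __init__(self, cfg, labels):
        self.cfg = cfg
        self.labels = labels
        self.shadow = []   # return labels recorded at call time

    def check(self, block, kind, target, return_addr=None):
        label = self.labels.get(target)   # None: target is not a BBL entry
        if kind == "ret":
            # A return must go to the call site recorded on the shadow stack.
            expected = self.shadow.pop() if self.shadow else None
            if label is None or label != expected:
                raise CFIViolation(f"{block}: return to {target:#x}")
            return label
        # Calls and jumps: e.g. *BBL3[exit] must equal label_5.
        if label not in self.cfg.get(block, set()):
            raise CFIViolation(f"{block}: {kind} to {target:#x}")
        if kind == "call":
            self.shadow.append(self.labels[return_addr])
        return label

def attempt(rt, *args, **kwargs):
    try:
        rt.check(*args, **kwargs)
        return "allowed"
    except CFIViolation:
        return "blocked"

def demo():
    rt = RuntimeModule(CFG, LABELS)
    return [
        attempt(rt, "BBL3", "ijump", 0x1040),   # label_5, the CFG successor
        attempt(rt, "BBL3", "ijump", 0x7000),   # unlabelled memory (injected code)
        attempt(rt, "BBL3", "ijump", 0x1034),   # middle of a block, no label
        attempt(rt, "BBL3", "ijump", 0x1010),   # a real label, but not a successor
        attempt(rt, "BBL2", "call", 0x1030, return_addr=0x1040),
        attempt(rt, "BBL4", "ret", 0x1040),     # matches the shadow stack
        attempt(rt, "BBL2", "call", 0x1030, return_addr=0x1040),
        attempt(rt, "BBL4", "ret", 0x1010),     # overwritten return address
    ]

if __name__ == "__main__":
    print(demo())
```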
