
Mu Zhang Heng Yin


Presentation Transcript


  1. Efficient, Context-Aware Privacy Leakage Confinement for Android Applications without Firmware Modding
     Mu Zhang, Heng Yin
     Department of EECS, Syracuse University

  2. Motivation: We need a practical solution for privacy leakage confinement in Android
     • What does a practical solution mean?
       • Information-flow based security
         • Most existing solutions are end-point solutions
       • Context-aware policy enforcement
         • Existing solutions are all-or-nothing protection
       • No firmware modding
         • All existing solutions require firmware modding
       • Low runtime overhead
         • Taint tracking is slow!

  3. Capper: Context-Aware Privacy Policy Enforcement with Re-writing
     • Key Techniques
       • Bytecode Rewriting for Information Flow Tracking and Control
       • Context-aware Policy Enforcement

  4. BRIFT: Bytecode Rewriting for Information Flow Tracking and Control
     • Key: to place minimally required code into a bytecode program to accurately keep track of privacy leakage.
     [Figure: BRIFT pipeline. Stages: Translation, Static Analysis, Static Instrumentation, Optimization, Code Generation. Labels: Android App (Resources, DEX), IR, Slices, New IR, Optimized IR, New App (Resources, DEX’).]

  5. BRIFT: Some Technical Details
     • Static Data-flow Analysis
       • Similar to CHEX [Lu et al. CCS’12]
       • Discover entry points, compute program splits, and perform permutation on the splits
     • Static Instrumentation
       • Create shadow variables
       • Insert taint propagation statements
       • Pass shadow parameters across function boundary
     • Optimization
       • Remove unnecessary shadow parameters
       • Lift taint propagation logic into the function caller
       • Other built-in optimizations, such as constant propagation, dead code elimination, etc.

  6. BRIFT: A Running Example

     ```java
     public class Leakage extends Activity {
         private byte key = DEFAULT_KEY;
         private String addr = DEFAULT_ADDR;
         private static String deviceId;

         // Source: reads the device IMEI.
         public String getIMEI() {
             TelephonyManager manager =
                 (TelephonyManager) getSystemService("phone");
             String imei = manager.getDeviceId();
             if (imei == null) {
                 imei = "";
             } else {
                 imei = manager.getDeviceId();
             }
             return imei;
         }

         public byte crypt(byte plain) {
             return (byte) (plain ^ key);
         }

         // Sink: writes the bytes to a network connection.
         public void post(String addr, byte[] bytes) {
             OutputStream output = conn.getOutputStream();
             output.write(bytes, 0, bytes.length);
             ...
         }

         // Benign use: shows the IMEI to the user only.
         public void toastIMEI(String imei) {
             Context app = getApplicationContext();
             String text = "Your IMEI is " + imei;
             int duration = Toast.LENGTH_SHORT;
             Toast toast = Toast.makeText(app, text, duration);
             toast.show();
         }

         public void onStart() {
             Leakage.deviceId = getIMEI();
         }

         public void onResume() {
             toastIMEI(Leakage.deviceId);
         }

         // Leak: the IMEI is XOR-encoded and then posted.
         public void onDestroy() {
             String imei = Leakage.deviceId;
             byte[] bytes = imei.getBytes();
             for (int i = 0; i < bytes.length; i++) {
                 bytes[i] = crypt(bytes[i]);
             }
             post(addr, bytes);
         }
     }
     ```

  7. BRIFT: the Rewritten Program

     ```java
     // Trailing "I" and "P" comments are the markers the slide puts on those lines.
     public class Leakage extends Activity {
         ...
         private static String deviceId;
         public static boolean deviceId_s0_t;                    // I
         ...
         public String getIMEI(BoolWrapper ret_s0_wrapper) {
             ...
             String imei = manager.getDeviceId();
             if (imei == null) {
                 imei = "";
                 imei_s0_t = false;                              // I
             } else {
                 imei = manager.getDeviceId();
                 imei_s0_t = true;                               // I
             }
             ret_s0_wrapper.status = imei_s0_t;                  // I
             return imei;
         }
         ...
         public void post(String addr, byte[] bytes,
                          BoolWrapper bytes_s0_wrapper) {
             boolean bytes_s0_t = bytes_s0_wrapper.status;       // I
             OutputStream output = conn.getOutputStream();
             boolean isAllow = false;                            // I
             if (bytes_s0_t == true)                             // I
                 isAllow = queryPolicyService(0, 0, addr);       // I
             if (isAllow) {                                      // I
                 output.write(bytes, 0, bytes.length);
             } else {...}                                        // I
             ...
         }
         ...
         public void onStart() {
             BoolWrapper ret_s0_wrapper = new BoolWrapper();     // I
             ret_s0_wrapper.status = false;                      // I
             Leakage.deviceId = getIMEI(ret_s0_wrapper);
             Leakage.deviceId_s0_t = ret_s0_wrapper.status;      // I
         }
         ...
         public void onDestroy() {
             String imei = Leakage.deviceId;
             byte[] bytes = imei.getBytes();
             boolean bytes_s0_t = Leakage.deviceId_s0_t;         // I
             for (int i = 0; i < bytes.length; i++) {
                 bytes[i] = crypt(bytes[i]);
                 bytes_s0_t = bytes_s0_t || false;               // I
             }
             BoolWrapper bytes_s0_wrapper = new BoolWrapper();   // I
             bytes_s0_wrapper.status = bytes_s0_t;               // I
             BoolWrapper url_s0_w = new BoolWrapper();           // P
             post(addr, bytes, bytes_s0_wrapper);
         }
     }
     ```

     See more details in our NDSS’14 paper

  8. Context-Aware Policy: How to model the context of an information flow
     • Taint Propagation Trace
       • Heavy-weight
       • Overly precise
     • Source and Sink Call-sites
       • Light-weight
       • Mimicry attack?
     • Parameterized Source and Sink Pairs

  9. Evaluation: Overview
     • 4723 real-world apps evaluated
       • 1414 (33%) are risky (may leak information)
     • Increase of Program Size
     • Runtime Performance of Analysis and Rewriting
     • Runtime Overhead
     • Effectiveness

  10. Related Work
     • Extend install-time constraints
       • Kirin, CCS’09; Saint, ACSAC’09
     • Enforce finer-grained/flexible permissions
       • MockDroid, HotMobile’11; CRePE, ISC’10; Apex, ASIACCS’10; TISSA, TRUST’11
     • Improve isolations
       • Cells, SOSP’11; SPSM’11; AdSplit, Usenix Security’12
     • Ask for user approval
       • Livshits and Jung, Usenix Security’13; Aurasium, Usenix Security’12
     • Information flow based solution
       • TaintDroid, OSDI’10; AppFence, CCS’11

  11. Conclusion: We achieved four goals
     • G1: Information-flow based security
       • Yes, we track sensitive information flow by rewriting
     • G2: Context-aware policy enforcement
       • Yes, we model the context of an information flow, and bind this context with user’s decision
     • G3: No firmware modding
       • Yes, we only rewrite apps and install a policy service
     • G4: Low runtime overhead
       • Yes, we only insert a minimal amount of code to keep track of sensitive information flow

  12. Questions?
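
Slide 8 contrasts call-site-only context with parameterized source and sink pairs, and the rewritten `post` in slide 7 calls `queryPolicyService(0, 0, addr)`. The following is an added sketch, not Capper's code, of why binding the user's decision to the sink parameter matters. It assumes the three arguments are a source call-site id, a sink call-site id and the sink's destination; the class name, `Decision` values and URLs are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Added sketch, not Capper's policy service. Assumes the arguments of
// queryPolicyService(srcId, sinkId, param) are a source call-site id,
// a sink call-site id and the sink's destination.
public class PolicySketch {
    enum Decision { ALLOW, DENY, ASK }

    // Context of one information flow: source/sink pair plus sink parameter.
    record FlowContext(int sourceId, int sinkId, String sinkParam) {}

    private final Map<FlowContext, Decision> decisions = new HashMap<>();
    private final boolean parameterized;

    PolicySketch(boolean parameterized) { this.parameterized = parameterized; }

    private FlowContext key(int src, int sink, String param) {
        // Call-site-only context drops the parameter, so every destination
        // reached through the same sink shares one remembered decision.
        return new FlowContext(src, sink, parameterized ? param : "*");
    }

    // Bind the user's answer to the context in which it was given.
    void remember(int src, int sink, String param, Decision d) {
        decisions.put(key(src, sink, param), d);
    }

    // Unknown contexts fall back to asking the user.
    Decision query(int src, int sink, String param) {
        return decisions.getOrDefault(key(src, sink, param), Decision.ASK);
    }

    public static void main(String[] args) {
        String known = "https://ads.example.com";       // constructed value
        String other = "https://collector.example.net"; // constructed value

        PolicySketch callSiteOnly = new PolicySketch(false);
        callSiteOnly.remember(0, 0, known, Decision.ALLOW);
        // The earlier answer is reused for a destination the user never saw.
        System.out.println("call-site only, other: " + callSiteOnly.query(0, 0, other));

        PolicySketch paramPairs = new PolicySketch(true);
        paramPairs.remember(0, 0, known, Decision.ALLOW);
        System.out.println("parameterized, known: " + paramPairs.query(0, 0, known));
        // A new destination is a new context, so the decision is not inherited.
        System.out.println("parameterized, other: " + paramPairs.query(0, 0, other));
    }
}
```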
