Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Android is widely used for the development and deployment of autonomous and smart systems, including software targeted for IoT and mobile devices. Security of such systems is an increasingly important concern.
Android relies on a permission model to secure the system's resources and apps. In Android, since the permissions are granted at the granularity of apps, and all components in an app inherit those permissions, an app's components are over-privileged, i.e., components are granted more privileges than they actually need. Systematic violation of least-privilege principle in Android is the root cause of many security vulnerabilities. To mitigate this issue, we have developed DELDroid, an automated system for determination of least privilege architecture in Android and its enforcement at runtime. A key contribution of DELDroid is the ability to limit the privileges granted to apps without modifying them. DELDroid utilizes static analysis techniques to extract the exact privileges each component needs. A Multiple-Domain Matrix representation of the system's architecture is then used to automatically analyze the security posture of the system and derive its least-privilege architecture. Our experiments on hundreds of real-world apps corroborate DELDroid's ability in effectively establishing the least-privilege architecture and its benefits in alleviating the security threats.

Mahmoud Hammad

June 01, 2018
Tweet

More Decks by Mahmoud Hammad

Other Decks in Research

Transcript

  1. DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

    Mahmoud Hammad Software Engineering Ph.D. Candidate Mahmoud Hammad, Hamid Bagheri, and Sam Malek IEEE International Conference on Software Architecture (ICSA 2017) Gothenburg, Sweden, April 2017.
  2. Not as rosy as it may seem Source: NOKIA Threat

    Intelligence Report 4 Android malware samples
  3. Over-privileged resource access 5 Implicit Intent Composer Sender ListMsgs Activity

    Service FunGame LevelUp Messaging Main Explicit Intent Legend SMS permission Location permission Private component <<Android system>>
  4. Over-privileged Inter-Component Communication 6 Implicit Intent Composer Sender ListMsgs Activity

    Service FunGame LevelUp Messaging Main Explicit Intent Legend SMS permission Location permission Private component <<Android system>>
  5. LP in Android documentation The Android system implements the principle

    of least privilege. That is, each app, by default, has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not given permission. Android security mechanisms treat apps as the minimum security entities 8
  6. Security Consequences • Hard to comprehend the security posture of

    an Android system • Increases the attack surface • Cause many security vulnerabilities • Privilege escalation attack • Hidden Inter-Component Communication (ICC) attack 9
  7. FunGame Privilege Escalation Attack 10 Composer Sender ListMsgs LevelUp Messaging

    Main Implicit Intent Activity Service Explicit Intent Legend ix Intent SMS permission Location permission i1 i2 i3 // If (checkCallingPermission ("android.permission.SEND_SMS") == PackageManager.PERMISSION_GRANTED)
  8. Hidden ICC Attack 11 Composer Sender ListMsgs FunGame LevelUp Messaging

    Main Implicit Intent Dynamically Loaded Code Activity Service Explicit Intent ix Intent SMS permission Location permission <<external>> i1 i3 i2 Private component Legend
  9. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  10. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  11. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  12. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  13. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  14. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  15. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  16. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  17. Android apps • Each Android app, APK file, includes •

    configuration file called manifest file • App’s bytecode • The manifest file specifies: • principal components that constitute the app • provided interface, i.e., Intent Filters • required permissions • enforced permissions • Bytecode contains among other things: • App’s business logic • Components communications • Enforced permissions 21
  18. Step 1: Architectural Elements Extractor ID App Component Type Exported

    Intent Permissions Intents Name Filter Granted Used Enforced 1 Messaging ListMsgs Activity Yes {SMS} 2 Messaging Composer Activity Yes {SMS} {i1} 3 Messaging Sender Service Yes SEND_SMS {SMS} {SMS} 4 FunGame LevelUp Service No {Location} 5 FunGame Main Activity Yes MAIN {Location} {i2} 22
  19. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  20. Multiple Domain Matrix (MDM) • MDM models a complex system

    with multiple domains • Each domain is modeled as a Design Structure Matrix (DSM) • DSM and MDM are very effective in capturing and analyzing the architecture of a complex system 24
  21. Multiple Domain Matrix (MDM) Design Structure Matrix (DSM) Task 1

    Task 2 Task 3 A system with three tasks Task 1 Task 2 Task 3 Task-to-person relationship P1 P2 MDM captures the architecture P1 P2 1 1 1 1 25 Task 1 Task 2 Task 3 Task 1 1 Task 2 1 Task 3 1 Task 1 Task 2 Task 3 Task 1 1 Task 2 1 Task 3 1
  22. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  23. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  24. • Let us assume LevelUp does not use dynamic class

    loading Privilege escalation analysis 31
  25. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  26. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time
  27. Implementation details • DELDRoid is a Java application • input

    : set of apps • output: LP architecture and ECA rules • The enforcement mechanism implemented in the AOSP version 6 (Marshmallow) • Privilege Manager introduced a new package in the Android runtime • This package does not affect the existing apps • Other components are modified such as ActivityManager and ContextWrapper • Installed on Android emulator and Nexus 5X phone 38
  28. Evaluation • RQ1: How effective is DELDroid in reducing the

    attack surface? • RQ2: How effective is DELDroid in detecting and preventing attacks in real-world apps? • RQ3: What is the performance of DELDroid? 39
  29. Evaluation setup Dataset Apps Benign 370 Vulnerable 335 Malicious 225

    Malicious Dataset Malgenome Brain Test AndroTotal Contagio Dataset Apps Distribution 40 Benign 40% Vulnerable 36% Malicious 24%
  30. Bundle Apps Components Intent Intent Explicit Implicit Filter Bundle 1

    30 306 344 79 176 Bundle 2 30 432 468 379 287 Bundle 3 30 422 574 212 200 Bundle 4 30 449 348 370 511 Bundle 5 30 353 304 277 292 Bundle 6 30 541 890 476 4919 Bundle 7 30 562 412 38 324 Bundle 8 30 362 417 267 242 Bundle 9 30 265 180 98 166 Bundle 10 30 421 322 1231 185 Average 30 411.3 425.9 342.7 730.2 Avg. (per app) 13.7 14.2 11.4 24.3 RQ1: Attack surface reduction 41
  31. Bundle Components Intent Intent Communication Domain Explicit Implicit Filter Original

    LP Reduction (%) Bundle 1 306 344 79 176 29,031 42 99.86 Bundle 2 432 468 379 287 78,237 625 99.20 Bundle 3 422 574 212 200 65,709 173 99.74 Bundle 4 449 348 370 511 80,372 205 99.74 Bundle 5 353 304 277 292 56,868 345 99.39 Bundle 6 541 890 476 4919 85,556 661 99.23 Bundle 7 562 412 38 324 82,863 137 99.83 Bundle 8 362 417 267 242 50,208 250 99.50 Bundle 9 265 180 98 166 25,817 129 99.50 Bundle 10 421 322 1231 185 50,001 74 99.85 Average 411.3 425.9 342.7 730.2 60,466.2 264.1 99.58 Avg. (per app) 13.7 14.2 11.4 24.3 2,015.5 8.8 99.56 RQ1: Attack surface reduction – communication 42
  32. Bundle Components Intent Intent Permission Granted Domain Explicit Implicit Filter

    Original LP Reduction (%) Bundle 1 306 344 79 176 1,642 45 97.26 Bundle 2 432 468 379 287 2,954 61 97.94 Bundle 3 422 574 212 200 2,510 54 97.85 Bundle 4 449 348 370 511 4,234 78 98.16 Bundle 5 353 304 277 292 1,536 51 96.68 Bundle 6 541 890 476 4919 4,461 181 95.94 Bundle 7 562 412 38 324 1,577 58 96.32 Bundle 8 362 417 267 242 1,946 24 98.77 Bundle 9 265 180 98 166 1,568 30 98.09 Bundle 10 421 322 1231 185 2,386 28 98.83 Average 411.3 425.9 342.7 730.2 2,481.4 61.0 97.58 Avg. (per app) 13.7 14.2 11.4 24.3 82.7 2.0 97.54 RQ1: Attack surface reduction - permission 43
  33. Bundle Components Intent Intent Priv. Esca. Security Analysis Explicit Implicit

    Filter Original LP Bundle 1 306 344 79 176 25,944 0 Bundle 2 432 468 379 287 35,601 110 Bundle 3 422 574 212 200 22,721 2 Bundle 4 449 348 370 511 33,551 0 Bundle 5 353 304 277 292 26,914 2 Bundle 6 541 890 476 4919 24,745 2 Bundle 7 562 412 38 324 15,503 1 Bundle 8 362 417 267 242 27,663 14 Bundle 9 265 180 98 166 19,428 8 Bundle 10 421 322 1231 185 16,953 3 Average 411.3 425.9 342.7 730.2 24,902.3 14.2 Avg. (per app) 13.7 14.2 11.4 24.3 498.0 0.3 RQ1: Attack surface reduction – potential attacks 44
  34. RQ2: Attacks detection and prevention • 54 malicious and vulnerable

    apps • The steps and inputs required to create the attacks are known • The dataset contains • 18 privilege escalation attacks • 24 hidden ICC attacks through dynamic class loading • Detection: DELDroid analyzes the derived LP architecture • Prevention: manually exercise the apps to create the attacks 45
  35. RQ2: Privilege escalation detection results 46 TP Malicious behavior detected

    (18) FP Benign behavior detected (1) FN Malicious behavior not detected (0) • 18 privilege escalation Precision ( ) = 94.74% Recall ( ) = 100%
  36. RQ2: Attacks prevention 47 TP Malicious behavior prevented (42) FP

    Benign behavior prevented (1) FN Malicious behavior allowed (0) • 18 privilege escalation • 24 hidden ICC attacks • 42 attacks Precision ( ) = 97.76% Recall ( ) = 100%
  37. • Execution time of running DELDroid on the 10 bundles,

    repeated 33 times RQ3: Performance – design time Recovery (min) LP Determination (sec) Analysis (sec) ECA Rules (sec) Average per bundle 69.5 ± 2.7 1.61 ± 0.69 0.002 ± 0.001 0.45 ± 0.99 48
  38. • A script that sends 363 requests to an Android

    system • Each request causes the system to perform an ICC transaction • On average, DELDroid takes 25 ± 10 milliseconds to check an intercepted ICC RQ3: Performance – run time 49
  39. Threats to validity • Not all hidden ICC communications are

    malicious • Previous study proposed a technique that check the integrity of the loaded code [1] • Static analysis tools cannot effectively analyze obfuscated apps • integrating dynamic analysis techniques [1] S. Poeplau et al. Execute this! analyzing unsafe and maliciousdynamic code loading in android applications. In NDSS, SanDiego, California, February 2014. 51
  40. Conclusion • DELDroid is an automated approach for determining and

    enforcing the LP architecture for an Android system • The LP architecture narrows the attack surface and thwarts certain security attacks • Experimental results show • between 97% to 99% attack surface reduction • detecting and preventing security attacks (97% precision and 100% recall) • negligible runtime performance overhead 52