DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Transcript

1. DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

   Mahmoud Hammad Software Engineering Ph.D. Candidate Mahmoud Hammad, Hamid Bagheri, and Sam Malek IEEE International Conference on Software Architecture (ICSA 2017) Gothenburg, Sweden, April 2017.

2. 2 Android in the market Source: International Data Corporation (IDC)

3. Source: Statista Number of apps in Google Play store 3

4. Not as rosy as it may seem Source: NOKIA Threat

   Intelligence Report 4 Android malware samples

5. Over-privileged resource access 5 Implicit Intent Composer Sender ListMsgs Activity

   Service FunGame LevelUp Messaging Main Explicit Intent Legend SMS permission Location permission Private component <<Android system>>

6. Over-privileged Inter-Component Communication 6 Implicit Intent Composer Sender ListMsgs Activity

   Service FunGame LevelUp Messaging Main Explicit Intent Legend SMS permission Location permission Private component <<Android system>>

7. Research problem Components are over-privileged and violate the Least Privilege

   (LP) principle 7

8. LP in Android documentation The Android system implements the principle

   of least privilege. That is, each app, by default, has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not given permission. Android security mechanisms treat apps as the minimum security entities 8

9. Security Consequences • Hard to comprehend the security posture of

   an Android system • Increases the attack surface • Cause many security vulnerabilities • Privilege escalation attack • Hidden Inter-Component Communication (ICC) attack 9

10. FunGame Privilege Escalation Attack 10 Composer Sender ListMsgs LevelUp Messaging

    Main Implicit Intent Activity Service Explicit Intent Legend ix Intent SMS permission Location permission i1 i2 i3 // If (checkCallingPermission ("android.permission.SEND_SMS") == PackageManager.PERMISSION_GRANTED)

11. Hidden ICC Attack 11 Composer Sender ListMsgs FunGame LevelUp Messaging

    Main Implicit Intent Dynamically Loaded Code Activity Service Explicit Intent ix Intent SMS permission Location permission <<external>> i1 i3 i2 Private component Legend

12. Outline Ø Approach q Experimental Results q Threats & Conclusion

    12

13. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

14. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

15. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

16. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

17. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

18. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

19. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

20. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

21. Android apps • Each Android app, APK file, includes •

    configuration file called manifest file • App’s bytecode • The manifest file specifies: • principal components that constitute the app • provided interface, i.e., Intent Filters • required permissions • enforced permissions • Bytecode contains among other things: • App’s business logic • Components communications • Enforced permissions 21

22. Step 1: Architectural Elements Extractor ID App Component Type Exported

    Intent Permissions Intents Name Filter Granted Used Enforced 1 Messaging ListMsgs Activity Yes {SMS} 2 Messaging Composer Activity Yes {SMS} {i1} 3 Messaging Sender Service Yes SEND_SMS {SMS} {SMS} 4 FunGame LevelUp Service No {Location} 5 FunGame Main Activity Yes MAIN {Location} {i2} 22

23. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

24. Multiple Domain Matrix (MDM) • MDM models a complex system

    with multiple domains • Each domain is modeled as a Design Structure Matrix (DSM) • DSM and MDM are very effective in capturing and analyzing the architecture of a complex system 24

25. Multiple Domain Matrix (MDM) Design Structure Matrix (DSM) Task 1

    Task 2 Task 3 A system with three tasks Task 1 Task 2 Task 3 Task-to-person relationship P1 P2 MDM captures the architecture P1 P2 1 1 1 1 25 Task 1 Task 2 Task 3 Task 1 1 Task 2 1 Task 3 1 Task 1 Task 2 Task 3 Task 1 1 Task 2 1 Task 3 1

26. The Original architecture 26

27. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

28. The LP architecture 28

29. Original vs. LP architectures 29 Original Architecture LP Architecture

30. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

31. • Let us assume LevelUp does not use dynamic class

    loading Privilege escalation analysis 31

32. • DELDroidmarks , as a potential privilege escalation attack Privilege

    escalation analysis 32 LP Architecture

33. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

34. Communication ECA rule example : ∈ :. = ∧ .

    = ∧ . = : 34

35. Resource access ECA rule example : : = ∧ =Context.LOCATION_SERVICE

    : 35

36. DELDroid Design time ECA Rules Original Architecture LP Architecture Resource

    Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Run time

37. Outline q Approach Ø Experimental Results q Threats & Conclusion

    37

38. Implementation details • DELDRoid is a Java application • input

    : set of apps • output: LP architecture and ECA rules • The enforcement mechanism implemented in the AOSP version 6 (Marshmallow) • Privilege Manager introduced a new package in the Android runtime • This package does not affect the existing apps • Other components are modified such as ActivityManager and ContextWrapper • Installed on Android emulator and Nexus 5X phone 38

39. Evaluation • RQ1: How effective is DELDroid in reducing the

    attack surface? • RQ2: How effective is DELDroid in detecting and preventing attacks in real-world apps? • RQ3: What is the performance of DELDroid? 39

40. Evaluation setup Dataset Apps Benign 370 Vulnerable 335 Malicious 225

    Malicious Dataset Malgenome Brain Test AndroTotal Contagio Dataset Apps Distribution 40 Benign 40% Vulnerable 36% Malicious 24%

41. Bundle Apps Components Intent Intent Explicit Implicit Filter Bundle 1

    30 306 344 79 176 Bundle 2 30 432 468 379 287 Bundle 3 30 422 574 212 200 Bundle 4 30 449 348 370 511 Bundle 5 30 353 304 277 292 Bundle 6 30 541 890 476 4919 Bundle 7 30 562 412 38 324 Bundle 8 30 362 417 267 242 Bundle 9 30 265 180 98 166 Bundle 10 30 421 322 1231 185 Average 30 411.3 425.9 342.7 730.2 Avg. (per app) 13.7 14.2 11.4 24.3 RQ1: Attack surface reduction 41

42. Bundle Components Intent Intent Communication Domain Explicit Implicit Filter Original

    LP Reduction (%) Bundle 1 306 344 79 176 29,031 42 99.86 Bundle 2 432 468 379 287 78,237 625 99.20 Bundle 3 422 574 212 200 65,709 173 99.74 Bundle 4 449 348 370 511 80,372 205 99.74 Bundle 5 353 304 277 292 56,868 345 99.39 Bundle 6 541 890 476 4919 85,556 661 99.23 Bundle 7 562 412 38 324 82,863 137 99.83 Bundle 8 362 417 267 242 50,208 250 99.50 Bundle 9 265 180 98 166 25,817 129 99.50 Bundle 10 421 322 1231 185 50,001 74 99.85 Average 411.3 425.9 342.7 730.2 60,466.2 264.1 99.58 Avg. (per app) 13.7 14.2 11.4 24.3 2,015.5 8.8 99.56 RQ1: Attack surface reduction – communication 42

43. Bundle Components Intent Intent Permission Granted Domain Explicit Implicit Filter

    Original LP Reduction (%) Bundle 1 306 344 79 176 1,642 45 97.26 Bundle 2 432 468 379 287 2,954 61 97.94 Bundle 3 422 574 212 200 2,510 54 97.85 Bundle 4 449 348 370 511 4,234 78 98.16 Bundle 5 353 304 277 292 1,536 51 96.68 Bundle 6 541 890 476 4919 4,461 181 95.94 Bundle 7 562 412 38 324 1,577 58 96.32 Bundle 8 362 417 267 242 1,946 24 98.77 Bundle 9 265 180 98 166 1,568 30 98.09 Bundle 10 421 322 1231 185 2,386 28 98.83 Average 411.3 425.9 342.7 730.2 2,481.4 61.0 97.58 Avg. (per app) 13.7 14.2 11.4 24.3 82.7 2.0 97.54 RQ1: Attack surface reduction - permission 43

44. Bundle Components Intent Intent Priv. Esca. Security Analysis Explicit Implicit

    Filter Original LP Bundle 1 306 344 79 176 25,944 0 Bundle 2 432 468 379 287 35,601 110 Bundle 3 422 574 212 200 22,721 2 Bundle 4 449 348 370 511 33,551 0 Bundle 5 353 304 277 292 26,914 2 Bundle 6 541 890 476 4919 24,745 2 Bundle 7 562 412 38 324 15,503 1 Bundle 8 362 417 267 242 27,663 14 Bundle 9 265 180 98 166 19,428 8 Bundle 10 421 322 1231 185 16,953 3 Average 411.3 425.9 342.7 730.2 24,902.3 14.2 Avg. (per app) 13.7 14.2 11.4 24.3 498.0 0.3 RQ1: Attack surface reduction – potential attacks 44

45. RQ2: Attacks detection and prevention • 54 malicious and vulnerable

    apps • The steps and inputs required to create the attacks are known • The dataset contains • 18 privilege escalation attacks • 24 hidden ICC attacks through dynamic class loading • Detection: DELDroid analyzes the derived LP architecture • Prevention: manually exercise the apps to create the attacks 45

46. RQ2: Privilege escalation detection results 46 TP Malicious behavior detected

    (18) FP Benign behavior detected (1) FN Malicious behavior not detected (0) • 18 privilege escalation Precision ( ) = 94.74% Recall ( ) = 100%

47. RQ2: Attacks prevention 47 TP Malicious behavior prevented (42) FP

    Benign behavior prevented (1) FN Malicious behavior allowed (0) • 18 privilege escalation • 24 hidden ICC attacks • 42 attacks Precision ( ) = 97.76% Recall ( ) = 100%

48. • Execution time of running DELDroid on the 10 bundles,

    repeated 33 times RQ3: Performance – design time Recovery (min) LP Determination (sec) Analysis (sec) ECA Rules (sec) Average per bundle 69.5 ± 2.7 1.61 ± 0.69 0.002 ± 0.001 0.45 ± 0.99 48

49. • A script that sends 363 requests to an Android

    system • Each request causes the system to perform an ICC transaction • On average, DELDroid takes 25 ± 10 milliseconds to check an intercepted ICC RQ3: Performance – run time 49

50. Outline q Approach q Experimental Results Ø Threats & Conclusion

    50

51. Threats to validity • Not all hidden ICC communications are

    malicious • Previous study proposed a technique that check the integrity of the loaded code [1] • Static analysis tools cannot effectively analyze obfuscated apps • integrating dynamic analysis techniques [1] S. Poeplau et al. Execute this! analyzing unsafe and maliciousdynamic code loading in android applications. In NDSS, SanDiego, California, February 2014. 51

52. Conclusion • DELDroid is an automated approach for determining and

    enforcing the LP architecture for an Android system • The LP architecture narrows the attack surface and thwarts certain security attacks • Experimental results show • between 97% to 99% attack surface reduction • detecting and preventing security attacks (97% precision and 100% recall) • negligible runtime performance overhead 52
53. None