Application-layer security extensions · 2016-09-15


Application-layer security extensions

• Inlined Reference Monitoring
• App Virtualization
• Compiler-based instrumentation

GOALS & USE-CASES

§ Deploy security solutions independently from the device/OS vendor or app developers

- End user should be empowered

§ If possible abstain from escalated privileges, i.e., from root

§ Provide strongest possible security guarantees


POSSIBLE APPLICATION-LAYER SOLUTIONS

§ Various application areas, such as:

- Privacy protection
  • E.g., AppGuard [99], Aurasium [100], I-ARM-Droid [101], RetroSkeleton [102], DroidForce [103]

- Deploying third-party security patches
  • E.g., AppSealer [104], Capper [105]

- Enforcing enterprise policies
  • E.g., DeepDroid [106]

- Patching Android vulnerabilities
  • E.g., PatchDroid [107]

- App virtualization
  • E.g., Boxify [108], NJAS [109]


Application-layer security extensions

Inlined Reference Monitoring

MOTIVATION

Existing permission system
Understand an app's behavior
Enforce a desired level of privacy

How to enforce such dynamic permissions?

PROBLEM DESCRIPTION

§ Ideally performed at OS/Middleware layer → Requires firmware modification!

§ Android isolates app processes: "all apps are created equal" → Monitor not privileged enough!

§ Solution: Combine monitor and app into "self-monitoring" app

[Figure: three placements drawn on top of the Operating System. (1) Monitor inside the OS below the Untrusted App; (2) Monitor as a separate Monitor App next to the Untrusted App; (3) Monitor inlined into the Untrusted App.]

INLINE REFERENCE MONITORING

§ Dynamic Access Control

– Prevent apps from accessing certain system resources
– Revocation and re-granting of permissions

§ Fine-granular Security Policies

– Comprehensible for user
– Expressive for developer

§ "Graceful degradation"

– Apps should not crash after access to restricted resource

§ No change to the OS

– Deployment as regular Android app (no root)

INLINE REFERENCE MONITORING

§ Goal: Mediate security-relevant operations

- Monitor program behavior at critical points

- Instrument program to redirect control flow to the monitor

- Take action based on security policy

• Terminate program

• Suppress operation

§ Security-relevant operations

- Function calls: Java Core API, Android API

- Control flow redirection either at caller-site or callee-site

§ Typically by bytecode modification

7. BWINF Forschungstage

CALLER- VS. CALLEE-SITE REWRITING

Untrusted App, Application.main():

String s; URL u;
s = "http://attacker.com/"; u = new URL(s); u.openConnection(); ...

System Library, URL.openConnection():

... return connection;


2. CyberCrime Kongress 2013

CALLEE-SITE REWRITING

Untrusted App, Application.main() (unchanged):

String s; URL u;
s = "http://attacker.com/"; u = new URL(s); u.openConnection(); ...

System Library, URL.openConnection(), before rewriting:

... return connection;

System Library, URL.openConnection(), after rewriting:

Monitor.checkConnection(this); ... return connection;

Monitor, Monitor.checkConnection(url):

if (!connectionAllowed(url)) {
    System.exit(1);
}


CALLER-SITE REWRITING

Untrusted App, Application.main(), after rewriting:

String s; URL u;
s = "http://attacker.com/"; u = new URL(s); Monitor.openConnection(u); ...

System Library, URL.openConnection() (unchanged):

... return connection;

Monitor, Monitor.openConnection(url):

if (connectionAllowed(url)) {
    return url.openConnection();
} else {
    System.exit(1);
}


CALLER- VS. CALLEE-SIDE REWRITING

Original code:

String s; URL u;
s = "http://attacker.com/"; u = new URL(s); u.openConnection(); ...

Caller-side:
- Many places to instrument
- Dynamically loaded code
- Reflection
- Possible in practice for end-users

Callee-side:
- Few places to instrument
- Dynamically loaded code
- Reflection
- Impossible in practice for end-users

APPGUARD: REWRITER

§ Rewriter

- Works directly on Dalvik executable (DEX) bytecode

- Generates runtime monitor from policies and merges it into the target app

- Identifies invocations of security-relevant methods within the target app's bytecode

- Rewrites target app to call into the monitor right before every invocation of a security-relevant method (caller-site rewriting)

- Additional try-catch block allows monitor to suppress the security-relevant method call and return a mock value


APPGUARD: REWRITER

Original code:

URL url = new URL(loc);
try {
    url.openConnection();
} catch (IOException e) {
    // handle IOException
}

After rewriting:

URL url = new URL(loc);
try {
    Monitor.checkConnection(url);
    url.openConnection();
} catch (IOException e) {
    // handle IOException
} catch (MonitorException e) {
    // no return value, ignore
}

Original code:

TelephonyManager tm = getTelephonyManager();
String deviceId = tm.getDeviceId();

After rewriting:

TelephonyManager tm = getTelephonyManager();
String deviceId;
try {
    Monitor.checkDeviceId(tm);
    deviceId = tm.getDeviceId();
} catch (MonitorException e) {
    deviceId = e.mockValue();
}
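The following is an added example written for this page, not AppGuard's own monitor, showing what the rewritten call sites above need from the inlined monitor: a policy check inserted before the security-relevant call, a MonitorException that carries a mock value, and the try/catch that turns a denial into graceful degradation instead of a crash. The policy (an allow list of hosts, device id denied), the class names Monitor, MonitorException and RewrittenApp, and the sample values are all assumptions; the telephony call is replaced by a Supplier so the code runs off-device.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Set;
import java.util.function.Supplier;

/** Thrown by the monitor to suppress a security-relevant call without crashing the app. */
final class MonitorException extends Exception {
    private final String mock;

    MonitorException(String reason, String mock) {
        super(reason);
        this.mock = mock;
    }

    /** Replacement value the rewritten call site uses instead of the real result. */
    String mockValue() {
        return mock;
    }
}

/** Inlined reference monitor: consulted right before each mediated call (caller-site). */
final class Monitor {
    // Constructed per-app policy: hosts the app may contact; everything else is suppressed.
    private static volatile Set<String> allowedHosts = Set.of("wetter.com", "www.wetter.com");
    private static volatile boolean deviceIdAllowed = false;

    static void setAllowedHosts(Set<String> hosts) {
        allowedHosts = Set.copyOf(hosts);
    }

    static void setDeviceIdAllowed(boolean allowed) {
        deviceIdAllowed = allowed;
    }

    /** Injected before URL.openConnection(): block any host outside the allow list. */
    static void checkConnection(URL url) throws MonitorException {
        String host = url.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase())) {
            throw new MonitorException("connection to " + host + " blocked by policy", null);
        }
    }

    /** Injected before TelephonyManager.getDeviceId(): deny and hand back a mock IMEI. */
    static void checkDeviceId() throws MonitorException {
        if (!deviceIdAllowed) {
            throw new MonitorException("device id access blocked by policy", "000000000000000");
        }
    }
}

/** Shape of the app code after the rewriter has inserted the checks and try/catch blocks. */
final class RewrittenApp {
    /** Returns true when the connection was set up, false when the monitor suppressed it. */
    static boolean fetch(String loc) throws IOException {
        URL url = new URL(loc);
        try {
            Monitor.checkConnection(url);
            url.openConnection(); // reached only when the policy allows the host
            return true;
        } catch (MonitorException e) {
            return false; // suppressed: the app keeps running instead of crashing
        }
    }

    /** The telephony call is passed in as a supplier so the example runs off-device. */
    static String readDeviceId(Supplier<String> telephony) {
        String deviceId;
        try {
            Monitor.checkDeviceId();
            deviceId = telephony.get();
        } catch (MonitorException e) {
            deviceId = e.mockValue(); // graceful degradation: mock value instead of a crash
        }
        return deviceId;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("wetter.com allowed: " + fetch("http://www.wetter.com/"));
        System.out.println("ad server allowed:  " + fetch("http://ads.example/"));
        System.out.println("device id seen by app: " + readDeviceId(() -> "123456789012345"));
    }
}
```

Compile with `javac` and run `java RewrittenApp`. Note that `URL.openConnection()` does not open a socket, so the allowed branch runs offline; the point of the design is that the monitor is the only piece the rewriter has to generate, while the injected try/catch at each call site is mechanical.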


DIFFERENT SOLUTIONS TO IRM


APPGUARD – CONCEPTUAL OVERVIEW

[Figure: the Management component holds the Policies and drives the Rewriter; the Rewriter takes the Untrusted App and produces an Untrusted App with an inlined Monitor. Management passes config to the Monitor, and the Monitor sends logging back to Management.]

Implemented as stand-alone app:

→ easily deployable

APPGUARD: MANAGEMENT

§ UI for rewriting apps on the phone

§ Policy configuration per app

- Passed to target app via world-readable config file

- Fine-grained configuration supported

§ Log of security-relevant events

- Pushed via IPC from inlined monitor

Forschungstage Informatik 2014

CASE STUDIES: Wetter.com

§ Provides weather information & forecast

§ Displays advertisements

§ Situation

- Retrieves weather data from wetter.com

- Requests INTERNET permission for full Internet access

§ Solution

- Selectively allow access to wetter.com servers only

- No more advertisements displayed


CASE STUDIES: Twitter

§ Mobile client for popular micro-blogging service

§ Situation

- Automatically transfers contact data to Twitter servers without user's knowledge or consent

- Part of Twitter's "find friends" feature

§ Solution

- Block access to user's contact data

- Friends can still be added manually


CASE STUDIES: Endomondo Sports Tracker

§ Tracks your outdoor sport activities (running, cycling, etc.)

§ Creates personal sports profile

§ Situation

- Leaks authentication token via HTTP

§ Solution

- Intercept HTTP connections and redirect to encrypted HTTPS


CASE STUDIES: (Evil) TeaTimer

§ Simple timer app

§ Requires INTERNET permission only

§ Situation

- Uploads user's personal photos to public photo sharing site

- No permission required to access photo storage

§ Solution

- Block access to photo storage


APPGUARD: DISCUSSION

§ Practical solution to a pressing security problem

- Negligible runtime overhead (<6%)

- Reasonable rewriting time (5-60 seconds)

- Deployed & widely adopted (~1 million downloads over 8 months)

§ General purpose lightweight runtime instrumentation

- Only minimal static rewriting (caller-site) necessary


DRAWBACKS OF INLINED REFERENCE MONITORING

§ Inlined reference monitor shares the same process space as the untrusted monitored code

§ No strong security boundary between monitoring and monitored code!

▶ Malicious code can attack and disable/modify the reference monitor!

§ Rewriter must be able to identify the call-sites

▶ Malicious code can include custom implementations of SDK functions with different function signatures!

▶ Native code not covered!

DRAWBACKS OF INLINED REFERENCE MONITORING (2)

§ Android relies on same-origin model for application updates

- Every app is cryptographically signed by its developer

- Digital signature identifies origin

- App updates only allowed if from same origin (i.e., having same signature as original app)

§ IRM breaks with the same-origin model, because application code has to be instrumented with inlined code

▶ Breaks the digital signature and hence origin!
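To make the same-origin consequence concrete, here is an added example (not from the slides, and not Android's installer code) that models the update rule with plain Java crypto: an app is a byte string signed by its developer, the "origin" is taken to be the SHA-256 digest of the signer's public key (an assumption standing in for the certificate fingerprint Android compares), and the rewriter is represented by a function that merely changes the bytes. The APK contents, key names and the inlineMonitor stand-in are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;

final class SameOriginDemo {
    /** A signed package: the app bytes, the signature over them, and the signer's public key. */
    static final class SignedApk {
        final byte[] apk;
        final byte[] sig;
        final PublicKey signer;

        SignedApk(byte[] apk, byte[] sig, PublicKey signer) {
            this.apk = apk;
            this.sig = sig;
            this.signer = signer;
        }
    }

    static KeyPair newKey() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    static SignedApk sign(byte[] apk, KeyPair key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key.getPrivate());
        s.update(apk);
        return new SignedApk(apk, s.sign(), key.getPublic());
    }

    static boolean verify(SignedApk p) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(p.signer);
        s.update(p.apk);
        return s.verify(p.sig);
    }

    /** Origin identity: digest of the signer's public key (stand-in for the certificate fingerprint). */
    static byte[] origin(PublicKey k) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(k.getEncoded());
    }

    /** Same-origin rule: an update installs only if it verifies and comes from the installed app's signer. */
    static boolean updateAllowed(SignedApk installed, SignedApk update) throws GeneralSecurityException {
        return verify(update) && MessageDigest.isEqual(origin(installed.signer), origin(update.signer));
    }

    /** Stand-in for the rewriter: all that matters here is that the signed bytes change. */
    static byte[] inlineMonitor(byte[] apk) {
        byte[] marker = "+monitor".getBytes(StandardCharsets.US_ASCII);
        byte[] out = Arrays.copyOf(apk, apk.length + marker.length);
        System.arraycopy(marker, 0, out, apk.length, marker.length);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair developer = newKey();
        KeyPair rewriter = newKey();
        byte[] v1 = "classes.dex v1 (constructed)".getBytes(StandardCharsets.UTF_8);
        byte[] v2 = "classes.dex v2 (constructed)".getBytes(StandardCharsets.UTF_8);

        SignedApk installedOriginal = sign(v1, developer);
        // 1. Inlining the monitor changes the bytes, so the developer's signature no longer verifies.
        SignedApk tampered = new SignedApk(inlineMonitor(v1), installedOriginal.sig, developer.getPublic());
        System.out.println("developer signature valid after inlining: " + verify(tampered));
        // 2. Re-signing with the rewriter's key makes the app installable again, but under a new origin.
        SignedApk installedRewritten = sign(inlineMonitor(v1), rewriter);
        SignedApk storeUpdate = sign(v2, developer);
        System.out.println("store update accepted over original app:  " + updateAllowed(installedOriginal, storeUpdate));
        System.out.println("store update accepted over rewritten app: " + updateAllowed(installedRewritten, storeUpdate));
    }
}
```

The second run of updateAllowed is the practical cost of IRM on Android: once the app has been re-signed by the rewriter, the developer's next store release no longer matches the installed origin, so the update path through the store is cut until the user uninstalls the rewritten copy.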

Application-layer security extensions

App virtualization

MOTIVATION

[Figure: landscape of related work, grouped into OS Extensions and Application Layer Solutions]

Cells [SOSP'11], Apex [ASIACCS'10], ASM [SEC'15], L4Android [SPSM'11], AppGuard [TACAS'13], TaintDroid [OSDI'10], CRePE [ISC'10], TrustDroid [SPSM'11], I-ARM-Droid [MoST'12], DroidForce [ARES'14], MOSES [SACMAT'12], AirBag [NDSS'14], Aurasium [SEC'12], FlaskDroid [SEC'13], RetroSkeleton [MobiSys'13], Dr. Android & Mr. Hide [SPSM'12]

ANDROID OS EXTENSIONS

[Figure: software stack. Apps sit above the Process Boundary; System Services and Binder IPC sit above the Kernel Boundary; the Linux Kernel exposes the Syscall API. With OS extensions, Monitors are added inside the System Services and inside the Linux Kernel.]

✔ Strong security

✖ Hard to deploy

APPLICATION LAYER SOLUTIONS

[Figure: same software stack; the Monitor is just another App next to the other apps, separated from them by the process boundary.]

✔ Easy to deploy

✖ No app monitoring possible

INLINED REFERENCE MONITORING

[Figure: same software stack; the Monitor is inlined into the App it monitors and shares its process.]

✔ Easy to deploy

✖ Weak security

GOAL OF APP VIRTUALIZATION

OS Extensions:
✔ Strong security
✖ Hard to deploy

Application Layer Solutions:
✔ Easy to deploy
✖ Weak security

Our Goal:
✔ Easy to deploy
✔ Strong security

OBJECTIVES

Monitor and constrain untrusted applications

✔ Easy to deploy
- No firmware modification / root
- No application modification

✔ Strong security
- Protected reference monitor
- Fail-safe defaults

APPROACH (1)

Objective: No firmware modification / root

Solution: Regular user-space application

[Figure: software stack; the Monitor is a regular App next to the other apps]

APPROACH (2)

Objective: No application modification

Solution: Application virtualization

[Figure: instead of inlining the Monitor into each App, the Apps are moved inside the Monitor app, which virtualizes them]

APPROACH (3)

Objective: Protected reference monitor

Solution: Separate process

[Figure: the Monitor runs in its own process; the virtualized App runs in a separate process together with a Shim]

APPROACH (4)

Objective: Fail-safe defaults

Solution: Isolated process

[Figure: the virtualized App with its Shim runs as a Zero-Permission App in an isolated process next to the Monitor]

ISOLATED PROCESS

§ Allows service components to run isolated from the rest of the application

§ Isolated processes

- Have zero permissions

- Have no access to system services

- Run with a distinct, transient UID

- Cannot write to the file system

APP VIRTUALIZATION ARCHITECTURE

[Figure: Boxify runs as a regular app next to the other apps. The Monitor part runs in Boxify's own process (the Broker App); the untrusted App (the Target App) runs in an Isolated Process.]

TARGET

[Figure: Broker and Target processes. The Target contains an IPC Shim, a Syscall Shim and a Sandbox Service.]

- IPC Shim: divert Binder IPC to Broker
- Syscall Shim: divert syscalls to Broker
- Sandbox Service: control channel for loading/terminating apps

LOADING AN APP

Sequence between Broker and Target:

1. Broker: Context.bindService()
   → Isolated process is created
2. Target hands back Binder: SandboxService
3. Broker: SandboxService.prepare()
   → Shims are set up
4. Target hands back Binder: ApplicationThread
5. Broker: ApplicationThread.bindApplication()
   → App is started

BROKER

[Figure: Broker architecture in three layers. API Layer: IPC Receiver and Syscall Receiver facing the Target. Core Logic Layer: Service PEPs, Syscall PEP and Core Services. Virtualization Layer: Service Stubs and the Component Broker.]

API LAYER

- Establish compatibility across Android versions

CORE LOGIC LAYER

- Baseline enforcement & virtual system services (Service PEPs, Syscall PEP, Core Services)

VIRTUALIZATION LAYER

- Translate between Boxify and Android system (Service Stubs, Component Broker)

VIRTUALIZATION LAYER

[Figure: the App declares components Activity A, Activity B, Service A, Service B, Receiver A. Boxify declares placeholder components Activity 1 … Activity N, Service 1 … Service N, Receiver 1 …]

App: startActivity(ActivityA)
→ Boxify: startActivity(Activity1)
→ Android: scheduleLaunchActivity(Activity1)
→ Boxify: scheduleLaunchActivity(ActivityA)
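The round trip above is, at its core, a bidirectional mapping between the target app's components and a fixed pool of placeholders that the broker app declares in its manifest. The class below is an added example written for this page (not Boxify's code) of that mapping: outbound calls get a free placeholder of the right kind, inbound callbacks are translated back, and the pool is finite, so a component beyond the declared N is refused rather than silently dropped. The class name ComponentBroker, the naming scheme "Activity1", and the simulated launch trace are assumptions.

```java
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

final class ComponentBroker {
    enum Kind { ACTIVITY, SERVICE, RECEIVER }

    // Pool sizes: how many placeholder components of each kind the broker app declares.
    private final Map<Kind, Integer> poolSize = new EnumMap<>(Kind.class);
    private final Map<String, String> realToPlaceholder = new HashMap<>();
    private final Map<String, String> placeholderToReal = new HashMap<>();

    ComponentBroker(int activities, int services, int receivers) {
        poolSize.put(Kind.ACTIVITY, activities);
        poolSize.put(Kind.SERVICE, services);
        poolSize.put(Kind.RECEIVER, receivers);
    }

    /** Placeholder naming scheme, e.g. "Activity1", "Service3" (assumed). */
    private static String slotName(Kind kind, int index) {
        String k = kind.name();
        return k.charAt(0) + k.substring(1).toLowerCase() + index;
    }

    /** Outbound (app to system): substitute a free placeholder of the same kind, reusing an existing mapping. */
    String toPlaceholder(Kind kind, String realComponent) {
        String existing = realToPlaceholder.get(realComponent);
        if (existing != null) {
            return existing;
        }
        for (int i = 1; i <= poolSize.get(kind); i++) {
            String slot = slotName(kind, i);
            if (!placeholderToReal.containsKey(slot)) {
                realToPlaceholder.put(realComponent, slot);
                placeholderToReal.put(slot, realComponent);
                return slot;
            }
        }
        // Fail closed: the manifest declares only N placeholders, so an (N+1)th component cannot be hosted.
        throw new IllegalStateException("no free " + kind + " placeholder for " + realComponent);
    }

    /** Inbound (system to app): map the scheduled placeholder back to the app's real component. */
    String toReal(String placeholder) {
        String real = placeholderToReal.get(placeholder);
        if (real == null) {
            throw new IllegalArgumentException("unknown placeholder " + placeholder);
        }
        return real;
    }

    /** Free the slot once the component is destroyed so it can be reused. */
    void release(String realComponent) {
        String slot = realToPlaceholder.remove(realComponent);
        if (slot != null) {
            placeholderToReal.remove(slot);
        }
    }

    /** The round trip from the slide: what the app calls, what Android sees, what the app gets back. */
    static List<String> simulateLaunch(ComponentBroker broker, String activity) {
        List<String> trace = new ArrayList<>();
        trace.add("app:     startActivity(" + activity + ")");
        String slot = broker.toPlaceholder(Kind.ACTIVITY, activity);
        trace.add("broker:  startActivity(" + slot + ")");
        trace.add("android: scheduleLaunchActivity(" + slot + ")");
        trace.add("shim:    scheduleLaunchActivity(" + broker.toReal(slot) + ")");
        return trace;
    }

    public static void main(String[] args) {
        ComponentBroker broker = new ComponentBroker(2, 2, 1);
        simulateLaunch(broker, "ActivityA").forEach(System.out::println);
        simulateLaunch(broker, "ActivityB").forEach(System.out::println);
        try {
            simulateLaunch(broker, "ActivityC"); // third activity, but only two placeholders declared
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Because Android only ever sees the placeholder names, it is the broker, not the system, that knows which real component is running; this is also why the slide lists "Presence of Boxify detectable" as a limitation, since the placeholder names are visible to anyone inspecting the running components.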

SYSTEM INTEGRATION

§ Launching apps

- Dedicated Activity

- Shortcuts on Home Screen

- Virtualized Launcher

§ Installing/Updating apps

- Directly via App Stores

DISCUSSION & LIMITATIONS

§ Cancels Android's own access control checks

§ Violates Principle of Least Privilege

§ Full kernel attack surface available

§ Presence of Boxify detectable

USE-CASES

§ Instantiate OS extensions at application layer

- Fine-grained access control
- Information flow control
- Dual-persona, BYOD
- Dynamic analysis
- Automated testing
- Xposed
- …

Application-layer Security

Compiler-based instrumentation

MOTIVATION AND RESEARCH QUESTIONS

§ Android Runtime (ART) supersedes Dalvik Virtual Machine (DVM)
- Move from interpretation to ahead-of-time on-device compilation
- Breaks compatibility with DVM-based prior work (e.g. TaintDroid)

§ ART yet uncharted
- Only few works on the topic
- Security implications unclear
- Potentially interesting target for security research

§ This work: Understanding and utilizing the novel runtime

- Researching the new on-device compiler

- Creating an app-instrumentation framework

- Proving its applicability by implementing use-cases

DVM VS ART

Dalvik Virtual Machine
- Default runtime up to Android 5.0
- Pre-optimization of bytecode
- Dalvik executable bytecode format (.dex)
- Interpretation and just-in-time compilation
- Repeated fetch-execute cycles

Android Runtime
- Default runtime since Android 5.0
- Compilation of bytecode to binary code
- ART ELF binary (.oat)
- Native execution in the Android Runtime
- Improved performance and battery life

THE ANDROID RUNTIME

§ Two main components: compiler suite and runtime

§ Dex2oat Compiler: transform dex files into oat files

- Oat follows the ELF format

- Complete dex code is stored along with the binary code

- Multiple compilation backends and code generators

- Backends handle optimizations

§ Runtime: load and execute compiled apps

- Compensate for missing virtual machine

- Preload framework code

- Garbage collection

- Debugging hooks

DEX2OAT: OVERVIEW

DEX2OAT: OPTIMIZING IR

§ Single intermediate representation

§ Enriched method CFGs

§ Static Single Assignment (SSA) form

§ Def-use pairs

§ Nodes comparable to dex instructions

§ Inlined Java semantic checks

INSTRUMENTATION POINTS

• Minimal interference with dex2oat
• Leaves transformation from dex and code generators intact
• Support for visitor pattern
• Lightweight static analysis possible

ARTIST: THE ART INSTRUMENTATION AND SECURITY TOOLKIT

§ Injection of whole libraries
- Support to merge additional dex files
- Implemented as a preprocessing step
- Invocations of those added methods can be injected

§ Simple API for code injection
- Injects method calls
- Policy-driven: (target, method, parameters)
- Used to implement simple IRM use-case

§ Support for Modules
- Implemented as custom optimization passes over the code
- Integrates neatly with optimizations and other Modules
- Full access to method CFG: remove, add and replace nodes

ARTIST: DEPLOYMENT

§ Replace system dex2oat

§ Ship the compiler as a binary

- Regular Android app

- UI to pick app for instrumentation

- Recompilation generates alternative oat file (oat')

§ Trick Android into loading oat' instead of oat

- root: replace oat with oat'

- No root: use virtualization technique (Boxify, NJAS)

§ Application Layer-only solution

- Leaves system binary untouched

- No root required

POSSIBLE USE CASES

§ Taint Tracking

- Tracking of prohibited flows from protected sources to app sinks

§ IRM

- Dynamic permission enforcement

§ Hot-patching of vulnerabilities

- Detect and fix common vulnerabilities introduced by developers

§ Enforced app compartmentalization

- Split applications into distinct security principals

§ Debugging and Profiling

- Inject custom debugging hooks and benchmarking code

§ …

CASE STUDY: TAINT TRACKING WITH ARTIST

§ De-facto standard TaintDroid not applicable anymore on ART

- Existing works focus on dex rewriting (TaintMan, …)

§ Investigate whether taint tracking can be implemented using compiler-based instrumentation

- Specific challenges

- Compiler operates on method-level

- Interplay with optimizations

§ Hybrid analysis

- Lightweight static analysis to support targeted instrumentation

- No full static taint analysis!

- Dynamic taint tracking happens at runtime

CASE STUDY: INFORMATION FLOW ANALYSIS

§ Refining the definitions of sources and sinks

- Global source/sink: data enters/leaves application
- Local source/sink: data enters/leaves current method

§ Intra-method taint tracking

- Statically compute backward slices of global and local sinks

- Stop at method border, i.e. local sources

§ Inter-method taint tracking

- Inject code at sources and sinks to obtain and propagate taint information

- Thread-local taint stack for tainted arguments and return values

- Create identifier for object and static fields and store in map

- Add code to check taint value at global sinks
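The inter-method part of the design is easiest to see as the small runtime library the injected calls would target, plus one app method set in the shape it has after instrumentation. The code below is an added example written for this page, not ARTist's implementation: TaintRuntime holds the thread-local taint stack for arguments and return values, a map from field identifiers to labels for object and static fields, and the check run before a global sink; the lines marked "injected" in InstrumentedApp are the calls a compiler pass would add at sources, sinks and field accesses. The static backward slicing that decides where those calls go is not shown. Class and method names, the label values and the sample location string are all assumptions.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Runtime support that the injected calls target (names assumed, not ARTist's API). */
final class TaintRuntime {
    static final int CLEAN = 0;
    static final int LOCATION = 1;

    // Thread-local stack that carries labels across method borders: the caller pushes one
    // label per tainted argument and the callee pops them; the callee pushes the return
    // value's label and the caller pops it.
    private static final ThreadLocal<Deque<Integer>> STACK = ThreadLocal.withInitial(ArrayDeque::new);
    // Taint of heap state, keyed by an identifier for an object field or a static field.
    private static final Map<String, Integer> FIELDS = Collections.synchronizedMap(new HashMap<>());
    // Global sinks where tainted data was observed (what an enforcement module would act on).
    static final List<String> VIOLATIONS = Collections.synchronizedList(new ArrayList<>());

    static void push(int label) { STACK.get().push(label); }

    static int pop() {
        Deque<Integer> s = STACK.get();
        return s.isEmpty() ? CLEAN : s.pop(); // uninstrumented callers leave nothing to pop
    }

    static String fieldId(Object owner, String field) {
        return System.identityHashCode(owner) + "." + field;
    }

    static String staticFieldId(Class<?> owner, String field) {
        return owner.getName() + "#" + field;
    }

    static void storeField(String id, int label) {
        if (label == CLEAN) FIELDS.remove(id); else FIELDS.put(id, label);
    }

    static int loadField(String id) {
        return FIELDS.getOrDefault(id, CLEAN);
    }

    /** Injected right before a global sink; records a violation and returns the label that reached it. */
    static int checkSink(String sink, int label) {
        if (label != CLEAN) VIOLATIONS.add(sink + " <- label " + label);
        return label;
    }
}

/** An app's methods as they would look after instrumentation; "injected" marks the added calls. */
final class InstrumentedApp {
    private String cachedLocation;

    /** Global source (stand-in for a location API; the value is constructed). */
    String readLocation() {
        String loc = "49.25,7.04";
        TaintRuntime.push(TaintRuntime.LOCATION); // injected: return value of a global source is tainted
        return loc;
    }

    /** Plain helper: taint enters as a local source (argument) and leaves as a local sink (return). */
    String format(String s) {
        int t = TaintRuntime.pop();   // injected: argument label from the caller
        String r = "loc=" + s;
        TaintRuntime.push(t);         // injected: the return value inherits it
        return r;
    }

    void cache() {
        String loc = readLocation();
        int t = TaintRuntime.pop();   // injected: label of the source's return value
        cachedLocation = loc;
        TaintRuntime.storeField(TaintRuntime.fieldId(this, "cachedLocation"), t); // injected: field store
    }

    /** Returns the label that reached the global sink (CLEAN means no prohibited flow). */
    int send() {
        int t = TaintRuntime.loadField(TaintRuntime.fieldId(this, "cachedLocation")); // injected: field load
        TaintRuntime.push(t);         // injected: argument label for the callee
        String body = format(cachedLocation);
        int rt = TaintRuntime.pop();  // injected: return label from the callee
        return TaintRuntime.checkSink("HttpURLConnection.getOutputStream", rt); // injected: global sink
    }

    int sendConstant() {
        TaintRuntime.push(TaintRuntime.CLEAN);
        String body = format("constant");
        int rt = TaintRuntime.pop();
        return TaintRuntime.checkSink("HttpURLConnection.getOutputStream", rt);
    }

    public static void main(String[] args) {
        InstrumentedApp app = new InstrumentedApp();
        System.out.println("constant to sink: label " + app.sendConstant());
        app.cache();
        System.out.println("cached location to sink: label " + app.send());
        System.out.println("violations: " + TaintRuntime.VIOLATIONS);
    }
}
```

The push/pop discipline is what lets a method-level compiler track flows across calls without a whole-program view: each call site only has to agree with its callee on how many labels are on the stack, and an uninstrumented callee (for instance one inlined away by an optimization pass) simply leaves the stack untouched, which is the "interplay with optimizations" challenge the slides name.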

CASE STUDY: TAINT TRACKING EXAMPLE

ONGOING WORK

§ Integrate ARTist with Boxify

- Current implementation requires root

§ Combine with state-of-the-art static analysis

- Even more targeted instrumentation

§ Multi-dex support

- Allows to also recompile the largest apps (Facebook, …)

- Move additional dex merging into the compiler itself
