Timeliner: “Tipped Off by Your Memory Allocator”: Device-Wide User Activity Sequencing from Android Memory Images
Rohit Bhatia, Brendan Saltaformaggio, Seung Jei Yang, Aisha Ali-Gombe, Xiangyu Zhang, Dongyan Xu, Golden G. Richard III
Importance of a Timeline
Crime Scene Reconstruction “involves evaluating the context of a scene and the physical evidence found there in an effort to identify what occurred and in what order it occurred.”
(Figure: Call/Message database, Web browsing, Chat logs)
Importance of a Timeline
App Specific Logs
Coarse Grained Actions
Not a Device-Wide Timeline
Is this a crime? NO
What if app is terminated?
Is this a crime? POSSIBLY – Distracted Driving
Importance of a Device-Wide Timeline
Cybercrimes typically involve a variety of mobile apps, with complex sequencing of user-actions
Need a Device-Wide solution to recover past user-actions that is not influenceable by the device-owner
(Figure: Netflix, Maps)
Persistent storage is not enough to re-sequence a device-wide timeline
Memory Forensics
Timeliner complements existing memory forensic techniques
GUITAR [CCS 2015] Best Paper
VCR [CCS 2015]
RETROSCOPE [Usenix Sec. 2016]
DSCRETE [Usenix Sec. 2014] Best Student Paper
Activities As User-Actions
Activities are Android abstractions for a “single, focused thing a user can do”
Some Applications and a Few Example Activities:
  WhatsApp: VoipActivity, RecordAudio, CameraActivity
  Signal:   ConversationList, Conversation, ShareActivity
  Dialer:   InCallActivity, CallLogActivity, CallDetailActivity
  Chase:    AccountsActivity, TransferActivity, QuickDepositStart
  Netflix:  HomeActivity, SearchActivity, MovieDetails
(Figure: Android / Apps)
Activities As User-Actions
Activity Lifecycle is handled by ActivityManagerService, which provides device-wide supervision
(Figure: ActivityManagerService)
Activity Stack As A Solution?
No ordering available between different Activity Stacks
Activity Stacks contain the current state, and not the past state – which is what we want
(Figure: Activity Stacks for Dialer and Netflix (Current) – DialContactsActivity, HomeActivity, SearchActivity, MovieDetailsActivity; Android / Apps)
Timeliner
Timeliner recovers Activities using key self-identifying data structures
Infer ordering based on allocated locations in memory
(Figure: recovered Activities – Launcher, DialContactsActivity, InCallActivity, PlayerActivity, MovieDetailsActivity; Android / Apps)
Residual Data Structures
Roots
Field/Value Matches
(Figure: ActivityManagerService → MovieDetailsActivity (netflix.ui.MovieDetailsActivity); Android / Apps)
“First-Available” Allocation
(Figure: Memory Allocator runs of Size A, Size B, Size C holding allocations of Launcher, DialContactsActivity, InCallActivity)
Temporal Ordering From Spatial Ordering
Per-Activity sets of (run, allocated locations):
  { (r1, a1), (r2, a2), (r3, a3) }
  { (r1, b1), (r2, b2), (r3, b3) }
  { (r1, c1), (r2, c2), (r3, c3) }
(Figure: Memory Allocator runs Size A, Size B, Size C holding allocations of Launcher, DialContactsActivity, InCallActivity)
Transition Graph
allPrecede(e, f) = |{ r | (r, m) ∈ e ∧ (r, n) ∈ f ∧ max(m) < min(n) }|
anySucceed(e, f) = |{ r | (r, m) ∈ e ∧ (r, n) ∈ f ∧ max(m) > min(n) }|
(Figure: Transition Graph over Launcher, DialContactsActivity, InCallActivity with edge weights 2, 3, 3)
Pruning Erroneous Edges
(Figure: Transition Graph over Launcher, DialContactsActivity, InCallActivity, PlayerActivity, MovieDetailsActivity with edge weights 4, 2, 3, 3 and one Erroneous Edge of weight 1)
Existing Allocation in the allocator runs (Size A, Size B, Size C) gives rise to an Erroneous Edge involving Launcher
Min-Cut on the Undirected Transition Graph removes the Erroneous Edge
(Figure: pruned Transition Graph with edge weights 4, 2, 3, 3)
Global Ordering
Local Orderings from the Transition Graph are combined by Topological Sort into a Global Ordering
(Figure: Launcher, DialContactsActivity, InCallActivity, PlayerActivity, MovieDetailsActivity; Other Allocations)
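The allPrecede/anySucceed computation from the Temporal Ordering slide and the topological sort into a Global Ordering, as an added Python example that is not the Timeliner authors' code: the per-run slot offsets, the edge rule (e → f when allPrecede exceeds anySucceed, weighted by allPrecede) and the use of Kahn's algorithm are assumptions, not taken from the paper.

```python
# Added illustration (not the Timeliner authors' code): temporal ordering from
# spatial ordering via the slide's allPrecede/anySucceed, then Kahn's topological
# sort for the global ordering. Edge rule (e -> f when allPrecede > anySucceed,
# weighted by allPrecede), Kahn's sort, run ids and offsets are all assumptions.
from collections import defaultdict

# Constructed sample: Activity -> {run id: slot offsets occupied in that run}.
# MovieDetails reuses a freed hole (0x08) in run A, so run A contradicts B and C.
ACTIVITIES = {
    "Launcher":             {"A": {0x10, 0x20}, "B": {0x08}, "C": {0x04}},
    "DialContactsActivity": {"A": {0x30}, "B": {0x18, 0x28}, "C": {0x14}},
    "InCallActivity":       {"A": {0x40, 0x50}, "B": {0x38}, "C": {0x24}},
    "MovieDetailsActivity": {"A": {0x08, 0x60}, "B": {0x48}, "C": {0x34, 0x44}},
}

def all_precede(e, f):
    """Count shared runs where every slot of e lies before every slot of f."""
    return sum(1 for r in e.keys() & f.keys() if max(e[r]) < min(f[r]))

def any_succeed(e, f):
    """Count shared runs where some slot of e lies after some slot of f."""
    return sum(1 for r in e.keys() & f.keys() if max(e[r]) > min(f[r]))

def transition_graph(acts):
    """Directed graph {e: {f: weight}}; an edge means the layout says e ran first."""
    graph = defaultdict(dict)
    for e, em in acts.items():
        for f, fm in acts.items():
            if e != f and all_precede(em, fm) > any_succeed(em, fm):
                graph[e][f] = all_precede(em, fm)
    return graph

def global_ordering(acts):
    """Kahn topological sort over the transition graph (ties broken by name)."""
    graph = transition_graph(acts)
    indeg = {a: 0 for a in acts}
    for e in graph:
        for f in graph[e]:
            indeg[f] += 1
    order, ready = [], sorted(a for a in acts if indeg[a] == 0)
    while ready:
        a = ready.pop(0)
        order.append(a)
        for f in graph.get(a, {}):
            indeg[f] -= 1
            if indeg[f] == 0: ready.append(f)
        ready.sort()
    if len(order) != len(acts):
        raise ValueError("transition graph has a cycle; no global ordering")
    return order
```

The reused hole in run A lowers the Launcher → MovieDetailsActivity weight from 3 to 2 (and yields anySucceed of 1) without reversing the edge, which is the kind of weakened edge the Min-Cut pruning step is meant to examine.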
Garbage Collection
(Figure: allocator runs Size A, Size B, Size C; Garbage Collected Activity: PlayerActivity; ConversationList, Conversation; Other Allocations)
Garbage Collection frees up prior runs, potentially causing a spatial disordering
Joinable Local Orderings do not end in Garbage Collected Activities
(Figure: Launcher, DialContactsActivity, InCallActivity, MovieDetailsActivity remain ordered after PlayerActivity is garbage collected)
Period of Garbage Collection – Active Usage: 41-50 minutes; Idle: 98-112 minutes
Micro-Benchmarks
Devices: Samsung S4 (Android 5.0), LG G3 (Android 5.1), Moto G3 (Android 6.0)
10 Test Sequences A-J

Test Sequence   # of Activity Ordered   # Of Paths   Ground Truth Distance
A               16                      1            0
B               14                      1            0
G               15                      1            0
H               16                      1            0
I               14                      1            0
J               16                      1            0

Test Sequence   # of Activity Ordered   # Of Paths   Ground Truth Distance
A               15                      1            0
C               15                      1            0
D               12                      1            0
G               14                      1            0
H               14                      1            0
I               14                      1            0

Test Sequence   # of Activity Ordered   # Of Paths   Ground Truth Distance
A               16                      1            0
B               14                      1            0
C               16                      1            0
D               12                      1            0
E               14                      1            0
F               15                      1            0

Accurate Results
Recovered Activity Launched Before Test Sequence
Design Generality: Spyware Attack Investigation
(Figure: Transition Graph – Broadcast Y → Activity A, Broadcast X → Activity B)
(Figure: Transition Graph – VideoTimeReceiver, FrontCameraActivity, StopRecordingReceiver, GmailComposeActivity, CommunicationReceiver, ConversationActivity, CallRecorderReceiver, InCallActivity)
Spyware components: SMS Spying Service, Call Spying Service, Camera Picture Spying Service, Microphone Audio Spying Service, Camera Video Spying Service
Design Generality: Extension to jemalloc
(Figure: Android allocator – Runs of Size A, Size B, Size C made of Slots, “First-Available”; mozjemalloc – Bin Buckets of Runs made of Regions, “First-Available”)
Case Study
Conclusion
Timeliner re-sequences an Android user’s past actions, even for terminated applications
Timeliner infers temporal ordering of Activities from the memory layout of key self-identifying data structures
Accurate reconstruction of various applicable crime scenarios, and extension beyond user actions and Android