1 / 57

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection. Zhemin Yang, Min Yang, Yuan Zhang, X.Sean Wang Fudan University Guofei Gu, Peng Ning Texas A&M University, NC State University CCS,2013. Speaker: Ting Luo Date : 2014/04/07. Outline.

benard
Download Presentation

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection Zhemin Yang, Min Yang, Yuan Zhang, X.Sean Wang Fudan University Guofei Gu, Peng Ning Texas A&M University, NC State University CCS,2013 Speaker: Ting Luo Date: 2014/04/07

  2. Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work

  3. Introduction • Many benign apps normally need to collectsensitive data such as location, contact, to send out to the cloud. • Malicious apps that steal user data may also exhibit the same behavior • Therefore, transmission of sensitive data by itself may not indicate true privacy leakage • A better indicator should be whether the transmission is user intended or not.

  4. Introduction • User-intended data transmission • For example • SMS managementapps • Location-based service • Not a privacy leakage. • Unintended data transmission • Unknown to users • Irrelevant to the function user enjoys • Judge as a privacy leakage

  5. Introduction • It is more practical to design an automated tool toprovide a human analyst with the context information inwhich the data transmission occurs. • Given sensitive data transmission, AppIntent derives the input data and user interaction inputs that lead to the transmission • Context information:The form of a sequence of UI manipulations that is captured from a controlled execution.

  6. Introduction • Symbolic Execution • Systematically explore feasible paths of the program. • Dealing with events triggered by user actions in GUI apps is challenging • Path explosion problem • New technique • Event-space constraint guided symbolic execution

  7. Introduction • Event-space constraint guided symbolic execution • 1. static analysis • 2. generate event-space constraints • 3. symbolic execution

  8. Outline 1.Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work

  9. Background • Symbolic Execution • “Symbolic Execution and Program Testing,” CACM,1976 • (2) “Symbolic Execution for Software Testing:Three Decades Later,” CACM,2013

  10. Background • Symbolic Execution • Explore as many different program paths as possible in a given amount of time. • For each path to • Generate a set of concrete input values exercising that path • Check for the presence of various kinds of errors • Security vulnerability • Uncaught exception • Using symbols instead of values !!

  11. Background • Symbolic Execution • (1) Symbolicstateσ • σ is initialized to an empty map • (2) Symbolicpath constraint PC • PC is initialized to true. • (3) If a symbolic execution instance hits an exit statement or an error, the current instance of symbolic execution is terminated • (4) Finally, PC issolved using a constraint solver togenerate concrete inputvalues.

  12. Background • Symbolic Execution Reference : “Symbolic Execution for Software Testing:Three Decades Later ,” CACM,2013

  13. Background • Symbolic Execution • (5) Execution tree PC: X0=2y0 PC’: X0≠2y0 PC: (X0=2y0)˄(X0>y0+10) y0>10, X0>20 PC’: (X0=2y0)˄(X0≤y0+10) X0≤20,y0≤10

  14. Background • Symbolic Execution • (6) Loops or recursion • Infinite number of paths if the termination condition for the loop is symbolic • (7) In practice, one needs to put a limit on the search • A timeout, a limit on the number of paths, • loop iterations, or exploration depth

  15. Background • 2.Android Event • Callbacks of Lifecycle States • These callbacks are automatically invoked by Android application manager • Non-deterministic • Unbounded • Search space explosion problem! • (2) GUI Events and System Events • Event Listeners • Non-deterministic • They can be triggered in any order and at any time

  16. Background

  17. Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work

  18. Goal And Overall Architecture • Goal : • Produce the critical app inputs that lead to sensitive data transmission • Guarantee a good code coverage • Provide an easy-to-understand tool for human analysts to ascertain under what circumstance the sensitive data transmission happens.

  19. Goal And Overall Architecture • Overall Architecture : • Event-space Constraint Guided Symbolic Execution • static taint analysis • construct an event-space constraint graph • Symbolic execution • Dynamic Program Analysis Platform • Android InstrumentationTestRunner

  20. Goal And Overall Architecture

  21. Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work

  22. Event-Space ConstraintGuided Symbolic Execution

  23. Event-Space ConstraintGuided Symbolic Execution • A concrete example : Anzhuduanxin安卓短信 • (1)Broadcast Receiver : PushReceiver • To retrieve extended data from the intent Taint Analysis { OnReceive, i1 } a is tainted

  24. Event-Space ConstraintGuided Symbolic Execution Taint Analysis { OnReceive, i1 } (2)Activity MessagePopup : { startNewMessageQuery, i2} { forward, i3} To Irene: Hello… { forward, i4} Retreive message from a

  25. Event-Space ConstraintGuided Symbolic Execution (4)Start up ComposeMessageActivity Taint Analysis { OnReceive, i1 } Forward or not? { startNewMessageQuery, i2} { forward, i3} SEND! { forward, i4} { sendMessage, i5} { sendMessage, i6 }

  26. Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events

  27. Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (1)Two kinds of nodes • A thick-line node (critical events) • Event handler method contains at least one instruction of a given data propagation path. • A thin-line node (essential events) • A prerequisite for a critical event • It does not contain any instructions of the given path.

  28. Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph (1)Two kinds of nodes

  29. Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events

  30. Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (2) Extracting Critical Events • For each instruction in the path, webackward traverse the call graph to find all events that mighttrigger it.

  31. Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph

  32. Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph

  33. Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events

  34. Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (3) Extracting Essential Events • Supplement those missing lifecycle callbacks with directed edges according to the origin order • In the current version of AppIntent, we only track • Intents that eventually start a new activity or • service • Broadcast messages that are properly handled by a BroadcastReceiver

  35. Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph

  36. Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events Guided Symbolic Execution

  37. Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (4) Guided Symbolic Execution • P: the events that are triggered before the last traversed critical event • C : the data constraints that should be fulfilled to reach the current execution point. • If C is empty, then none of the data inputs can result in the target execution

  38. Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (4) Guided Symbolic Execution • Each time when we proceed from a thick-line node, possible successors of this critical event are extracted • We randomly pick an event first and calculate a feasible pathfrom the current critical event to the chosen successor • extract the minimal path (using the Dijistra’s algorithm) as a chain of events

  39. Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (4) Guided Symbolic Execution • We rollback the symbolic execution and try to trigger other feasible critical events. • If the event chain is revealed to be not available to any inputs (C == ∅), or • all possible successors in critical event chains are already explored (∀ e : < ne; e > Ɇ CEC)

  40. Event-Space ConstraintGuided Symbolic Execution ce : critical event ne : next event

  41. Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work

  42. Dynamic Analysis Platform • Present which functionality is used when the transmission happens. • Test case • automatically generates based on the inputs gathered before • attaches it to the app by repackaging the original Android apk. • Android InstrumentationTestRunner

  43. Dynamic Analysis Platform • Features • Automatically trigger Event Inputs • To trigger a clickingevent, a performClick operation is applied to the correspondingview • Automatically provide Data Inputs • Not support networkinputs • AndroidInstrumentationTestRunner cannotintercept and modify network inputs. • Highlight activated views of GUI events • Setting background color to red • Highlight sensitive data read and transmission • when the data loading and transmission happen

  44. Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work

  45. Evaluation 1.Effectiveness of Event-space ConstraintGuided Symbolic Execution

  46. Evaluation 2.Effectiveness on Analyzing Sensitive DataTransmission (1000) (750)

  47. Evaluation • Effectiveness on Analyzing Sensitive DataTransmission • Interesting findings • Data transmission of device IDs and phone numbers are very common but typically not noticed by most smartphone users. • (2)Lots of apps write sensitive data into local logging system

  48. Evaluation • 4.Analysis Time • Static analysis phase costs 96 hours • Can be reduced by distributing the analysis workload to multiple machines • Symbolic execution costs 5 to 134 minutes • Can be processed in parallel

  49. Evaluation • 5. Case Studies • Anzhuoduanxin (安卓短信) • SMS management app • Video • https://www.youtube.com/watch?v=RRqWQk4ztmI • Tapsnake • A game but stealthily transmit user locations to third party receiver • Video • https://www.youtube.com/watch?v=L4IvXzpYqzw

More Related