570 likes | 732 Views
AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection. Zhemin Yang, Min Yang, Yuan Zhang, X.Sean Wang Fudan University Guofei Gu, Peng Ning Texas A&M University, NC State University CCS,2013. Speaker: Ting Luo Date : 2014/04/07. Outline.
E N D
AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection Zhemin Yang, Min Yang, Yuan Zhang, X.Sean Wang Fudan University Guofei Gu, Peng Ning Texas A&M University, NC State University CCS,2013 Speaker: Ting Luo Date: 2014/04/07
Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work
Introduction • Many benign apps normally need to collectsensitive data such as location, contact, to send out to the cloud. • Malicious apps that steal user data may also exhibit the same behavior • Therefore, transmission of sensitive data by itself may not indicate true privacy leakage • A better indicator should be whether the transmission is user intended or not.
Introduction • User-intended data transmission • For example • SMS managementapps • Location-based service • Not a privacy leakage. • Unintended data transmission • Unknown to users • Irrelevant to the function user enjoys • Judge as a privacy leakage
Introduction • It is more practical to design an automated tool toprovide a human analyst with the context information inwhich the data transmission occurs. • Given sensitive data transmission, AppIntent derives the input data and user interaction inputs that lead to the transmission • Context information:The form of a sequence of UI manipulations that is captured from a controlled execution.
Introduction • Symbolic Execution • Systematically explore feasible paths of the program. • Dealing with events triggered by user actions in GUI apps is challenging • Path explosion problem • New technique • Event-space constraint guided symbolic execution
Introduction • Event-space constraint guided symbolic execution • 1. static analysis • 2. generate event-space constraints • 3. symbolic execution
Outline 1.Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work
Background • Symbolic Execution • “Symbolic Execution and Program Testing,” CACM,1976 • (2) “Symbolic Execution for Software Testing:Three Decades Later,” CACM,2013
Background • Symbolic Execution • Explore as many different program paths as possible in a given amount of time. • For each path to • Generate a set of concrete input values exercising that path • Check for the presence of various kinds of errors • Security vulnerability • Uncaught exception • Using symbols instead of values !!
Background • Symbolic Execution • (1) Symbolicstateσ • σ is initialized to an empty map • (2) Symbolicpath constraint PC • PC is initialized to true. • (3) If a symbolic execution instance hits an exit statement or an error, the current instance of symbolic execution is terminated • (4) Finally, PC issolved using a constraint solver togenerate concrete inputvalues.
Background • Symbolic Execution Reference : “Symbolic Execution for Software Testing:Three Decades Later ,” CACM,2013
Background • Symbolic Execution • (5) Execution tree PC: X0=2y0 PC’: X0≠2y0 PC: (X0=2y0)˄(X0>y0+10) y0>10, X0>20 PC’: (X0=2y0)˄(X0≤y0+10) X0≤20,y0≤10
Background • Symbolic Execution • (6) Loops or recursion • Infinite number of paths if the termination condition for the loop is symbolic • (7) In practice, one needs to put a limit on the search • A timeout, a limit on the number of paths, • loop iterations, or exploration depth
Background • 2.Android Event • Callbacks of Lifecycle States • These callbacks are automatically invoked by Android application manager • Non-deterministic • Unbounded • Search space explosion problem! • (2) GUI Events and System Events • Event Listeners • Non-deterministic • They can be triggered in any order and at any time
Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work
Goal And Overall Architecture • Goal : • Produce the critical app inputs that lead to sensitive data transmission • Guarantee a good code coverage • Provide an easy-to-understand tool for human analysts to ascertain under what circumstance the sensitive data transmission happens.
Goal And Overall Architecture • Overall Architecture : • Event-space Constraint Guided Symbolic Execution • static taint analysis • construct an event-space constraint graph • Symbolic execution • Dynamic Program Analysis Platform • Android InstrumentationTestRunner
Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work
Event-Space ConstraintGuided Symbolic Execution • A concrete example : Anzhuduanxin安卓短信 • (1)Broadcast Receiver : PushReceiver • To retrieve extended data from the intent Taint Analysis { OnReceive, i1 } a is tainted
Event-Space ConstraintGuided Symbolic Execution Taint Analysis { OnReceive, i1 } (2)Activity MessagePopup : { startNewMessageQuery, i2} { forward, i3} To Irene: Hello… { forward, i4} Retreive message from a
Event-Space ConstraintGuided Symbolic Execution (4)Start up ComposeMessageActivity Taint Analysis { OnReceive, i1 } Forward or not? { startNewMessageQuery, i2} { forward, i3} SEND! { forward, i4} { sendMessage, i5} { sendMessage, i6 }
Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events
Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (1)Two kinds of nodes • A thick-line node (critical events) • Event handler method contains at least one instruction of a given data propagation path. • A thin-line node (essential events) • A prerequisite for a critical event • It does not contain any instructions of the given path.
Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph (1)Two kinds of nodes
Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events
Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (2) Extracting Critical Events • For each instruction in the path, webackward traverse the call graph to find all events that mighttrigger it.
Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph
Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph
Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events
Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (3) Extracting Essential Events • Supplement those missing lifecycle callbacks with directed edges according to the origin order • In the current version of AppIntent, we only track • Intents that eventually start a new activity or • service • Broadcast messages that are properly handled by a BroadcastReceiver
Event-Space ConstraintGuided Symbolic Execution 2.Construction of the Event-space Constraint Graph
Event-Space ConstraintGuided Symbolic Execution Construction of the Event-space Constraint Graph Extracting Critical Events Extracting Essential Events Guided Symbolic Execution
Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (4) Guided Symbolic Execution • P: the events that are triggered before the last traversed critical event • C : the data constraints that should be fulfilled to reach the current execution point. • If C is empty, then none of the data inputs can result in the target execution
Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (4) Guided Symbolic Execution • Each time when we proceed from a thick-line node, possible successors of this critical event are extracted • We randomly pick an event first and calculate a feasible pathfrom the current critical event to the chosen successor • extract the minimal path (using the Dijistra’s algorithm) as a chain of events
Event-Space ConstraintGuided Symbolic Execution • 2.Construction of the Event-space Constraint Graph • (4) Guided Symbolic Execution • We rollback the symbolic execution and try to trigger other feasible critical events. • If the event chain is revealed to be not available to any inputs (C == ∅), or • all possible successors in critical event chains are already explored (∀ e : < ne; e > Ɇ CEC)
Event-Space ConstraintGuided Symbolic Execution ce : critical event ne : next event
Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work
Dynamic Analysis Platform • Present which functionality is used when the transmission happens. • Test case • automatically generates based on the inputs gathered before • attaches it to the app by repackaging the original Android apk. • Android InstrumentationTestRunner
Dynamic Analysis Platform • Features • Automatically trigger Event Inputs • To trigger a clickingevent, a performClick operation is applied to the correspondingview • Automatically provide Data Inputs • Not support networkinputs • AndroidInstrumentationTestRunner cannotintercept and modify network inputs. • Highlight activated views of GUI events • Setting background color to red • Highlight sensitive data read and transmission • when the data loading and transmission happen
Outline 1. Introduction 2. Background 3. Goal And Overall Architecture 4. Event-Space Constraint Guided Symbolic Execution 5. Dynamic Analysis Platform 6. Evaluation 7. Related Work 8.Conclusion And Future Work
Evaluation 1.Effectiveness of Event-space ConstraintGuided Symbolic Execution
Evaluation 2.Effectiveness on Analyzing Sensitive DataTransmission (1000) (750)
Evaluation • Effectiveness on Analyzing Sensitive DataTransmission • Interesting findings • Data transmission of device IDs and phone numbers are very common but typically not noticed by most smartphone users. • (2)Lots of apps write sensitive data into local logging system
Evaluation • 4.Analysis Time • Static analysis phase costs 96 hours • Can be reduced by distributing the analysis workload to multiple machines • Symbolic execution costs 5 to 134 minutes • Can be processed in parallel
Evaluation • 5. Case Studies • Anzhuoduanxin (安卓短信) • SMS management app • Video • https://www.youtube.com/watch?v=RRqWQk4ztmI • Tapsnake • A game but stealthily transmit user locations to third party receiver • Video • https://www.youtube.com/watch?v=L4IvXzpYqzw