Efficient, Context-Aware Privacy Leakage Confinement for Android Applications without Firmware Modding
Mu Zhang, Heng Yin
Department of EECS, Syracuse University
Motivation: We need a practical solution for privacy leakage confinement in Android

What does a practical solution mean?
• Information-flow based security
  • Most existing solutions are end-point solutions
• Context-aware policy enforcement
  • Existing solutions are all-or-nothing protection
• No firmware modding
  • All existing solutions require firmware modding
• Low runtime overhead
  • Taint tracking is slow!
Capper: Context-Aware Privacy Policy Enforcement with Re-writing
• Key Techniques
  • Bytecode Rewriting for Information Flow Tracking and Control (BRIFT)
  • Context-aware Policy Enforcement
BRIFT: Bytecode Rewriting for Information Flow Tracking and Control
• Key: to place the minimally required code into a bytecode program to accurately keep track of privacy leakage.

[Figure: BRIFT pipeline. Android App (DEX + Resources) → Translation → IR → Static Analysis → Slices → Static Instrumentation → New IR → Optimization → Optimized IR → Code Generation → DEX' → New App (DEX' + Resources)]
BRIFT: Some Technical Details
• Static Data-flow Analysis
  • Similar to CHEX [Lu et al., CCS'12]
  • Discover entry points, compute program splits, and perform permutation on the splits
• Static Instrumentation
  • Create shadow variables
  • Insert taint propagation statements
  • Pass shadow parameters across function boundaries
• Optimization
  • Remove unnecessary shadow parameters
  • Lift taint propagation logic into the function caller
  • Other built-in optimizations, such as constant propagation, dead code elimination, etc.
BRIFT: A Running Example

(Android imports, the connection field conn, and the DEFAULT_* constants are elided on the slide; line numbers are kept because the rewritten listing refers to them.)

 1 public class Leakage extends Activity {
 2     private byte key = DEFAULT_KEY;
 3     private String addr = DEFAULT_ADDR;
 4     private static String deviceId;
 5
 6     public String getIMEI() {
 7         TelephonyManager manager = (TelephonyManager) getSystemService("phone");
 8         String imei = manager.getDeviceId();      // taint source
 9         if (imei == null) {
10             imei = "";
11         } else {
12             imei = manager.getDeviceId();
13         }
14         return imei;
15     }
16
17     public byte crypt(byte plain) {
18         return (byte)(plain ^ key);
19     }
20
21     public void post(String addr, byte[] bytes) {
22         OutputStream output = conn.getOutputStream();
23         output.write(bytes, 0, bytes.length);     // taint sink
           ...
        }
26
27     public void toastIMEI(String imei) {
28         Context app = getApplicationContext();
29         String text = "Your IMEI is " + imei;
30         int duration = Toast.LENGTH_SHORT;
31         Toast toast = Toast.makeText(app, text, duration);
32         toast.show();
33     }
34
35     public void onStart() {
36         Leakage.deviceId = getIMEI();
37     }
38
39     public void onResume() {
40         toastIMEI(Leakage.deviceId);
41     }
42
43     public void onDestroy() {
44         String imei = Leakage.deviceId;
45         byte[] bytes = imei.getBytes();           // slide read location.getBytes(); the rewritten listing uses imei
46         for (int i = 0; i < bytes.length; i++) {
47             bytes[i] = crypt(bytes[i]);
48         }
49         post(addr, bytes);
50     }
51 }
BRIFT: the Rewritten Program

(Lines marked I are inserted by the instrumentation; the line marked P presumably denotes a shadow that the optimizer prunes.)

 1 public class Leakage extends Activity {
   ...
 4     private static String deviceId;
 I     public static boolean deviceId_s0_t;              // shadow (taint bit) of deviceId
   ...
 6     public String getIMEI(BoolWrapper ret_s0_wrapper) {
   ...
 8         String imei = manager.getDeviceId();
 I         boolean imei_s0_t;                            // shadow of imei (declaration elided on the slide)
 9         if (imei == null) {
10             imei = "";
 I             imei_s0_t = false;                        // constant, hence untainted
11         } else {
12             imei = manager.getDeviceId();
 I             imei_s0_t = true;                         // value comes from the source call-site
13         }
 I         ret_s0_wrapper.status = imei_s0_t;            // return-value taint handed back to the caller
14         return imei;
15     }
   ...
21     public void post(String addr, byte[] bytes, BoolWrapper bytes_s0_wrapper) {
 I         boolean bytes_s0_t = bytes_s0_wrapper.status;
22         OutputStream output = conn.getOutputStream();
 I         boolean isAllow = false;
 I         if (bytes_s0_t == true)
 I             isAllow = queryPolicyService(0, 0, addr); // sink: consult the policy service in context
 I         if (isAllow) {
23             output.write(bytes, 0, bytes.length);
 I         } else { ... }
   ...
        }
   ...
35     public void onStart() {
 I         BoolWrapper ret_s0_wrapper = new BoolWrapper();
 I         ret_s0_wrapper.status = false;
36         Leakage.deviceId = getIMEI(ret_s0_wrapper);
 I         Leakage.deviceId_s0_t = ret_s0_wrapper.status;
37     }
   ...
43     public void onDestroy() {
44         String imei = Leakage.deviceId;
45         byte[] bytes = imei.getBytes();
 I         boolean bytes_s0_t = Leakage.deviceId_s0_t;    // taint flows from the static field
46         for (int i = 0; i < bytes.length; i++) {
47             bytes[i] = crypt(bytes[i]);
 I             bytes_s0_t = bytes_s0_t || false;         // key is untainted, so the taint bit is unchanged
48         }
 I         BoolWrapper bytes_s0_wrapper = new BoolWrapper();
 I         bytes_s0_wrapper.status = bytes_s0_t;
 P         BoolWrapper url_s0_w = new BoolWrapper();     // shadow of addr; never passed to post(), presumably pruned as unnecessary
49         post(addr, bytes, bytes_s0_wrapper);
50     }
51 }

See more details in our NDSS'14 paper.
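To make the mechanics of the rewritten listing concrete, the following Python model is an added example (not the paper's code or the slide's Java): it re-creates the Leakage activity with the shadow bits, the BoolWrapper that carries return-value taint across a call boundary, and the policy query at the sink. The TelephonyStub, the sink callback, the DEFAULT_KEY/DEFAULT_ADDR values and the sample IMEI are constructed stand-ins; treating untainted data as not needing a policy check is my reading of the slide's elided else-branch.

```python
# Constructed model of the shadow-variable taint tracking that BRIFT inserts
# into Leakage (not the paper's code; Android classes replaced by stubs).
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_KEY = 0x5A                                  # placeholder for the slide's DEFAULT_KEY
DEFAULT_ADDR = "http://example.invalid/collect"     # placeholder for DEFAULT_ADDR


@dataclass
class BoolWrapper:
    """One-field box that carries a taint bit back across a call boundary
    (Java has no out-parameters, so the rewriter boxes the shadow)."""
    status: bool = False


class TelephonyStub:
    """Stand-in for TelephonyManager; get_device_id() is the taint source."""
    def __init__(self, device_id: Optional[str]) -> None:
        self._device_id = device_id

    def get_device_id(self) -> Optional[str]:
        return self._device_id


class Leakage:
    """Python rendition of the rewritten Leakage activity."""
    device_id: str = ""
    device_id_s0_t: bool = False                    # shadow (taint bit) of the static field

    def __init__(self, manager: TelephonyStub,
                 query_policy_service: Callable[[int, int, str], bool],
                 sink: Callable[[Tuple[str, bytes]], None]) -> None:
        self.key = DEFAULT_KEY
        self.addr = DEFAULT_ADDR
        self.manager = manager
        self.query_policy_service = query_policy_service
        self.sink = sink                            # stands in for conn.getOutputStream().write()

    def get_imei(self, ret_s0_wrapper: BoolWrapper) -> str:
        imei = self.manager.get_device_id()
        if imei is None:
            imei = ""
            imei_s0_t = False                       # constant, so untainted
        else:
            imei = self.manager.get_device_id()
            imei_s0_t = True                        # value came from the source call-site
        ret_s0_wrapper.status = imei_s0_t           # return-value taint travels via the wrapper
        return imei

    def crypt(self, plain: int) -> int:
        return (plain ^ self.key) & 0xFF

    def post(self, addr: str, data: bytes, bytes_s0_wrapper: BoolWrapper) -> bool:
        """Sink: tainted data is written only if the policy service allows it;
        untainted data needs no check (my reading of the slide's elided else-branch)."""
        bytes_s0_t = bytes_s0_wrapper.status
        is_allow = True
        if bytes_s0_t:
            is_allow = self.query_policy_service(0, 0, addr)
        if is_allow:
            self.sink((addr, data))
        return is_allow

    def on_start(self) -> None:
        ret_s0_wrapper = BoolWrapper(False)
        Leakage.device_id = self.get_imei(ret_s0_wrapper)
        Leakage.device_id_s0_t = ret_s0_wrapper.status

    def on_destroy(self) -> bool:
        imei = Leakage.device_id
        data = bytearray(imei.encode())
        bytes_s0_t = Leakage.device_id_s0_t         # taint flows from the static field
        for i in range(len(data)):
            data[i] = self.crypt(data[i])
            bytes_s0_t = bytes_s0_t or False        # key is untainted: XOR keeps the taint bit
        bytes_s0_wrapper = BoolWrapper(bytes_s0_t)
        return self.post(self.addr, bytes(data), bytes_s0_wrapper)


def run_scenario(device_id: Optional[str], allow: bool):
    """Drive one lifecycle (on_start, on_destroy) under a fixed user decision.
    Returns (policy_consulted, written, tainted)."""
    calls: List[Tuple[int, int, str]] = []
    written: List[Tuple[str, bytes]] = []

    def policy(src: int, snk: int, addr: str) -> bool:
        calls.append((src, snk, addr))
        return allow

    app = Leakage(TelephonyStub(device_id), policy, written.append)
    app.on_start()
    app.on_destroy()
    return bool(calls), written, Leakage.device_id_s0_t


if __name__ == "__main__":
    print(run_scenario("356938035643809", allow=False))   # constructed sample IMEI
    print(run_scenario("356938035643809", allow=True))
    print(run_scenario(None, allow=True))
```

Running it shows the three cases that matter: a denied tainted flow reaches the sink with nothing written, an allowed tainted flow writes the XOR-transformed IMEI (the taint survived crypt because only the data operand was tainted), and the null-IMEI path stays untainted so the policy service is never consulted.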
Context-Aware Policy: How to model the context of an information flow
• Taint Propagation Trace
  • Heavy-weight
  • Overly precise
• Source and Sink Call-sites
  • Light-weight
  • Mimicry attack?
• Parameterized Source and Sink Pairs
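The difference between keying a user's decision on the bare source/sink call-site pair and on the parameterized pair is easiest to see in a small model. The following Python is an added example, not the paper's policy service: source and sink ids, the destination addresses and the user's behaviour are constructed, and the two modes of PolicyService are my illustration of the slide's three-way comparison.

```python
# Constructed model of a policy service keyed by parameterized source/sink
# pairs, as opposed to the bare call-site pair (not the paper's code).
from dataclasses import dataclass
from typing import Callable, Dict, Sequence, Tuple

SRC_IMEI = 0        # ids are constructed; the slides pass 0, 0 for source and sink
SINK_NETWORK = 0


@dataclass(frozen=True)
class FlowContext:
    source: int
    sink: int
    param: str      # the sink's parameter, here the destination address


class PolicyService:
    """Stores the user's decision per context and prompts only on first sight.
    With parameterized=False the decision is keyed on the call-site pair alone."""

    def __init__(self, ask_user: Callable[[FlowContext], bool],
                 parameterized: bool = True) -> None:
        self.ask_user = ask_user
        self.parameterized = parameterized
        self.decisions: Dict[FlowContext, bool] = {}
        self.prompts = 0

    def _key(self, ctx: FlowContext) -> FlowContext:
        return ctx if self.parameterized else FlowContext(ctx.source, ctx.sink, "*")

    def query(self, source: int, sink: int, param: str) -> bool:
        ctx = FlowContext(source, sink, param)
        key = self._key(ctx)
        if key not in self.decisions:
            self.prompts += 1
            self.decisions[key] = self.ask_user(ctx)   # user sees the concrete context
        return self.decisions[key]


def user_policy(ctx: FlowContext) -> bool:
    """Constructed user behaviour: permit the app's own backend, refuse anything else."""
    return ctx.param.startswith("https://api.vendor.example/")


def compare(addrs: Sequence[str]) -> Dict[str, Tuple[Tuple[bool, ...], int]]:
    """Run the same flows through both context models; returns, per model,
    the allow/deny outcome of each flow and how often the user was prompted."""
    results: Dict[str, Tuple[Tuple[bool, ...], int]] = {}
    for mode in ("parameterized", "callsite_only"):
        svc = PolicyService(user_policy, parameterized=(mode == "parameterized"))
        outcome = tuple(svc.query(SRC_IMEI, SINK_NETWORK, a) for a in addrs)
        results[mode] = (outcome, svc.prompts)
    return results


if __name__ == "__main__":
    flows = ["https://api.vendor.example/v1/sync",     # constructed addresses
             "http://tracker.example/collect",
             "https://api.vendor.example/v1/sync"]
    for mode, (outcome, prompts) in compare(flows).items():
        print(mode, outcome, "prompts:", prompts)
```

With the parameterized key the user is asked once per destination and the decision for the vendor backend is reused only for that backend; with the call-site-only key, the single "allow" given for the first destination silently covers the later flow to a different address through the same sink, which is the weakness the slide's "Mimicry attack?" bullet points at. The cost of the parameterized model is one extra prompt per distinct parameter, far below the per-instruction trace the heavy-weight option would record.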
Evaluation: Overview
• 4,723 real-world apps evaluated
• 1,414 (33%) are risky (may leak information)
• Increase of program size
• Runtime performance of analysis and rewriting
• Runtime overhead
• Effectiveness
Related Work
• Extend install-time constraints
  • Kirin, CCS'09; Saint, ACSAC'09
• Enforce finer-grained/flexible permissions
  • MockDroid, HotMobile'11; CRePE, ISC'10; Apex, ASIACCS'10; TISSA, TRUST'11
• Improve isolation
  • Cells, SOSP'11; SPSM'11; AdSplit, USENIX Security'12
• Ask for user approval
  • Livshits and Jung, USENIX Security'13; Aurasium, USENIX Security'12
• Information-flow based solutions
  • TaintDroid, OSDI'10; AppFence, CCS'11
Conclusion: We achieved four goals
• G1: Information-flow based security
  • Yes, we track sensitive information flow by rewriting
• G2: Context-aware policy enforcement
  • Yes, we model the context of an information flow and bind this context to the user's decision
• G3: No firmware modding
  • Yes, we only rewrite apps and install a policy service
• G4: Low runtime overhead
  • Yes, we only insert a minimal amount of code to keep track of sensitive information flow