2014 Network and Distributed System Security Symposium. AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications. Mu Zhang, Heng Yin, Syracuse University. 林良軒 2014/05/26 @ Advanced Defense Lab Seminar, NCU
Outline: Introduction, Component Hijacking Attack, Implementation, Evaluation, Conclusion, Reference
Introduction. Component Hijacking Attack: a class of attacks that seek to gain unauthorized access (read/write or combined) to protected or private resources through exported components in vulnerable apps. Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities (CCS 2012)
Unauthorized access to protected resources (figure: a component hijacking attack reaches Contacts in the Android Framework via the Contact Manager App's Enumerator Service). Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Unauthorized access to private resources (figure: a component hijacking attack reaches the Contact Manager App's Private Storage via its Setting Update Receiver). Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
AppSealer as a Security Service 1. No source code access 2. Vulnerability-specific patching 3. Minimal performance overhead 4. Minimal impact on usability
[VulActivity] onCreate(); onStart() – getLocation(); onDestroy() – post(addr, location); getLocation() – getLastKnownLocation(); crypt(); post() – HttpURLConnection, outputStream
Workflow: IR Translation → Slice Computation → Patch Statement Placement → Patch Statement Optimization → Bytecode Generation
Taint Slice Computation. Forward Dataflow Analysis • Basic Algorithm: use the def-use chain • Special Considerations: static field, instance field, Intent, class inheritance, thread • Backward Dependency Analysis
(Figure: computed taint slices, Slice 1 and Slice 2)
Patch Statement Placement. Tainting Policy • Directly modifies the bytecode to keep track of selected tainted information • Each single local variable, field, etc. has a shadow variable • Creating Shadow Variables: local variables, static/instance fields, parameters and return value • Instrumenting the Source • Instrumenting Taint Propagation • Cleaning the Taint • Instrumenting the Sink
Patch Statement Placement. Shadow Variables: 1. Local Variables 2. Static/Instance Fields 3. Parameters and Return Value
Patch Statement Placement. Instrumenting Taint Propagation: 1. Simple Assignments 2. Function Calls 3. API Calls, e.g. getString(), toString(), android.widget.TextView.setText(), Vector.add(Object), android.content.ContentValues.put(String key, Byte value) 4. Tracking References: if one reference to an object is tainted, all other references to that object should be tainted as well.
Patch Statement Placement. Cleaning the Taint: to properly clean the taint, for each variable appearing in the def-use chain inside the slice we need to find all its definitions. For each definition outside the slice, we insert a statement after that definition that sets its shadow variable to 0 (non-tainted).
Patch Statement Placement. Instrumenting the Sink: if the data reaching the sink is tainted by certain sources, we raise a pop-up dialog asking the user for a decision • Restart • Continue
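The shadow-variable mechanism above, as an added example that is not part of the slides or of AppSealer's own code: a hypothetical patched form of the VulActivity slice (getLocation(), crypt(), post()), with Android APIs replaced by plain-Java stand-ins (getLastKnownLocation(), askUserToContinue()) and the user's Restart choice modelled as refusing the write.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
// Hypothetical patched VulActivity built on the slides' getLocation()/crypt()/post() slice;
// Android APIs are replaced by plain-Java stand-ins so the class compiles and runs offline.
public class VulActivityPatched {
    static final class BoolWrapper { boolean value; }    // carries a callee's return-value taint
    private String location;                              // instance field on the slice
    private boolean location_taint;                       // its shadow field (false = clean)
    static String getLastKnownLocation() { return "24.97,121.19"; } // stand-in for the source API
    static boolean askUserToContinue() { return false; }  // stand-in for the Restart/Continue dialog
    // Callee gets one shadow parameter per parameter plus a BoolWrapper for its return value.
    static String crypt(String s, boolean s_taint, BoolWrapper ret_taint) {
        StringBuilder sb = new StringBuilder();
        boolean sb_taint = false;                         // cleaning: sb is defined outside the slice
        for (char c : s.toCharArray()) sb.append((char) (c ^ 0x5A));
        sb_taint |= s_taint;                              // API rule: append() propagates its argument's taint
        String out = sb.toString();
        boolean out_taint = sb_taint;                     // toString() propagates the receiver's taint
        ret_taint.value = out_taint;
        return out;
    }
    String getLocation(BoolWrapper ret_taint) {
        String loc = getLastKnownLocation();
        boolean loc_taint = true;                         // instrumenting the source
        BoolWrapper w = new BoolWrapper();
        String enc = crypt(loc, loc_taint, w);
        ret_taint.value = w.value;                        // simple assignment: copy the shadow
        return enc;
    }
    void onStart() {
        BoolWrapper w = new BoolWrapper();
        location = getLocation(w);
        location_taint = w.value;                         // the shadow field follows the field
    }
    // Sink: the HttpURLConnection output stream. The patch consults the shadow before writing.
    boolean post(String addr, OutputStream out) throws IOException {
        if (location_taint && !askUserToContinue()) return false; // user chose Restart: no leak
        out.write(location.getBytes("UTF-8"));
        return true;
    }
    public static void main(String[] args) throws IOException {
        VulActivityPatched a = new VulActivityPatched();
        a.onStart();
        System.out.println("tainted post sent: " + a.post("http://example.invalid/", new ByteArrayOutputStream()));
        a.location = "n/a"; a.location_taint = false;     // a definition outside the slice resets the shadow
        System.out.println("clean post sent: " + a.post("http://example.invalid/", new ByteArrayOutputStream()));
    }
}
```

The first post() is blocked because the shadow of location is set at the source and carried through crypt()'s BoolWrapper; the second goes through because the overwrite outside the slice cleaned the shadow.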
Patch Optimization. In order to reduce the number of patch statements: O1. Removing Redundant BoolWrappers (copy propagation and dead assignment elimination) O2. Removing Redundant Function Parameters O3. Inlining Instrumentation Code (inlining the body of a small function into its callers avoids the function call overhead) O4. Soot's Built-in Optimizations
Conclusion: automatically generated patches • Shadow mechanism • Optimization