340 likes | 458 Views
On the Effectiveness of API-Level Access Control Using Bytecode Rewriting in Android. Presenter: Lu Gong. Authors. Students: Hao Hao, Vicky Singh Professor: Wenliang (Kevin) Du Dept. of EE & CS, Syracuse University, New York. The Conference. AsiaCCS :
E N D
On the Effectiveness of API-Level Access Control Using Bytecode Rewriting in Android Presenter: Lu Gong
Authors • Students: Hao Hao, Vicky Singh • Professor: Wenliang (Kevin) Du • Dept. of EE & CS, Syracuse University, New York
The Conference • AsiaCCS: • ACM Symposium on Information, Computer and Communications Security • Rank C in the CCF recommendation list • Network and Information Security
The paper • The first systematic study on the effectiveness of using bytecode rewriting for API-level access control • Cited by: • Structural detection of android malware using embedded call graphs (AISec ’13) • Compac: Enforce Component-Level Access Control in Android (ACM CodaSpy ’14)
Background (1/3) • Bytecode rewriting • Use static analysis to identify sensitive API calls • Instrument bytecode to control access • Aim at implement fine-grained access control
Background (2/3) • API-Level Access Control
Background (3/3) • Method invocation instructions: • invoke-virtual: used to invoke a normal virtual method • invoke-direct: used to invoke either a private instance method or a constructor • invoke-static: used to invoke a static method • invoke-interface: used to invoke an interface method on an object whose concrete class is not known • invoke-super: used to invoke the closest superclass’ virtual method
Scoping (1/5) • Two kinds of byte-code rewrite mechanisms: • Put the reference monitor in another service • Put the reference monitor within the application • Only focus on the second approach • Because the first one is fail-safe
Scoping (2/5) • Assumption • The application either do not have native code or their native code is blocked from being executed • Reasons • Native code is running in the same process space as DVM • With native code, the app can easily tamper the DVM state, thus byte-code rewriting is useless
Scoping (3/5) • Privileged resources • Hardware devices • Kernel data • Data from another process space • Ways to access them • System calls • Inter-process communication
Scoping (5/5) • Concealing API usage (the 4th attack) is possible • Java reflection • Dynamic binding
Prelude (1/2) • Byte-code rewriting for a non-final class
Prelude (2/2) • Byte-code rewriting for a final class
Methodology • Study all possible attacks against bytecode rewriting • Give deeper insight into the attacks • Make recommendations on how to defend against these attacks
The problem MyClass.my_Func() Java_MyClass_my_1Func MyClass.my.1Func()
Recommendations • If any names starts with numbers, bytecoderewriter should remove the digit as it is illegal.
Recommendations • Stop application’s Java code from reloading preloaded Android core classes • BaseDexClassLoader.findClass() • DexFile.loadClass()
Recommendation • Apply API-level access control on android.os.ServiceManager.getService() • Alternative: rewrite android.os.Binder
Conclusion • Although all problems are fixable, more static analysis and dynamic checking should be performed while byte-code rewriting