1 / 22

Analysis of the Communication between Colluding Applications on Modern Smartphones

Annual Computer Security Applications Conference (ACSAC) 2012. Analysis of the Communication between Colluding Applications on Modern Smartphones. Claudio Marforio 1 , Hubert Ritzdorf 1 , Aurélien Francillon 2 , Srdjan Capkun 1 1 Institute of Information Security, ETH Zurich

rich
Download Presentation

Analysis of the Communication between Colluding Applications on Modern Smartphones

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Annual Computer Security Applications Conference (ACSAC) 2012 Analysis of the Communication between Colluding Applications on Modern Smartphones Claudio Marforio1, Hubert Ritzdorf1, AurélienFrancillon2, SrdjanCapkun1 1Institute of Information Security, ETH Zurich 2Networking and Security Group, Eurecom 左昌國 10/29, 2012, Seminar @ ADLab, NCU

  2. Outline • Introduction • Channels Classification • Channels • Overt Channels in Android • Covert Channels in Android • Communication Channel with External Agents • Results of the Analysis • Existing Tools • TaintDroid • XManDroid • Mitigation Techniques • Conclusion

  3. Introduction • Permission-based security models • Assumption: Apps can be independently restricted in accessing resources and then safely composed on a single platform • Collusion Attacks • SoundComber (link) channel

  4. Introduction • This paper… • demonstrates the practicality of application collusion attacks on Android • measures the throughput of these attacks • confirms that TaintDroid and XManDroid still fail to detect several of the implemented channels • proposes countermeasures which limit the throughput

  5. Channels Classification • Application • API: Android’s Java API, Windows Phone 7 C# / Silverlight APIs, iOS’s Object-C API • OS • Native calls • Hardware • Exploiting hardware functionalities

  6. Overt Channels in Android • Shared Preferences (Application) • The sink app uses an API to create an Android preference XML file • World-readable and world-writable • The source app writes ASCII data to it • Internal Storage (Application) • The source app writes a world-readable file to the internal storage • The sink app reads it • External Storage (Application) • WRITE_EXTERNAL_STORAGE

  7. Overt Channels in Android • Broadcast Intents (Application) • The source app adds private data as extra payload to a broadcast message • The sink app registers itself to receive the message • System Log (Application) • The source writes a specially-crafted message to the system log • The sink reads to extract the information • READ_LOGS • 4000 characters limit

  8. Overt Channels in Android • UNIX Socket Communication (OS) • The source sends the data through a UNIX socket that the sink app opened

  9. Covert Channels in Android • Single and Multiple Settings (Application) • The source modifies a general setting on the phone and the sink reads it • SoundComber • Multiple settings can be changed at the same time to achieve higher throughput • Most settings can be changed without permissions • Type of Intents (Application) • The source sends a broadcast message to the sink and encodes the data into the type of the intent • Flags, action, particular extra data

  10. Covert Channels in Android • Automatic Intents (Application/OS) • The source modifies particular settings that trigger automatic broadcasts by the system to registered apps • The vibration setting in SoundComber • Ex: vibration on = 1; vibration off = 0 • Threads Enumeration (OS) • The source spawns a number of threads and the sink reads how many threads are currently active for the source app • /procfilesystem

  11. Covert Channels in Android • UNIX Socket Discovery (OS) • The source uses 2 sockets, a synchronization socket and a communication socket • The sink checks if the source communication socket is open, and infer the transferred bit • The synchronization socket is open if the communication socket can be checked

  12. Covert Channels in Android • Free Space on Filesystem (OS) • The source app writes or deletes data on the disk to encode the information • Ex: the source allocates 3 blocks to encode a ‘1’ and clears 3 blocks to encode a ‘0’ • The sink checks the available blocks at predefined time intervals • 75ms for Nexus One; 100ms for Galaxy S • Bit-errors percentages • 0.01% (Nexus One) • 0.03% (Galaxy S)

  13. Covert Channels in Android • Reading /proc/stat (OS) • The source app performs some computations, while the sink monitors the processor usage statistics

  14. Covert Channels in Android • Timing Channel (Hardware) • The source runs CPU-intensive tasks as to send bit ‘1’ • The sink continuously runs computation-intensive operations and records the time required to complete them • An initial learning period is used to benchmark the system behavior • Majority vote(out of 5) to eliminate noise • Transmitting time interval: 6ms (Nexus One) • Bit-errors percentages • 0.10% (Nexus One) • 0.05% (Galaxy S)

  15. Covert Channels in Android • Processor Frequency (Hardware) • Similar to Timing Channel • Improving the throughput and reducing the synchronization time • Dynamic Frequency Scaling • Source: the same as in the case of Timing Channel • The sink monitors the trend of the processor frequency and decodes the current bit • Afterward, the source waits for the CPU to “slow down” before the next transmission • Bit-errors percentages • 0.14% (Nexus One) • 4.67% (Galaxy S)

  16. Covert Channels in Android

  17. Communication Channel With External Agents • Similar to Processor Frequency covert channel • The source either tries to increase the processor frequency or sleeps • The sink measures how many dummy RC4 operations it can perform in a fix time period • 1.29 bps (Nexus One)

  18. Results of the Analysis • Low throughput: • Timing channel (3.70 bps) • GPS coordinates: 19.4 sec • 135 byte contacts: 304.9 sec • Processor Frequency (4.88 bps) • GPS coordinates: 14.8 sec • 135 byte contacts: 231.1 sec • High throughput: • Type of Intents or UNIX Socket Discovery • Less than a second

  19. Existing Tools: TaintDroid • Overt Channels • Internal Storage and Broadcast Intents … ok • External Storage • The external storage uses the FAT filesystem w/o extended attributes • Shared Preferences • System Log • TaintDroid is not currently capable to extend tagging to native code • Removing the taint from tainted variables • n-way Switch Statement: 27.65 Mbps • Java Exception Handling: 107.42 kbps • File-based: 680 bps • Timing-based: 98 bps

  20. Existing Tools: XManDroid • Policy enforcement • Modifying the Android reference monitor to check for • direct IPC calls at runtime • indirect communication through Android system components • The prototype successfully detected all Overt Channels • except the System Log channel • XManDroid would be able to detect the System Log channel • Covert Channels • Type of Intents and UNIX Socket Discovery … ok • Reading /proc/stat and Threads Enumeration … ok • Free Space on Filesystem, Processor Frequency, and Timing Channel

  21. Mitigation Techniques • General Purpose Techniques • User control on private data access • Limiting APIs • Limiting Multitasking • Application Review • Policy-Based Installation Strategy • Application-Level Channels • Operating-System-Level Channels • Hardware-Level Channels • REQUIRE_PRECISE_TIMING

  22. Conclusion • Collusion attacks against the permission-based mechanisms are a serious threat • Covert channels with low throughput are sufficient to leak private data • Current solutions do not provide a complete solution

More Related