DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

1. DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid Mahmoud Hammad Software Engineering Ph.D. Candidate Mahmoud Hammad, Hamid Bagheri, and Sam Malek IEEE International Conference on Software Architecture (ICSA 2017) Gothenburg, Sweden, April 2017. 3/22/2017

2. 2 Android in the market Source: International Data Corporation (IDC)

3. Source: Statista Number of apps in Google Play store 3

4. Not as rosy as it may seem Source: NOKIA Threat Intelligence Report 4 Androidmalwaresamples

5. Over-privileged resource access 5 Implicit Intent ComposerSender ListMsgs Activity Service FunGame LevelUp Messaging Main Explicit Intent Legend SMS permission Location permission Private component <<Android system>>

6. Over-privileged Inter-Component Communication 6 Implicit Intent ComposerSender ListMsgs Activity Service FunGame LevelUp Messaging Main Explicit Intent Legend SMS permission Location permission Private component <<Android system>>

7. Research problem Components are over-privileged and violate the Least Privilege (LP) principle 7

8. LP in Android documentation The Android system implements the principle of least privilege. That is, each app, by default, has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not given permission. Android security mechanisms treat apps as the minimum security entities 8

9. Security Consequences • Hard to comprehend the security posture of an Android system • Increases the attack surface • Cause many security vulnerabilities • Privilege escalation attack • Hidden Inter-Component Communication (ICC) attack 9

10. FunGame Privilege Escalation Attack 10 ComposerSender ListMsgs LevelUp Messaging Main Implicit Intent Activity ServiceExplicit Intent Legend ix Intent SMS permission Location permission i1 i2 i3 // If (checkCallingPermission ("android.permission.SEND_SMS") == PackageManager.PERMISSION_GRANTED)

11. Hidden ICC Attack 11 ComposerSender ListMsgs FunGame LevelUp Messaging Main Implicit Intent Dynamically Loaded Code Activity ServiceExplicit Intent ix Intent SMS permission Location permission <<external>> i1i3 i2 Private component Legend

12. Outline  Approach  Experimental Results  Threats & Conclusion 12

13. DELDroidDesigntime ECA Rules Original Architecture LP Architecture Resource Monitor ICC Monitor Architectural Elements 5. LP Enforcer 4. Security Analyzer 1. Architectural Elements Extractor 3. Privilege Reducer Android Apps Layer System Resources 2. Privilege Analyzer ~~~ ~~~ ~~~ ~~~~ ~~~~~ ~~~~~ Analysis Result A,~~~ B,~~~ C,~~~ DELDroid Step Resource request ICC Repository DELDroid transaction Legend APKs Privilege Manager Layer Runtime

21. Android apps • Each Android app, APK file, includes • configuration file called manifest file • App’s bytecode • The manifest file specifies: • principal components that constitute the app • provided interface, i.e., Intent Filters • required permissions • enforced permissions • Bytecode contains among other things: • App’s business logic • Components communications • Enforced permissions 21

22. Step 1: Architectural Elements Extractor ID App Component Type Exported Intent Permissions Intents Name Filter Granted Used Enforced 1 Messaging ListMsgs Activity Yes {SMS} 2 Messaging Composer Activity Yes {SMS} {i1} 3 Messaging Sender Service Yes SEND_SMS {SMS} {SMS} 4 FunGame LevelUp Service No {Location} 5 FunGame Main Activity Yes MAIN {Location} {i2} 22

24. Multiple Domain Matrix (MDM) • MDM models a complex system with multiple domains • Each domain is modeled as a Design Structure Matrix (DSM) • DSM and MDM are very effective in capturing and analyzing the architecture of a complex system 24

25. Multiple Domain Matrix (MDM) Design Structure Matrix (DSM) Task 1 Task 2 Task 3 A system with three tasks Task 1 Task 2 Task 3 Task-to-person relationship P1 P2 MDM captures the architecture P1 P2 1 1 1 1 25 Task1 Task2 Task3 Task 1 1 Task 2 1 Task 3 1 Task1 Task2 Task3 Task 1 1 Task 2 1 Task 3 1

26. The Original architecture 26

28. The LP architecture 28

29. Original vs. LP architectures 29 Original Architecture LP Architecture

31. • Let us assume LevelUp does not use dynamic class loading Privilege escalation analysis 31

32. • DELDroid marks 𝑐𝑜𝑚𝑚𝑢𝑛𝑖𝑐𝑎𝑡𝑒 𝐿𝑒𝑣𝑒𝑙𝑈𝑝 , 𝑆𝑒𝑛𝑑𝑒𝑟 as a potential privilege escalation attack Privilege escalation analysis 32 LP Architecture

34. Communication ECA rule example 𝑬𝒗𝒆𝒏𝒕: 𝑖 ∈ 𝐼𝐶𝐶 𝑜𝑐𝑐𝑢𝑟𝑠 𝑪𝒐𝒏𝒅𝒊𝒕𝒊𝒐𝒏: 𝑖. 𝑠𝑒𝑛𝑑𝑒𝑟𝑃𝑘𝑔 = 𝐹𝑢𝑛𝐺𝑎𝑚𝑒 ∧ 𝑖. 𝑠𝑒𝑛𝑑𝑒𝑟𝐶𝑜𝑚𝑝 = 𝐿𝑒𝑣𝑒𝑙𝑈𝑝 ∧ 𝑖. 𝑟𝑒𝑐𝑒𝑖𝑣𝑒𝑟𝑃𝑘𝑔 = 𝑀𝑒𝑠𝑠𝑎𝑔𝑖𝑛𝑔 𝑨𝒄𝒕𝒊𝒐𝒏: 𝑝𝑟𝑒𝑣𝑒𝑛𝑡 34

35. Resource access ECA rule example 𝑬𝒗𝒆𝒏𝒕: 𝑟𝑒𝑠𝑜𝑢𝑟𝑐𝑒𝐴𝑐𝑐𝑒𝑠𝑠𝑅𝑒𝑞𝑢𝑒𝑠𝑡 𝑪𝒐𝒏𝒅𝒊𝒕𝒊𝒐𝒏: 𝑟𝑒𝑞𝑢𝑒𝑠𝑡𝑒𝑟 = 𝐿𝑒𝑣𝑒𝑙𝑈𝑝 ∧ 𝑠𝑒𝑟𝑣𝑖𝑐𝑒 =Context.LOCATION_SERVICE 𝑨𝒄𝒕𝒊𝒐𝒏: 𝑝𝑟𝑒𝑣𝑒𝑛𝑡 35

37. Outline  Approach  Experimental Results  Threats & Conclusion 37

38. Implementation details • DELDRoid is a Java application • input : set of apps • output: LP architecture and ECA rules • The enforcement mechanism implemented in the AOSP version 6 (Marshmallow) • Privilege Manager introduced a new package in the Android runtime • This package does not affect the existing apps • Other components are modified such as ActivityManager and ContextWrapper • Installed on Android emulator and Nexus 5X phone 38

39. Evaluation • RQ1: How effective is DELDroid in reducing the attack surface? • RQ2: How effective is DELDroid in detecting and preventing attacks in real-world apps? • RQ3: What is the performance of DELDroid? 39

40. Evaluation setup Dataset Apps Benign 370 Vulnerable 335 Malicious 225 Malicious Dataset Malgenome Brain Test AndroTotal Contagio Dataset Apps Distribution 40 Benign 40% Vulnerable 36% Malicious 24%

41. Bundle Apps Components Intent Intent Explicit Implicit Filter Bundle 1 30 306 344 79 176 Bundle 2 30 432 468 379 287 Bundle 3 30 422 574 212 200 Bundle 4 30 449 348 370 511 Bundle 5 30 353 304 277 292 Bundle 6 30 541 890 476 4919 Bundle 7 30 562 412 38 324 Bundle 8 30 362 417 267 242 Bundle 9 30 265 180 98 166 Bundle 10 30 421 322 1231 185 Average 30 411.3 425.9 342.7 730.2 Avg. (per app) 13.7 14.2 11.4 24.3 RQ1: Attack surface reduction 41

42. Bundle Components Intent Intent Communication Domain Explicit Implicit Filter Original LP Reduction (%) Bundle 1 306 344 79 176 29,031 42 99.86 Bundle 2 432 468 379 287 78,237 625 99.20 Bundle 3 422 574 212 200 65,709 173 99.74 Bundle 4 449 348 370 511 80,372 205 99.74 Bundle 5 353 304 277 292 56,868 345 99.39 Bundle 6 541 890 476 4919 85,556 661 99.23 Bundle 7 562 412 38 324 82,863 137 99.83 Bundle 8 362 417 267 242 50,208 250 99.50 Bundle 9 265 180 98 166 25,817 129 99.50 Bundle 10 421 322 1231 185 50,001 74 99.85 Average 411.3 425.9 342.7 730.2 60,466.2 264.1 99.58 Avg. (per app) 13.7 14.2 11.4 24.3 2,015.5 8.8 99.56 RQ1: Attack surface reduction – communication 42

43. Bundle Components Intent Intent Permission Granted Domain Explicit Implicit Filter Original LP Reduction (%) Bundle 1 306 344 79 176 1,642 45 97.26 Bundle 2 432 468 379 287 2,954 61 97.94 Bundle 3 422 574 212 200 2,510 54 97.85 Bundle 4 449 348 370 511 4,234 78 98.16 Bundle 5 353 304 277 292 1,536 51 96.68 Bundle 6 541 890 476 4919 4,461 181 95.94 Bundle 7 562 412 38 324 1,577 58 96.32 Bundle 8 362 417 267 242 1,946 24 98.77 Bundle 9 265 180 98 166 1,568 30 98.09 Bundle 10 421 322 1231 185 2,386 28 98.83 Average 411.3 425.9 342.7 730.2 2,481.4 61.0 97.58 Avg. (per app) 13.7 14.2 11.4 24.3 82.7 2.0 97.54 RQ1: Attack surface reduction - permission 43

44. Bundle Components Intent Intent Priv. Esca. Security Analysis Explicit Implicit Filter Original LP Bundle 1 306 344 79 176 25,944 0 Bundle 2 432 468 379 287 35,601 110 Bundle 3 422 574 212 200 22,721 2 Bundle 4 449 348 370 511 33,551 0 Bundle 5 353 304 277 292 26,914 2 Bundle 6 541 890 476 4919 24,745 2 Bundle 7 562 412 38 324 15,503 1 Bundle 8 362 417 267 242 27,663 14 Bundle 9 265 180 98 166 19,428 8 Bundle 10 421 322 1231 185 16,953 3 Average 411.3 425.9 342.7 730.2 24,902.3 14.2 Avg. (per app) 13.7 14.2 11.4 24.3 498.0 0.3 RQ1: Attack surface reduction – potential attacks 44

45. RQ2: Attacks detection and prevention • 54 malicious and vulnerable apps • The steps and inputs required to create the attacks are known • The dataset contains • 18 privilege escalation attacks • 24 hidden ICC attacks through dynamic class loading • Detection: DELDroid analyzes the derived LP architecture • Prevention: manually exercise the apps to create the attacks 45

46. RQ2: Privilege escalation detection results 46 TP Malicious behavior detected (18) FP Benign behavior detected (1) FN Malicious behavior not detected (0) • 18 privilege escalation Precision ( ) = 94.74% Recall ( ) = 100%

47. RQ2: Attacks prevention 47 TP Malicious behavior prevented (42) FP Benign behavior prevented (1) FN Malicious behavior allowed (0) • 18 privilege escalation • 24 hidden ICC attacks • 42 attacks Precision ( ) = 97.76% Recall ( ) = 100%

48. • Execution time of running DELDroid on the 10 bundles, repeated 33 times RQ3: Performance – design time Recovery (min) LP Determination (sec) Analysis (sec) ECA Rules (sec) Average per bundle 69.5 ± 2.7 1.61 ± 0.69 0.002 ± 0.001 0.45 ± 0.99 48

49. • A script that sends 363 requests to an Android system • Each request causes the system to perform an ICC transaction • On average, DELDroid takes 25 ± 10 milliseconds to check an intercepted ICC RQ3: Performance – run time 49

50. Outline  Approach  Experimental Results  Threats & Conclusion 50

51. Threats to validity • Not all hidden ICC communications are malicious • Previous study proposed a technique that check the integrity of the loaded code [1] • Static analysis tools cannot effectively analyze obfuscated apps • integrating dynamic analysis techniques [1] S. Poeplau et al. Execute this! analyzing unsafe and maliciousdynamic code loading in android applications. In NDSS, SanDiego, California, February 2014. 51

52. Conclusion • DELDroid is an automated approach for determining and enforcing the LP architecture for an Android system • The LP architecture narrows the attack surface and thwarts certain security attacks • Experimental results show • between 97% to 99% attack surface reduction • detecting and preventing security attacks (97% precision and 100% recall) • negligible runtime performance overhead 52

DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Similar to DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid (20)

Recently uploaded

Recently uploaded (20)

DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid

Editor's Notes