Android is widely used for the development and deployment of autonomous and smart systems, including software targeted for IoT and mobile devices. Security of such systems is an increasingly important concern.
Android relies on a permission model to secure the system's resources and apps. In Android, since the permissions are granted at the granularity of apps, and all components in an app inherit those permissions, an app's components are over-privileged, i.e., components are granted more privileges than they actually need. Systematic violation of least-privilege principle in Android is the root cause of many security vulnerabilities. To mitigate this issue, we have developed DELDroid, an automated system for determination of least privilege architecture in Android and its enforcement at runtime. A key contribution of DELDroid is the ability to limit the privileges granted to apps without modifying them. DELDroid utilizes static analysis techniques to extract the exact privileges each component needs. A Multiple-Domain Matrix representation of the system's architecture is then used to automatically analyze the security posture of the system and derive its least-privilege architecture. Our experiments on hundreds of real-world apps corroborate DELDroid's ability in effectively establishing the least-privilege architecture and its benefits in alleviating the security threats.
DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid
1. DELDroid: Determination & Enforcement
of Least Privilege Architecture in AnDroid
Mahmoud Hammad
Software Engineering Ph.D. Candidate
Mahmoud Hammad, Hamid Bagheri, and Sam Malek
IEEE International Conference on Software Architecture (ICSA 2017)
Gothenburg, Sweden, April 2017. 3/22/2017
2. 2
Android in the market
Source: International Data Corporation (IDC)
8. LP in Android documentation
The Android system implements the principle of least privilege. That is, each app, by
default, has access only to the components that it requires to do its work and no more.
This creates a very secure environment in which an app cannot access parts of the
system for which it is not given permission.
Android security mechanisms treat apps as the minimum security entities 8
9. Security Consequences
• Hard to comprehend the security posture of an Android system
• Increases the attack surface
• Cause many security vulnerabilities
• Privilege escalation attack
• Hidden Inter-Component Communication (ICC) attack
9
24. Multiple Domain Matrix (MDM)
• MDM models a complex system with multiple domains
• Each domain is modeled as a Design Structure Matrix (DSM)
• DSM and MDM are very effective in capturing and analyzing the
architecture of a complex system
24
38. Implementation details
• DELDRoid is a Java application
• input : set of apps
• output: LP architecture and ECA rules
• The enforcement mechanism implemented in the AOSP version 6 (Marshmallow)
• Privilege Manager introduced a new package in the Android runtime
• This package does not affect the existing apps
• Other components are modified such as ActivityManager and ContextWrapper
• Installed on Android emulator and Nexus 5X phone
38
39. Evaluation
• RQ1: How effective is DELDroid in reducing the attack surface?
• RQ2: How effective is DELDroid in detecting and preventing attacks in
real-world apps?
• RQ3: What is the performance of DELDroid?
39
45. RQ2: Attacks detection and prevention
• 54 malicious and vulnerable apps
• The steps and inputs required to create the attacks are known
• The dataset contains
• 18 privilege escalation attacks
• 24 hidden ICC attacks through dynamic class loading
• Detection: DELDroid analyzes the derived LP architecture
• Prevention: manually exercise the apps to create the attacks
45
48. • Execution time of running DELDroid on the 10 bundles, repeated 33 times
RQ3: Performance – design time
Recovery
(min)
LP Determination
(sec)
Analysis
(sec)
ECA Rules
(sec)
Average per
bundle
69.5 ± 2.7 1.61 ± 0.69 0.002 ± 0.001 0.45 ± 0.99
48
49. • A script that sends 363 requests to an Android system
• Each request causes the system to perform an ICC transaction
• On average, DELDroid takes 25 ± 10 milliseconds to check an intercepted ICC
RQ3: Performance – run time
49
51. Threats to validity
• Not all hidden ICC communications are malicious
• Previous study proposed a technique that check the integrity of the loaded code [1]
• Static analysis tools cannot effectively analyze obfuscated apps
• integrating dynamic analysis techniques
[1] S. Poeplau et al. Execute this! analyzing unsafe and maliciousdynamic code loading in android applications. In NDSS, SanDiego, California, February 2014.
51
52. Conclusion
• DELDroid is an automated approach for determining and enforcing the LP
architecture for an Android system
• The LP architecture narrows the attack surface and thwarts certain security
attacks
• Experimental results show
• between 97% to 99% attack surface reduction
• detecting and preventing security attacks (97% precision and 100% recall)
• negligible runtime performance overhead
52
Editor's Notes
In this presentation, I will talk about DELDroid, our automated system for determination and enforcement of least privilege architecture in Android.
As you may know, Android is the most predominant mobile platform with 87% market share. Which means 87% of the smarphone users are running Android platform.
One of the main reasons that people are attracted to smartphone devices is the abundant number of apps in the app stores.
For example, Google play app store contains more than 2.6 million apps as of Dec. 2016, and there are numerous other app stores.
Unfortunately, the number of malicious Android apps is increasing exponentially, as you can see in this figure.
In fact, Android platform is the most targeted mobile platform not only because of its popularity, it is one reason, but also because the Android platform is not secure enough.
I am saying that because, if you, as a user, installs an Android application, such as Messaging app or FunGame app, each app consists of several components, different screens, called Activities in Android, different services that run in the background, or different database components.
If an app asks for permissions to access the various system resources, such as SMS permission in the messaging app or Location permission in the FunGame app, Android grants permissions at the granularity of applications. Therefore, all components in an application are granted the same permissions that are granted to their parent application.
Keep in your mind that, not all components in an app are developed by the app’s developer. For example, if an app includes an advertisement library, payment processing library, or social networking library, these libraries they add components to the app, yet Android treats all components in an app alike and grant them the same permissions that are granted to their parent app.
Therefore, almost all components have more permissions than they actually need. They can use these permissions to access the various system resources.
So, this is the first issue, that components have more permissions than they actually need.
The second issue is that, Android promotes component-based development in which components can communicate with one another either inside one app or across apps with no restrictions in most cases. As long a component is not set to private, all components from various apps can communicate with it.
Components can communicate with one another using event messages called Intents. Either explicit Intent, in which the target component is explicitly specified or implicit Intent in which the action to be performed is specified. For example, a component can send an implicit Intent to all components that can open html file or play a music file.
Again, since Android grants privileges at the granularity of apps, almost all components have more communication privileges than they actually need.
So we have these two issues, components have more permissions than they actually need, and components have more communication privileges than they actually need.
And These two issues form our research problem.
Which is components are over-privileged and violate the well established least-privilege security principle. This security principle promotes for granting each component that exact privileges it needs to fulfil its task.
This shows that Android security mechanisms treat applications as the minimum security entities and cannot distinguish between their components.
https://developer.android.com/guide/components/fundamentals.html
This systematic violation of least privilege security principle has many security consequences. among them, it makes comprehending the security posture of an Android system tedious and error prone, not only for a security architect, but also for security analysis tools that need to examine all possible communications and all allowed permissions in an Android system to understand the risk it poses.
Also, it increases the attack surface of an Android system. So if a component is compromised, the impact might be severe due to the extra privileges that component has.
Moreover, this violation is the root cause of many security vulnerabilities such as privilege escalation attack and hidden Inter-Component-Communication ICC attacks. In the next two slides, I will describe each vulnerabilit individually.
Privilege escalation or permission re-delegation is an attack in which a component performs a privileged task on behalf of an unprivileged component.
In Android, a component can define its provided capabilities using an object called Intent filter. For example, a component can say I can send a text message or I can open html file, etc. And Android uses these information to match the implicit Intent with the component that can handle it.
In this Android system, the Sender component provides an interface to send text messages upon receiving an Intent from another component. So, once Sender receives Intent i1, it extracts the phone number and the message body and uses the SMS permission to send a text message.
In this system, the Sender service is a vulnerable component in which it does not check if the calling component has SMS permission before sending a text message. So this is the missing code in this service. In this situation, another component such as LevelUp can communicate with the Sender using implicit Intent i3 to send a text message without having an SMS permission. This communication results in leaking the user’s location to a premium rate number.
A more sophisticated attack is the hidden ICC attack. Instead of LevelUp directly communicating with the Sender to send a text message, it can leverage a dynamic class loading feature which allows LevelUp to download a JAR file from external sources, such as SD card or remote web server, then LevelUp can load and executes the contained codes in that JAR file. So the loaded code can use the location permission to determine the user’s location and creates an implicit Intent, i3, that LevelUp can use to communicate with the Sender service. Again, the LevelUp can send text messages to any premium rate number without having SMS permission.
This hidden ICC attack is not detected by static analysis tools, the tools that analyze applications source code or bytecode without running them, since the code that allows LevelUp to communicate with Sender is not part of the FunGame app, neither its source code nor its bytecode.
Additionally, dynamic analysis techniques, the techniques that run and monitor the execution of the applications, cannot effectively detect such vulnerability, especially if the app incorporates complicated evasion tactics such as timing-bombs. Execute the malicious code on Saturday at 3am.
In this presentation, I will use this Android system as a running example to illustrate
our approach and then present experimental results of DELDroid and conclude the presentation.
This figure depicts our approach, DELDroid, an automated system for determination of least-privilege architecture, an architecture that grants each component the exact privileges it needs to fulfill its task, then it enforces it at runtime.
Our approach consists of 5 steps:
the first step takes a set of Android apps packages, APK files, and statically extracts information from them
the second step derives the original system architecture, an architecture that shows the current privileges each component has as allowed or as permitted by Android platform. The permissions that each component is granted and the communication privileges each component has.
the third step determines the exact privileges each component needs to fulfil its task and models that in an architecture called least-privilege architecture
The fourth step analyzes the security posture of the Android system in light of the determined LP architecture to check if the system is vulnerable to privilege escalation attacks and reports that. Then, a security architect can further adapt or modify the determined architecture.
LP Enforcer transforms the determined least-privilege architecture to a set of Event-Condition-Action rules. Each rule reads as follows: when an event occurs, check a condition, if it holds, executes the action.
Then our Privilege Manager layer in our modified version of Android enforces the ECA rules at runtime.
Now let’s see how each step works in light of our running example.
Again, the first step takes a set of Android applications’ packages or APK files and leverages several static analysis tools to extract information from these applications.
Each Android package or APK file contains a configuration file called manifest file and the app’s bytecode. The manifest file contains information about the components in the app, their properties such as their types and the capabilities that each component defines using Intent Filters, and the permissions that the application asks for. So, in our example, the Messaging app is granted the SMS permission and all of its components are granted it as well. Same thing for the FunGame application.
The bytecode contains information about the used permissions, for example, the Sender service uses the SMS permission through calling the sensitive SMS APIs. Therefore, the Sender service uses the SMS permission.
The enforced permissions are the permissions that a component requires from the calling components to have. Remember the checkCallingPermisssion API, if the Sender service used that code, the SMS permission would be an enforced permission by the Sender service. And also there is another way of enforcing permissions in Android in which an app can create a permission and uses that permission for self-protecting. In our running example none of the components is enforcing a permission and hence this domain is empty.
In addition to that, this step extracts the latent Intents in the app’s bytecode. Therefore, Intent i1 and i2 are statically extracted from the app’s bytecode and placed in this table. Notice that neither the location permission usage nor the Intent i3 are statically extracted since they are not part of the app’s bytecode. They are part of the dynamically loaded code and hence they are not part of this table. The ID column in this table contains auto generated numbers for later use.
This step analyzes the privileges each component has in terms of permissions it has and communication privileges it has, and it represents that in an architecture called the original system architecture. So this architecture shows how Android manages the components’ privileges.
Our approach uses Multiple Domain Matrix to model the architecture.
MDM is a matrix representation of a complex system with multiple domains. Each domain is modeled as Design Structured Matrix or Dependency Structure Matrix DSM.
DSM and MDM are very effective tools in capturing and analyzing the architecture of a complex system. Let’s see an example.
Suppose that we have this system that consists of three tasks where task 1 depends on Task 2, Task 2 depends on Task 3, etc. We can represent this system using DSM where each non-empty cell represent a dependency between the element in the row to the element in the column.
Now, if we need to model another domain in this system, where a task is assigned to a person, for example Task 1 is assigned to person 1, task 2 is assigned to both person 1 and 2, in this case, we can use a MDM to represent the system with two domain.
So in our approach we borrowed this concept to represent the architecture of an Android system with multiple domains.
Regarding to our running example where by default all components in an app are granted the same permissions that are granted to their parent apps and components can communicate with one another, this would be the derived original architecture represented as MDM with 4 domain.
The communication domain shows that the component in the row is allowed to communicate with the component in the column.
Permission granted domain shows the granted permissions for each component. Since all components in an app are granted the same permissions, all components in the Messaging app are granted the SMS permissions. The permission usage are the directly used permissions by each component and the permission enforcement domain are the enforced permissions by each component as described in the table of the first step.
Privilege Reducer step determines the exact privileges each component needs to fulfil its task and models that in an architecture called LP architecture in a MDM.
For our running example, this is the determined LP architecture. The communication domain shows the needed communications that each component needs as determined by the Intents that each components creates and uses.
For example, the Composer component is allowed to communicate with the Sender component since there is an Intent, i1. Same thing for the communication between Main and LevelUp.
Notice that, the communication between LevelUp and Sender is not part of the LP architecture since the code that creates the Intent, i3, is not part of the FunGame’s bytecode.
Permission granted domain shows the granted permissions for each component. Sender component is granted the SMS permission since it uses this permission to send text messages. On the other hand, Composer component is granted this permission since it communicates with the Sender that uses this permission and its app, Messaging app, is granted this permission. In this case, the Composer component has a legitimate reason to hold this permission.
So what DELDroid did so far, it derived the original architecture and determined the LP architecture of an Android system. As you can see it reduced both the communication domain and the permission granted domain.
Now, once DELDroid determined the LP architecture, the next step, Security Analyzer, analyzes the architecture for any potential privilege escalation attacks and report them, so a security architect can further manages the privileges.
It worths mentioning that DELDroid can be configured to remove any communication marked as potential privilege escalation attack until a security architect decides otherwise.
As a concrete example, let’s assume that LevelUp does not use dynamic class loading to communicate with the Sender component, instead it creates an implicit Intent and uses it to communicate with the Sender to leak the user’s location via a text message. In this case, the Location usage and the Intent i3 is part of the FunGame’s bytecode and hence it is statically extracted.
This architecture would be the determined LP architecture for this Android system. The LP architecture allows the LevelUp to communicate with the Sender and grants LevelUp the location permission.
Now, the LP Analyzer step automatically checks each communication and once it sees that there is a communication between LevelUp and Sender, in which Sender uses SMS permission without enforcing it and LevelUp does not have this permission, it marks this communication as potential privilege escalation attack.
Then a security architect can further adapt or modify the architecture.
Once the LP architecture is determined, this step transforms the architecture to a set of Event-Condition-Action or ECA rules that capture the architecture.
Back to our running example where LevelUp uses dynamic class loading to conduct a hidden ICC attack. For this Android system, this is the determined LP architecture. Since LevelUp is not allowed to communicate with all components in the Messaging application, this step creates this ECA rule that prevents LevelUp from communicating with all components in the Messaging app.
So, enforcing this ECA rule at runtime would prevent LevelUp from communicating with the Sender service and hence preventing the hidden ICC attack.
Similarly, the LevelUp is not granted the Location permission in this architecture, therefore, this step creates this ECA rule that would prevent LevelUp from accessing the Location service.
The generated ECA rules are enforced using the Privilege Manager Layer, a layer that we have added to the Android platform. This layer contains two components and the ECA rules repository.
ICC Monitor component intercepts each ICC transaction and vet it against the stored ECA rules.
Resource Monitor component intercepts each resource access request and checks it the requester component has a permission to access the requested resources.
Let’s take a look at the DELDroid’s evaluation results.
We have implemented DELDroid as a java application that takes a set of Android apps as input and generates a LP architecture and a set of rules that capture the architecture.
The enforcement mechanisms implemented in the AOSP version 6.
The privilege manager introduces a new package but this package does not affect the existing apps.
Finally, we have successfully installed our modified Android version on Android emulator and Android Nexus 5X device.
(S36)
Our evaluation address these thre research questions.
(1) The effectiveness of DELDroid in reducing the attack surface,
(2) the ability of our approach in detecting and preventing security attacks, and
(3) the performance overhead of our DELDroid
To perform the evaluation, we have downloaded apps from various repositories as you can see from the upper table. 370 benign apps from Google play store; 335 vulnerable apps identified by a previous study, and 225 malicious apps drawn from various repositories shown in the green table.
To answer the RQ1, we created 10 bundles each containing 30 randomly selected apps from the 3 datasets. Each bundle contains 24 benign, 3 malicious, and 3 vulnerable apps. This table shows the structure of each bundle in terms of the number of components, Intents, and Intent Filters.
This table shows the attack surface reduction in the communication domain. For example, the possible communications in Bundle 1 is 99% reduced from over 29K to only 42 inter app communications (IAC).
Similarly, the permission granted domain is also reduced by 97%.
As I presented before in step 4, once the LP architecture is determined, DELDroid analyzes it for any potential privilege escalation vulnerabilities.
This table depicts the number of the potential privilege escalation vulnerabilities in bith, the original and the LP architectures.
For example, in Bundle 5, there are more than 26 thousand potential privilege escalation vulnerabilities and only 2 of them are in the LP architecture.
These numbers show the effectiveness of our approach in reducing the attack surface of Android system.
To answer the second research question, we used 54 apps with known vulnerabilities and the steps to generate the attacks.
The dataset contains 18 privilege escalation attack and 24 hidden ICC attacks. We manually checked and confirmed the correctness of their implementation.
For the determination, DELDroid determined and analyzed the LP architecture for this dataset and reported the detected potential privilege escalation attacks.
For the prevention study, we manually installed these apps and exercised them while enforcing the determined LP architecture to see if DELDroid prevented the attacks or not.
DELDroid detected 19 communications as privilege escalation attacks. 18 of them are true positive and 1 is false positive.
Our manual inspection of the FP case showed that this was due to the shortcomings of the used static analysis tools. In particular, since the static analysis tools we relied upon are not path sensitive, they tend to over-approximate the behavior of Android architecture and hence leads to such FP.
Overall, the precision is 94.7% and the recall is 100%
Remember we have 18 privilege escalation attacks and 24 hidden ICC attacks, so the total is 42 attacks. DELDroid prevented all the 19 detected privilege escalation attacks and all the 24 hidden ICC attacks. Therefore, the precision is 97.7% and 100% recall.
These high accuracy numbers show the ability of our approach in detecting and preventing certain security attacks.
Last experiment, we measured the performance of DELDroid. We ran this experiment on the 10 bundles repeated 33 times to achieve high confident. On average, it takes about 70 minutes to statically analyze the apps and determines the LP architecture. The vast majority of the time is spent in the static analysis tools.
For measuring the runtime performance overhead, we sent 363 request to an Android system, each request causes the system to perform an ICC transaction of some sort, then we measured the time it takes to check each ICC transaction. On average, it takes 25 milliseconds.
This time cannot perceive as delay by the users, as Android documentation stated that the user starts noticing delays after 100-200 ms.
These experimental results corroborate DELDroid’s effectiveness in reducing the attack surface and its ability to detect and prevent security attacks in a negligible time.
Some limitation of DELDroid: not all hidden ICC communication are malicious, although a previous study showed that benign developers, even for the top 50 apps, are not infallible of mistakenly use this feature such as downloading a code from http servers rather than https.
They proposed an enhancement to the Android kernel to check the integrity of the loaded code before executing it. So we can integrate such a technique in our approach.
Our approach also has some limitations inherited from the use of of the static analysis tools such as their ineffectiveness to analyze an obfuscated code. Therefore, we are planning to integrate dynamic analysis approaches to discover the architecture.
I have presented DELDroid, an automated system for determining and enforcing the least privilege architecture of an Android system without the need to modify the apps.
Our experimental results show the effectiveness of our approach in reducing the attack surface and the ability of our approach in detecting and preventing certain security attack in a negligible time. Moreover, our approach allows a security architect to adapt or modify the architecture and enforces it while the system is running.