Trendmicro Security Award 2012 Final Presentation

Lectured at Trendmicro Security Award 2012 Final Round

  • I’m going to talk about a new malware detection system for Android that uses SEAndroid.
  • My name is Hiromu Yakura. I’m 15 years old. My Twitter account is @hiromu1996.
  • I’m the youngest Japanese national certified security specialist. I like competitive programming, and I won a bronze medal at the Asia and Pacific Informatics Olympiad.
  • I also work on the Linux kernel and have had some patches accepted. I’m an Android developer as well, and I have lectured on Android security at Tokyo University under the title “What is SEAndroid?”.
  • In recent years the number of Android malware samples has been increasing explosively. This is a chart of detected Android malware.
  • It is clear that they are becoming a big threat in the Android market.
  • This is a chart of detected malware types. Let’s look at the lower right.
  • This is DroidKungFu; it is only about 3 percent. But I think it is the biggest threat, because it gains root access.
  • DroidKungFu carries two exploits to gain root access. The first uses a vulnerability in the Linux kernel; the second uses a vulnerability in Android. It executes them and gains root access.
  • After gaining root access, it installs other malware without the user’s permission, and the user cannot delete that malware.
  • You may think the user can defend themselves with an Android security application. But security applications cannot detect or remove DroidKungFu, because security applications run inside the Android sandbox.
  • Also, all security applications use signature-based scanning, so they cannot detect zero-day attacks or encrypted files.
  • I propose a new Android security system. It can defend against zero-day attacks and root exploits.
  • This is an overview of the proposed system.
  • This system uses SEAndroid and Jubatus.
  • Jubatus is a distributed machine learning system developed by Japanese companies. SEAndroid is a Linux Security Module for Android.
  • First, I want to explain Jubatus. Jubatus is a distributed processing framework and a streaming machine learning library. Jubatus is better at real-time and distributed processing than other systems such as MapReduce and Hadoop.
  • Second, SEAndroid. SEAndroid is the Android version of the popular Linux security system SELinux. It is developed by the National Security Agency of the United States of America.
  • SEAndroid has three functions. The first is mandatory access control. The second is least privilege. The last is the audit log. My system uses the audit log for detection.
  • Next, I want to explain how this system works.
  • An application sends commands to the Android OS.
  • SEAndroid judges whether the command is valid according to the security policy.
  • If SEAndroid judges the command valid, SEAndroid passes it to the kernel.
  • If SEAndroid judges the command invalid, SEAndroid blocks it.
  • And the command is recorded in the audit log.
  • When the audit log is updated, the system sends the log to Jubatus, and Jubatus judges from the log whether the application is malware.
  • If Jubatus judges that the application is not malware, the application is added to a whitelist, and SEAndroid passes all of that application’s commands.
  • If Jubatus judges that the application is malware, the system notifies the user and urges the user to remove the application.
  • I want to show a demonstration.
  • There are three features of this system. The first is that it adopts behavioral detection, so it can defend against zero-day attacks; none of the existing products can defend against zero-day attacks.
  • The second is the use of a Linux Security Module to enable root access detection. SEAndroid records only security incidents in the audit log, which is why this system has higher precision and is lighter than hooking system calls.
  • The last is real-time machine learning. The system learns from user feedback, so its precision keeps improving. Of all the alternatives, Jubatus is the best suited to this system.
  • There are a few issues. This system depends on SEAndroid, but SEAndroid is built into the kernel, so in order to use SEAndroid, vendors must install it by default.
  • However, this system can use another Linux Security Module instead of SEAndroid. Only the log parser needs to change to adopt another Linux Security Module. And there are devices supporting TOMOYO Linux, which is one such Linux Security Module. The devices are made by the Japanese company Fujitsu and sold on the Japanese market.
  • That is why this system already works on some commercial devices. And I think all devices will support a Linux Security Module within several years, because a Linux Security Module is essential to defend Android from malware.
  • Lastly, I want to improve the Android security system and decrease the damage from Android malware with this system. Thank you for listening.
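The "log parser" step described above (audit log in, one datum per application out for Jubatus) as an added example that is not part of the presentation: it parses SELinux/SEAndroid AVC denial records and aggregates them into a per-application count vector. The log lines are constructed, and the feature layout (permission:class:target type) is my assumption; a classifier such as Jubatus would receive these vectors.

```python
import re
from collections import Counter, defaultdict

# SELinux/SEAndroid AVC record: "avc: denied { perms } for <fields> scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

# Constructed sample audit log: two apps, three denials, one non-AVC record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1349701234.123:45): avc: denied { write } for pid=1321 comm="com.example.game" '
    'name="block" dev=tmpfs ino=4321 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:block_device:s0 tclass=dir',
    'type=AVC msg=audit(1349701234.130:46): avc: denied { read write } for pid=1321 comm="com.example.game" '
    'path="/system/bin/sh" dev=mtdblock3 ino=77 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_exec:s0 tclass=file',
    'type=AVC msg=audit(1349701235.001:47): avc: denied { read } for pid=1400 comm="com.example.notes" '
    'name="cache" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:cache_file:s0 tclass=dir',
    'type=SYSCALL msg=audit(1349701235.001:47): arch=40000028 syscall=5 success=no exit=-13',
]

def parse_avc(line):
    """Parse one audit line into a dict; return None for records that are not AVC decisions."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),          # a record may list several permissions
        'app': fields.get('comm', fields.get('pid', 'unknown')),
        'path': fields.get('path') or fields.get('name'),
        'scontext': m.group('scontext'),
        'tcontext': m.group('tcontext'),
        'tclass': m.group('tclass'),
    }

def features_by_app(lines):
    """Aggregate denials into one count vector per application, keyed perm:tclass:target type.
    Granted and non-AVC records are skipped: the LSM only logs security incidents."""
    vectors = defaultdict(Counter)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        parts = rec['tcontext'].split(':')
        ttype = parts[2] if len(parts) > 2 else rec['tcontext']  # e.g. u:object_r:shell_exec:s0 -> shell_exec
        for perm in rec['perms']:
            vectors[rec['app']][f"{perm}:{rec['tclass']}:{ttype}"] += 1
    return vectors

if __name__ == '__main__':
    for app, vec in features_by_app(SAMPLE_LOG).items():
        print(app, dict(vec))
```

Swapping in another LSM (for example TOMOYO) means replacing `AVC_RE`/`parse_avc` with a parser for that module's log format; `features_by_app` and the consumer stay unchanged.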

Presentation Transcript

  • The new malware detection system with SEAndroid
    Hiromu Yakura <hiromu1996@gmail.com>
  • Self-Introduction
    • Hiromu Yakura
    • 15 yo.
    • Twitter: @hiromu1996
  • Self-Introduction
    • Japanese national certified security specialist
      • Youngest record
    • Competitive programmer
      • Asia and Pacific Informatics Olympiad
      • Won a bronze medal
  • Self-Introduction
    • Linux kernel developer
      • Accepted some patches
    • Android developer
      • Lectured about Android security
      • “What is SEAndroid?”
      • at Tokyo University
  • Background
    • An alarming increase in Android malware
    (chart: McAfee Threats Report: First Quarter 2012)
  • Background
    • An alarming increase in Android malware: big threat
    (chart: McAfee Threats Report: First Quarter 2012)
  • Background
    • Percentage of detected malware types
    (chart from F-Secure Mobile Threat Report 2012 Q1)
  • DroidKungFu
    • This application contains exploit code
      • CVE-2009-1185: Linux kernel vulnerability
      • CVE-2010-EASY: Android vulnerability
  • DroidKungFu
    • After gaining root access
      • Installs other malware
      • without user permission
      • user can’t delete the malware
  • Security Application
    • Usual Android security applications
      • Can’t detect root access
      • Can’t remove DroidKungFu
    • Because of the Android sandbox
  • Security Application
    • All of them adopt signature-based systems
      • Can’t detect zero-day attacks
      • Can’t detect encrypted files
  • The new system
    • I propose a new system
      • Defend from zero-day attacks
      • Defend from root exploits
  • The new system
    • System overview
    (diagram: Application, Policy, SEAndroid, Jubatus, Log, Linux Kernel, Android Server)
  • The new system
    • This system uses SEAndroid and Jubatus
    (system overview diagram)
  • The new system
    • This system uses Jubatus and SEAndroid
      • Jubatus is a distributed learning system
      • SEAndroid is an LSM (Linux Security Module)
  • Jubatus
    • Distributed processing framework
    • Streaming machine learning library
      • More excellent in real-time, distribution
      • than MapReduce, Hadoop
  • SEAndroid
    • SEAndroid
      • One of the popular LSMs
      • Android version of SELinux
      • Developed by NSA
  • SEAndroid
    • Mandatory Access Control
    • Least privileges
    • Audit log
  • The new system
    • How it works
    (system overview diagram)
  • The new system
    • When an application sends commands
    (system overview diagram)
  • The new system
    • Judge whether the command is valid with the policy
    (system overview diagram)
  • The new system
    • If SEAndroid judges the command is valid
    (system overview diagram)
  • The new system
    • If SEAndroid judges the command is invalid
    (system overview diagram)
  • The new system
    • The command is recorded in the audit log
    (system overview diagram)
  • The new system
    • System sends the log to Jubatus
    (system overview diagram)
  • The new system
    • Jubatus judges the application isn’t malware: whitelisted
    (system overview diagram)
  • The new system
    • Jubatus judges the application is malware
    (system overview diagram)
  • ~Demo~
  • Features
    • Behavioral detection system
      • Defend from zero-day attacks
      • None of the existing products can defend
  • Features
    • Use SEAndroid (Linux Security Module)
      • Enable root access detection
      • Logging only security incidents
      • Higher precision and lighter
      • than syscall hooking
  • Features
    • Real-time machine learning
      • Study from user feedback
      • Become higher precision steadily
      • Jubatus is best suited for this system
  • Issue
    • This system depends on SEAndroid
      • SEAndroid is a built-in system of the kernel
      • Vendors must install SEAndroid
    • No device on the market supports SEAndroid
  • Solution
    • This system can use another LSM
      • With only changing the log parser
    • There are devices supporting TOMOYO Linux
      • TOMOYO Linux is an LSM
      • The devices are made by Fujitsu
  • Solution
    • Works on some commercial devices
    • In several years, all devices will support an LSM
      • Because an LSM is essential for Android
  • Lastly
    • I want to
      • Improve the Android security system
      • Decrease damage from Android malware
  • Thank you for listening