3. Self-Introduction
• Japanese national certified security specialist
  • Youngest on record
• Competitive programmer
  • Asia and Pacific Informatics Olympiad
  • Won a bronze medal
4. Self-Introduction
• Linux kernel developer
  • Some patches accepted
• Android developer
  • Lectured about Android security
  • “What is SEAndroid?”
  • at Tokyo University
32. Features
• Uses SEAndroid (a Linux Security Module)
  • Enables root access detection
• Logs only security incidents
  • Higher precision and lighter than syscall hooking
33. Features
• Real-time machine learning
  • Learns from user feedback
  • Precision improves steadily
• Jubatus is best suited for this system
34. Issue
• This system depends on SEAndroid
• SEAndroid is built into the kernel
  • Vendors must ship SEAndroid
• No device on the market supports SEAndroid
35. Solution
• This system can use other LSMs
  • by changing only the log parser
• There are devices supporting TOMOYO Linux
  • TOMOYO Linux is an LSM
  • The devices are made by Fujitsu
36. Solution
• Works on some commercial devices
• In several years, all devices will support an LSM
  • because an LSM is essential for Android
37. Lastly
• I want to
  • Improve the Android security system
  • Decrease the damage done by Android malware
I’m going to talk about a new malware detection system for Android using SEAndroid.

My name is Hiromu Yakura. I’m 15 years old. My Twitter account is hiromu1996.

I’m the youngest Japanese national certified security specialist. I like competitive programming, and I got a bronze medal at the Asia and Pacific Informatics Olympiad.

I’m also working on the Linux kernel and have had some patches accepted. And I’m an Android developer. I have lectured about Android security under the title “What is SEAndroid?” at Tokyo University.
In recent years, the number of Android malware samples has been increasing explosively. This is a chart of detected Android malware.

It is clear that they are becoming a big threat in the Android market.

This is a chart of detected malware types. Let’s look at the lower right.

This is DroidKungFu; it is only about 3 percent. But I think it is the biggest threat because it gains root access.

DroidKungFu has two exploit codes to gain root access. The first one uses a vulnerability in the Linux kernel. The second one uses a vulnerability in Android. It executes them and gains root access.

After gaining root access, it installs other malware without the user’s permission. And the user can’t delete the malware.

You may think the user can defend themselves with an Android security application. But security applications cannot detect and remove DroidKungFu, because security applications work under the Android sandbox.

Also, all of the security applications use signature-based scanning. So they cannot detect zero-day attacks or encrypted files.
I propose a new Android security system. It can defend against zero-day attacks and root exploits.

This is an overview of the proposed system.

This system uses SEAndroid and Jubatus.

Jubatus is a distributed machine learning system developed by Japanese companies. SEAndroid is the Linux Security Module for Android.

First, I want to explain Jubatus. Jubatus is a distributed processing framework and streaming machine learning library. Jubatus is better at real-time processing and distribution than other systems like MapReduce and Hadoop.

Second, SEAndroid. SEAndroid is the Android version of the popular Linux security system SELinux. It was developed by the National Security Agency of the United States of America.

SEAndroid has 3 functions. The first one is mandatory access control. The second one is least privilege. The last one is the audit log. My system uses the audit log for detection.
Next, I want to explain how this system works.

An application sends commands to the Android OS.

SEAndroid judges whether the command is valid against the security policy.

If SEAndroid judges the command valid, SEAndroid passes it to the kernel.

If SEAndroid judges the command invalid, SEAndroid blocks it.

And the command is recorded in the audit log.

When the audit log is updated, the system sends the log to Jubatus. And Jubatus judges from the log whether the application is malware or not.

If Jubatus judges the application is not malware, the application is added to a whitelist. And SEAndroid passes all commands of the application.

If Jubatus judges the application is malware, the system notifies the user. And the system urges the user to remove the application.
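As an added example (not code from the talk, from Jubatus or from SEAndroid), the following Python sketches the pipeline described above: a parser that turns SEAndroid AVC audit lines into per-app features, and a small online linear model standing in for the Jubatus classifier that whitelists benign apps, notifies on suspicious ones, and adjusts its weights from user feedback. The sample audit lines, the prior weights and the `OnlineDetector` class are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the SELinux/SEAndroid AVC audit format (not from the talk).
SAMPLE_LOG = """\
type=AVC msg=audit(1352100000.123:1): avc: denied { write } for pid=201 comm="com.example.notes" name="notes.db" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=AVC msg=audit(1352100001.456:2): avc: denied { execute } for pid=333 comm="com.bad.game" name="exploit" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
type=AVC msg=audit(1352100002.789:3): avc: denied { setuid } for pid=333 comm="com.bad.game" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability
type=AVC msg=audit(1352100003.012:4): avc: denied { write } for pid=333 comm="com.bad.game" name="app_process" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file
"""

AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
                    r'.*?tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(log_text):
    """Audit lines -> per-app Counter of (tclass, perm) and ('target', type) features."""
    # Only this parser would change to support another LSM such as TOMOYO Linux.
    features = defaultdict(Counter)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; ignore
        ttype = m.group("tctx").split(":")[2]  # u:object_r:system_file:s0 -> system_file
        app = features[m.group("comm")]
        app[("target", ttype)] += 1
        for perm in m.group("perms").split():
            app[(m.group("tclass"), perm)] += 1
    return features

class OnlineDetector:
    """Linear model updated from user feedback; a stand-in for the Jubatus classifier."""
    def __init__(self, prior_weights):
        self.weights = Counter(prior_weights)  # assumed prior, not from the talk
        self.whitelist = set()

    def score(self, counter):
        return sum(self.weights[f] * n for f, n in counter.items())

    def judge(self, app, counter):  # 'pass' (whitelisted), 'notify' (malware), 'whitelist'
        if app in self.whitelist:
            return "pass"
        if self.score(counter) > 0:
            return "notify"
        self.whitelist.add(app)
        return "whitelist"

    def feedback(self, counter, is_malware):  # user confirms/rejects a verdict
        sign = 1 if is_malware else -1
        for f, n in counter.items():
            self.weights[f] += sign * n

PRIOR = {("capability", "setuid"): 2.0, ("file", "execute"): 1.0, ("target", "system_file"): 1.0}
```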
I want to show a demonstration.

There are three features of this system. The first one is adopting a behavioral detection system, so this system can defend against zero-day attacks. None of the existing products can defend against zero-day attacks.

The second one is using a Linux Security Module to enable root access detection. And SEAndroid records only security incidents to the audit log. That’s why this system keeps higher precision and is lighter than hooking system calls.

The last one is real-time machine learning. The system learns from user feedback and always becomes more precise. Jubatus is better suited for this system than any other system.

There are a few issues. This system depends on SEAndroid. But SEAndroid is a built-in system of the kernel. That’s why, in order to use SEAndroid, vendors must install it by default.

However, this system can use another Linux Security Module instead of SEAndroid. By changing only the log parser, this system can adopt another Linux Security Module. And there are devices supporting TOMOYO Linux, which is one of the Linux Security Modules. The devices are made by the Japanese company Fujitsu and sold on the Japanese market.

That’s why this system already works on some commercial devices. And I think all devices will support a Linux Security Module in several years, because a Linux Security Module is essential to defend Android from malware.

Lastly, I want to improve the Android security system and decrease the damage done by Android malware with this system. Thank you for listening.