Trendmicro Security Award 2012 Final Presentation
Lectured at Trendmicro Security Award 2012 Final Round

Speaker notes:
  • I’m going to talk about a new malware detection system for Android built on SEAndroid.
  • My name is Hiromu Yakura. I’m 15 years old. My Twitter account is @hiromu1996.
  • I’m the youngest Japanese national certified security specialist. I like competitive programming, and I won a bronze medal at the Asia and Pacific Informatics Olympiad.
  • I also work on the Linux kernel and have had some patches accepted. I’m an Android developer, and I have lectured on Android security at Tokyo University under the title “What is SEAndroid?”.
  • In recent years the number of Android malware samples has been increasing explosively. This is a chart of detected Android malware.
  • It is clear that Android malware is becoming a big threat in the Android market.
  • This is a chart of detected malware types. Let’s look at the lower right.
  • This is DroidKungFu, at only about 3 percent. But I think it is the biggest threat, because it gains root access.
  • DroidKungFu carries two exploits to gain root access. The first uses a vulnerability in the Linux kernel; the second uses one in Android. It executes them and gains root access.
  • After gaining root access, it installs other malware without the user’s permission, and the user can’t delete that malware.
  • You may think the user can defend with an Android security application. But security applications cannot detect and remove DroidKungFu, because security applications themselves run inside the Android sandbox.
  • Also, all security applications adopt signature-based scanning, so they cannot detect zero-day attacks or encrypted files.
  • I propose a new Android security system. It can defend against zero-day attacks and root exploits.
  • This is an overview of the proposed system.
  • The system uses SEAndroid and Jubatus.
  • Jubatus is a distributed machine learning system developed by Japanese companies. SEAndroid is a Linux Security Module for Android.
  • First, I want to explain Jubatus. Jubatus is a distributed processing framework and a streaming machine learning library. Jubatus is better at real-time processing and distribution than systems like MapReduce and Hadoop.
  • Second, SEAndroid. SEAndroid is the Android version of the popular Linux security system SELinux. It is developed by the National Security Agency of the United States of America.
  • SEAndroid has three functions: mandatory access control, least privilege, and the audit log. My system uses the audit log for detection.
  • Next, I want to explain how this system works.
  • An application sends commands to the Android OS.
  • SEAndroid judges whether the command is valid according to the security policy.
  • If SEAndroid judges the command valid, it passes the command to the kernel.
  • If SEAndroid judges the command invalid, it blocks the command.
  • The blocked command is recorded in the audit log.
  • When the audit log is updated, the system sends the log to Jubatus, and Jubatus judges from the log whether the application is malware or not.
  • If Jubatus judges that the application is not malware, the application is added to a whitelist, and SEAndroid passes all commands of that application.
  • If Jubatus judges that the application is malware, the system notifies the user and urges the user to remove the application.
  • I want to show a demonstration.
  • This system has three features. The first is behavioral detection, so this system can defend against zero-day attacks; no existing product can defend against zero-day attacks.
  • The second is the use of a Linux Security Module to enable root access detection. SEAndroid records only security incidents in the audit log, which is why this system has higher precision and is lighter than hooking system calls.
  • The last is real-time machine learning. The system learns from user feedback, so its precision keeps improving. Jubatus is the most suitable of all systems for this.
  • There are a few issues. This system depends on SEAndroid, but SEAndroid is built into the kernel, so to use SEAndroid, vendors must install it by default.
  • However, this system can use another Linux Security Module instead of SEAndroid; only the log parser needs to change. And there are devices supporting TOMOYO Linux, which is one of the Linux Security Modules. These devices are made by the Japanese company Fujitsu and sold on the Japanese market.
  • That is why this system already works on some commercial devices. And I think all devices will support a Linux Security Module within several years, because a Linux Security Module is essential to defend Android from malware.
  • Lastly, I want to improve Android’s security system and decrease the damage done by Android malware with this system. Thank you for listening.
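The detection loop described in the notes above (a denied command is written to the audit log, the log is fed to a classifier, and the app is whitelisted or the user is alerted, with user feedback retraining the model) as an added, stand-alone example. This is not the author's code and it does not use Jubatus: a small perceptron-style online classifier stands in for it, since the point is the feedback loop rather than the learning algorithm. The audit-log lines follow the SELinux "avc: denied" record format, but the package names, PIDs, inode numbers and the seed labels are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed SEAndroid audit-log excerpts in the SELinux "avc: denied" format. Package names,
# PIDs and inode numbers are made up; nothing was captured from a device. (comm= is the kernel's
# 15-character task name, so real package names appear truncated there; these are kept short.)
SEED_MALWARE_LOG = """\
type=AVC msg=audit(1340000000.001:1): avc: denied { setuid } for pid=900 comm="seed.rooter" capability=7 scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability
type=AVC msg=audit(1340000000.002:2): avc: denied { write } for pid=900 comm="seed.rooter" name="system" dev="mtdblock0" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=dir
"""
SEED_BENIGN_LOG = """\
type=AVC msg=audit(1340000000.003:3): avc: denied { getattr } for pid=901 comm="seed.benign" path="/sys/class/net" dev="sysfs" ino=10 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file
"""
DEVICE_LOG = """\
type=AVC msg=audit(1340000000.101:4): avc: denied { write } for pid=1201 comm="com.ex.kungfu" name="system" dev="mtdblock0" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=dir
type=AVC msg=audit(1340000000.102:5): avc: denied { setuid } for pid=1201 comm="com.ex.kungfu" capability=7 scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability
type=AVC msg=audit(1340000000.103:6): avc: denied { execute } for pid=1201 comm="com.ex.kungfu" name="su" dev="mtdblock0" ino=55 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file
type=AVC msg=audit(1340000000.201:7): avc: denied { read } for pid=1310 comm="com.ex.notes" name="wpa_supplicant.conf" dev="mtdblock1" ino=99 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
type=AVC msg=audit(1340000000.301:8): avc: denied { read } for pid=1422 comm="com.ex.clone" name="wpa_supplicant.conf" dev="mtdblock1" ino=99 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
"""
AVC_RE = re.compile(r'avc: +(?P<decision>denied|granted) +\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'decision': m.group('decision'), 'perms': m.group('perms').split(),
            'comm': f.get('comm', '?'), 'tcontext': f.get('tcontext', ''), 'tclass': f.get('tclass', '?')}

def features(ev):
    """Sparse features of one denial: permission, object class, and the
    permission/target-type/class triple ("what was attempted on what")."""
    parts = ev['tcontext'].split(':')
    ttype = parts[2] if len(parts) > 2 else 'unknown'
    feats = defaultdict(float)
    feats['tclass:' + ev['tclass']] += 1
    for perm in ev['perms']:
        feats['perm:' + perm] += 1
        feats['perm:%s|ttype:%s|tclass:%s' % (perm, ttype, ev['tclass'])] += 1
    return feats

def profile_apps(log_text):
    """Aggregate the denial features of each application, keyed by process name."""
    profiles = defaultdict(lambda: defaultdict(float))
    for ev in map(parse_avc, log_text.splitlines()):
        if ev and ev['decision'] == 'denied':
            for k, v in features(ev).items():
                profiles[ev['comm']][k] += v
    return profiles

class OnlineClassifier:
    """Stand-in for Jubatus: a linear model with perceptron updates, trained one
    example at a time so it absorbs user feedback as it arrives."""
    def __init__(self):
        self.w = defaultdict(float)
    def score(self, x):
        return sum(self.w[k] * v for k, v in x.items())
    def predict(self, x):
        return 'malware' if self.score(x) > 0 else 'benign'
    def train(self, x, label):
        y = 1.0 if label == 'malware' else -1.0
        if y * self.score(x) <= 0:  # wrong or undecided: move the boundary
            for k, v in x.items():
                self.w[k] += y * v

class Detector:
    """The loop from the talk: denial -> audit log -> classifier -> whitelist or alert,
    with user feedback retraining the model and invalidating the old model's whitelist."""
    def __init__(self):
        self.clf, self.whitelist, self.alerts = OnlineClassifier(), set(), set()
        for label, log in (('malware', SEED_MALWARE_LOG), ('benign', SEED_BENIGN_LOG)):
            for x in profile_apps(log).values():
                self.clf.train(x, label)
    def judge(self, log_text):
        decisions = {}
        for app, x in profile_apps(log_text).items():
            if app not in self.whitelist:  # whitelisted apps are never judged again
                (self.whitelist if self.clf.predict(x) == 'benign' else self.alerts).add(app)
            decisions[app] = 'benign' if app in self.whitelist else 'malware'
        return decisions
    def feedback(self, app, log_text, label):
        """The user overrules a verdict: retrain, and drop whitelist entries the old model made."""
        self.clf.train(profile_apps(log_text)[app], label)
        self.whitelist.clear()
        self.alerts.discard(app)

def demo():
    det = Detector()
    before = det.judge(DEVICE_LOG)
    # The user reports com.ex.notes (it read wpa_supplicant.conf) as malware: one feedback
    # event is enough for the look-alike com.ex.clone to be flagged on the next pass.
    det.feedback('com.ex.notes', DEVICE_LOG, 'malware')
    return before, det.judge(DEVICE_LOG)
```

Two points a practitioner would want to keep in mind. First, the whitelist as described in the talk means an app that was once judged benign is never judged again, so a later feedback event has to invalidate the earlier verdicts (the example clears the whitelist on feedback); otherwise the model learns but the device never acts on it. Second, keying events on `comm` is an assumption of this example: a native exploit binary spawned by an app runs under its own process name, so a real implementation would map the PID back to the owning application rather than trusting the process name.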
Slides:

    1. The new malware detection system with SEAndroid
       Hiromu Yakura <hiromu1996@gmail.com>
    2. Self-Introduction
       • Hiromu Yakura
       • 15 yo.
       • Twitter: @hiromu1996
    3. Self-Introduction
       • Japanese national certified security specialist
         • youngest record
       • Competitive programmer
         • Asia and Pacific Informatics Olympiad
         • won a bronze medal
    4. Self-Introduction
       • Linux kernel developer
         • accepted some patches
       • Android developer
         • lectured about Android security: “What is SEAndroid?” at Tokyo University
    5. Background
       • An alarming increase in Android malware
       [chart] Source: McAfee Threats Report: First Quarter 2012
    6. Background
       • An alarming increase in Android malware: a big threat
       [chart] Source: McAfee Threats Report: First Quarter 2012
    7. Background
       • Percentage of detected malware types
       [chart] Source: F-Secure Mobile Threat Report 2012 Q1
    8. Background
       • Percentage of detected malware types
       [same chart]
    9. Background
       • Percentage of detected malware types
       [same chart]
    10. DroidKungFu
       • This application contains exploit code
         • CVE-2009-1185: Linux kernel vulnerability
         • CVE-2010-EASY: Android vulnerability
    11. DroidKungFu
       • After gaining root access
         • installs other malware without user permission
         • user can’t delete the malware
    12. Security Application
       • Usual Android security applications
         • can’t detect root access
         • can’t remove DroidKungFu
       • Because of the Android sandbox
    13. Security Application
       • All of them adopt a signature-based system
         • can’t detect zero-day attacks
         • can’t detect encrypted files
    14. The new system
       • I propose a new system
         • defend from zero-day attacks
         • defend from root exploits
    15. The new system
       • System overview
       [diagram: Application, Policy, SEAndroid, Jubatus, Log, Linux Kernel, Android, Server]
    16. The new system
       • This system uses SEAndroid and Jubatus
       [overview diagram]
    17. The new system
       • This system uses Jubatus and SEAndroid
         • Jubatus is a distributed learning system
         • SEAndroid is an LSM (Linux Security Module)
    18. Jubatus
       • Distributed processing framework
       • Streaming machine learning library
         • better in real-time processing and distribution than MapReduce, Hadoop
    19. SEAndroid
       • One of the popular LSMs
       • Android version of SELinux
       • Developed by NSA
    20. SEAndroid
       • Mandatory Access Control
       • Least privileges
       • Audit log
    21. The new system
       • How it works
       [overview diagram]
    22. The new system
       • When an application sends commands
       [overview diagram]
    23. The new system
       • Judge whether the command is valid with the policy
       [overview diagram]
    24. The new system
       • If SEAndroid judges the command is valid
       [overview diagram]
    25. The new system
       • If SEAndroid judges the command is invalid
       [overview diagram]
    26. The new system
       • The command is recorded in the audit log
       [overview diagram]
    27. The new system
       • The system sends the log to Jubatus
       [overview diagram]
    28. The new system
       • Jubatus judges the application isn’t malware: whitelisted
       [overview diagram]
    29. The new system
       • Jubatus judges the application is malware
       [overview diagram]
    30. ~Demo~
    31. Features
       • Behavioral detection system
         • defend from zero-day attacks
         • no existing product can defend
    32. Features
       • Use SEAndroid (Linux Security Module)
         • enable root access detection
         • logging only security incidents
         • higher precision and lighter than syscall hooking
    33. Features
       • Real-time machine learning
         • study from user feedback
         • become higher precision steadily
         • Jubatus is best suited for this system
    34. Issue
       • This system depends on SEAndroid
         • SEAndroid is a built-in system of the kernel
         • vendors must install SEAndroid
       • No device on the market supports SEAndroid
    35. Solution
       • This system can use other LSMs
         • with only changing the log parser
       • There are devices supporting TOMOYO Linux
         • TOMOYO Linux is an LSM
         • the devices are made by Fujitsu
    36. Solution
       • Works on some commercial devices
       • In several years, all devices will support an LSM
         • because an LSM is essential for Android
    37. Lastly
       • I want to
         • improve the Android security system
         • decrease the damage of Android malware
    38. Thank you for listening