Trendmicro Security Award 2012 Final Presentation

Lectured at Trendmicro Security Award 2012 Final Round

  1. The new malware detection system with SEAndroid. Hiromu Yakura <hiromu1996@gmail.com>
  2. Self-Introduction • Hiromu Yakura • 15 yo. • Twitter: @hiromu1996
  3. Self-Introduction • Japanese national certified security specialist (youngest record) • Competitive programmer: Asia and Pacific Informatics Olympiad, won a bronze medal
  4. Self-Introduction • Linux kernel developer (some patches accepted) • Android developer • Lectured about Android security: “What is SEAndroid?” at Tokyo University
  5. Background • An alarming increase in Android malware (McAfee Threats Report: First Quarter 2012)
  6. Background • An alarming increase in Android malware: a big threat (McAfee Threats Report: First Quarter 2012)
  7. Background • Percentage of detected malware types (from F-Secure Mobile Threat Report 2012 Q1)
  8. Background • Percentage of detected malware types (from F-Secure Mobile Threat Report 2012 Q1)
  9. Background • Percentage of detected malware types (from F-Secure Mobile Threat Report 2012 Q1)
  10. DroidKungFu • This application contains exploit code • CVE-2009-1185 (Linux kernel vulnerability) • CVE-2010-EASY (Android vulnerability)
  11. DroidKungFu • After gaining root access, it installs other malware without the user's permission • The user can't delete the malware
  12. Security Application • Usual Android security applications • Can't detect root access • Can't remove DroidKungFu • Because of the Android sandbox
  13. Security Application • All of them adopt a signature-based system • Can't detect zero-day attacks • Can't detect encrypted files
  14. The new system • I propose a new system • Defends from zero-day attacks • Defends from root exploits
  15. The new system • System overview (diagram: Application, Policy, SEAndroid, Linux Kernel, Log, Jubatus Server)
  16. The new system • This system uses SEAndroid and Jubatus (same diagram)
  17. The new system • This system uses Jubatus and SEAndroid • Jubatus is a distributed learning system • SEAndroid is an LSM (Linux Security Module)
  18. Jubatus • Distributed processing framework • Streaming machine learning library • Better suited to real-time, distributed processing than MapReduce and Hadoop
  19. SEAndroid • One of the popular LSMs • Android version of SELinux • Developed by NSA
  20. SEAndroid • Mandatory access control • Least privilege • Audit log
  21. The new system • How it works (same diagram)
  22. The new system • When an application sends commands
  23. The new system • SEAndroid judges whether the command is valid under the policy
  24. The new system • If SEAndroid judges the command is valid
  25. The new system • If SEAndroid judges the command is invalid
  26. The new system • The command is recorded in the audit log
  27. The new system • The system sends the log to Jubatus
  28. The new system • Jubatus judges that the application isn't malware (whitelisted)
  29. The new system • Jubatus judges that the application is malware
  30. ~Demo~
  31. Features • Behavioral detection system • Defends from zero-day attacks, which none of the existing products can defend from
  32. Features • Uses SEAndroid (Linux Security Module) • Enables root access detection • Logs only security incidents • Higher precision and lighter than syscall hooking
  33. Features • Real-time machine learning • Learns from user feedback • Precision becomes steadily higher • Jubatus is best suited for this system
  34. Issue • This system depends on SEAndroid • SEAndroid is built into the kernel • Vendors must install SEAndroid • No device on the market supports SEAndroid
  35. Solution • This system can use another LSM by changing only the log parser • There are devices supporting TOMOYO Linux • TOMOYO Linux is an LSM • The devices are made by Fujitsu
  36. Solution • Works on some commercial devices • In several years, all devices will support an LSM, because an LSM is essential for Android
  37. Lastly • I want to improve the Android security system and decrease the damage from Android malware
  38. Thank you for listening
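The log-to-classifier path of slides 21 to 33 (a command SEAndroid denies is written to the audit log, the log is sent to a learner, and the learner is corrected from user feedback), as an added Python example that is not the author's code: it parses constructed SEAndroid AVC denial lines into per-process feature counts and trains a small online perceptron, which stands in for Jubatus here and is an assumption of this example, not the presented system.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit lines in SEAndroid AVC format (not output from a real device).
SAMPLE_LOG = """\
type=1400 audit(1340000000.001:10): avc: denied { execute } for pid=1201 comm="app_process" name="su" dev="mmcblk0p12" ino=33 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
type=1400 audit(1340000000.002:11): avc: denied { setuid } for pid=1201 comm="app_process" capability=7 scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability permissive=0
type=1400 audit(1340000000.003:12): avc: denied { write } for pid=1202 comm="app_process" name="system" dev="mmcblk0p9" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+) \} for pid=(?P<pid>\d+) .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def parse_denials(log_text):
    """Group denied operations by pid into feature counts keyed 'tclass:perm'.
    Only commands the policy rejects reach the audit log, so every feature is a
    security incident (slides 25-26, 32); this is the "log parser" of slide 35."""
    features = defaultdict(Counter)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m['perms'].split():
            features[int(m['pid'])][f"{m['tclass']}:{perm}"] += 1
    return features


class FeedbackClassifier:
    """Minimal online perceptron: one weight per feature, updated only when a
    user's feedback contradicts the current verdict (assumed stand-in for Jubatus)."""

    def __init__(self):
        self.w = Counter()   # missing features score 0
        self.bias = 0.0

    def score(self, feats):
        return self.bias + sum(self.w[k] * v for k, v in feats.items())

    def is_malware(self, feats):
        return self.score(feats) > 0

    def train(self, feats, malware):
        """User feedback: malware=True means the app was confirmed malicious."""
        y = 1 if malware else -1
        if y * self.score(feats) <= 0:        # misclassified: move the boundary
            for k, v in feats.items():
                self.w[k] += y * v
            self.bias += y
```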
