"From reactive to proactive mobile security" by Eric Bodden with Siegfried Rasthofer, Steven Arzt, Marc Miltenberger and Michael Pradel.
MobileSoft 2017, Buenos Aires, Argentina, 2017.
2. SOFTWARE ENGINEERING GROUP SECURE
Reactive security:
• Find vulnerabilities
• React to disclosures
• Fix vulnerabilities
• Static analysis
• Dynamic analysis
• Bug bounty
• …
Proactive security:
• Accept that vulnerabilities are a part of life
• Proactively contain their effect
• Proactively reason about those effects (risk analysis)
• Principle of least privilege
• Distrustful decomposition
6. SuSi [NDSS’14]
Figure: sources → code analysis → sinks; report potential privacy leaks. Example sinks: SMS/MMS, Bluetooth, NFC, Email, Internet.
• Found that many previous lists missed 90% of sources and sinks
• Also found that the definition of sources/sinks is not trivial
18. Even works for…
    public static void gdadbjrj(String paramString1,
            String paramString2) throws Exception {
        // Get class instance (class name is decrypted at runtime by gdadbjrj.gdadbjrj)
        Class clz = Class.forName(
            gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af"));
        Object localObject = clz.getMethod(
            gdadbjrj.gdadbjrj("]a9maFVM.9")).invoke(null);
        // Get method name
        String s = gdadbjrj.gdadbjrj("BaRIta*9caBBV]a");
        // Build parameter list
        Class c = Class.forName(
            gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
        Class[] arr = new Class[] {
            nglpsq.cbhgc, nglpsq.cbhgc, nglpsq.cbhgc, c, c };
        // Get method and invoke it
        clz.getMethod(s, arr).invoke(localObject, paramString1,
            null, paramString2, null, null);
    }
Resolves to: SmsManager.sendTextMessage(...)
19. Harvester enables de-obfuscation
Before (obfuscated, strings decrypted at runtime):
    Class c = Class.forName(gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
    ...
After (Harvester has substituted the runtime values):
    Class c = Class.forName("SmsManager");
    ...
    SmsManager.sendTextMessage(a, b, c, d, e);
    ...
21. FuzzDroid - Algorithm
Repeat until code target reached:
• Static pre-analysis
• Execute in controlled environment
    Intercept and modify environment values
    Record trace
• Refine environment

Example run (slides 21-23):
• 1st environment: DeviceID: 00000 → Miss most code
• 2nd environment: DeviceID: 12345, SMS: “” → Miss code target, but reach reading of SMS
• 3rd environment: DeviceID: 12345, SMS: “startAttack” → Reach code target
24. Extensible set of value providers
Figure 12: Overview of the FuzzDroid approach. Inputs (Application + Target Locations + Fuzzed APIs) feed the Fuzzing Framework, which uses an extensible set of value providers (Constant Value Provider, Symbolic Value Provider, File Value Provider, ...) to infer the Environment to reach the target location.
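The loop from slides 21-24, re-enacted as an added example (not FuzzDroid's own code): a toy app stands in for a sample that gates its payload on the device ID and an incoming SMS, the pre-analysis constants and the constant value provider are constructed stand-ins, and the run reproduces the three environments from the slides.

```python
"""Toy re-enactment of the FuzzDroid loop (slides 21-24): run the app in a
controlled environment, record the trace, refine the environment from the
trace, repeat until the code target is reached. Added example; stand-ins."""

TARGET = "sendTextMessage"  # code target: the sink from slides 18/19
# Constructed static pre-analysis result: constants each environment read is compared with.
PRE_ANALYSIS = {"DeviceID": ["12345"], "SMS": ["startAttack"]}

class Environment(dict):
    """Controlled environment: reads are intercepted and recorded; unchosen values default to ""."""
    def __init__(self, values):
        super().__init__(values)
        self.trace = []

    def read(self, name):
        self.trace.append("read " + name)
        return self.setdefault(name, "")

def toy_app(env):
    """Hypothetical app under test: target reached only when both checks pass (slides 21-23)."""
    if env.read("DeviceID") != "12345":       # emulator/sandbox check
        return env.trace + ["exit: emulator"]
    if env.read("SMS") != "startAttack":      # waits for a trigger SMS
        return env.trace + ["exit: no trigger"]
    return env.trace + [TARGET]

def constant_value_provider(name, tried):
    """Propose the next untried comparison constant from the pre-analysis."""
    return next((v for v in PRE_ANALYSIS.get(name, []) if v not in tried), None)
PROVIDERS = [constant_value_provider]  # extensible: append further providers

def fuzz(app, providers=PROVIDERS, max_rounds=10):
    """Returns (environment reaching TARGET or None, list of (env, trace))."""
    env, tried, history = {"DeviceID": "00000"}, {}, []  # 1st environment
    for _ in range(max_rounds):
        run = Environment(env)
        trace = app(run)
        env = dict(run)                   # now includes defaulted reads
        history.append((env, trace))
        if TARGET in trace:
            return env, history
        name = [t for t in trace if t.startswith("read ")][-1][5:]
        tried.setdefault(name, set()).add(env[name])
        proposals = (p(name, tried[name]) for p in providers)
        value = next((v for v in proposals if v is not None), None)
        if value is None:
            return None, history          # no provider has a new value
        env = {**env, name: value}        # refine the environment
    return None, history
```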
p checks whether the user’s network operator is part of a pre-defined list of (lines 13 to 28). This kind of technique is usually used in cases of targeted where only specific users are attacked, e.g., only users located in a certain
Environment reaching the target: DeviceID: 12345, SMS: “startAttack”
28. Reactive security vs. proactive security (recap)
Reactive security:
• Find vulnerabilities
• React to disclosures
• Fix vulnerabilities
• Static analysis
• Dynamic analysis
• Bug bounty
• …
Proactive security:
• Accept that vulnerabilities are a part of life
• Proactively contain their effect
• Proactively reason about those effects (risk analysis)
• Principle of least privilege
• Distrustful decomposition
29. Stagefright vulnerability
• Buffer overflow in the video transcoding function that produces a preview thumbnail for Android text messages
• Send a crafted video to a phone → arbitrary code execution
• The process listening to text messages requires root privileges
• The process for producing thumbnails also ran as root
• Ergo: arbitrary code execution as root!
31. Other problem: data protection
• German law prohibits any usage of personal data without explicit (!) consent
• Purpose of usage must be clear, and must be clearly related to the customer’s business
• Hence: current data-sharing practices used by most ad frameworks are illegal in Germany
• Will become illegal EU-wide on May 25th, 2018
33. In-process solution
• Advantage: still one process per app, no need for IPC with libs
• Drawback: weak isolation
• Could allow for permission assignment to individual libraries
• Possible implementation: piggyback on the Java security manager, if only it were available (it’s not)
34. Multi-process solution
• Advantages: strong process isolation; permission assignment to individual libraries could probably be done through standard Android means
• Drawback: libraries must communicate with the app via IPC
• Tool support could alleviate this problem
35. What will this take?
• Changes to the Android OS
• Developer support: must be able to master permission assignment to libraries
• Usability research: Do we want to show library permissions to users? Do we want to allow them to even change them?
• App-store support: Can one use additional permission info during triaging?