SlideShare a Scribd company logo

Native Code Execution Control for Attack Mitigation on Android

Fraunhofer AISEC
Fraunhofer AISEC

In this talk, researchers from Fraunhofer AISEC demonstrate how Android can be made immune against all current local root exploits. The techniques detailed in this talk significantly raise the hurdles for successful potent attacks on Android devices and strongly limit the capabilities of malware. Currently, any app with Internet access can download code via the network at runtime and execute it, without the user or the system noticing. This includes malicious code such as root exploits. These flaws are addressed by the paper presented in this talk, entitled "Native Code Execution Control for Attack Mitigation on Android". The presentation was given at the 3rd Annual Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'13), colocated with the ACM Conference on Computer and Communications Security 2013 (CCS'13) in Berlin, Germany. If you are interested in our techreport "On the Effectiveness of Malware Protection on Android" please visit http://ais.ec/techreport

Technology
1 of 19
Download to read offline
Native Code Execution Control for Attack Mitigation on Android 3rd Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) Rafael Fedler, Marcel Kulicke, and Julian Schütte, November 8, 2013
Motivation and Teaser Currently, native code can be downloaded and executed at runtime on Android devices Includes (root) exploits All current root exploits are native code Allows for adding code after app installation, thus circumventing user and package manager authority Should not be possible in our opinion Any app with Internet access can download and execute root exploits w/o any hindrance Our approach: To control local privilege escalation attacks and malware building upon them, control native code execution Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 1 © Fraunhofer
Native Code Execution Control for Attack Mitigation on Android Background Malware on Android Basic observations: Exploits and native code usage Native code execution on Android Approach Binaries Libraries Discussion Shortcomings Comparison to other approaches Conclusion Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 2 © Fraunhofer
Malware on Android Classification Trivial classification: 1. Malware using root exploits 2. Malware not using root exploits For obvious reasons, 1. much more dangerous: Droppers or disguised, seemingly legitimate apps can silently install malicious apps from the net, circumventing the package manager and permission system If no NAND write protection: Irremovable installation of malicious apps to /system partition (usually mounted read-only) Apps installed on /system get access to potentially hazardous permissions (protection level signatureOrSystem) Generally, it can do anything and everything; Android’s sandboxing mechanism no longer applies Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 3 © Fraunhofer
Malware on Android Classification (2) & Further problems Class 2, on the other hand... Has to trick the user into manually installing malware Far more limited control over device Can be uninstalled by user Trivial conclusion: Root exploits problematic – Cpt. Obvious Additional problems: Device vendors’ patch policy Patches take many months, if supplied at all End of life for products often < 1.5 years Consequence: Many devices vulnerable to exploits for very long time Antivirus software extremely easy to fool Root exploits downloaded at runtime completely invisible to AV Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 4 © Fraunhofer
Exploits and native code usage Basic observations 1. All current root exploits exclusively implemented as native code Reasons: C header files → ease of development System call interfaces for privilege escalation Some creative tricks, e.g., excessive spawning of processes to hit RLIMIT_NPROC (RageAgainstTheCage) Flexibility for memory manipulation and system interaction Currently only as standalone binaries, no libraries 2. Less than 5% of all apps in Google Play Store use native code at all Mostly libraries, almost no binaries Our conclusion: Control native code to control exploits, without affecting most apps at all Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 5 © Fraunhofer
Background Native code execution on Android Two (official) ways: 1. Binaries Process, ProcessBuilder, Runtime API classes from within apps Need to be marked executable beforehand (!) 2. Libraries System API class: load() and loadLibrary() from within apps No need to mark executable before executing 3. Inofficial: Load/map machine code into memory space, make instruction pointer point to beginning of code Only works from within native code, not from within apps in Dalvik Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 6 © Fraunhofer
Background Native code execution on Android Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 7 © Fraunhofer
Background Advanced malware: Typical chain of actions until infection 1. Initial propagation Disguised as a legitimate app Repackaged Update of legitimate app after hijacking of developer’s account and signing key etc. 2. Download of root exploit at runtime, in case it is not shipped with app package file 3. Mark exploit executable with chmod 4. Execute root exploit and carry out payload Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 8 © Fraunhofer
Native Code Execution Control for Attack Mitigation on Android Background Malware on Android Basic observations: Exploits and native code usage Native code execution on Android Approach Binaries Libraries Discussion Shortcomings Comparison to other approaches Conclusion Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 9 © Fraunhofer
Approach Basic idea Do not break native code execution, but control what can be executed by whom Mandatory or Discretionary (Android permission based) Access Control solutions possible Different approaches in the following Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 10 © Fraunhofer
Approach Binaries Control ability to set the executable bit No scenario where an app should mark anything executable at runtime Undermines the system’s & user’s authority over runnable software on device Apps should ship all software at install time and not be able to download & execute code from the net at runtime −→ default case: disallow setting the executable bit for files Exception: directories (different semantics of executable bit) Checks to be integrated into (f)chmod system call interface in kernel Could be circumvented if integrated into chmod utility or libc stub by invoking syscall No problem for preshipped binaries: file system image manipulation Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 11 © Fraunhofer
Approach Binaries: Potential exceptions Problem with last slide’s MAC approach: Device owners want to root, too Potential MAC or DAC remedies: 1. UID or GID based exceptions Introduce option into AndroidManifest.xml and let package manager mark specified binaries executable + according permission (would still prevent download & execution at runtime) Whitelist root (UID 0) and shell (UID 2000) user s.t. they can still mark binaries as executable → device owners can run root exploits via USB access Introduce permission for apps to set executable bit & introduce corresponding GID 2. Permission-based exceptions Introduce permissions into Process, ProcessBuilder and Runtime classes’ methods for executing binaries If dangerous protection level: DAC If signature or signatureOrSystem protection level: MAC Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 12 © Fraunhofer
Approach Libraries Controlling binaries alone would trigger a shift to native libraries Three approaches: 1. Loader- and filesystem-based Require executable bit also for libraries & make System.load() and System.loadLibrary() check for it Thus, the aforementioned measures for binaries would apply to libraries too 2. Permission-based Secure the System class with a permission To be granted by users at installation time Retains possibility to still play games 3. Path-based Restrict System.load() and System.loadLibrary() to default path for preinstalled libraries Allows developers to still use preshipped libraries, but no own native code Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 13 © Fraunhofer
Native Code Execution Control for Attack Mitigation on Android Background Malware on Android Basic observations: Exploits and native code usage Native code execution on Android Approach Binaries Libraries Discussion Shortcomings Comparison to other approaches Conclusion Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 14 © Fraunhofer
Discussion Shortcomings mmap() some code + just jump into it mmap() can only be called from within native code → initial protection still provided Tampering with mmap() at kernel level can break library loading mechanisms and much more Return-oriented programming inside preshipped libraries/binaries Exploits targeting Dalvik not covered Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 15 © Fraunhofer
Discussion Comparison to other approaches SEAndroid: achieves the same (and even more) Requires extensive policies, not very lightweight, needs configuration Removing executability of any native code added after device manufacturing altogether Our approach obviously more flexible Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 16 © Fraunhofer
Discussion Conclusion Different levels of strictness and protection possible (MAC or DAC) Not perfect, but... lightweight compared to MAC approaches s.a. SEAndroid no policies required flexible Users may (DAC: permission-based) or may not (MAC) grant apps permission to still run native code Openness to modification retained All current root exploits would fail Hurdles of exploitation strongly increased 95% of apps not affected at all as they do not run native code Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 17 © Fraunhofer
Contact Information Rafael Fedler, Marcel Kulicke, and Julian Schütte Group Mobile Security Department Service & Application Security Fraunhofer Research Institution for Applied and Integrated Security (AISEC) Address: Parkring 4 85748 Garching (near Munich) Germany Internet: http://www.aisec.fraunhofer.de Phone: Fax: E-Mail: +49 89 3229986-173 +49 89 3229986-299 rafael.fedler@aisec.fraunhofer.de Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 18 © Fraunhofer

Recommended

An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition Fraunhofer AISEC
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsCodenomicon
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsJan Seidl
 
Ids & ips
Ids & ipsIds & ips
Ids & ipsLan & Wan Solutions
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
Sandboxing
SandboxingSandboxing
SandboxingLan & Wan Solutions
 

Recommended

An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition An Antivirus API for Android Malware Recognition
An Antivirus API for Android Malware Recognition Fraunhofer AISEC
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsCodenomicon
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsJan Seidl
 
Ids & ips
Ids & ipsIds & ips
Ids & ipsLan & Wan Solutions
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
Sandboxing
SandboxingSandboxing
SandboxingLan & Wan Solutions
 
Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesIRJET Journal
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection PresentationMustafash79
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
What's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized SecurityWhat's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized SecuritySophos Benelux
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
Advanced fuzzing in the vo ip space
Advanced fuzzing in the vo ip spaceAdvanced fuzzing in the vo ip space
Advanced fuzzing in the vo ip spaceUltraUploader
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsAshley Zupkus
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Introduction of firewall slides
Introduction of firewall slidesIntroduction of firewall slides
Introduction of firewall slidesrahul kundu
 
Panda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security
 
NIDS ppt
NIDS pptNIDS ppt
NIDS pptMahendar Reddy
 
UTM - The Complete Security Box
UTM - The Complete Security BoxUTM - The Complete Security Box
UTM - The Complete Security BoxSophos
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesMiguel Ponce de Leon @ TSSG / Waterford Institute of Technology
 
APT - Project
APT - Project APT - Project
APT - Project Dev Lavaniya
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not MarketingArrowECS_CZ
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Andrew Ryan
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníMarketingArrowECS_CZ
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systemssamis
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 

More Related Content

What's hot

Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesIRJET Journal
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection PresentationMustafash79
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
What's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized SecurityWhat's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized SecuritySophos Benelux
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
Advanced fuzzing in the vo ip space
Advanced fuzzing in the vo ip spaceAdvanced fuzzing in the vo ip space
Advanced fuzzing in the vo ip spaceUltraUploader
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsAshley Zupkus
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Introduction of firewall slides
Introduction of firewall slidesIntroduction of firewall slides
Introduction of firewall slidesrahul kundu
 
Panda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security
 
UTM - The Complete Security Box
UTM - The Complete Security BoxUTM - The Complete Security Box
UTM - The Complete Security BoxSophos
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not MarketingArrowECS_CZ
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Andrew Ryan
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníMarketingArrowECS_CZ
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systemssamis
 

What's hot (20)

Denial of Service Attack Defense Techniques
Denial of Service Attack Defense TechniquesDenial of Service Attack Defense Techniques
Denial of Service Attack Defense Techniques
 
Intrusion Detection Presentation
Intrusion Detection PresentationIntrusion Detection Presentation
Intrusion Detection Presentation
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
What's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized SecurityWhat's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized Security
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
 
Advanced fuzzing in the vo ip space
Advanced fuzzing in the vo ip spaceAdvanced fuzzing in the vo ip space
Advanced fuzzing in the vo ip space
 
Proving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEsProving the Security of Low-Level Software Components & TEEs
Proving the Security of Low-Level Software Components & TEEs
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Introduction of firewall slides
Introduction of firewall slidesIntroduction of firewall slides
Introduction of firewall slides
 
Panda Security - Endpoint Protection
Panda Security - Endpoint ProtectionPanda Security - Endpoint Protection
Panda Security - Endpoint Protection
 
NIDS ppt
NIDS pptNIDS ppt
NIDS ppt
 
UTM - The Complete Security Box
UTM - The Complete Security BoxUTM - The Complete Security Box
UTM - The Complete Security Box
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile Services
 
APT - Project
APT - Project APT - Project
APT - Project
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešení
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systems
 

Similar to Native Code Execution Control for Attack Mitigation on Android

Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Android Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfAndroid Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfNomanKhan869872
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devicesIOSR Journals
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Comodo advanced endpoint protection
Comodo advanced endpoint protectionComodo advanced endpoint protection
Comodo advanced endpoint protectionDavid Waugh
 
Android 130923124440-phpapp01
Android 130923124440-phpapp01Android 130923124440-phpapp01
Android 130923124440-phpapp01rajesh kumar
 
Mobile Application Development powerpoint
Mobile Application Development powerpointMobile Application Development powerpoint
Mobile Application Development powerpointJohnLagman3
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementCodenomicon
 
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROIDHONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROIDIJCNCJournal
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
 
Android Overview
Android OverviewAndroid Overview
Android OverviewRaju Kadam
 

Similar to Native Code Execution Control for Attack Mitigation on Android (20)

Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Android Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfAndroid Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdf
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
 
Android
AndroidAndroid
Android
 
Android ppt
Android ppt Android ppt
Android ppt
 
Android Applications
Android ApplicationsAndroid Applications
Android Applications
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Comodo advanced endpoint protection
Comodo advanced endpoint protectionComodo advanced endpoint protection
Comodo advanced endpoint protection
 
Android
AndroidAndroid
Android
 
Android 130923124440-phpapp01
Android 130923124440-phpapp01Android 130923124440-phpapp01
Android 130923124440-phpapp01
 
Mobile Application Development powerpoint
Mobile Application Development powerpointMobile Application Development powerpoint
Mobile Application Development powerpoint
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
 
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROIDHONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
HONEYPOTLABSAC: A VIRTUAL HONEYPOT FRAMEWORK FOR ANDROID
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection Methods
 
Android Overview
Android OverviewAndroid Overview
Android Overview
 

More from Fraunhofer AISEC

Fraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer AISEC
 
Produktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteProduktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteFraunhofer AISEC
 
Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Fraunhofer AISEC
 
Marktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitMarktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitFraunhofer AISEC
 
Cybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityCybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityFraunhofer AISEC
 
Sicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITSicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITFraunhofer AISEC
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidFraunhofer AISEC
 
PEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsPEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsFraunhofer AISEC
 
Firmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFirmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFraunhofer AISEC
 
Cyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftCyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftFraunhofer AISEC
 
IKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthIKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthFraunhofer AISEC
 
Innovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungInnovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungFraunhofer AISEC
 
40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg40 Jahre Informatik Hamburg
40 Jahre Informatik HamburgFraunhofer AISEC
 
Security for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsSecurity for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsFraunhofer AISEC
 

More from Fraunhofer AISEC (20)

Fraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vornFraunhofer Magazin weiter.vorn
Fraunhofer Magazin weiter.vorn
 
Internet of (Every)Thing
Internet of (Every)ThingInternet of (Every)Thing
Internet of (Every)Thing
 
App Ray: 10000 Apps
App Ray: 10000 AppsApp Ray: 10000 Apps
App Ray: 10000 Apps
 
Produktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische GeräteProduktschutz-Technologien für elektronische Geräte
Produktschutz-Technologien für elektronische Geräte
 
Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013Cyber-Sicherheit - Newsletter 2013
Cyber-Sicherheit - Newsletter 2013
 
Marktchancen mit IT-Sicherheit
Marktchancen mit IT-SicherheitMarktchancen mit IT-Sicherheit
Marktchancen mit IT-Sicherheit
 
Cybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for SecurityCybersecurity 2013 - Design for Security
Cybersecurity 2013 - Design for Security
 
Sicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der ITSicherheitsgipfel - Chancen und Risiken der IT
Sicherheitsgipfel - Chancen und Risiken der IT
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
 
PEP - Protecting Electronic Products
PEP - Protecting Electronic ProductsPEP - Protecting Electronic Products
PEP - Protecting Electronic Products
 
Firmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote UpdateFirmware Encryption and Secure Remote Update
Firmware Encryption and Secure Remote Update
 
Infografik Produktschutz
Infografik ProduktschutzInfografik Produktschutz
Infografik Produktschutz
 
Cyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der WissenschaftCyber Security aus Sicht der Wissenschaft
Cyber Security aus Sicht der Wissenschaft
 
Produktschutz Infografik
Produktschutz InfografikProduktschutz Infografik
Produktschutz Infografik
 
IKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealthIKT-Trends und deren Bedeutung für eHealth
IKT-Trends und deren Bedeutung für eHealth
 
Innovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht ForschungInnovation braucht Sicherheit - Sicherheit braucht Forschung
Innovation braucht Sicherheit - Sicherheit braucht Forschung
 
Alan Turing
Alan Turing Alan Turing
Alan Turing
 
Sicherheit im Smart Grid
Sicherheit im Smart GridSicherheit im Smart Grid
Sicherheit im Smart Grid
 
40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg40 Jahre Informatik Hamburg
40 Jahre Informatik Hamburg
 
Security for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded SystemsSecurity for Automotive with Multicore-based Embedded Systems
Security for Automotive with Multicore-based Embedded Systems
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Native Code Execution Control for Attack Mitigation on Android

  • 1. Native Code Execution Control for Attack Mitigation on Android 3rd Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) Rafael Fedler, Marcel Kulicke, and Julian Schütte, November 8, 2013
  • 2. Motivation and Teaser Currently, native code can be downloaded and executed at runtime on Android devices Includes (root) exploits All current root exploits are native code Allows for adding code after app installation, thus circumventing user and package manager authority Should not be possible in our opinion Any app with Internet access can download and execute root exploits w/o any hindrance Our approach: To control local privilege escalation attacks and malware building upon them, control native code execution Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 1 © Fraunhofer
  • 3. Native Code Execution Control for Attack Mitigation on Android Background Malware on Android Basic observations: Exploits and native code usage Native code execution on Android Approach Binaries Libraries Discussion Shortcomings Comparison to other approaches Conclusion Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 2 © Fraunhofer
  • 4. Malware on Android Classification Trivial classification: 1. Malware using root exploits 2. Malware not using root exploits For obvious reasons, 1. much more dangerous: Droppers or disguised, seemingly legitimate apps can silently install malicious apps from the net, circumventing the package manager and permission system If no NAND write protection: Irremovable installation of malicious apps to /system partition (usually mounted read-only) Apps installed on /system get access to potentially hazardous permissions (protection level signatureOrSystem) Generally, it can do anything and everything; Android’s sandboxing mechanism no longer applies Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 3 © Fraunhofer
  • 5. Malware on Android Classification (2) & Further problems Class 2, on the other hand... Has to trick the user into manually installing malware Far more limited control over device Can be uninstalled by user Trivial conclusion: Root exploits problematic – Cpt. Obvious Additional problems: Device vendors’ patch policy Patches take many months, if supplied at all End of life for products often < 1.5 years Consequence: Many devices vulnerable to exploits for very long time Antivirus software extremely easy to fool Root exploits downloaded at runtime completely invisible to AV Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 4 © Fraunhofer
  • 6. Exploits and native code usage Basic observations 1. All current root exploits exclusively implemented as native code Reasons: C header files → ease of development System call interfaces for privilege escalation Some creative tricks, e.g., excessive spawning of processes to hit RLIMIT_NPROC (RageAgainstTheCage) Flexibility for memory manipulation and system interaction Currently only as standalone binaries, no libraries 2. Less than 5% of all apps in Google Play Store use native code at all Mostly libraries, almost no binaries Our conclusion: Control native code to control exploits, without affecting most apps at all Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 5 © Fraunhofer
  • 7. Background Native code execution on Android Two (official) ways: 1. Binaries Process, ProcessBuilder, Runtime API classes from within apps Need to be marked executable beforehand (!) 2. Libraries System API class: load() and loadLibrary() from within apps No need to mark executable before executing 3. Inofficial: Load/map machine code into memory space, make instruction pointer point to beginning of code Only works from within native code, not from within apps in Dalvik Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 6 © Fraunhofer
  • 8. Background Native code execution on Android Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 7 © Fraunhofer
  • 9. Background Advanced malware: Typical chain of actions until infection 1. Initial propagation Disguised as a legitimate app Repackaged Update of legitimate app after hijacking of developer’s account and signing key etc. 2. Download of root exploit at runtime, in case it is not shipped with app package file 3. Mark exploit executable with chmod 4. Execute root exploit and carry out payload Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 8 © Fraunhofer
  • 10. Native Code Execution Control for Attack Mitigation on Android Background Malware on Android Basic observations: Exploits and native code usage Native code execution on Android Approach Binaries Libraries Discussion Shortcomings Comparison to other approaches Conclusion Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 9 © Fraunhofer
  • 11. Approach Basic idea Do not break native code execution, but control what can be executed by whom Mandatory or Discretionary (Android permission based) Access Control solutions possible Different approaches in the following Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 10 © Fraunhofer
  • 12. Approach Binaries Control ability to set the executable bit No scenario where an app should mark anything executable at runtime Undermines the system’s & user’s authority over runnable software on device Apps should ship all software at install time and not be able to download & execute code from the net at runtime −→ default case: disallow setting the executable bit for files Exception: directories (different semantics of executable bit) Checks to be integrated into (f)chmod system call interface in kernel Could be circumvented if integrated into chmod utility or libc stub by invoking syscall No problem for preshipped binaries: file system image manipulation Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 11 © Fraunhofer
  • 13. Approach Binaries: Potential exceptions Problem with last slide’s MAC approach: Device owners want to root, too Potential MAC or DAC remedies: 1. UID or GID based exceptions Introduce option into AndroidManifest.xml and let package manager mark specified binaries executable + according permission (would still prevent download & execution at runtime) Whitelist root (UID 0) and shell (UID 2000) user s.t. they can still mark binaries as executable → device owners can run root exploits via USB access Introduce permission for apps to set executable bit & introduce corresponding GID 2. Permission-based exceptions Introduce permissions into Process, ProcessBuilder and Runtime classes’ methods for executing binaries If dangerous protection level: DAC If signature or signatureOrSystem protection level: MAC Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 12 © Fraunhofer
  • 14. Approach Libraries Controlling binaries alone would trigger a shift to native libraries Three approaches: 1. Loader- and filesystem-based Require executable bit also for libraries & make System.load() and System.loadLibrary() check for it Thus, the aforementioned measures for binaries would apply to libraries too 2. Permission-based Secure the System class with a permission To be granted by users at installation time Retains possibility to still play games 3. Path-based Restrict System.load() and System.loadLibrary() to default path for preinstalled libraries Allows developers to still use preshipped libraries, but no own native code Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 13 © Fraunhofer
  • 15. Native Code Execution Control for Attack Mitigation on Android Background Malware on Android Basic observations: Exploits and native code usage Native code execution on Android Approach Binaries Libraries Discussion Shortcomings Comparison to other approaches Conclusion Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 14 © Fraunhofer
  • 16. Discussion Shortcomings mmap() some code + just jump into it mmap() can only be called from within native code → initial protection still provided Tampering with mmap() at kernel level can break library loading mechanisms and much more Return-oriented programming inside preshipped libraries/binaries Exploits targeting Dalvik not covered Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 15 © Fraunhofer
  • 17. Discussion Comparison to other approaches SEAndroid: achieves the same (and even more) Requires extensive policies, not very lightweight, needs configuration Removing executability of any native code added after device manufacturing altogether Our approach obviously more flexible Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 16 © Fraunhofer
  • 18. Discussion Conclusion Different levels of strictness and protection possible (MAC or DAC) Not perfect, but... lightweight compared to MAC approaches s.a. SEAndroid no policies required flexible Users may (DAC: permission-based) or may not (MAC) grant apps permission to still run native code Openness to modification retained All current root exploits would fail Hurdles of exploitation strongly increased 95% of apps not affected at all as they do not run native code Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 17 © Fraunhofer
  • 19. Contact Information Rafael Fedler, Marcel Kulicke, and Julian Schütte Group Mobile Security Department Service & Application Security Fraunhofer Research Institution for Applied and Integrated Security (AISEC) Address: Parkring 4 85748 Garching (near Munich) Germany Internet: http://www.aisec.fraunhofer.de Phone: Fax: E-Mail: +49 89 3229986-173 +49 89 3229986-299 rafael.fedler@aisec.fraunhofer.de Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 18 © Fraunhofer