
AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications (2014 Network and Distributed System Security Symposium). Presentation transcript.




Slide 1: 2014 Network and Distributed System Security Symposium. AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications. Mu Zhang, Heng Yin, Syracuse University. Presented by 林良軒, Advanced Defense Lab Seminar, NCU.

Slide 2: Outline
- Introduction
- Component Hijacking Attack
- Implementation
- Evaluation
- Conclusion
- Reference

Slide 3: Introduction. Component hijacking attack: a class of attacks that seek to gain unauthorized access (read, write, or both) to protected or private resources through exported components in vulnerable apps. Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities (CCS 2012).

Slide 4: (figure only) Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities.

Slide 5: Component hijacking attacks (figure; Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities). The Contact Manager App exports an EnumeratorService that returns the address book upon request and accepts unauthorized requests. Because the app itself holds the READ_CONTACTS permission from the Android Framework, a caller without that permission obtains unauthorized access to a protected resource.

Slide 6: Component hijacking attacks (figure; Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities). The Contact Manager App exports a Setting Update Receiver that accepts external updates; the app's internal DB (private storage) is not permission protected, so an external update can write to a critical area: unauthorized access to a private resource. The private storage table in the figure holds key/value pairs VoIP_Prefix = "1234" and Is_App_Licensed = false.

Slide 7: AppSealer as a Security Service
1. No source code access
2. Vulnerability-specific patching
3. Minimal performance overhead
4. Minimal impact on usability

Slide 8: [VulActivity]
- onCreate()
- onStart(): getLocation()
- onDestroy(): post(addr, location)
- getLocation(): getLastKnownLocation(), crypt()
- post(): HttpURLConnection, outputStream

Slides 9-12: figures only (no transcript text).

Slide 13: Workflow
(1) IR Translation
(2) Slice Computation
(3) Patch Statement Placement
(4) Patch Statement Optimization
(5) Bytecode Generation

Slide 14: Taint Slice Computation
A. Forward Dataflow Analysis
  1. Basic algorithm: use the def-use chain
  2. Special considerations:
     a. Static field
     b. Instance field
     c. Intent
     d. Class inheritance
     e. Thread
B. Backward Dependency Analysis
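As an added illustration (this is not AppSealer's code), the two passes named on this slide, forward dataflow along def-use chains from the source and backward dependency analysis from the sink, implemented in plain Java over a constructed three-address IR. The program itself, the choice of the Intent extra as the source and the network post as the sink, and the assumption that each variable is defined exactly once are mine; the slide's special cases (static and instance fields, Intents, class inheritance, threads) are not modelled.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example, not AppSealer's code: taint slice computation on a toy
// three-address IR. The forward pass walks def-use chains from the source,
// the backward pass walks data dependencies from the sink, and the slice is
// the intersection. The IR is assumed to be in single-assignment form, so a
// variable name has exactly one definition.
public class TaintSlice {

    // One statement: id, the variable it defines (null if none), the
    // variables it uses, and a display string.
    static final class Stmt {
        final int id;
        final String def;
        final Set<String> uses;
        final String text;

        Stmt(int id, String def, String text, String... uses) {
            this.id = id;
            this.def = def;
            this.text = text;
            this.uses = new HashSet<>(List.of(uses));
        }
    }

    // Forward dataflow: a statement is tainted if it is the source or uses a
    // tainted variable; the variable it defines then becomes tainted too.
    static Set<Integer> forward(List<Stmt> prog, int sourceId) {
        Set<String> taintedVars = new HashSet<>();
        Set<Integer> tainted = new LinkedHashSet<>();
        boolean changed = true;
        while (changed) {
            changed = false;
            for (Stmt s : prog) {
                boolean hit = s.id == sourceId;
                for (String u : s.uses) {
                    if (taintedVars.contains(u)) hit = true;
                }
                if (hit && tainted.add(s.id)) {
                    changed = true;
                    if (s.def != null) taintedVars.add(s.def);
                }
            }
        }
        return tainted;
    }

    // Backward dependency: a statement is needed if it is the sink or defines
    // a variable that an already-needed statement uses.
    static Set<Integer> backward(List<Stmt> prog, int sinkId) {
        Set<String> needed = new HashSet<>();
        Set<Integer> dep = new LinkedHashSet<>();
        boolean changed = true;
        while (changed) {
            changed = false;
            for (int i = prog.size() - 1; i >= 0; i--) {
                Stmt s = prog.get(i);
                boolean hit = s.id == sinkId || (s.def != null && needed.contains(s.def));
                if (hit && dep.add(s.id)) {
                    changed = true;
                    needed.addAll(s.uses);
                }
            }
        }
        return dep;
    }

    // The slice: statements both reachable from the source and able to
    // influence the sink. Only these receive patch statements.
    static List<Stmt> slice(List<Stmt> prog, int sourceId, int sinkId) {
        Set<Integer> f = forward(prog, sourceId);
        Set<Integer> b = backward(prog, sinkId);
        List<Stmt> out = new ArrayList<>();
        for (Stmt s : prog) {
            if (f.contains(s.id) && b.contains(s.id)) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed program loosely modelled on the VulActivity slide. The
        // Intent extra (reachable through the exported component) is assumed
        // to be the source; the network post is the sink.
        List<Stmt> prog = List.of(
            new Stmt(1, "intent", "intent = getIntent()"),
            new Stmt(2, "addr",   "addr = intent.getStringExtra(\"addr\")", "intent"),
            new Stmt(3, "host",   "host = parseHost(addr)", "addr"),
            new Stmt(4, "mgr",    "mgr = getSystemService(LOCATION_SERVICE)"),
            new Stmt(5, "loc",    "loc = mgr.getLastKnownLocation(...)", "mgr"),
            new Stmt(6, "enc",    "enc = crypt(loc)", "loc"),
            new Stmt(7, "msg",    "msg = \"posting to \" + host", "host"),
            new Stmt(8, null,     "post(host, enc)", "host", "enc"));
        for (Stmt s : slice(prog, 2, 8)) {
            System.out.println(s.id + ": " + s.text);
        }
    }
}
```

On the constructed program the slice is statements 2, 3 and 8. Statement 7 is tainted but never reaches the sink, and statements 5 and 6 feed the sink but carry no taint, so neither group needs patch statements; that is what keeps the vulnerability-specific patch small compared with instrumenting the whole app.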

Slide 15: (figure) Slice 1, Slice 2.

Slide 16: figure only (no transcript text).

Slides 17-20: (figures) Slice 1.

Slide 21: Patch Statement Placement
A. Tainting Policy
  1. Directly modifies the bytecode to keep track of the selected tainted information
  2. Each single local variable, field, etc. has a shadow variable
B. Creating Shadow Variables
  1. Local Variables
  2. Static/Instance Fields
  3. Parameters and Return Value
C. Instrumenting the Source
D. Instrumenting Taint Propagation
E. Cleaning the Taint
F. Instrumenting the Sink

Slide 22: Patch Statement Placement. B. Shadow Variables: 1. Local Variables (figure).

Slide 23: Patch Statement Placement. B. Shadow Variables: 2. Static/Instance Fields (figure).

Slide 24: Patch Statement Placement. B. Shadow Variables: 3. Parameters and Return Value (figure).

Slides 25-26: Patch Statement Placement (outline recap of slide 21).

Slide 27: Patch Statement Placement. D. Instrumenting Taint Propagation: 1. Simple Assignments (figure).

Slide 28: Patch Statement Placement. D. Instrumenting Taint Propagation: 2. Function Calls (figure).

Slide 29: Patch Statement Placement. D. Instrumenting Taint Propagation
3. API Calls, for example:
   1. getString(), toString()
   2. android.widget.TextView.setText()
   3. Vector.add(Object)
   4. android.content.ContentValues.put(String key, Byte value)
4. Tracking References: if one of the references to an object is tainted, all other references to it should also be tainted.

Slide 30: Patch Statement Placement (outline recap of slide 21).

Slide 31: Patch Statement Placement. E. Cleaning the Taint. To properly clean the taint, for each variable appearing in the def-use chain inside the slice, we need to find all its definitions. For each definition outside the slice, we insert a statement after that definition that sets the variable's shadow to 0 (non-tainted).

Slide 32: Patch Statement Placement (outline recap of slide 21).

Slide 33: Patch Statement Placement. F. Instrumenting the Sink. If the data reaching the sink is tainted by certain sources, we can raise a pop-up dialog asking the user for a decision: Restart or Continue.
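The patch statements described on slides 21 through 33, rendered as hand-written Java so the mechanism can be read in one place. This is an added example and not AppSealer's output: AppSealer inserts equivalent statements into Dalvik bytecode without source access. The Intent, the location read, the network call, the dialog, and the names ending in _shadow and the BoolWrapper class are stand-ins I chose so the class runs on its own; the source is assumed to be the Intent extra and the sink the network post.

```java
import java.util.Map;

// Added example, not AppSealer's code: a source-level rendering of the
// patch statements the slides describe (shadow variables, source,
// propagation, cleaning and sink instrumentation). Every Android-specific
// piece is replaced by a stand-in so the class is self-contained.
public class PatchedVulActivity {

    // B.3: a function returning a possibly tainted value gets an extra
    // out-parameter that carries the return value's taint.
    static final class BoolWrapper {
        boolean value;
    }

    // Stand-in for the pop-up dialog at the sink: true = Continue, false = Restart.
    interface UserDecision {
        boolean allowContinue(String action);
    }

    private final Map<String, String> intentExtras;             // stand-in for getIntent()
    private final UserDecision dialog;
    private final StringBuilder network = new StringBuilder();  // records what post() sent

    // B.2: instance field and its shadow field (true = tainted).
    private String addr;
    private boolean addr_shadow;

    PatchedVulActivity(Map<String, String> intentExtras, UserDecision dialog) {
        this.intentExtras = intentExtras;
        this.dialog = dialog;
    }

    void onCreate() {
        // C: source instrumentation. The Intent extra is the taint source,
        // so its shadow is set immediately after the read.
        addr = intentExtras.get("addr");
        addr_shadow = true;
    }

    void onStart() {
        // E: cleaning the taint. location is defined outside the slice, so
        // the patch resets its shadow to false right after that definition.
        String location = getLocation();
        boolean location_shadow = false;

        // D.2: function call. Argument taint travels in through an extra
        // boolean parameter; return-value taint comes back in the BoolWrapper.
        BoolWrapper target_shadow = new BoolWrapper();
        String target = buildUrl(addr, addr_shadow, target_shadow);

        // D.1: a simple assignment copies the shadow along with the value.
        String url = target;
        boolean url_shadow = target_shadow.value;

        post(url, location, url_shadow, location_shadow);
    }

    private String getLocation() {
        return "lat=0.0,lon=0.0";   // constructed stand-in for getLastKnownLocation()
    }

    // D.3: API-style call (string concatenation): the result is tainted
    // if and only if an input is.
    private String buildUrl(String base, boolean base_shadow, BoolWrapper ret_shadow) {
        String out = base + "/upload";
        ret_shadow.value = base_shadow;
        return out;
    }

    // F: sink instrumentation. If any argument reaching the sink is tainted,
    // the user decides; "Restart" is modelled by throwing.
    private void post(String url, String body, boolean url_shadow, boolean body_shadow) {
        if (url_shadow || body_shadow) {
            if (!dialog.allowContinue("send location to " + url)) {
                throw new SecurityException("sink blocked: destination came from the Intent");
            }
        }
        network.append("POST ").append(url).append(' ').append(body);
    }

    String sent() {
        return network.toString();
    }

    public static void main(String[] args) {
        Map<String, String> extras = Map.of("addr", "http://example.invalid");  // constructed Intent

        PatchedVulActivity denied = new PatchedVulActivity(extras, action -> false);
        denied.onCreate();
        try {
            denied.onStart();
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        PatchedVulActivity allowed = new PatchedVulActivity(extras, action -> true);
        allowed.onCreate();
        allowed.onStart();
        System.out.println("sent: " + allowed.sent());
    }
}
```

Two details worth noticing. The shadow for location is written explicitly even though nothing taints it: that is the slide's "cleaning" step, which guarantees a stale shadow from another path can never leak into the sink check. And the BoolWrapper and the extra boolean parameters are exactly the overhead the later optimization slides target, since a copy propagation pass can often replace target_shadow.value with addr_shadow and drop the wrapper.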

Slide 34: Patch Optimization, to reduce the number of patch statements
O1. Removing Redundant BoolWrappers (copy propagation and dead assignment elimination)
O2. Removing Redundant Function Parameters
O3. Inlining Instrumentation Code
O4. Soot's Built-in Optimizations

Slide 35: Patch Optimization (figure): O1. Removing Redundant BoolWrappers; O2. Removing Redundant Function Parameters.

Slide 36: Patch Optimization. O3. Inlining Instrumentation Code: inlining the body of a small function into its callers avoids the function call overhead.

Slide 37: Patch Optimization (figure): O4. Soot's Built-in Optimizations.

Slide 38: Workflow
(1) IR Translation
(2) Slice Computation
(3) Patch Statement Placement
(4) Patch Statement Optimization
(5) Bytecode Generation

Slides 39-44: figures only (no transcript text).

Slides 45-48: Evaluation (figures and tables only; no transcript text).

Slide 49: Conclusion
A. Automatically generates patches
B. Shadow mechanism
C. Optimization

