Presentation is loading. Please wait.

Presentation is loading. Please wait.

Roman Schlegel City University of Hong Kong Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Indiana University Bloomington NDSS SYMPOSIUM.

Similar presentations


Presentation on theme: "Roman Schlegel City University of Hong Kong Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Indiana University Bloomington NDSS SYMPOSIUM."— Presentation transcript:

1 Roman Schlegel City University of Hong Kong Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Indiana University Bloomington NDSS SYMPOSIUM 2011 報告人:張逸文 Soundcomber : A Stealthy and Context-Aware Sound Trojan for Smartphones

2 Outline Introduction Overview Context-Aware Information Collection Stealthy Data Transmission Defense Architecture Evaluation Discussion Conclusion 2

3 Introduction ( 1/2 ) Full-fledged computing platforms The plague of data-stealing malwaredata-stealing malware  Sensory malware, ex : video camera, microphone video camera Security protections  Java virtual machines on Android  Anti-virus  Control installing un-trusted software Tow new observations  Context of phone conversation is predictable and fingerprinted  Built-in covert channel 3

4 Introduction ( 2/2 ) 4 Main goal :  Extract a small amount of high-value private data from phone conversations and transmit it to a malicious party Major contributions :  Targeted, context-aware information discovery from sound recordings  Stealthy data transmission  Implementation and evaluation  Defensive architecture

5 Outline Introduction Overview Context-Aware Information Collection Stealthy Data Transmission Defense Architecture Evaluation Discussion Conclusion 5

6 Overview ( 1/2 ) 6 Assumptions  work under limited privileges Architectural overview

7 Overview ( 2/2 ) 7 Video Demo. Video Demo

8 Outline Introduction Overview Context-Aware Information Collection Stealthy Data Transmission Defense Architecture Evaluation Discussion Conclusion 8

9 Context-Aware Information Collection ( 1/7 ) 9 monitor the phone state identify, record, analysis, extract 1.Audio recording 2.Audio processing 3.Targeted data extraction using profiles

10 Context-Aware Information Collection ( 2/7 ) Audio recording  When to record  Whenever the user initiates a phone call  Recording in the background  Determining the number called  intercept outgoing phone calls / read contact data  the first segment compare with keywords in database  relevant, non-overlapping keywords  minimize necessary permissions

11 Context-Aware Information Collection ( 3/7 ) Audio processing  decode file  speech/tone recognition  speech/tone extraction

12 Context-Aware Information Collection ( 4/7 ) 12 a) tone recognition  DTMF ( dual-tone multi-frequency ) DTMF  signaling channel to inform mobile phone network of the pressed key  aural feedback leaks to side-channel  Goertzel’s algorithm Goertzel’s algorithm

13 Context-Aware Information Collection ( 5/7 ) 13 b. Speech recognition  Google service : speech recognition functionality  PocketSphinx  Segmentation --- contain speech

14 Context-Aware Information Collection ( 6/7 ) Targeted data extraction using profiles  focus on IVRs ( Interactive Voice Response system )  Phone menus  based on predetermined profiles

15 Context-Aware Information Collection ( 7/7 ) 15  general profiles  Speech signatures  Sequence detection  Speech characteristics

16 Outline Introduction Overview Context-Aware Information Collection Stealthy Data Transmission Defense Architecture Evaluation Discussion Conclusion 16

17 Stealthy Data Transmission 17 Processing centrally isn’t ideal No local processing on 1 minute recording → 94KB Credit card number → 16 bytes Legitimate, existing application with network access A paired Trojan application with network access and communication through covert channel

18 Leveraging third-party applications 18 Permission mechanism only restricts individual application  Ex : using browser open URL http : // target ? number=N drawback : more noticeable due to “foreground”  Ads to cover

19 Covert channels with paired Trojans ( 1/4 ) 19 paired Trojans : Soundminer, Deliverer Installation of paired Trojan applications  Pop-up ad.  Packaged app. Covert channels on the smartphone  Vibration settings  Volume settings  Screen  File locks

20 Covert channels with paired Trojans ( 2/4 ) 20  Vibration settings  any application can change the vibration settings  communication channel : every time the setting is changed, the system sends a notification to interested applications  saving and restoring original settings at opportune times  no permissions needed  not leave any traces

21 Covert channels with paired Trojans ( 3/4 ) 21  Volume settings  not automatically broadcasted  set and check the volume alternatively  3 bits per iteration  Sending at times  Reading at times  miss a window  Screen  invisible visible channel  covert channel : screen settings  prevent the screen from actually turning on  permission WAKE_LOCK

22 Covert channels with paired Trojans ( 4/4 ) 22  File locks  exchange information through competing for a file lock  signaling files, S 1,……,S m  one data file  S 1 ~S m/2 for Soundminer, S m/2+1 ~S m for Deliverer

23 Outline Introduction Overview Context-Aware Information Collection Stealthy Data Transmission Defense Architecture Evaluation Discussion Conclusion 23

24 Defense Architecture 24 add a context-sensitive reference monitor to control the AudioFinger service AudioFinger block all applications from accessing the audio data when a sensitive call is in progress Reference Service RIL ( radio interface layer )  enter/leave a sensitive state Controller  Embedded in the AudioFinger service  Exclusive Mode / Non-Exclusive Mode

25 Outline Introduction Overview Context-Aware Information Collection Stealthy Data Transmission Defense Architecture Evaluation Discussion Conclusion 25

26 Evaluation ( 1/2 ) 26 Experiment settings  Environment  Service hotline detection  Tone recognition  Speech recognition --- getrusage()getrusage()  Profile-based data discovery --- extracted high-value information  Cover channel study --- bandwidth in bits per second  Reference monitor

27 Evaluation ( 2/2 ) 27 Experiment results  Effectiveness  Service hotline detection  Tone/speech recognition Tone/speech recognition  Detection by anti-virus applications  Performance Performance

28 Outline Introduction Overview Context-Aware Information Collection Stealthy Data Transmission Defense Architecture Evaluation Discussion Conclusion 28

29 Discussion 29 Improvements on attack Defenses

30 Conclusion 30 Soundminer, innocuous permissions Defense on sensor data stealing Highlighted the threat of stealthy sensory malware

31 31 Thanks ~

32 Goertzel’s algorithm 32

33 Performance 33


Download ppt "Roman Schlegel City University of Hong Kong Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Indiana University Bloomington NDSS SYMPOSIUM."

Similar presentations


Ads by Google