Published by Callie Steveson. Modified over 9 years ago.
1
Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones
Roman Schlegel (City University of Hong Kong)
Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang (Indiana University Bloomington)
NDSS Symposium 2011
Presenter: 張逸文
2
Outline
- Introduction
- Overview
- Context-Aware Information Collection
- Stealthy Data Transmission
- Defense Architecture
- Evaluation
- Discussion
- Conclusion
3
Introduction (1/2)
- Full-fledged computing platforms
- The plague of data-stealing malware
- Sensory malware, e.g. video camera, microphone
- Security protections
  - Java virtual machines on Android
  - Anti-virus
  - Control over installing untrusted software
- Two new observations
  - Context of a phone conversation is predictable and fingerprinted
  - Built-in covert channel
4
Introduction (2/2)
- Main goal: extract a small amount of high-value private data from phone conversations and transmit it to a malicious party
- Major contributions:
  - Targeted, context-aware information discovery from sound recordings
  - Stealthy data transmission
  - Implementation and evaluation
  - Defensive architecture
6
Overview (1/2)
- Assumptions
  - Work under limited privileges
- Architectural overview
7
Overview (2/2)
- Video demo
- 4392 2588 8888 8888
9
Context-Aware Information Collection (1/7)
- Monitor the phone state
- Identify, record, analyze, extract
1. Audio recording
2. Audio processing
3. Targeted data extraction using profiles
10
Context-Aware Information Collection (2/7)
1. Audio recording
- When to record
  - Whenever the user initiates a phone call
  - Recording in the background
- Determining the number called
  - Intercept outgoing phone calls / read contact data
  - The first segment: compare with keywords in database
  - Relevant, non-overlapping keywords
  - Minimize necessary permissions
11
Context-Aware Information Collection (3/7)
2. Audio processing
- Decode file
- Speech/tone recognition
- Speech/tone extraction
12
Context-Aware Information Collection (4/7)
a) Tone recognition
- DTMF (dual-tone multi-frequency)
  - DTMF signaling channel to inform the mobile phone network of the pressed key
  - Aural feedback leaks to a side channel
- Goertzel's algorithm
13
Context-Aware Information Collection (5/7)
b) Speech recognition
- Google service: speech recognition functionality
- PocketSphinx
- Segmentation: segments containing speech
14
Context-Aware Information Collection (6/7)
3. Targeted data extraction using profiles
- Focus on IVRs (interactive voice response systems)
- Phone menus based on predetermined profiles
15
Context-Aware Information Collection (7/7)
General profiles
- Speech signatures
- Sequence detection
- Speech characteristics
17
Stealthy Data Transmission
- Processing centrally isn't ideal
  - No local processing on 1 minute recording → 94 KB
  - Credit card number → 16 bytes
- Legitimate, existing application with network access
- A paired Trojan application with network access and communication through covert channel
18
Leveraging third-party applications
- Permission mechanism only restricts individual applications
- Ex: using the browser to open the URL http://target?number=N
- Drawback: more noticeable due to "foreground"
- Ads to cover
19
Covert channels with paired Trojans (1/4)
- Paired Trojans: Soundminer, Deliverer
- Installation of paired Trojan applications
  - Pop-up ad
  - Packaged app
- Covert channels on the smartphone
  - Vibration settings
  - Volume settings
  - Screen
  - File locks
20
Covert channels with paired Trojans (2/4)
Vibration settings
- Any application can change the vibration settings
- Communication channel: every time the setting is changed, the system sends a notification to interested applications
- Saving and restoring original settings at opportune times
- No permissions needed
- Does not leave any traces
21
Covert channels with paired Trojans (3/4)
Volume settings
- Not automatically broadcast
- Set and check the volume alternately
- 3 bits per iteration
- Sending at times
- Reading at times
- Miss a window
Screen
- Invisible visible channel
- Covert channel: screen settings
- Prevent the screen from actually turning on
- Permission WAKE_LOCK
22
Covert channels with paired Trojans (4/4)
File locks
- Exchange information through competing for a file lock
- Signaling files S_1, ..., S_m
- One data file
- S_1 ~ S_{m/2} for Soundminer, S_{m/2+1} ~ S_m for Deliverer
24
Defense Architecture
- Add a context-sensitive reference monitor to control the AudioFlinger service
- AudioFlinger: block all applications from accessing the audio data when a sensitive call is in progress
- Reference Service
  - RIL (radio interface layer)
  - Enter/leave a sensitive state
- Controller
  - Embedded in the AudioFlinger service
  - Exclusive Mode / Non-Exclusive Mode
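A simplified model of the reference monitor outlined on this slide, added here as an illustration and not code from the paper or from Android. The class and method names, the sample hotline number and the choice to hand back silence in exclusive mode are assumptions.

```python
SENSITIVE_NUMBERS = {"18005550100"}  # constructed sample hotline, not from the slides


def normalize(number):
    """Keep digits only so '+1 (800) 555-0100' and '18005550100' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


class Controller:
    """Sits inside the audio service and gates every recording read."""

    def __init__(self):
        self.exclusive = False   # non-exclusive mode by default
        self.denied = []         # apps whose reads were blanked, for auditing

    def set_exclusive(self, on):
        self.exclusive = on

    def read_audio(self, app, frames):
        if self.exclusive:
            self.denied.append(app)
            return bytes(len(frames))   # same length, all zero: silence
        return frames


class ReferenceService:
    """Receives call events (from the RIL) and drives the controller."""

    def __init__(self, controller, sensitive):
        self.controller = controller
        self.sensitive = {normalize(n) for n in sensitive}

    def on_call_started(self, dialed):
        # Enter the sensitive state only for numbers on the list.
        self.controller.set_exclusive(normalize(dialed) in self.sensitive)

    def on_call_ended(self):
        # Leave the sensitive state when the call is over.
        self.controller.set_exclusive(False)


def simulate():
    ctl = Controller()
    ref = ReferenceService(ctl, SENSITIVE_NUMBERS)
    pcm = b"\x10\x20\x30\x40"           # constructed stand-in for recorded samples
    out = {}
    ref.on_call_started("+1 (800) 555-0100")
    out["sensitive"] = ctl.read_audio("recorder.app", pcm)
    ref.on_call_ended()
    ref.on_call_started("555-0199")
    out["ordinary"] = ctl.read_audio("recorder.app", pcm)
    ref.on_call_ended()
    out["idle"] = ctl.read_audio("recorder.app", pcm)
    return out, ctl.denied
```

Because the gate is in the audio path itself, it applies to any application holding the recording permission, regardless of how that application was installed.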
26
Evaluation (1/2)
Experiment settings
- Environment
- Service hotline detection
- Tone recognition
- Speech recognition: getrusage()
- Profile-based data discovery: extracted high-value information
- Covert channel study: bandwidth in bits per second
- Reference monitor
27
Evaluation (2/2)
Experiment results
- Effectiveness
  - Service hotline detection
  - Tone/speech recognition
  - Detection by anti-virus applications
- Performance
29
Discussion
- Improvements on attack
- Defenses
30
Conclusion
- Soundminer, innocuous permissions
- Defense on sensor data stealing
- Highlighted the threat of stealthy sensory malware
31
Thanks ~
32
Goertzel's algorithm
33
Performance