AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection. Speaker: Ting Luo. Date: 2014/04/07.

1 AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection
Speaker: Ting Luo
Date: 2014/04/07
Zhemin Yang, Min Yang, Yuan Zhang, X. Sean Wang: Fudan University
Guofei Gu, Peng Ning: Texas A&M University, NC State University
CCS, 2013

2 Outline
1. Introduction
2. Background
3. Goal And Overall Architecture
4. Event-Space Constraint Guided Symbolic Execution
5. Dynamic Analysis Platform
6. Evaluation
7. Related Work
8. Conclusion And Future Work

3 Introduction
- Many benign apps normally need to collect sensitive data, such as location and contacts, and send it out to the cloud.
- Malicious apps that steal user data may exhibit the same behavior.
- Therefore, transmission of sensitive data by itself may not indicate true privacy leakage.
- A better indicator is whether the transmission is user-intended or not.

4 Introduction
User-intended data transmission
- For example: SMS management apps, location-based services
- Not a privacy leakage
Unintended data transmission
- Unknown to users
- Irrelevant to the function the user enjoys
- Judged as a privacy leakage

5 Introduction
- It is more practical to design an automated tool that provides a human analyst with the context information in which the data transmission occurs.
- Given a sensitive data transmission, AppIntent derives the input data and user interaction inputs that lead to the transmission.
- Context information: takes the form of a sequence of UI manipulations captured from a controlled execution.

6 Introduction
Symbolic Execution
- Systematically explores feasible paths of the program.
- Dealing with events triggered by user actions in GUI apps is challenging.
- Path explosion problem
New technique
- Event-space constraint guided symbolic execution

7 Introduction
Event-space constraint guided symbolic execution
1. Static analysis
2. Generate event-space constraints
3. Symbolic execution

9 Background
1. Symbolic Execution
(1) "Symbolic Execution and Program Testing," CACM, 1976
(2) "Symbolic Execution for Software Testing: Three Decades Later," CACM, 2013

10 Background
1. Symbolic Execution
- Explore as many different program paths as possible in a given amount of time.
- For each path:
  - Generate a set of concrete input values exercising that path
  - Check for the presence of various kinds of errors: security vulnerabilities, uncaught exceptions
- Using symbols instead of values!

11 Background
1. Symbolic Execution
(1) Symbolic state σ: σ is initialized to an empty map.
(2) Symbolic path constraint PC: PC is initialized to true.
(3) If a symbolic execution instance hits an exit statement or an error, the current instance of symbolic execution is terminated.
(4) Finally, PC is solved using a constraint solver to generate concrete input values.

12 Background
1. Symbolic Execution
Reference: "Symbolic Execution for Software Testing: Three Decades Later," CACM, 2013

13
line | σ                        | PC                          | PC'
init | Empty                    | True                        |
17   | {x->x0, y->y0}           | True                        |
6    | {x->x0, y->y0, z->2y0}   | True                        |
7    | {x->x0, y->y0, z->2y0}   | x0 = 2y0                    | x0 ≠ 2y0
8    | {x->x0, y->y0, z->2y0}   | (x0 = 2y0) ∧ (x0 > y0 + 10) | (x0 = 2y0) ∧ (x0 ≤ y0 + 10)

14 Background
1. Symbolic Execution
(5) Execution tree
PC: x0 = 2y0    PC': x0 ≠ 2y0
PC: (x0 = 2y0) ∧ (x0 > y0 + 10)    PC': (x0 = 2y0) ∧ (x0 ≤ y0 + 10)
=> x0 ≤ 20, y0 ≤ 10
=> y0 > 10, x0 > 20
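The σ / PC bookkeeping from the table and execution tree above, as a small executor added here for illustration (it is not code from the slides or from the AppIntent authors). It assumes the analysed program is `z = 2*y; if (x == z) { if (x > y + 10) ERROR }`, reconstructed from the table, and it uses a bounded exhaustive search in place of a real constraint solver.

```python
from itertools import product

# Expressions are nested tuples: ("var", n), ("sym", n), ("const", k), (op, a, b).
OPS = {"*": lambda a, b: a * b, "+": lambda a, b: a + b,
       "==": lambda a, b: a == b, ">": lambda a, b: a > b}

def subst(e, sigma):
    """Rewrite a program expression over symbolic inputs using state sigma."""
    if e[0] == "var":
        return sigma[e[1]]
    return e if e[0] == "const" else (e[0], subst(e[1], sigma), subst(e[2], sigma))

def ev(e, inputs):
    """Evaluate a symbolic expression under concrete values for the symbols."""
    if e[0] in ("sym", "const"):
        return inputs[e[1]] if e[0] == "sym" else e[1]
    if e[0] == "not":
        return not ev(e[1], inputs)
    return OPS[e[0]](ev(e[1], inputs), ev(e[2], inputs))

def explore(block, sigma, pc, out):
    """Fork at each branch; record (path constraint, hit_error) for every path."""
    for i, st in enumerate(block):
        if st[0] == "assign":
            sigma = {**sigma, st[1]: subst(st[2], sigma)}
        elif st[0] == "error":
            return out.append((pc, True))
        else:  # ("if", cond, then_block, else_block)
            c, rest = subst(st[1], sigma), block[i + 1:]
            explore(st[2] + rest, sigma, pc + [c], out)           # PC
            explore(st[3] + rest, sigma, pc + [("not", c)], out)  # PC'
            return
    out.append((pc, False))

def solve(pc, names, lo=-30, hi=30):
    """Stand-in for a constraint solver: bounded exhaustive search."""
    for vals in product(range(lo, hi + 1), repeat=len(names)):
        if all(ev(c, dict(zip(names, vals))) for c in pc):
            return dict(zip(names, vals))
    return None

# Constructed program matching the table: z = 2*y; if (x == z) if (x > y + 10) ERROR
X, Y = ("var", "x"), ("var", "y")
PROGRAM = [("assign", "z", ("*", ("const", 2), Y)),
           ("if", ("==", X, ("var", "z")),
            [("if", (">", X, ("+", Y, ("const", 10))), [("error",)], [])], [])]

def run():
    paths = []
    explore(PROGRAM, {"x": ("sym", "x0"), "y": ("sym", "y0")}, [], paths)
    return [(pc, err, solve(pc, ["x0", "y0"])) for pc, err in paths]
```

`run()` returns one entry per leaf of the execution tree; the single error path is solved to inputs with y0 > 10 and x0 > 20, as on the slide.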

15 Background
1. Symbolic Execution
(6) Loops or recursion
- Infinite number of paths if the termination condition for the loop is symbolic
(7) In practice, one needs to put a limit on the search
- A timeout, a limit on the number of paths, loop iterations, or exploration depth

16 Background
2. Android Event
(1) Callbacks of Lifecycle States
- These callbacks are automatically invoked by the Android application manager
- Non-deterministic
- Unbounded
=> Search space explosion problem!
(2) GUI Events and System Events
- Event Listeners
- Non-deterministic
- They can be triggered in any order and at any time

17 Background

19 Goal And Overall Architecture
Goal:
1. Produce the critical app inputs that lead to sensitive data transmission
2. Guarantee a good code coverage
3. Provide an easy-to-understand tool for human analysts to ascertain under what circumstance the sensitive data transmission happens

20 Goal And Overall Architecture
Overall Architecture:
Event-space Constraint Guided Symbolic Execution
(1) Static taint analysis
(2) Construct an event-space constraint graph
(3) Symbolic execution
Dynamic Program Analysis Platform
- Android InstrumentationTestRunner

21 Goal And Overall Architecture

23 Event-Space Constraint Guided Symbolic Execution

24 Event-Space Constraint Guided Symbolic Execution
1. A concrete example: Anzhuoduanxin (安卓短信)
(1) Broadcast Receiver: PushReceiver
- To retrieve extended data from the intent
- a is tainted
Taint Analysis: { OnReceive, i1 }

25 Event-Space Constraint Guided Symbolic Execution
(2) Activity MessagePopup
- To Irene: Hello…
- Retrieve message from a
Taint Analysis: { OnReceive, i1 } { startNewMessageQuery, i2 } { forward, i3 } { forward, i4 }

26 Event-Space Constraint Guided Symbolic Execution
(4) Start up ComposeMessageActivity
- Forward or not?
- SEND!
Taint Analysis: { OnReceive, i1 } { startNewMessageQuery, i2 } { forward, i3 } { forward, i4 } { sendMessage, i5 } { sendMessage, i6 }

27 Event-Space Constraint Guided Symbolic Execution
- Construction of the Event-space Constraint Graph
- Extracting Critical Events
- Extracting Essential Events

28 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph
(1) Two kinds of nodes
A thick-line node (critical events)
- The event handler method contains at least one instruction of a given data propagation path.
A thin-line node (essential events)
- A prerequisite for a critical event
- It does not contain any instructions of the given path.

29 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph
(1) Two kinds of nodes

31 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph
(2) Extracting Critical Events
- For each instruction in the path, we backward traverse the call graph to find all events that might trigger it.

32 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph

33 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph

35 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph
(3) Extracting Essential Events
- Supplement those missing lifecycle callbacks with directed edges according to the origin order
- In the current version of AppIntent, we only track:
  - Intents that eventually start a new activity or service
  - Broadcast messages that are properly handled by a BroadcastReceiver

36 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph

37 Event-Space Constraint Guided Symbolic Execution
- Construction of the Event-space Constraint Graph
- Extracting Critical Events
- Extracting Essential Events
- Guided Symbolic Execution

38 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph
(4) Guided Symbolic Execution
- P: the events that are triggered before the last traversed critical event
- C: the data constraints that should be fulfilled to reach the current execution point
- If C is empty, then none of the data inputs can result in the target execution

39 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph
(4) Guided Symbolic Execution
- Each time we proceed from a thick-line node, possible successors of this critical event are extracted.
- We randomly pick an event first and calculate a feasible path from the current critical event to the chosen successor.
- We extract the minimal path (using Dijkstra's algorithm) as a chain of events.

40 Event-Space Constraint Guided Symbolic Execution
2. Construction of the Event-space Constraint Graph
(4) Guided Symbolic Execution
We roll back the symbolic execution and try to trigger other feasible critical events if:
- the event chain is revealed to be not available to any inputs (C == ∅), or
- all possible successors in critical event chains are already explored (∀ e : CEC)

41 Event-Space Constraint Guided Symbolic Execution
- ce: critical event
- ne: next event
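The guided search from slides 38 to 41 (successor selection, minimal event chain via Dijkstra, rollback when C is empty), as an added sketch that is not the AppIntent implementation. Event names follow the Anzhuoduanxin slides; the graph edges, the lifecycle callbacks placed between them, the guards on `sms_body` and the two-value input domain are all constructed assumptions, and successors are tried in sorted order instead of randomly so the run is repeatable.

```python
import heapq

def shortest_chain(edges, src, dst, blocked):
    """Dijkstra with unit costs: minimal chain src -> dst via essential events only."""
    heap, seen = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        if path[-1] == dst:
            return path
        if path[-1] not in seen:
            seen.add(path[-1])
            for nxt in edges.get(path[-1], {}):
                if nxt == dst or nxt not in blocked:
                    heapq.heappush(heap, (cost + 1, path + [nxt]))
    return None

def guided(edges, critical, ce, sink, P, C):
    """P: events triggered so far. C: data inputs still satisfying every guard."""
    if ce == sink:
        return P, C[0]
    for ne in sorted(critical - set(P)):  # the slides pick randomly; sorted here
        chain = shortest_chain(edges, ce, ne, critical)
        if chain is None:
            continue
        C2 = [i for i in C if all(edges[a][b](i) for a, b in zip(chain, chain[1:]))]
        found = C2 and guided(edges, critical, ne, sink, P + chain[1:], C2)
        if found:  # otherwise C == empty set or dead end: roll back, try the next ne
            return found
    return None

# Constructed graph: event names follow the slides; edges and guards are assumptions.
ANY = lambda i: True
RECV, QUERY = "PushReceiver.onReceive", "MessagePopup.startNewMessageQuery"
FWD, SEND = "MessagePopup.forward", "ComposeMessageActivity.sendMessage"
COMPOSE = "ComposeMessageActivity.onCreate"
EDGES = {
    RECV: {"MessagePopup.onCreate": lambda i: i["sms_body"] != "",
           COMPOSE: lambda i: i["sms_body"] == ""},
    "MessagePopup.onCreate": {"MessagePopup.onResume": ANY},
    "MessagePopup.onResume": {QUERY: ANY},
    QUERY: {FWD: ANY},
    FWD: {COMPOSE: ANY},
    COMPOSE: {SEND: lambda i: i["sms_body"] != ""},
}
CRITICAL = {RECV, QUERY, FWD, SEND}                 # thick-line nodes
DOMAIN = [{"sms_body": ""}, {"sms_body": "Hello"}]  # bounded data-input space

def find_inputs():
    return guided(EDGES, CRITICAL, RECV, SEND, [RECV], DOMAIN)
```

The first chain tried (onReceive directly to ComposeMessageActivity) has contradictory guards, so C becomes empty and the search rolls back before finding the chain through MessagePopup.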

43 Dynamic Analysis Platform
- Presents which functionality is used when the transmission happens.
- A test case is generated automatically from the inputs gathered earlier and attached to the app by repackaging the original Android APK.
- Android InstrumentationTestRunner

44 Dynamic Analysis Platform
Features
(1) Automatically trigger event inputs
- To trigger a clicking event, a performClick operation is applied to the corresponding view
(2) Automatically provide data inputs
- Network inputs are not supported
- Android InstrumentationTestRunner cannot intercept and modify network inputs
(3) Highlight activated views of GUI events
- Setting the background color to red
(4) Highlight sensitive data read and transmission when the data loading and transmission happen

46 Evaluation
1. Evaluation Methodology
(i) When producing app inputs leading to some sensitive data transmission, to what extent does event-space constraint guided symbolic execution reduce the search space while guaranteeing the code coverage?
(ii) Using the controlled execution based on app inputs, how effective is AppIntent at distinguishing unintended data transmission from user-intended transmission?

47 Evaluation
1. Effectiveness of Event-space Constraint Guided Symbolic Execution

48 Evaluation
2. Effectiveness on Analyzing Sensitive Data Transmission
(750) (1000)

49 Evaluation
3. Effectiveness on Analyzing Sensitive Data Transmission
Interesting findings
(1) Data transmission of device IDs and phone numbers is very common but typically not noticed by most smartphone users.
(2) Lots of apps write sensitive data into the local logging system.

50 Evaluation
4. Analysis Time
- Static analysis phase costs 96 hours
  - Can be reduced by distributing the analysis workload to multiple machines
- Symbolic execution costs 5 to 134 minutes
  - Can be processed in parallel

51 Evaluation
5. Case Studies
Anzhuoduanxin (安卓短信)
- SMS management app
- Video: https://www.youtube.com/watch?v=RRqWQk4ztmI
Tapsnake
- A game that stealthily transmits user locations to a third-party receiver
- Video: https://www.youtube.com/watch?v=L4IvXzpYqzw

52 Evaluation
5. Case Studies

53 Evaluation
6. Usability of AppIntent
- We invited 3 Android experts
- Introduced AppIntent in less than 15 minutes
- Ran the driven executions for the 3 participants
- Asked the 3 participants to fill in a sheet

55 Related Work
- S. R. Ganov, C. Killmar, S. Khurshid, and D. E. Perry. Event listener analysis and symbolic execution for testing GUI applications. In ICFEM, 2009.
- P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for JavaScript. Security and Privacy, IEEE Symposium on, 0:513–528, 2010.
- Y. Zhang, M. Yang, B. Xu, Z. Yang, G. Gu, P. Ning, X. Wang, and B. Zang. Vetting undesirable behaviors in Android apps with permission use analysis (VetDroid). In CCS, 2013.

57 Conclusion And Future Work
AppIntent
- A new app validation framework to help human analysts determine if data transmission is intended by the user.
Future Work
- Native code
- Instrumentation of network input
- Fails to analyze some apps because the DEX decompilation tool, DED, failed to decompile these apps

58 Q & A
Image source: 辛卡米克

