
1 Automatic Generation of Inter-Component Communication Exploits for Android Applications
Joshua Garcia, Institute for Software Research, Department of Informatics, University of California, Irvine

2 Mobile Malware Samples
The Rise of Mobile Security Threats
[Chart: Internet usage, 51.3% mobile vs. 48.7% desktop]
[Chart: mobile malware samples by year, 2009 to 2016, labelled >13M]

3 Android is the Primary Target
Source:

4 Inter-Component Communication in Android
Intent: Android event message
[Diagram: Photo and Facebook apps exchanging an Intent with action : SHARE, name : picture1, uri : media://picture1]

5 Some Android Vulnerability Types
- Inter-Process Denial of Service
- Fragment Injection
- Cross-Application Scripting (XAS)

6 Inter-Process Denial-of-Service Vulnerability
[Diagram labels: Mal App, Intent, Vuln App]

7 Fragment Injection Vulnerability
Mal App Vuln App Your loaded, no password needed

8 Cross-Application Scripting Vulnerability
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Fake Statement vulnerable to cross-application scripting

9 Cross-Application Scripting Vulnerability
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url : [Malicious URL]
Statement vulnerable to cross-application scripting
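
A hardened counterpart to the slide's `webView.loadUrl(url)`, added here as an example and not taken from the presentation: the Intent-supplied URL is parsed and checked against an https-only host allowlist before it can reach the WebView. The class name `IntentUrlPolicy` and the host `ads.example.com` are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/** Added example: vets an Intent-supplied URL before it reaches WebView.loadUrl(). */
public class IntentUrlPolicy {
    // Assumption: the hosts this app legitimately loads (constructed placeholder).
    private static final Set<String> ALLOWED_HOSTS = Set.of("ads.example.com");

    /** Returns the normalized URL to load, or empty if the value must be rejected. */
    static Optional<String> vet(String raw) {
        if (raw == null) return Optional.empty();
        final URI uri;
        try {
            uri = new URI(raw.trim()).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        // https only: rules out javascript:, file:, content:, data: and cleartext http.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return Optional.empty();
        // Reject userinfo, e.g. "https://ads.example.com@other.example/".
        if (uri.getRawUserInfo() != null) return Optional.empty();
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        // Hand the WebView the parsed form, not the raw string, to avoid parser differences.
        return Optional.of(uri.toASCIIString());
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for intent.getStringExtra("url").
        List<String> samples = List.of(
            "https://ads.example.com/wall?id=7",
            "http://ads.example.com/wall",
            "https://ads.example.com@other.example/",
            "javascript:alert(1)",
            "https://ads.example.com.other.example/");
        for (String s : samples) {
            System.out.println(vet(s).map(u -> "LOAD   " + u).orElse("REJECT " + s));
        }
        // Call site in AdsActivity.onCreate():
        //   IntentUrlPolicy.vet(intent.getStringExtra("url")).ifPresent(webView::loadUrl);
    }
}
```

If AdsActivity never needs Intents from other apps, declaring it with android:exported="false" in the manifest removes the external entry point altogether.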

10 Vulnerable vs. Exploitable
Vulnerability: a weakness in an application, system, device, or service that could lead to a failure to achieve security or privacy properties
Exploitability: the extent to which a vulnerability can be successfully used by a malicious attacker
- Is the exploit code available?
- Is the code hard to construct?
- Does the code work consistently?
Not all vulnerabilities are exploitable
Vulnerability: a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, availability, authentication, authorization or non-repudiation.

11 Cross-Application Scripting Non-Exploitable
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            Bundle data = intent.getExtras();
            WebView webView = … ;
            String url = data.getString("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url :
Statement vulnerable to cross-application scripting

12 Cross-Application Scripting Non-Exploitable
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            Bundle data = intent.getExtras();
            WebView webView = … ;
            String url = data.getString("url");
            if (LocalDate.now().equals(" ")) {
              webView.loadUrl(url);
            }
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url :
Non-exploitable vulnerability

13 Determining Exploitability
Are the vulnerabilities that existing techniques detect actually exploitable?
- Manual and painstaking effort
Automatically identify exploitable vulnerabilities
Benefits
- Reduce spurious vulnerabilities
- Prioritize bug fixes
- Inputs that help fix security bugs
- Stay ahead of zero-day vulnerabilities

14 Automatic Exploit Generation for Android
No approach exists that applies AEG to Android applications (apps)
Challenges of AEG for Android apps
- Inter-component communication among Android components
- Automatic assessment of exploitation of a vulnerability

15 Solution: LetterBomb
Goal: Automatic generation of inter-component communication exploits for Android apps
Combined static and dynamic analysis consisting of the following:
- Generation of Intents needed to make vulnerable statements execute
- Ability to modify Intent to include logic of malicious attack
- Production of software test oracles to verify exploitation

16 LetterBomb Overview
[Diagram labels: App, LetterBomb, Attack Intents, Instrumented Application, Instrumented Framework, Android Framework]

17 LetterBomb Overview
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Intent Modifications, Attack Intents, Instrumented Application, Instrumented Framework, Android Framework]

18 LetterBomb Overview
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Instrumented Application, Instrumented Framework, Android Framework]

19 LetterBomb Overview
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Exploit Oracle Instrumenter, Instrumented Application, Instrumented Framework, Android Framework]

20 Vulnerability Identification - XAS
- Identify final injection point of the malicious URL
- Track data passed to injection point to identify if it is from a received Intent

21 XAS Vulnerability Identification
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Identify injection point for XAS

22 XAS Vulnerability Identification
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Track data passed to injection point to determine if it originates from an Intent

23 XAS Vulnerability Identification
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Identified extraction from Intent

24 XAS Vulnerability Identification
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

25 XAS Vulnerability Identification
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Verify that Intent was received externally

26 XAS Vulnerability Identification
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Statement vulnerable to cross-application scripting

27 LetterBomb Overview
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Exploit Oracle Instrumenter, Instrumented Application, Instrumented Framework, Android Framework]

28 Attack Intent Generation
Construct an Intent to attack an app
Given a vulnerable statement,
- Start analysis at vulnerable statement
- Identify attributes of Intent needed to execute the vulnerable program path
- Supply logic of attack by modifying an Intent

29 XAS Attack Intent Generation Example
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent:
Statement vulnerable to cross-application scripting

30 XAS Attack Intent Generation Example
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent: url : ∅

31 XAS Attack Intent Generation Example
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent: expirytime : 2; url : ∅

32 XAS Attack Intent Generation Example
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url : ∅

33 XAS Attack Intent Generation Example
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url : [Attacker-supplied logic]

34 LetterBomb Overview
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Exploit Oracle Instrumenter, Instrumented Application, Instrumented Framework, Android Framework]

35 Exploit Oracle Instrumentation
One-time specification or construction of oracle per vulnerability type
- Oracles are reusable across all apps
Two parts of customized oracle
- Instrumentation of the vulnerable application or the Android framework
- Post-processing of logged statements to determine if exploit was successful

36 XAS Exploit Oracle Instrumentation
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url :

37 XAS Exploit Oracle Instrumentation
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
            webView.setWebViewClient(new WebViewClient() {
              public void onPageFinished(WebView view, String url) {
                Log.i("Instrument ", " loaded url:" + url);
                super.onPageFinished(view, url);
              }
            });
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url :
Add instrumentation code

38 XAS Exploit Oracle Instrumentation
    public class AdsActivity extends Activity {
      public void onCreate(Bundle savedInstanceState) {
        Intent intent = getIntent();
        String action = intent.getAction();
        if ("APPWALL".equals(action)) {
          if (intent.getIntExtra("expirytime", 0) > 0) {
            WebView webView = … ;
            String url = intent.getStringExtra("url");
            webView.loadUrl(url);
            webView.setWebViewClient(new WebViewClient() {
              public void onPageFinished(WebView view, String url) {
                Log.i("Instrument ", " loaded url:" + url);
                super.onPageFinished(view, url);
              }
            });
          }
        }
      }
    }

Attack Intent: action : APPWALL; expirytime : 2; url :
Assert that the log contains statement “Instrument: loaded url:
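
The post-processing half of the XAS oracle, as an added example (not LetterBomb's own code): it scans logcat text for the instrumentation line from the slide and reports whether the WebView finished loading the injected URL. The class name, the verdict names, the marker URL and the log lines are all constructed.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: post-processing step of an XAS exploit oracle over logcat text. */
public class XasOracle {
    // Matches the slide's Log.i("Instrument ", " loaded url:" + url) in logcat's
    // "brief" (I/Tag( pid): msg) and "threadtime" (... I Tag: msg) layouts.
    private static final Pattern LOADED = Pattern.compile(
        "\\bI[/ ]Instrument\\s*(?:\\(\\s*\\d+\\))?\\s*:\\s*loaded url:(\\S+)");

    enum Verdict { EXPLOITED, REACHED_OTHER_URL, NOT_REACHED }

    /** Classifies one run: did the WebView finish loading exactly the injected URL? */
    static Verdict judge(List<String> logLines, String injectedUrl) {
        Verdict verdict = Verdict.NOT_REACHED;
        for (String line : logLines) {
            Matcher m = LOADED.matcher(line);
            if (!m.find()) continue;               // not an instrumentation line
            if (m.group(1).equals(injectedUrl)) return Verdict.EXPLOITED;
            verdict = Verdict.REACHED_OTHER_URL;   // sink ran, but not with our value
        }
        return verdict;
    }

    public static void main(String[] args) {
        String marker = "https://oracle-marker.example/lb-1"; // constructed test URL
        // Constructed logcat excerpts, one list per run.
        List<String> exploited = List.of(
            "I/ActivityManager(  612): START u0 {act=APPWALL cmp=com.example/.AdsActivity}",
            "I/Instrument ( 4321):  loaded url:https://oracle-marker.example/lb-1");
        List<String> guarded = List.of(
            "I/ActivityManager(  612): START u0 {act=APPWALL cmp=com.example/.AdsActivity}");
        List<String> otherUrl = List.of(
            "03-14 10:15:02.123  4321  4321 I Instrument :  loaded url:https://ads.example.com/");
        List<String> otherTag = List.of(
            "I/OtherTag( 4321): text loaded url:https://oracle-marker.example/lb-1");
        System.out.println("exploited run: " + judge(exploited, marker));
        System.out.println("guarded run:   " + judge(guarded, marker));
        System.out.println("other URL run: " + judge(otherUrl, marker));
        System.out.println("other tag run: " + judge(otherTag, marker));
    }
}
```

A run in which a guard such as slide 12's date check blocks the sink produces no instrumentation line at all, which is how the oracle separates a reported vulnerability from a confirmed exploit.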

39 Empirical Evaluation
- Exploitability Detection
- Spurious Vulnerability Reduction
- Vulnerability Detection Comparison
- Runtime Efficiency Comparison

40 Exploitability Detection - Results
Successfully identified over 180 exploits from 10,000 apps

41 Spurious Vulnerability Reduction - Results
24%-96% spurious vulnerability reduction across 10,000 apps

42 Vulnerability Detection Comparison - Results
33%-60% improvement in vulnerability detection for LetterBomb

43 Efficiency Comparison - Results
LetterBomb executes 6 to 13 times faster than IBM ASC

44 Conclusion
LetterBomb: Automatic Exploit Generation over the ICC interface of Android Apps
- First exploitability detection for Android apps
- 24%-96% spurious vulnerability reduction
- 6 to 13 times faster than the state-of-the-art with 33%-60% improvement in vulnerability detection
Future work
- Add other vulnerability types to LetterBomb
- Utilize generated exploits for automatic vulnerability repair
Thank You!

45 Intent Accuracy – Subject Apps
App Package Name | App Description | SLOC | Intent-Controlled Paths
--- | --- | --- | ---
com.samsung.srpol | List a device's app categories and permissions | 4,649 | 47
com.naholyr.android.horairessncf | Search and track regional train in France | 4,054 | 90
cri.sanity | Phone call, SMS, audio recording, and bluetooth management | 9,604 | 458
com.ghostsq.commander | Multi-protocol local and remote file manager | 24,883 | 973
org.thialfihar.android.apg | Android port of OpenPGP for data encryption and decryption | 461,338 | 2,650

46 Intent Accuracy - Results
Correctness rate of over 96%

47 Automatic Exploit Generation Equation
Goal: automatically generate an input that satisfies the equation πbug ∧ πexploit
- πbug is an unsafe path predicate
- πexploit is an exploit predicate
  - Attacker’s logic
  - Successful exploitation
[Diagram: Input Space, containing Unsafe Inputs, containing Exploits (πbug ∧ πexploit)]
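
The same equation instantiated for the AdsActivity running example, as an added worked example that is not part of the presentation. Here $u$ stands for the URL placed in the Intent, $\mathit{log}$ for the log of the instrumented run, and $g$ for the date guard of slide 12; these symbols are assumptions introduced for illustration.

$$\pi_{bug} = (\mathit{action} = \text{"APPWALL"}) \wedge (\mathit{expirytime} > 0)$$

$$\pi_{exploit} = (\mathit{url} = u) \wedge (\text{"loaded url:"}\,u \in \mathit{log})$$

The Intent with action : APPWALL, expirytime : 2, url : $u$ satisfies $\pi_{bug}$, and the oracle's log check decides the second conjunct of $\pi_{exploit}$. For the guarded variant on slide 12 the path predicate becomes

$$\pi_{bug}' = \pi_{bug} \wedge g$$

and $g$ does not depend on any Intent field, so when $g$ is false at run time no choice of Intent satisfies $\pi_{bug}' \wedge \pi_{exploit}$: the statement is vulnerable but not exploitable.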

48 LetterBomb Overview
Exploit generation goal: πbug ∧ πexploit
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Exploit Oracle Instrumenter, Instrumented Application, Instrumented Framework, Android Framework]

49 LetterBomb Overview
Exploit generation goal: πbug ∧ πexploit
Aim to satisfy πbug
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Exploit Oracle Instrumenter, Instrumented Application, Instrumented Framework, Android Framework]

50 LetterBomb Overview
Exploit generation goal: πbug ∧ πexploit
Contains attacker’s logic of πexploit
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Exploit Oracle Instrumenter, Instrumented Application, Instrumented Framework, Android Framework]

51 LetterBomb Overview
Exploit generation goal: πbug ∧ πexploit
Handles successful exploitation portion of πexploit
[Diagram labels: App, LetterBomb, Vulnerability Identifier, Vulnerable Statements, Attack Intent Generator, Intent Modifications, Attack Intents, Exploit Oracle Instrumenter, Instrumented Application, Instrumented Framework, Android Framework]

