MobiSys 2017: Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation. Qiang Zeng, joint work with Lannan Luo, Chen Cao, Kai Chen, Jian Liu, Limin Liu, Neng Gao, Min Yang, Xinyu Xing, and Peng Liu.


1 MobiSys 2017 Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation Qiang Zeng joint work with Lannan Luo, Chen Cao, Kai Chen, Jian Liu, Limin Liu, Neng Gao, Min Yang, Xinyu Xing, and Peng Liu

2 Improving Software Security with Concurrent Monitoring, Automated Diagnosis, and Self-shielding
Android Architecture

3 Android architecture (diagram). Apps sit on top of the Android Framework. The framework consists of system services such as Location Manager Service, Window Manager Service, Activity Manager Service, Package Manager Service, Telephony Manager Service, Sensor Manager Service, and so on. Below the framework are the Libraries & Runtime and, at the bottom, the Linux Kernel.

4 Android Framework is Vulnerable

5 Threats Caused by Framework Vulnerabilities
Vulnerabilities in the Android Framework affect EVERY Android device. Examples of the resulting threats: stealing user passwords, taking pictures in the background, tampering with user data, and more.

6 Android Security Research
Most focus on Android apps Very few techniques and tools for analyzing Android Framework No tool available for automatically discovering vulnerabilities in Android Framework

7 Background: Symbolic Execution
Symbolic execution refers to the execution of a program or function with symbols as parameters, systematically exploring all paths of the program. It is much more powerful than fuzzing: conventional vulnerability discovery uses fuzzing, where inputs are randomly generated and path exploration is non-systematic. Symbolic execution is the state of the art in vulnerability discovery.

8 Example: symbolic execution of foo()

    int foo (int x) {
        if (x < 0) return -1;
        assert (x != 0xFFF0000);
        return x/2;
    }

x is the symbolic input. The first symbolic branch, if (x < 0), forks the path: under the path condition (x < 0) the function returns -1 (concrete witness x == -1); under (x >= 0) execution continues to the assert. The assert is a second symbolic branch: under (x != 0xFFF0000) ∧ (x >= 0) the function reaches return x/2 (witness x == 1); under (x == 0xFFF0000) ∧ (x >= 0) the assertion is violated, so the flaw is detected, with witness x == 0xFFF0000.
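The path forking on this slide, as an added worked example (not code from the talk or from Centaur): a minimal symbolic executor for a program over a single symbolic 32-bit int. The path condition is kept as an interval plus a set of excluded values instead of being handed to an SMT solver such as Z3, which is what a real symbolic executor does; the exploration strategy (re-run with each recorded branch decision flipped) and the outcome strings are this example's own choices.

```python
import collections

INT_MIN, INT_MAX = -2**31, 2**31 - 1


class Infeasible(Exception):
    """Raised when a path condition has no satisfying 32-bit value."""


class PathCondition:
    """Constraint on one symbolic 32-bit int: an interval plus excluded values.
    (Real symbolic executors hand general constraints to an SMT solver such as Z3.)"""

    def __init__(self):
        self.lo, self.hi, self.excluded = INT_MIN, INT_MAX, set()

    def assume(self, op, c, taken):
        """Conjoin the branch condition `x op c` (its negation if the branch was not taken)."""
        if op == "<":
            if taken:
                self.hi = min(self.hi, c - 1)
            else:
                self.lo = max(self.lo, c)
        elif op == "==":
            if taken:
                self.lo, self.hi = max(self.lo, c), min(self.hi, c)
            else:
                self.excluded.add(c)
        else:
            raise ValueError("unsupported operator " + op)
        if self.witness() is None:
            raise Infeasible

    def witness(self):
        """A concrete value satisfying the condition, closest to zero, or None."""
        if self.lo > self.hi:
            return None
        if self.hi < 0:
            candidates = range(self.hi, self.lo - 1, -1)
        else:
            candidates = range(max(self.lo, 0), self.hi + 1)
        for v in candidates:
            if v not in self.excluded:
                return v
        return None


def explore(program):
    """Generational path exploration: run `program` once, recording each symbolic
    branch decision, then re-run with every new decision flipped to reach the
    sibling path. Returns (concrete witness, outcome) for each feasible path."""
    paths = []
    worklist = collections.deque([[]])          # decision prefixes still to explore
    while worklist:
        prefix = worklist.popleft()
        pc, decisions = PathCondition(), []

        def branch(op, c):
            i = len(decisions)
            taken = prefix[i] if i < len(prefix) else True
            decisions.append(taken)
            pc.assume(op, c, taken)             # raises Infeasible on a dead path
            return taken

        try:
            outcome = program(branch)
        except Infeasible:
            continue                             # prefix not satisfiable: drop it
        paths.append((pc.witness(), outcome))
        for i in range(len(prefix), len(decisions)):
            worklist.append(decisions[:i] + [not decisions[i]])
    return paths


def foo(branch):
    """The slide's foo(x) with every test on x replaced by a symbolic branch."""
    if branch("<", 0):                 # if (x < 0) return -1;
        return "return -1"
    if branch("==", 0xFFF0000):        # assert (x != 0xFFF0000) fails when x == 0xFFF0000
        return "assertion failed"
    return "return x/2"


def explore_foo():
    """Map each outcome of foo() to a concrete input that reaches it."""
    return {outcome: x for x, outcome in explore(foo)}


if __name__ == "__main__":
    for outcome, x in explore_foo().items():
        print("%-16s  x = %#x" % (outcome, x))
```

Three paths come out, exactly as on the slide: the early return, the normal return, and the assertion failure together with the concrete input 0xFFF0000 that triggers it. That last witness is the point of the technique: the solver, not random fuzzing, produces the one value out of 2^32 that hits the flaw.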

9 Overview: the first tool for symbolic execution of the Android Framework. Symbolic execution is applied to two tasks: vulnerability discovery, and PoC exploit generation, which proves that a discovered vulnerability is exploitable.

10 How to Exploit a Framework Vulnerability
An exploit is a piece of code (or inputs) that takes advantage of a vulnerability in order to cause unintended behavior. Here the exploit is part of a malicious app. The app, consisting of Dalvik bytecode, its AndroidManifest.xml and its resources, makes a system service call through the framework API with parameters a0, a1, ...; while serving the call, the Android Framework (running on the Libraries & Runtime and the Linux Kernel) accesses the app's information. So what should the symbolic inputs be? 1) The parameters of the API; 2) the variables storing configuration values of the malicious app.

11 Where should symbolic execution start?
The main thread first initializes the Android Framework:

    main () {
        forking system service threads;
        parsing all apps' information;
        storing app information into memory;
        ...
    }

This initialization is very complex, so starting symbolic execution at main() leads to path explosion. Each API is served by one of the system service threads (System Service Thread 1 ... n), which read the app information that initialization stored in memory. Symbolic execution therefore starts at the API entry point instead.

12 Challenges and solutions
Challenge A: State space explosion. Solution: skip the initialization phase of the Android Framework and start symbolic execution at the API.
Challenge B: Execution context is missing. The framework memory M that the main thread fills in during initialization is not available to a symbolic execution that starts at the API in a system service thread. Solution: Phased Concrete-to-Symbolic Execution (PC2SE).
Challenge C: Identifying variables derived from the malicious app. The symbolic inputs are the parameters of the API and the variables in M storing configuration values of the malicious app, and the latter must be located. Solution: Slim tainting.

13 Phased Concrete-to-Symbolic Execution (PC2SE)

14 Decoupled architecture
Migrating execution context App Symbolic executor Context query server Symbolic executor Context query client Android Framework Libraries & Runtime Linux Kernel Heap memory snapshot Symbolic executor cannot obtain execution context?

15 Architecture of our system

16 Instrumenting bytecode instructions for heap migration

17 Example of a test driver

18 Migrating heap

19 Slim Tainting

20 Slim tainting: sources, propagation and sinks
Taint sources: the identifiers of the malicious app, its package name and its UID. Taint propagation: through the Android Framework memory M, which the framework accesses with two patterns, array-based (by index) and hash-table-based (by key). Taint sinks: the variables in M derived from the app. These variables are scattered all over M.

21 Tainting propagation (uid % 100,000 − 10,000)
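The two access patterns of slide 20 and the index arithmetic of slide 21, as an added illustration (not Centaur's implementation). A value is wrapped together with its taint labels; arithmetic on the app's UID keeps the label, and a load whose array index or hash key is tainted yields a tainted element. The constants 100,000 and 10,000 are Android's per-user UID range and first application UID, which is what uid % 100,000 − 10,000 computes: the app's slot in a per-app array. The framework memory, the field names mSettingsByAppId and mPackages, and the UID 10057 are constructed for the demo.

```python
PER_USER_RANGE = 100_000          # Android: UIDs of one user occupy a 100,000-wide range
FIRST_APPLICATION_UID = 10_000    # Android: first UID handed out to installed apps


class Tainted:
    """A concrete value plus the set of taint labels it carries (empty = untainted)."""

    def __init__(self, value, labels=()):
        self.value = value
        self.labels = frozenset(labels)

    def _combine(self, other, op):
        other_value = other.value if isinstance(other, Tainted) else other
        other_labels = other.labels if isinstance(other, Tainted) else frozenset()
        return Tainted(op(self.value, other_value), self.labels | other_labels)

    def __mod__(self, other):
        return self._combine(other, lambda a, b: a % b)

    def __sub__(self, other):
        return self._combine(other, lambda a, b: a - b)


def array_load(array, index):
    """Array-based access pattern: the loaded element inherits the index's taint."""
    return Tainted(array[index.value], index.labels)


def table_load(table, key):
    """Hash-table-based access pattern: the looked-up element inherits the key's taint."""
    return Tainted(table[key.value], key.labels)


def app_index(uid):
    """Slide 21's arithmetic, uid % 100,000 - 10,000, carried out on a tainted UID."""
    return (uid % PER_USER_RANGE) - FIRST_APPLICATION_UID


def demo_framework_memory():
    """Constructed stand-in for the framework memory M (not real Android data)."""
    settings = [None] * 100
    settings[0] = {"targetSdk": 19, "enabled": True}      # some other app's slot
    settings[57] = {"targetSdk": 23, "enabled": True}     # the malicious app's slot
    packages = {
        "com.example.mal": {"exported": True, "taskAffinity": "com.victim"},
        "com.example.other": {"exported": False, "taskAffinity": None},
    }
    return {"mSettingsByAppId": settings, "mPackages": packages}


def find_tainted_config(memory, package_name, uid):
    """Taint the app's package name and UID at the sources, follow both access
    patterns into memory M, and return the variables that reach the sinks,
    i.e. the configuration values that must become symbolic inputs."""
    pkg = Tainted(package_name, {"app"})
    index = app_index(Tainted(uid, {"app"}))
    sinks = {}
    setting = array_load(memory["mSettingsByAppId"], index)
    if setting.labels:
        sinks["mSettingsByAppId[%d]" % index.value] = setting.value
    pkg_info = table_load(memory["mPackages"], pkg)
    if pkg_info.labels:
        sinks["mPackages[%r]" % pkg.value] = pkg_info.value
    # A load through an untainted (constant) index is another app's data and
    # must not be reported as a symbolic input.
    other = array_load(memory["mSettingsByAppId"], Tainted(0))
    assert not other.labels
    return sinks


if __name__ == "__main__":
    for name, value in find_tainted_config(demo_framework_memory(), "com.example.mal", 10057).items():
        print(name, "->", value)
```

Only the two entries reached through the tainted index 57 and the tainted key are reported; the neighbouring slot loaded with a constant index stays untainted, which is what keeps the number of symbolic variables small.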

22 Evaluation
Effectiveness: 7 vulnerability instances were found, 6 instances of inconsistent security policy enforcement and 1 instance of task hijacking.
Efficiency.

23 List of Vulnerability Instances & Analysis Statistics
New vulnerability instances

24 An Example of an Exploit
An exploit is a set of concrete values: the configuration of the malicious app together with the system service call.

25 https://github.com/Android-Framewrok-Symbolic-Executor/Centaur
Code is open source!


