Embed Size (px)
Citation preview
L.C.SmithCollege of Engineering and Computer Science
Efficient, Context-Aware Privacy Leakage Confinement for Android Applications without Firmware Modding
Mu Zhang
Heng Yin
Department of EECS, Syracuse University
1
Motivation: We need a practical solution for privacy leakage confinement in Android
• What does a practical solution mean?– Information-flow based security• Most of existing solutions are end-point solutions
– Context-aware policy enforcement• Existing solutions are all-or-nothing protection
– No firmware modding• All existing solutions require firmware modding
– Low runtime overhead• Taint tracking is slow!
2
Capper: Context-Aware Privacy Policy Enforcement with Re-writing
• Key Techniques– Bytecode Rewriting for Information Flow Tracking and
Control– Context-aware Policy Enforcement
3
BRIFT: Bytecode Rewriting for Information Flow Tracking and Control
• Key: to place minimally required code into a bytecode program to accurately keep track of privacy leakage.
Resources
DEX
Android App
Translation
IR
Static Analysis
Slices
Static Instrumentation
New IR
Optimization
Optimized IR
Code Generation
Resources
DEX’
New App
4
BRIFT: Some Technical Details• Static Data-flow Analysis
– Similar to CHEX[Lu et al. CCS’12]– Discover entry points, compute program splits, and perform
permutation on the splits
• Static Instrumentation– Create shadow variables – Insert taint propagation statements– Pass shadow parameters across function boundary
• Optimization– Remove unnecessary shadow parameters– Lift taint propagation logic into the function caller– Other built-in optimizations, such as constant propagation, dead code
elimination, etc.
5
BRIFT: A Running Example 1 public class Leakage extends Activity{ 2 private byte key = DEFAULT_KEY; 3 private String addr = DEFAULT_ADDR; 4 private static String deviceId; 5 6 public String getIMEI(){ 7 TelephonyManager manager = (TelephonyManager) getSystemService(“phone”); 8 String imei = manager.getDeviceId(); 9 if(imei==null){10 imei = “”;11 }else{12 imei = manager.getDeviceId();13 }14 return imei;15 }1617 public byte crypt(byte plain){18 return (byte)(plain ^ key);19 }2021 public void post(String addr, byte[] bytes){22 OutputStream output = conn.getOutputStream();23 output.write(bytes, 0, bytes.length);24 ...25 }2627 public void toastIMEI(String imei){28 Context app = getApplicationContext();29 String text = “Your IMEI is ” + imei;30 int duration = Toast.LENGTH_SHORT;31 Toast toast = Toast.makeText(app, text, duration);32 toast.show();33 }
3435 public void onStart(){36 Leakage.deviceId = getIMEI();37 }3839 public void onResume(){40 toastIMEI(Leakage.deviceId);41 }4243 public void onDestroy(){44 String imei = Leakage.deviceId;45 byte[] bytes = location.getBytes();46 for(int i=0; i<bytes.length; i++)47 bytes[i] = crypt(bytes[i]);48 }49 post(addr, bytes);50 }51 }
6
BRIFT: the Rewritten Program
7
1 public class Leakage extends Activity{ ...4 private static String deviceId;I public static boolean deviceId_s0_t; ...6 public String getIMEI(BoolWrapper ret_s0_wrapper){ ...8 String imei = manager.getDeviceId();9 if(imei==null){10 imei = “”;I imei_s0_t = false;11 }else{12 imei = manager.getDeviceId();I imei_s0_t = true;13 }I ret_s0_wrapper.status = imei_s0_t;14 return imei;15 } ...21 public void post(String addr, byte[] bytes, BoolWrapper bytes_s0_w){I boolean bytes_s0_t = bytes_s0_wrapper.status;22 OutputStream output = conn.getOutputStream();I boolean isAllow = false;I if(bytes_s0_t == true)I isAllow = queryPolicyService(0, 0, addr);I if(isAllow)23 output.write(bytes, 0, bytes.length);}I else{...}24 ...25 } ...
35 public void onStart(){I BoolWrapper ret_s0_wrapper = new BoolWrapper();I ret_s0_wrapper.status = false;36 Leakage.deviceId = getIMEI(ret_s0_wrapper);I Leakage.deviceId_s0_t = ret_s0_wrapper.status;37 } ... 43 public void onDestroy(){44 String imei = Leakage.deviceId;45 byte[] bytes = imei.getBytes();I boolean bytes_s0_t = Leakage.deviceId_s0_t;46 for(int i=0,; i< bytes.length; i++){47 bytes[i] = crypt(bytes[i]);I bytes_s0_t = bytes_s0_t || false;48 }I BoolWrapper bytes_s0_wrapper = new BoolWrapper();I bytes_s0_wrapper.status = bytes_s0_t;P BoolWrapper url_s0_w = new BoolWrapper();49 post(addr, bytes, bytes_s0_wrapper);50 }51 }
See more details in our NDSS’14 paper
Context-Aware Policy: How to model the context of an information flow
• Taint Propagation Trace– Heavy-weight– Overly precise
• Source and Sink Call-sites– Light-weight– Mimicry attack?
• Parameterized Source and Sink Pairs
8
Evaluation: Overview
• 4723 apps real-world apps evaluated– 1414 (33%) are risky (may leak information)– Increase of Program Size– Runtime Performance of Analysis and Rewriting– Runtime Overhead– Effectiveness
9
Related Work
• Extend install-time constraints– Kirin, CCS’09; Saint, ACSAC’09
• Enforce finer-grained/flexible permissions– MockDroid, HotMobile’11; CRePE, ISC’10; Apex, ASIACCS’10; TISSA,
TRUST’11
• Improve isolations– Cells, SOSP’11; SPSM’11; AdSplit, Usenix Security’12
• Ask for user approval– Livshits and Jung, Usenix Security’13; Aurasium, Usenix Security’12
• Information flow based solution– TaintDroid, OSDI’10; AppFence, CCS’11
10
Conclusion: We achieved four goals
• G1: Information-flow based security – Yes, we track sensitive information flow by rewriting
• G2: Context-aware policy enforcement – Yes, we model the context of an information flow, and bind this
context with user’s decision
• G3: No firmware modding – Yes, we only rewrite apps and install a policy service
• G4: Low runtime overhead – Yes, we only insert a minimal amount of code to keep track of sensitive
information flow
11
Questions?
12
