Embed Size (px)
Citation preview
OS-level Side Channels without Procfs: Exploring Cross-App Information
Leakage on iOS
Xiaokuan Zhang1, Xueqiang Wang2, Xiaolong Bai3, Yinqian Zhang1 and XiaoFeng Wang2
1The Ohio State University, 2Indiana University Bloomington, 3Tsinghua University
Mobile Side-Channel Attacks
Sensor-basedSideChannels
CacheSideChannels
OS-levelSideChannels
2
• Side-channelAttack:makeuseofseeminglyharmlessinformationtoinfersensitiveinformation
OS-level Side-Channel Attacks on Android
• Maliciousapprunninginthebackground,callingAPIs
• Procfs:systemstatistics• virtual/physicalmemory,networktraffic,CPUusageinfo,…
3
• NoProcfsprovidingsystemstat
• Nounauthorizedcross-appquery
OS-level Side-Channel Attacks on iOS
IsitpossibletoconductOS-levelside-channelattacksoniOS?
4
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
5
Threat Model
• Monitoringapp:• UserdownloadsitfromAppStore• Audioplayer
6
New Attack Vectors
• Host_statistics64():Globalusageofmemoryresources• Getifaddrs():Globalnetworkresources
• [NSFileManagerfileExistsAtPath:]:Theexistenceofafile/directory
7
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
8
Classifying User Activities --- Example Trace
• CallingAPIstogettimeseriesA• Host_statistics64()• Getifaddrs()
• Plottingdiffseries:A[i]–A[i-1]
Timeseriesleakinformation!!!
9
VM
Network
Classifying User Activities --- Example Trace
10
Howtocombinemultipletimeseriestoperforminferenceattacks?
VM
Network
Classifying User Activities --- Example Trace
Howtocombinemultipletimeseriestoperforminferenceattacks?
11
• Requirements:• Combiningmultipletimeseries• Reducingthedimension
• Majorcomponents:• SAX(Keoghetal.,2002)• BOP(Linetal.,2009)• LibSVM(Changetal.,2011)
VM
Network
Classifying User Activities --- Case Studies • Device:jailbrokeniPhone7withiOS10.1.1
• AutomatedusingCycript • Monitoringapp:
• runninginthebackground• callingAPIsatarateof1000/s
12
Classifying User Activities --- Case Studies • ForegroundApps:
• 100appsfromTopCharts+20pre-installedapps• TopNaccuracy:thepercentageofthetestsamplesbeingcorrectlylabeledbyoneofthetopNpredictedclassesbytheclassifier
97.5%89.2%
13
Classifying User Activities --- Case Studies
• SafariWebsites
84.5%
14
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
15
Detecting Sensitive In-App Activities
16
Blockchain.info
Detecting Sensitive In-App Activities --- Attack Methods
• Identifycriticalevents
• Correlateswithpublicrecords
17
Detecting Sensitive In-App Activities --- Case Studies
• Target:BlockchainWalletApp
• Goal:identifypaymentevent(idx:0)
18
Detecting Sensitive In-App Activities --- Case Studies
• Target:BlockchainWalletApp
• Goal:identifypaymentevent(idx:0)
• Normalizethedistanceperrow usingcell(i,i)asthebase(diagonal)
19
Detecting Sensitive In-App Activities --- Case Studies
Transaction Set
Transaction Set
Transaction Set
20
Detecting Sensitive In-App Activities --- Case Studies
Asent0.0035BTCtoB(1EwB…),TherestwenttoC(1Fbr…)
Csent0.001BTCtoE(1yNT…),TherestwenttoD(1ANE…)
Dsent0.0028BTCtoF(1CeN…),TherestwenttoG(16rU…)21
Detecting Sensitive In-App Activities --- Case Studies
• OtherTargets:Venmo/Twitter
22
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
23
Bypassing Sandbox Restrictions --- Attack Methods
• Device:non-jailbrokeniPhone7withiOS10.2.1
• ExecutiontimeofFileExistAtPath
HugeDifference!!!
24
Bypassing Sandbox Restrictions --- Case Studies
• Detectwhetheranapphasbeeninstalled
DivorceForce AsthmaMD Pregnancy+ SugarSense
25
Bypassing Sandbox Restrictions --- Case Studies • Pushnotifications:
• .pushstorefilewiththebundleidentifierasitsnamewillbecreatedinaspecificdirectory
• (/var/mobile/Library/SpringBoard/PushStore/com.google.Gmail.pushstorefortheGmailapp)
• Dynamicallyregisteredhomescreenquickactions:• .plistfilewiththebundleidentifierasitsnamewillbecreatedinaspecificdirectory(/var/mobile/Library/SpringBoard/ApplicationShortcuts/com.google.Gmail.plistfortheGmailapp)
• Top150appsinAppStore’s“TopCharts”(Aug.2017):
• Pushnotification:67(44.7%)• dynamicallyregisteredhomescreenquickactions:44(31.3%)
26
• Othercases:numberofphotos/memos
• Genericapproachtodetectfiles
27
Bypassing Sandbox Restrictions --- Case Studies
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
28
Practical Issues • AppStoreVetting
• DisguisedasanAudioPlayer• Passedthevetting
• PowerConsumption• Device:jailbrokeniPhone7withiOS10.1.1• 60min:5%batterywasconsumed
29
Practical Issues --- Cross-device Attack Feasibility
trainingdevice:DeviceAiOS10.1.1
testingdevice:DeviceBNon-jailbrokeniOS10.2.1
30
• Testset:Randomlyselect20third-partyapps • RedoForegroundAppsExperiment
91.5%
Practical Issues --- Cross-device Attack Feasibility
80.5%
31
• Target:BlockchainWallet
Practical Issues --- Cross-device Attack Feasibility
32
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
33
Countermeasures
• RateLimiting:limitthesamplingrate• Filterthedataandonlykeepevery(1000/N)thdatapoint• Re-evaluatetheforegroundappclassification
ImplementediniOS11.1forhost_statistics64():2/s
34
Countermeasures
• Coarse-grainedreturnvalues:maskingthedigitsofreturnvalues• Mask1/2/3digitsofall6features• Re-evaluatetheforegroundappclassification
1230Mask1digit:
1200Mask2digits:
1000Mask3digits:
1234Original:
35
Countermeasures
• Coarse-grainedreturnvalues:maskingthedigitsofreturnvalues• Mask1/2/3digitsofall6features• Re-evaluatetheforegroundappclassification
ImplementediniOS11forgetifaddrs():Roundto1KB 36
Countermeasures
• Eliminatingtheattackvectors
• Runtimedetection
• Privacy-preservingstatisticsreporting
• RemovingthefileExistsAtPathtimingchannelfileExistsAtPathtimingchannelhasbeeneliminatediniOS11
37
Outline
1. Side-channelAttackVectorsoniOS2. Attack1:ClassifyingUserActivities3. Attack2:DetectingSensitiveIn-AppActivities4. Attack3:BypassingSandboxRestrictions5. PracticalIssues6. Countermeasures7. Conclusion
38
Conclusion
• FirstexplorationofOS-levelsidechannelsoniOS
• Threecategoriesofside-channelattacks
• ProposedcountermeasuresintegratediniOSandMacOS
39
41
Detecting Sensitive In-App Activities --- Attack Methods
• Timeisshort(<0.5s)
• Differenceissubtle
42
Detecting Sensitive In-App Activities --- Attack Methods
• PatternMatching:comparetwomulti-dimensionaldatatraces• Sample:• Signature:• Goal:measurethedistance• ExtendedDTW(DTW_I):(wk:normalizationfactor)
43
iOS Attacks
44
Paper Vector ImpactChenetal.,Security’14
/proc/pid/statm
UIinferenceattacks(stealinglogincredentials,photos)
Diaoetal.,Oakland’16
/proc/interrupts
Interrupttiminganalysis(crackingunlockpatterns)
45
Classifying User Activities --- Attack Methods • Requirements:
• Combiningmultipletimeseries
• Reducingthedimension
• Majorcomponents:• SymbolicAggregateapproXimation(SAX)(Keoghetal.,2002)
• Bag-of-Patterns(BOP)representation(Linetal.,2009)
• SupportVectorMachine(LibSVM)(Changetal.,2011)
{cbb:1,bbc:1,bcc:1,ccc:1,ccb:1,cba:1,baa:1,aaa:1} 46
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
47
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
48
Classifying User Activities --- Case Studies • TopNAccuracyExample
Top1Accuracy:3/5=60%
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
49
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
50
Classifying User Activities --- Case Studies • TopNAccuracyExample
Top2Accuracy:(3+1)/5=80%
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
51
Classifying User Activities --- Case Studies • TopNAccuracyExample
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
52
Classifying User Activities --- Case Studies • TopNAccuracyExample
Top3Accuracy:(2+1+2)/5=100%
Sample TrueClass SVMPrediction(ProbabilityModel)A 1 4 2 1B 2 2 5 4C 3 3 1 2D 4 1 4 2E 5 5 2 4
53
Detecting Sensitive In-App Activities
54
Detecting Sensitive In-App Activities --- Attack Methods
• Identifycriticalevents
• Correlateswithpublicrecords
55
Detecting Sensitive In-App Activities
56
Classifying User Activities --- Case Studies
• Device:jailbrokeniPhone7withiOS10.1.1 • AutomatedusingCycript
57
Why global stat can work?
• iOSitselfsuspendsappswhentheyruninthebackground,unlesstheappspeciallyrequestsbackgroundpermissions
• iOSisrelativelyquieterthanAndroid,whichgreatlyfacilitatesside-channelattacks
58
Run Background Apps on iOS • AUDIObackgroundmode
• [NSTimerscheduledTimerWithTimeInterval:target:selector:userInfo:repeats:]
59
Detecting Sensitive In-App Activities
60
![App & Web User’s Manual For Studentsportal.sejong.ac.kr/popup/ucheck_std_eng_20170817.pdf · 2017-08-17 · SIMBIAN, BADA, Tizen etc. [Note 2] If the device is rooted, jailbroken,](https://img.pdfslide.us/doc/110x75/5f08eec77e708231d4246ce3/app-web-useras-manual-for-2017-08-17-simbian-bada-tizen-etc-note-2.jpg)
