
AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection

Speaker: Ting Luo
Date: 2014/04/07

Zhemin Yang, Min Yang, Yuan Zhang, X. Sean Wang
Fudan University

Guofei Gu, Peng Ning
Texas A&M University, NC State University

CCS, 2013


Outline

1. Introduction
2. Background
3. Goal And Overall Architecture
4. Event-Space Constraint Guided Symbolic Execution
5. Dynamic Analysis Platform
6. Evaluation
7. Related Work
8. Conclusion And Future Work


Introduction

• Many benign apps legitimately need to collect sensitive data, such as location and contacts, and send it out to the cloud.

• Malicious apps that steal user data may also exhibit the same behavior.

• Therefore, transmission of sensitive data by itself may not indicate true privacy leakage

• A better indicator should be whether the transmission is user intended or not.


Introduction

• User-intended data transmission
  • For example:
    • SMS management apps
    • Location-based services
  • Not a privacy leakage.

• Unintended data transmission
  • Unknown to users
  • Irrelevant to the function the user enjoys
  • Judged as a privacy leakage


Introduction

• It is more practical to design an automated tool to provide a human analyst with the context information in which the data transmission occurs.

• Given sensitive data transmission, AppIntent derives the input data and user interaction inputs that lead to the transmission

• Context information: takes the form of a sequence of UI manipulations captured from a controlled execution.


Introduction

• Symbolic execution
  • Systematically explores feasible paths of the program.

• Dealing with events triggered by user actions in GUI apps is challenging

• Path explosion problem

• New technique
  • Event-space constraint guided symbolic execution


Introduction

• Event-space constraint guided symbolic execution

1. Static analysis
2. Generate event-space constraints
3. Symbolic execution


Background

1. Symbolic Execution

(1) “Symbolic Execution and Program Testing,” CACM, 1976

(2) “Symbolic Execution for Software Testing: Three Decades Later,” CACM, 2013


Background

1. Symbolic Execution

• Explore as many different program paths as possible in a given amount of time.

• For each path:
  • Generate a set of concrete input values exercising that path
  • Check for the presence of various kinds of errors
    • Security vulnerability
    • Uncaught exception

• Using symbols instead of values !!


Background

1. Symbolic Execution

(1) Symbolic state σ
  • σ is initialized to an empty map

(2) Symbolic path constraint PC
  • PC is initialized to true.

(3) If a symbolic execution instance hits an exit statement or an error, the current instance of symbolic execution is terminated

(4) Finally, PC is solved using a constraint solver to generate concrete input values.

Background

1. Symbolic Execution

Reference: “Symbolic Execution for Software Testing: Three Decades Later,” CACM, 2013

line | σ                        | PC                          | PC'
init | Empty                    | True                        |
17   | {x->x0, y->y0}           | True                        |
6    | {x->x0, y->y0, z->2y0}   | True                        |
7    | {x->x0, y->y0, z->2y0}   | x0 = 2y0                    | x0 ≠ 2y0
8    | {x->x0, y->y0, z->2y0}   | (x0 = 2y0) ∧ (x0 > y0 + 10) | (x0 = 2y0) ∧ (x0 ≤ y0 + 10)

Background

1. Symbolic Execution

(5) Execution tree

[Figure: execution tree. Node labels:]
• PC: x0 = 2y0
• PC': x0 ≠ 2y0
• PC: (x0 = 2y0) ∧ (x0 > y0 + 10)
• PC': (x0 = 2y0) ∧ (x0 ≤ y0 + 10)
• x0 ≤ 20, y0 ≤ 10
• y0 > 10, x0 > 20
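The table and execution tree above can be reproduced with a few lines of code. The following is an added example, not part of the original slides or of AppIntent: the program is reconstructed from the table (the listing itself is not on the page, so its shape is an assumption), and a bounded search stands in for a real constraint solver.

```python
from itertools import product

# Program reconstructed from the table above (assumption: the listing itself is
# not on the page):  z = 2*y;  if z == x: { if x > y + 10: ERROR }
PROGRAM = [
    ("assign", "z", ("mul", 2, "y")),
    ("if", ("eq", "z", "x"),
        [("if", ("gt", "x", ("add", "y", 10)), [("error",)], [])],
        []),
]

OPS = {"mul": lambda a, b: a * b, "add": lambda a, b: a + b,
       "eq": lambda a, b: a == b, "gt": lambda a, b: a > b,
       "not": lambda a: not a}

def subst(expr, sigma):
    """Rewrite an expression over program variables into one over input symbols."""
    if isinstance(expr, int):
        return expr
    if isinstance(expr, str):
        return sigma[expr]
    return (expr[0],) + tuple(subst(arg, sigma) for arg in expr[1:])

def evaluate(expr, env):
    """Evaluate a symbolic expression under concrete values for x0 and y0."""
    if isinstance(expr, int):
        return expr
    if isinstance(expr, str):
        return env[expr]
    return OPS[expr[0]](*(evaluate(arg, env) for arg in expr[1:]))

def explore(stmts, sigma, pc, paths):
    """Walk the program, forking into PC and PC' at every branch."""
    if not stmts:
        paths.append((pc, "exit"))      # an exit ends this instance
        return
    head, rest = stmts[0], stmts[1:]
    if head[0] == "assign":
        explore(rest, {**sigma, head[1]: subst(head[2], sigma)}, pc, paths)
    elif head[0] == "error":
        paths.append((pc, "ERROR"))     # an error also ends the instance
    else:
        cond = subst(head[1], sigma)
        explore(head[2] + rest, sigma, pc + [cond], paths)           # PC
        explore(head[3] + rest, sigma, pc + [("not", cond)], paths)  # PC'

def solve(pc, bound=40):
    """Stand-in for a constraint solver: bounded search over x0 and y0."""
    for x0, y0 in product(range(-bound, bound + 1), repeat=2):
        env = {"x0": x0, "y0": y0}
        if all(evaluate(c, env) for c in pc):
            return env
    return None                          # no model found within the bound

def run():
    """Return (outcome, path constraint, concrete input) for every path."""
    paths = []
    explore(PROGRAM, {"x": "x0", "y": "y0"}, [], paths)
    return [(outcome, pc, solve(pc)) for pc, outcome in paths]

if __name__ == "__main__":
    for outcome, pc, model in run():
        print(outcome, pc, model)
```

The input found for the ERROR path, x0 = 22 and y0 = 11, falls in the y0 > 10, x0 > 20 leaf of the tree.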

Background

1. Symbolic Execution

(6) Loops or recursion
  • Infinite number of paths if the termination condition for the loop is symbolic

(7) In practice, one needs to put a limit on the search
  • A timeout, or a limit on the number of paths, loop iterations, or exploration depth

Background

2. Android Event

(1) Callbacks of lifecycle states
  • These callbacks are automatically invoked by the Android application manager
  • Non-deterministic
  • Unbounded
  Search space explosion problem!

(2) GUI events and system events
  • Event listeners
  • Non-deterministic
  • They can be triggered in any order and at any time


Goal And Overall Architecture

Goal:

1. Produce the critical app inputs that lead to sensitive data transmission

2. Guarantee good code coverage

3. Provide an easy-to-understand tool for human analysts to ascertain under what circumstances the sensitive data transmission happens.

Goal And Overall Architecture

Overall Architecture:

• Event-space Constraint Guided Symbolic Execution
  (1) Static taint analysis
  (2) Construct an event-space constraint graph
  (3) Symbolic execution

• Dynamic Program Analysis Platform
  • Android InstrumentationTestRunner


Event-Space Constraint Guided Symbolic Execution

1. A concrete example: Anzhuoduanxin (安卓短信)

(1) Broadcast Receiver: PushReceiver
  • To retrieve extended data from the intent

Taint Analysis:
{ OnReceive, i1 }
a is tainted

Event-Space Constraint Guided Symbolic Execution

(2) Activity MessagePopup:

[Screenshot text: "To Irene: Hello…"]

Taint Analysis:
{ OnReceive, i1 }
Retrieve message from a
{ startNewMessageQuery, i2 }
{ forward, i3 }
{ forward, i4 }

Event-Space Constraint Guided Symbolic Execution

(4) Start up ComposeMessageActivity

[Screenshot text: "Forward or not?", "SEND!"]

Taint Analysis:
{ OnReceive, i1 }
{ startNewMessageQuery, i2 }
{ forward, i3 }
{ forward, i4 }
{ sendMessage, i5 }
{ sendMessage, i6 }


Event-Space Constraint Guided Symbolic Execution

Construction of the Event-space Constraint Graph

Extracting Critical Events

Extracting Essential Events

Event-Space Constraint Guided Symbolic Execution

2. Construction of the Event-space Constraint Graph

(1) Two kinds of nodes
  • A thick-line node (critical events)
    • The event handler method contains at least one instruction of a given data propagation path.
  • A thin-line node (essential events)
    • A prerequisite for a critical event
    • It does not contain any instructions of the given path.


Event-Space Constraint Guided Symbolic Execution

2. Construction of the Event-space Constraint Graph

(2) Extracting Critical Events
  • For each instruction in the path, we backward traverse the call graph to find all events that might trigger it.


Event-Space Constraint Guided Symbolic Execution

2. Construction of the Event-space Constraint Graph

(3) Extracting Essential Events
  • Supplement those missing lifecycle callbacks with directed edges according to the original order
  • In the current version of AppIntent, we only track:
    - Intents that eventually start a new activity or service
    - Broadcast messages that are properly handled by a BroadcastReceiver


Event-Space Constraint Guided Symbolic Execution

Construction of the Event-space Constraint Graph

Extracting Critical Events

Extracting Essential Events

Guided Symbolic Execution

Event-Space Constraint Guided Symbolic Execution

2. Construction of the Event-space Constraint Graph

(4) Guided Symbolic Execution
  • P: the events that are triggered before the last traversed critical event
  • C: the data constraints that should be fulfilled to reach the current execution point.
  • If C is empty, then none of the data inputs can result in the target execution

Event-Space Constraint Guided Symbolic Execution

2. Construction of the Event-space Constraint Graph

(4) Guided Symbolic Execution
  • Each time we proceed from a thick-line node, possible successors of this critical event are extracted
  • We randomly pick an event first and calculate a feasible path from the current critical event to the chosen successor
    • Extract the minimal path (using Dijkstra's algorithm) as a chain of events

Event-Space Constraint Guided Symbolic Execution

2. Construction of the Event-space Constraint Graph

(4) Guided Symbolic Execution
  • We roll back the symbolic execution and try to trigger other feasible critical events
    • if the event chain is revealed to be unavailable for any inputs (C == ∅), or
    • if all possible successors in critical event chains are already explored (∀e : <ne; e> ∉ CEC)

Event-Space Constraint Guided Symbolic Execution

ce: critical event
ne: next event
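The graph construction steps in this section (backward call-graph traversal to find critical events, then a minimal event chain found with Dijkstra's algorithm, with the non-critical events on it being the essential ones) can be sketched as follows. This is an added illustration, not AppIntent's code and not from the slides: the propagation path is the one shown for the SMS example, while the handler names, call edges and event ordering are constructed assumptions.

```python
import heapq
from collections import defaultdict

# Propagation path as on the slides: (method, instruction) pairs.
TAINT_PATH = [("PushReceiver.onReceive", "i1"), ("startNewMessageQuery", "i2"),
              ("forward", "i3"), ("forward", "i4"),
              ("sendMessage", "i5"), ("sendMessage", "i6")]

# Constructed sample data (assumption): handler names, call edges and event
# ordering are illustrative, not recovered from the analysed app.
CALL_GRAPH = {  # caller -> callees
    "MessagePopup.onCreate": ["startNewMessageQuery"],
    "MessagePopup.onForwardClick": ["forward"],
    "ComposeMessageActivity.onCreate": ["initViews"],
    "ComposeMessageActivity.onSendClick": ["prepareSend"],
    "prepareSend": ["sendMessage"],
}
EVENT_EDGES = {  # event -> events allowed to follow it
    "PushReceiver.onReceive": ["MessagePopup.onCreate"],
    "MessagePopup.onCreate": ["MessagePopup.onForwardClick"],
    "MessagePopup.onForwardClick": ["MessagePopup.onPause",
                                    "ComposeMessageActivity.onCreate"],
    "MessagePopup.onPause": ["ComposeMessageActivity.onCreate"],
    "ComposeMessageActivity.onCreate": ["ComposeMessageActivity.onResume"],
    "ComposeMessageActivity.onResume": ["ComposeMessageActivity.onSendClick"],
}
HANDLERS = set(EVENT_EDGES) | {e for nxt in EVENT_EDGES.values() for e in nxt}

def critical_events(path=TAINT_PATH):
    """Backward-traverse the call graph from each path instruction to handlers."""
    callers = defaultdict(set)
    for caller, callees in CALL_GRAPH.items():
        for callee in callees:
            callers[callee].add(caller)
    found = defaultdict(list)
    for method, insn in path:
        seen, stack = {method}, [method]
        while stack:
            m = stack.pop()
            if m in HANDLERS:
                found[m].append(insn)
            new = callers[m] - seen
            seen |= new
            stack.extend(new)
    return dict(found)

def event_chain(src, dst):
    """Dijkstra with unit edge weights: minimal chain of events src -> dst."""
    queue, done = [(0, [src])], set()
    while queue:
        cost, chain = heapq.heappop(queue)
        node = chain[-1]
        if node == dst:
            return chain
        if node in done:
            continue
        done.add(node)
        for nxt in EVENT_EDGES.get(node, []):
            heapq.heappush(queue, (cost + 1, chain + [nxt]))
    return None  # dst is not reachable from src

def essential_events(chain, critical):
    """Events on the chain that carry no instruction of the propagation path."""
    return [e for e in chain if e not in critical]
```

With this sample data, the chain from `MessagePopup.onForwardClick` to `ComposeMessageActivity.onSendClick` skips the longer `onPause` detour, and the two `ComposeMessageActivity` lifecycle callbacks on it come out as essential events.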


Dynamic Analysis Platform

• Presents which functionality is used when the transmission happens.

• Test case
  • Automatically generated based on the inputs gathered before
  • Attached to the app by repackaging the original Android apk.
  • Android InstrumentationTestRunner

Dynamic Analysis Platform

• Features

(1) Automatically trigger event inputs
  • To trigger a clicking event, a performClick operation is applied to the corresponding view

(2) Automatically provide data inputs
  • Network inputs are not supported
    • Android InstrumentationTestRunner cannot intercept and modify network inputs.

(3) Highlight activated views of GUI events
  • Setting background color to red

(4) Highlight sensitive data read and transmission
  • When the data loading and transmission happen


Evaluation

1. Effectiveness of Event-space Constraint Guided Symbolic Execution

Evaluation

2. Effectiveness on Analyzing Sensitive Data Transmission

(750) (1000)

Evaluation

3. Effectiveness on Analyzing Sensitive Data Transmission

• Interesting findings
  (1) Data transmission of device IDs and phone numbers is very common but typically not noticed by most smartphone users.
  (2) Lots of apps write sensitive data into the local logging system

Evaluation

4. Analysis Time
  • Static analysis phase costs 96 hours
    • Can be reduced by distributing the analysis workload to multiple machines
  • Symbolic execution costs 5 to 134 minutes
    • Can be processed in parallel

Evaluation

5. Case Studies
  • Anzhuoduanxin (安卓短信)
    • SMS management app
    • Video: https://www.youtube.com/watch?v=RRqWQk4ztmI
  • Tapsnake
    • A game that stealthily transmits user locations to a third-party receiver
    • Video: https://www.youtube.com/watch?v=L4IvXzpYqzw


Evaluation

6. Usability of AppIntent
  • We invited 3 Android experts
  • Introduced AppIntent in less than 15 minutes
  • Ran the driven executions for the 3 participants
  • Asked the 3 participants to fill in a sheet


Related Work

• Event listener analysis and symbolic execution for testing GUI applications.
  • S. R. Ganov, C. Killmar, S. Khurshid, and D. E. Perry. In ICFEM, 2009.

• A symbolic execution framework for JavaScript.
  • P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. In IEEE Symposium on Security and Privacy, pages 513–528, 2010.

• Vetting undesirable behaviors in Android apps with permission use analysis. (VetDroid)
  • Y. Zhang, M. Yang, B. Xu, Z. Yang, G. Gu, P. Ning, X. Wang, and B. Zang. In CCS, 2013.


Conclusion And Future Work

• AppIntent
  • A new app validation framework to help human analysts determine if data transmission is intended by the user.

• Future Work
  • Native code
  • Instrumentation of network input
  • Fails to analyze some apps because the DEX decompilation tool, DED, failed to decompile these apps


Q & A
