Leave me alone: App-level Protection Against Runtime Information Gathering on Android
Presented by Joon-young Park (Master's program, 29th cohort)
Contents
• View Point
• Challenges
• RIG(Runtime Information Gathering) attacks
• /proc?
• Attacking NetCam (Video)
• AppGuardian Architecture
• Audio Recording Attack (Video)
• Detection Methods
• Evaluation & Analysis
• Discussion / Conclusion
• Protection NetCam (Video)
• Future Works
View Point
• RIG (Runtime Information Gathering)
• Protection against RIG
• Implementation and Evaluation
Challenges
• Increasing amount of malware
• Tightening access control causes compatibility issues
• An OS-level solution is painful to deploy in the Android ecosystem
RIG Attacks
• The scope of an Android permission is far too coarse.
• By periodically reading the runtime information shared through /proc, an app can extract meaningful data.
Android Permission Issues
• A voice recorder can tape any phone conversation.
• A game app with the Bluetooth permission can also download patient data from a Bluetooth glucose meter.
/proc/stat
• cpuN (6*n + 7 stats)
  • user: normal processes executing in user mode
  • nice: niced processes executing in user mode
  • system: processes executing in kernel mode
  • idle: twiddling thumbs
  • iowait: waiting for I/O to complete
  • irq: servicing interrupts
  • softirq: servicing softirqs
• intr: counts of interrupts serviced since boot time
• ctxt: total number of context switches across all CPUs
• btime: the time at which the system booted, in seconds since the Unix epoch
• processes: the number of processes and threads created
• procs_running: the number of processes currently running on CPUs
• procs_blocked: the number of processes currently blocked, waiting for I/O to complete
/proc/[pid]/stat (44 fields)
• pid: process ID
• comm: executable name, in parentheses
• state: state of the process (running, sleeping, zombie, ...)
• ppid / pgrp / session / tty_nr / tpgid
• flags / minflt / cminflt / majflt / cmajflt
• utime: amount of time this process has been scheduled in user mode
• stime: amount of time this process has been scheduled in kernel mode
• cutime / cstime / priority / nice / num_threads / itrealvalue
• starttime: the time the process started after system boot
• vsize: virtual memory size in bytes
• rss / rsslim / startcode / endcode / startstack
• kstkesp / kstkeip / signal / blocked / sigignore
• sigcatch / wchan / nswap / cnswap / exit_signal / processor
• rt_priority / policy / delayacct_blkio_ticks / guest_time / cguest_time
/proc/uid_stat/<uid>/tcp_rcv
• cumulative TCP bytes received by uid 1013 (tcp_snd holds the bytes sent)
Playing with stats information
• Identify the web page the user visits from the browser's memory footprint.
• Detect a Twitter account by monitoring tcp_snd / tcp_rcv.
• Infer the driving route by watching the speaker's status (on / off) during navigation.
• None of this requires any permission!
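The following is an added example, not code from the slides or from the AppGuardian paper. It shows the mechanics behind the attacks listed above: an app with no permissions polls /proc/[pid]/stat and /proc/uid_stat/<uid>/tcp_rcv and turns the cumulative counters into a per-interval activity trace (CPU ticks, RSS change, bytes received). Field positions follow proc(5); all sample lines are constructed, not captured from a device. One caveat for practitioners: since Android 7.0 the /proc filesystem is mounted with hidepid=2, so an unprivileged app no longer sees other apps' /proc/[pid] directories and the per-process channels used here are closed on current devices.

```python
"""Added example, not code from the slides or the AppGuardian paper.

Turns periodic snapshots of /proc/[pid]/stat and /proc/uid_stat/<uid>/tcp_rcv
into an activity trace (CPU ticks, RSS change, bytes received per interval),
which is the raw material of the RIG attacks on the slide. Field positions
follow proc(5); every sample below is constructed, not captured from a device.
"""
from typing import Dict, List, Tuple

# 1-based field numbers from proc(5) for /proc/[pid]/stat.
FIELD_STATE, FIELD_UTIME, FIELD_STIME, FIELD_VSIZE, FIELD_RSS = 3, 14, 15, 23, 24


def parse_pid_stat(line: str) -> dict:
    """Parse one /proc/[pid]/stat line.

    comm (field 2) is wrapped in parentheses and may itself contain spaces
    or ')', so split on the LAST ')' instead of splitting the line on spaces.
    """
    head, _, tail = line.rpartition(")")
    pid_str, _, comm = head.partition("(")
    fields = tail.split()          # fields[0] is field 3 (state)

    def field(n: int) -> str:      # map a proc(5) field number to `fields`
        return fields[n - 3]

    return {
        "pid": int(pid_str),
        "comm": comm,
        "state": field(FIELD_STATE),
        "utime": int(field(FIELD_UTIME)),
        "stime": int(field(FIELD_STIME)),
        "vsize": int(field(FIELD_VSIZE)),
        "rss_pages": int(field(FIELD_RSS)),
    }


def make_stat_line(pid: int, comm: str, utime: int, stime: int,
                   vsize: int, rss: int) -> str:
    """Build a constructed /proc/[pid]/stat line (52 fields, unused ones 0)."""
    fields = ["0"] * 52
    fields[0], fields[1], fields[2] = str(pid), f"({comm})", "S"
    fields[FIELD_UTIME - 1], fields[FIELD_STIME - 1] = str(utime), str(stime)
    fields[FIELD_VSIZE - 1], fields[FIELD_RSS - 1] = str(vsize), str(rss)
    return " ".join(fields)


Sample = Tuple[int, str, int]  # (tick, stat line, cumulative tcp_rcv bytes)


def activity_trace(samples: List[Sample]) -> List[Dict[str, int]]:
    """Turn cumulative snapshots into per-interval deltas.

    A RIG app polls these files every few hundred milliseconds; a burst of
    CPU ticks and RSS growth marks a page load, a tcp_rcv delta marks the
    response body arriving. The deltas are what gets matched against a
    fingerprint database.
    """
    trace: List[Dict[str, int]] = []
    prev = None
    for tick, line, tcp_rcv in samples:
        cur = parse_pid_stat(line)
        if prev is not None:
            p, p_rcv = prev
            trace.append({
                "tick": tick,
                "cpu_ticks": (cur["utime"] + cur["stime"]) - (p["utime"] + p["stime"]),
                "rss_delta_pages": cur["rss_pages"] - p["rss_pages"],
                "tcp_rcv_delta": tcp_rcv - p_rcv,
            })
        prev = (cur, tcp_rcv)
    return trace


# Constructed samples for a browser process (pid 1234, uid counter alongside):
# idle, then a page-load burst (CPU + RSS growth), then the body arriving.
SAMPLES: List[Sample] = [
    (0, make_stat_line(1234, "com.android.chrome", 100, 50, 400_000_000, 20_000), 1_000),
    (1, make_stat_line(1234, "com.android.chrome", 130, 60, 410_000_000, 23_500), 1_000),
    (2, make_stat_line(1234, "com.android.chrome", 131, 60, 410_000_000, 23_500), 180_000),
]

if __name__ == "__main__":
    for step in activity_trace(SAMPLES):
        print(step)
```

The parser splits on the last ')' on purpose: a process whose comm contains a space or a parenthesis would otherwise shift every later field by one, which is a classic bug in /proc scrapers on both the attack and the defence side.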
AppGuardian architecture
• Information gathering
  - permissions, side channels
• Install-time / run-time features
• Report suspicious apps
• Kill suspicious apps
• When the principal finishes, resume the suspicious app
AppGuardian architecture
• Permissions AppGuardian itself needs: KILL_BACKGROUND_PROCESSES, SYSTEM_ALERT_WINDOW, INTERNET, GET_TASKS, BIND_NOTIFICATION_LISTENER_SERVICE
• Monitoring
  - package names, permissions, ...
  - action.PACKAGE_ADDED broadcasts
  - proc files, recording thread, ...
Entering the ward
• KILL_BACKGROUND_PROCESSES
• WARD MODE: background apps are stopped while the principal runs
Entering the ward: oom_adj score (-17 ~ 15)
• (typically) 9 / 2
Exiting the ward
• WARD MODE, background apps: HOME - WAIT - KILL
Restart vs Switch
• Unconditional ward mode can cause performance degradation.
Detecting RIG attacks
• Phone conversation recorder
  - RECORD_AUDIO permission
  - READ_PHONE_STATE permission
  - MediaRecorder object
  - recording thread (AudioIn_X), observed from /proc/<pid>/task/<tid>/status
• Side-channel attacks
  - look at how frequently the app uses CPU resources
  - SR (Scheduling Rate) score
Detection evasion
• Behavior change
  - keeps a low profile before the principal shows up, acts aggressively afterwards
  - use the Pearson correlation coefficient (r)
• Collusion
  - multiple apps each play their part (mal A: RECORD_AUDIO, mal B: READ_PHONE_STATE)
  - group apps signed with the same certificate
  - detect link-installed apps
  - detect PACKAGE_ADDED and ask the user
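The following is an added example, not code from the slides or from the AppGuardian paper, sketching the three detection signals from the two slides above: a Scheduling Rate (SR) score per sampling interval, a Pearson correlation test for an app that stays quiet until the principal appears, and certificate-based grouping so that a RECORD_AUDIO app and a READ_PHONE_STATE app from the same signer are judged together. Which counter the paper derives SR from, and the thresholds used, are assumptions here; all traces and package records are constructed.

```python
"""Added example, not code from the slides or the AppGuardian paper.

Three detection signals from the slides: an SR (Scheduling Rate) score,
a Pearson-r test for apps whose activity tracks the principal's presence,
and certificate-based grouping for colluding apps. The counter behind SR
and the thresholds are assumptions; every trace below is constructed.
"""
from math import sqrt
from typing import Dict, List, Set

RECORDER_PERMS = frozenset({"RECORD_AUDIO", "READ_PHONE_STATE"})


def scheduling_rate(sched_counts: List[int], interval_s: float) -> List[float]:
    """SR per interval: how often the app was put on a CPU, per second.

    sched_counts are cumulative samples of a run counter (on Linux the third
    field of /proc/[pid]/schedstat is one such counter; assumed here, not
    the paper's exact definition).
    """
    return [(b - a) / interval_s for a, b in zip(sched_counts, sched_counts[1:])]


def pearson_r(xs: List[float], ys: List[float]) -> float:
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("series must have equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0.0 or sy == 0.0:
        return 0.0
    return cov / (sx * sy)


def classify(sched_counts: List[int], principal_active: List[int],
             interval_s: float = 1.0, sr_threshold: float = 20.0,
             r_threshold: float = 0.8) -> dict:
    """Flag an app that is busy while the principal runs, or whose activity
    rises and falls with the principal (the behaviour-change evasion)."""
    sr = scheduling_rate(sched_counts, interval_s)
    if len(sr) != len(principal_active):
        raise ValueError("need one principal_active flag per interval")
    active = [s for s, a in zip(sr, principal_active) if a]
    mean_active = sum(active) / len(active) if active else 0.0
    r = pearson_r(sr, [float(a) for a in principal_active])
    return {
        "sr": sr,
        "mean_sr_while_principal_active": mean_active,
        "r": r,
        "suspicious": mean_active > sr_threshold or r > r_threshold,
    }


def collusion_groups(apps: Dict[str, dict]) -> Dict[str, dict]:
    """Group packages by signing-certificate digest and union their permissions."""
    groups: Dict[str, dict] = {}
    for pkg, info in apps.items():
        g = groups.setdefault(info["cert"], {"packages": set(), "permissions": set()})
        g["packages"].add(pkg)
        g["permissions"].update(info["permissions"])
    return groups


def recorder_capable_groups(apps: Dict[str, dict],
                            needed: frozenset = RECORDER_PERMS) -> List[List[str]]:
    """Groups that together hold everything a call recorder needs, even if
    no single package does."""
    return [sorted(g["packages"]) for g in collusion_groups(apps).values()
            if needed <= g["permissions"]]


# Constructed traces: 13 cumulative samples at 1 s, principal in foreground
# for the last six intervals. The suspect idles (2 runs/s) until then.
PRINCIPAL_ACTIVE = [0] * 6 + [1] * 6
SUSPECT_COUNTS = [0, 2, 4, 6, 8, 10, 12, 62, 112, 162, 212, 262, 312]
BENIGN_COUNTS = [10 * i for i in range(13)]          # steady 10 runs/s

# Constructed package records: mal A and mal B share a signing certificate.
APPS = {
    "com.example.malA": {"cert": "sha256:aaaa", "permissions": {"RECORD_AUDIO"}},
    "com.example.malB": {"cert": "sha256:aaaa", "permissions": {"READ_PHONE_STATE", "INTERNET"}},
    "com.example.game": {"cert": "sha256:bbbb", "permissions": {"BLUETOOTH"}},
}

if __name__ == "__main__":
    print("suspect:", classify(SUSPECT_COUNTS, PRINCIPAL_ACTIVE))
    print("benign: ", classify(BENIGN_COUNTS, PRINCIPAL_ACTIVE))
    print("colluding groups:", recorder_capable_groups(APPS))
```

The correlation test is what catches the evasion on the slide: an app that throttles itself below the SR threshold but still switches on exactly when the principal does produces a high r, while a steady background service (constant SR) yields r = 0 and is left alone.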
Evaluation and analysis
• Effectiveness
  - defeats all 12 RIG attacks
• Utility impact and performance
  - 475 apps from 27 categories on the Play Store
• Overhead (measured on two Nexus 5 devices)
  - 5% CPU
  - 40 MB memory
  - 0.75% ~ 1.05% battery
Discussion
• Detection and Separation
• Background process protection
• Sanitization
Conclusion
• Evidence for the seriousness of the RIG threat on Android.
• An application-level protection method.
• Works effectively against all known attacks at minimal performance cost.
Future Work
• Possible side-channel attacks on iOS / watchOS