Leave me alone: App-level Protection Against Runtime Information Gathering on Android (Master's program, 29th cohort, 박준영)


Page 1: Leave me alone; app level protection against runtime information gathering on android

Leave me alone: App-level Protection Against Runtime Information Gathering on Android (Master's program, 29th cohort, 박준영)

Page 2

Contents

• View Point

• Challenges

• RIG (Runtime Information Gathering) attacks

• /proc?

• Attacking NetCam (Video)

• AppGuardian Architecture

• Audio Recording Attack (Video)

• Detection Methods

• Evaluation & Analysis

• Discussion / Conclusion

• Protecting NetCam (Video)

• Future Works

Page 3

View Point

• RIG (Runtime Information Gathering)

• Protection against RIG

• Implementation and Evaluation

Page 4

Challenges

• Increasing amounts of malware

• Tightening access control causes compatibility issues

• OS-level solutions are painful to deploy (in the Android OS ecosystem)

Page 5

RIG Attacks

• The scope of Android permissions is too vague.

• By periodically reading the shared runtime information in /proc, it is possible to extract meaningful data.


Page 7

Android Permission Issues

• A voice recorder app can tape any phone conversation.

• A game app with the Bluetooth permission can also download patient data from a Bluetooth glucose meter.

Page 8

/proc/stat

• cpuN (6*n + 7 stats)

• user: normal processes executing in user mode

• nice: niced processes executing in user mode

• system: processes executing in kernel mode

• idle: twiddling thumbs

• iowait: waiting for I/O to complete

• irq: servicing interrupts

• intr: counts of interrupts serviced since boot time.

• ctxt: total number of context switches across all CPUs.

• btime: the time at which the system booted, in seconds since the Unix epoch.

• processes: the number of processes and threads created.

• procs_running: the number of processes currently running on CPUs.

• procs_blocked: the number of processes currently blocked, waiting for I/O to complete.

• softirq: servicing softirqs

Page 9

/proc/[pid]/stat (44 stats in total)

• pid: process ID

• comm

• state: state of the process (running, sleeping, zombie, ...)

• ppid / pgrp / session / tty_nr / tpgid

• flags / minflt / cminflt / majflt / cmajflt

• utime: amount of time that this process has been scheduled in user mode

• stime: amount of time that this process has been scheduled in kernel mode

• cutime / cstime / priority / nice / num_threads / itrealvalue

• starttime: the time the process started after system boot.

• vsize: virtual memory size in bytes.

• rss / rsslim / startcode / endcode / startstack

• kstkesp / kstkeip / signal / blocked / sigignore

• sigcatch / wchan / nswap / cnswap / exit_signal / processor

• rt_priority / policy / delayacct_blkio_ticks / guest_time / cguest_time

Page 10

/proc/uid_stat/<uid>/tcp_rcv

TCP packets received by uid 1013

Page 11

Playing with stats information

• Identify the web page the user visits by the browser's memory footprint.

• Detect the Twitter account by monitoring tcp_snd / tcp_rcv.

• The driving route can be determined by looking at the speaker's status (on / off).

None of this requires any permissions!

Page 12

AppGuardian architecture

• Information gathering

- Permissions, side channels

• Install-time / run-time features

• Report suspicious apps

• Kill the suspicious app

• When the principal finishes, resume the suspicious app

Page 13

AppGuardian architecture (permissions used)

• KILL_BACKGROUND_PROCESSES

• SYSTEM_ALERT_WINDOW

• INTERNET

• GET_TASKS

• BIND_NOTIFICATION_LISTENER_SERVICE

Page 14

Monitoring

• Package names, permissions, ...

• action.PACKAGE_ADDED

• proc files, recording thread, ...

Page 15

Entering the ward

• KILL_BACKGROUND_PROCESSES

• WARD MODE

• BACKGROUND APPS

Page 16

Entering the ward

• oom_adj score (-17 ~ 15)

• (typically) 9 2

Page 17

Exiting the ward

• WARD MODE

• BACKGROUND APPS: HOME - WAIT - KILL

Page 18

Restart vs Switch

Unconditional ward mode can cause performance degradation.

Page 19

Detecting RIG attacks

• Phone conversation recorder

- RECORD_AUDIO permission

- READ_PHONE_STATE permission

- MediaRecorder object

- AudioIn X

• Observed from /proc/<pid>/task/<tid>/status

• Side-channel attacks

- look at how frequently the app uses CPU resources

- SR (Scheduling Rate) score

Page 20

Detection avoidance

• Behavior change

- keeps a low profile before the principal shows up, acts aggressively afterwards

- use the Pearson correlation coefficient (r)

• Collusion

- multiple apps each play their own part (mal A: RECORD_AUDIO, mal B: READ_PHONE_STATE)

- group apps signed with the same certificate

- detect link-installed apps

- detect PACKAGE_ADDED and ask the user
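The two detection ideas on the previous slides (the CPU-based SR score and the Pearson correlation used to catch an app that changes behaviour once the principal runs) combined into one small detector. This is an added example, not AppGuardian's own code: the /proc/<pid>/stat samples are constructed, and "ticks consumed per window" is assumed as an approximation of the SR score, which the slides do not define precisely.

```python
import math

def make_stat(utime, stime):
    """Build a 44-field /proc/<pid>/stat line (constructed sample, not real data)."""
    head = "4242 (com.example.bg) S 1 4242 0 0 -1 1077952832 900 0 0 0"
    tail = " ".join(["0"] * 29)          # fields 16..44, not needed here
    return f"{head} {utime} {stime} {tail}"

# One sample per one-second window for a background app that idles until the
# principal (e.g. a phone-call app) comes to the foreground, then burns CPU.
SAMPLES = [make_stat(u, s) for u, s in
           [(10, 5), (11, 5), (12, 6), (13, 6), (30, 20), (48, 35), (66, 50), (84, 65)]]
# Whether the principal was in the foreground during each of the 7 intervals.
PRINCIPAL_ACTIVE = [0, 0, 0, 1, 1, 1, 1]

def cpu_ticks(stat_line):
    """Return utime + stime (fields 14 and 15) from a /proc/<pid>/stat line.
    comm is wrapped in parentheses and may contain spaces, so split after ')'."""
    rest = stat_line[stat_line.rindex(")") + 2:]
    fields = rest.split()                       # fields[0] is 'state' (field 3)
    return int(fields[11]) + int(fields[12])    # utime, stime

def scheduling_rates(samples):
    """Ticks consumed per sampling window (assumed stand-in for the SR score)."""
    ticks = [cpu_ticks(s) for s in samples]
    return [b - a for a, b in zip(ticks, ticks[1:])]

def pearson(xs, ys):
    """Pearson correlation coefficient r between two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def behavior_change(samples, principal_active, threshold=0.8):
    """Flag an app whose CPU use tracks the principal's presence: returns (r, suspicious)."""
    r = pearson(principal_active, scheduling_rates(samples))
    return r, r >= threshold

if __name__ == "__main__":
    r, flagged = behavior_change(SAMPLES, PRINCIPAL_ACTIVE)
    print(f"rates={scheduling_rates(SAMPLES)} r={r:.3f} suspicious={flagged}")
```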

Page 21

Evaluation and analysis

• Effectiveness

- Defeats all 12 RIG attacks

Page 22

Evaluation and analysis

• Utility impacts and performance

- 475 apps from 27 categories on the Play Store

Page 23

Evaluation and analysis

• Overhead

- on two Nexus 5 devices

- 5% CPU resources

- 40MB memory

- 0.75% ~ 1.05% battery

Page 24

Discussion

• Detection and Separation

• Background process protection

• Sanitization

Page 25

Conclusion

• Evidence for the seriousness of the RIG threat on Android.

• An application-level protection method.

• Works effectively against all known attacks at minimal performance cost.

Page 26

Future Works

• Possible side-channel attacks on iOS / watchOS