From reactive toproactive mobile security
1 like299 views
The document discusses the transition from reactive to proactive mobile security in software engineering, highlighting the importance of finding and fixing vulnerabilities while also containing their effects through risk analysis. It underscores various analytical techniques such as static and dynamic analysis, along with examples of practical applications like fuzzdroid and harvester for enhanced security measures. Additionally, the document touches on legal aspects of data protection and outlines necessary improvements for Android OS to strengthen security measures.
![sources
sinks code analysis
report potential
privacy leaks
SMS/MMS Location Calendar Contact
SuSi [NDSS’14]](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-5-320.jpg)
![sources
sinks code analysis
report potential
privacy leaks
SMS/MMS Bluetooth NFC Email Internet
SuSi [NDSS’14]
•Found that many previous
lists missed 90% of sources
and sinks
•Also found that definition of
sources/sinks is not trivial](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-6-320.jpg)
![sources
sinks code analysis
report potential
privacy leaks
FlowDroid[PLDI’14]](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-7-320.jpg)
![sources
sinks code analysis
report potential
privacy leaks
ICCTA[ICSE’15]](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-8-320.jpg)
![sources
sinks code analysis
report potential
privacy leaks
StubDroid[ICSE’16]](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-9-320.jpg)
![sources
sinks code analysis
report potential
privacy leaks
StubDroid[ICSE’16]](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-10-320.jpg)
![sources
sinks code analysis
report potential
privacy leaks
StubDroid[ICSE’16]
StubDroid
data-flow
summaries
parameters
and field reads
parameters
and field writes](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-11-320.jpg)
![12
Harvester
sendTextMessage(num, text)
Class.forName(className)
sendTextMessage(“004242“, “loc_Other“)
sendTextMessage(“008888“, “loc_US“)
Class.forName(“SmsManager“)
Harvester[NDSS’16]](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-12-320.jpg)
![Even works for…
18
public static void gdadbjrj(String paramString1,
String paramString2) throws Exception{
// Get class instance
Class clz = Class.forName(
gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af") );
Object localObject = clz.getMethod(
gdadbjrj.gdadbjrj("]a9maFVM.9")).invoke(null);
// Get method name
String s = gdadbjrj.gdadbjrj(“BaRIta*9caBBV]a");
// Build parameter list
Class c = Class.forName(
gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
Class[] arr = new Class[] {
nglpsq.cbhgc, nglpsq.cbhgc, nglpsq.cbhgc, c, c };
// Get method and invoke it
clz.getMethod(s, arr).invoke(localObject, paramString1,
null, paramString2, null, null);
}
SmsManager.sendTextMessage(...)](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-18-320.jpg)
![Harvester enables de-obfuscation
19
Class c = Class.forName(gdadbjrj.gdadbjrj(„VRIf3+InVTTnSaRI+R]KR9aR9“));
...
Class c = Class.forName("SmsManager");
...
SmsManager.sendTextMessage(a, b, c, d, e);SmsManager
...](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-19-320.jpg)
![SOFTWARE ENGINEERING
GROUP
SECURE20
FuzzDroid
Code
target
send premium
SMS msg.
Environment that
provably reaches target
• DeviceID: 12345
• Incoming SMS:
“startAttack”
FuzzDroid [ICSE 2017]
Slides on FuzzDroid courtesy of Michael Pradel](https://image.slidesharecdn.com/20170523-mobilesoft-fromreactivetoproactivemobilesecurity-170526081440/85/From-reactive-toproactive-mobile-security-20-320.jpg)
From reactive toproactive mobile security
- 1. SOFTWARE ENGINEERING GROUP SECURE From reactive to proactive mobile security Eric Bodden with Siegfried Rasthofer, Steven Arzt, Marc Miltenberger and Michael Pradel
- 2. SOFTWARE ENGINEERING GROUP SECURE2 reactive security proactive security •Find vulnerabilities •React to disclosures •Fix vulnerabilities •Static analysis •Dynamic analysis •Bug bounty •… •Accept that vulnerabilities are a part of life •Proactively contain their effect •Proactively reason about those effects (risk analysis) •Principle of least privilege •Distrustful decomposition
- 3. SOFTWARE ENGINEERING GROUP SECURE Past work on Android analysis 3 Soot FlowDroid StubDroidSuSi Custom Analysis HarvesterFuzzDroid ICCTA see invited paper in proceedings!
- 4. sources sinks code analysis report potential privacy leaks
- 5. sources sinks code analysis report potential privacy leaks SMS/MMS Location Calendar Contact SuSi [NDSS’14]
- 6. sources sinks code analysis report potential privacy leaks SMS/MMS Bluetooth NFC Email Internet SuSi [NDSS’14] •Found that many previous lists missed 90% of sources and sinks •Also found that definition of sources/sinks is not trivial
- 7. sources sinks code analysis report potential privacy leaks FlowDroid[PLDI’14]
- 8. sources sinks code analysis report potential privacy leaks ICCTA[ICSE’15]
- 9. sources sinks code analysis report potential privacy leaks StubDroid[ICSE’16]
- 10. sources sinks code analysis report potential privacy leaks StubDroid[ICSE’16]
- 11. sources sinks code analysis report potential privacy leaks StubDroid[ICSE’16] StubDroid data-flow summaries parameters and field reads parameters and field writes
- 12. 12 Harvester sendTextMessage(num, text) Class.forName(className) sendTextMessage(“004242“, “loc_Other“) sendTextMessage(“008888“, “loc_US“) Class.forName(“SmsManager“) Harvester[NDSS’16]
- 17. 17 nr = "00" nr += "4242" nr += "8888" Log(nr, msg) if(EXECUTOR_1) sendTextMessage(nr, msg) main() { Callee1(false); Callee1(true); } Callee1(boolean EXECUTOR_1) { } msg = AES.decrypt("1234","fri$ds&S") Step 2: concrete dynamic execution (not symbolic nor concolic)
- 18. Even works for… 18 public static void gdadbjrj(String paramString1, String paramString2) throws Exception{ // Get class instance Class clz = Class.forName( gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af") ); Object localObject = clz.getMethod( gdadbjrj.gdadbjrj("]a9maFVM.9")).invoke(null); // Get method name String s = gdadbjrj.gdadbjrj(“BaRIta*9caBBV]a"); // Build parameter list Class c = Class.forName( gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9")); Class[] arr = new Class[] { nglpsq.cbhgc, nglpsq.cbhgc, nglpsq.cbhgc, c, c }; // Get method and invoke it clz.getMethod(s, arr).invoke(localObject, paramString1, null, paramString2, null, null); } SmsManager.sendTextMessage(...)
- 19. Harvester enables de-obfuscation 19 Class c = Class.forName(gdadbjrj.gdadbjrj(„VRIf3+InVTTnSaRI+R]KR9aR9“)); ... Class c = Class.forName("SmsManager"); ... SmsManager.sendTextMessage(a, b, c, d, e);SmsManager ...
- 20. SOFTWARE ENGINEERING GROUP SECURE20 FuzzDroid Code target send premium SMS msg. Environment that provably reaches target • DeviceID: 12345 • Incoming SMS: “startAttack” FuzzDroid [ICSE 2017] Slides on FuzzDroid courtesy of Michael Pradel
- 21. SOFTWARE ENGINEERING GROUP SECURE FuzzDroid - Algorithm Repeat until code target reached • Static pre-analysis • Execute in controlled environment Intercept and modify environment values Record trace • Refine environment 21 • DeviceID: 00000 1st environment: Miss most code
- 22. SOFTWARE ENGINEERING GROUP SECURE FuzzDroid - Algorithm Repeat until code target reached • Static pre-analysis • Execute in controlled environment Intercept and modify environment values Record trace • Refine environment 22 • DeviceID: 12345 • SMS: “” 2nd environment: Miss code targetReach reading of SMS
- 23. SOFTWARE ENGINEERING GROUP SECURE FuzzDroid - Algorithm Repeat until code target reached • Static pre-analysis • Execute in controlled environment Intercept and modify environment values Record trace • Refine environment 23 • DeviceID: 12345 • SMS: “startAttack” 3rd environment: Reach code target
- 24. SOFTWARE ENGINEERING GROUP SECURE Extensible set of value providers 24 t inference Application + Target Locations + Fuzzed APIs Fuzzing Framework Constant Value Provider Symbolic Value Provider File Value Provider ... Environment to reach target location Figure 12: Overview of the FuzzDroid approach p checks whether the user’s network operator is part of a pre-defined list of (lines 13 to 28). This kind of technique is usually used in cases of targeted where only specific users are attacked, e.g., only users located in a certain DeviceID: 12345 SMS: “startAttack”
- 25. SOFTWARE ENGINEERING GROUP SECURE Example Malware: Commerzbank Phishing App 25 FuzzDroid circumvents integrity check and makes malware believe that Commerzbank Banking App was started
- 26. SOFTWARE ENGINEERING GROUP SECURE26 SuSi FuzzDroid FlowDroid ICCTA Harvester StubDroid Sources/Sinks Sources/Sinks Sources/Sinks Flows Summaries Flows Flows ValuesValues Static Analysis Hybrid Analysis
- 27. SOFTWARE ENGINEERING GROUP SECURE Further Reading 27 + Ph.D. theses by Siegfried Rasthofer & Steven Arzt all available at: http://bodden.de/pubs Our paper in the proceedings
- 28. SOFTWARE ENGINEERING GROUP SECURE28 reactive security proactive security •Find vulnerabilities •React to disclosures •Fix vulnerabilities •Static analysis •Dynamic analysis •Bug bounty •… •Accept that vulnerabilities are a part of life •Proactively contain their effect •Proactively reason about those effects (risk analysis) •Principle of least privilege •Distrustful decomposition
- 29. SOFTWARE ENGINEERING GROUP SECURE StagefrightVulnerability • Buffer overflow in video transcoding function that produces a preview thumbnail on Android text messages • Send a crafted video to a phone arbitrary code execution 29 • Process listening to text messages requires root privileges • Process for producing thumbnails also ran as root • Ergo:Arbitrary code execution as root!
- 30. SOFTWARE ENGINEERING GROUP SECURE30 what if vulnerable? what if malicious? Problem grows large very quickly!
- 31. SOFTWARE ENGINEERING GROUP SECURE Other problem: data protection • German law prohibits any usage of personal data without explicit (!) consent • Purpose of usage must be clear, and must be clearly related to the customer’s business • Hence: current data-sharing practices used by most ad frameworks are illegal in Germany • Will become illegal EU-wide on May 25th, 2018 31
- 32. SOFTWARE ENGINEERING GROUP SECURE32 Problem: Currently single protection domain Solution 1: Solution 2: In-process solution Multi-process solution
- 33. SOFTWARE ENGINEERING GROUP SECURE In-process solution • Advantage: still one process per app, no need for IPC with libs • Drawback: weak isolation • Could allow for permission assignment to individual libraries • Possible implementation: piggyback on Java security manager if it only were available (it’s not) 33
- 34. SOFTWARE ENGINEERING GROUP SECURE Multi-process solution • Advantages: strong process isolation Permission assignment to individual libraries could probably be done through standard Android means • Drawback: libraries must communicate with app via IPC • Tool support could alleviate this problem 34
- 35. SOFTWARE ENGINEERING GROUP SECURE What will this take? • Changes to the Android OS • Developer support: must be able to master permission assignment to libraries • Usability research: Do we want to show library permissions to users? Do we want to allow them to even change them? • App-store support: Can one use additional permission info during triaging? 35
- 37. Prof. Dr. Eric Bodden Chair for Software Engineering Heinz Nixdorf Institut Zukunftsmeile 1 33102 Paderborn Telefon: +49 5251 60-3313 eric.bodden@uni-paderborn.de https://www.hni.uni-paderborn.de/swt/ https://blogs.uni-paderborn.de/sse/ SOFTWARE ENGINEERING GROUP SECURE37