
林良軒 2014/05/26 @ Advanced Defense Lab Seminar, NCU Email : linliang258369@gmail.com

2014 Network and Distributed System Security Symposium. AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications. Mu Zhang, Heng Yin, Syracuse University.





Presentation Transcript


  1. 2014 Network and Distributed System Security Symposium. AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications. Mu Zhang, Heng Yin, Syracuse University. Presented by 林良軒, 2014/05/26 @ Advanced Defense Lab Seminar, NCU. Email: linliang258369@gmail.com

  2. Outline: Introduction; Component Hijacking Attack; Implementation; Evaluation; Conclusion; Reference

  3. Introduction. Component hijacking attack: a class of attacks that seek to gain unauthorized access (read, write, or both) to protected or private resources through exported components in vulnerable apps. Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities (CCS 2012)

  4. Ref : CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities

  5. Unauthorized access to protected resources (figure: a component hijacking attack on the Contact Manager App's Enumerator Service reaches the Contacts through the Android Framework). Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities

  6. Unauthorized access to private resources (figure: a component hijacking attack on the Contact Manager App's Setting Update Receiver, delivered through the Android Framework, reaches the app's Private Storage). Ref: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities

  7. AppSealer as a Security Service 1. No source code access 2. Vulnerability-specific patching 3. Minimal performance overhead 4. Minimal impact on usability

  8. Running example [VulActivity]: onCreate(); onStart() – getLocation(); onDestroy() – post(addr, location); getLocation() – getLastKnownLocation(), crypt(); post() – HttpURLConnection, output stream

  9. Workflow: IR Translation → Slice Computation → Patch Statement Placement → Patch Statement Optimization → Bytecode Generation

  10. Taint Slice Computation. Forward dataflow analysis: basic algorithm follows def-use chains; special considerations for static fields, instance fields, Intents, class inheritance and threads. Followed by a backward dependency analysis.

  11–16. Slice computation on the running example (figures labelled Slice 1 and Slice 2; the slide content is not in the transcript).

  17. Patch Statement Placement – Tainting Policy: directly modifies the bytecode to keep track of selected tainted information; each local variable, field, etc. has a shadow variable. Steps: creating shadow variables (local variables; static/instance fields; parameters and return value); instrumenting the source; instrumenting taint propagation; cleaning the taint; instrumenting the sink.

  18. Patch Statement Placement – Shadow Variables: 1. Local Variables

  19. Patch Statement Placement – Shadow Variables: 2. Static/Instance Fields

  20. Patch Statement Placement – Shadow Variables: 3. Parameters and Return Value


  23. Patch Statement Placement – Instrumenting Taint Propagation: 1. Simple Assignments

  24. Patch Statement Placement – Instrumenting Taint Propagation: 2. Function Calls

  25. Patch Statement Placement – Instrumenting Taint Propagation: 3. API Calls, e.g. getString(), toString(), android.widget.TextView.setText(), Vector.add(Object), android.content.ContentValues.put(String key, Byte value). Tracking references: if one reference to an object is tainted, all other references to that object must be tainted as well.


  27. Patch Statement Placement – Cleaning the Taint: to clean the taint properly, for each variable appearing in the def-use chain inside the slice we need to find all of its definitions. For each definition outside the slice, insert a statement after that definition that sets the variable's shadow to 0 (not tainted).


  29. Patch Statement Placement – Instrumenting the Sink: if the data reaching the sink is tainted by certain sources, raise a pop-up dialog asking the user for a decision: Restart or Continue.
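The slice computation of slide 10 and the shadow-variable instrumentation of slides 17–29 can be worked through end to end on a small model. The Python below is an added example, not the paper's implementation (which operates on the Soot IR of the real app): it defines a constructed three-address IR, encodes a program modelled on slide 8's VulActivity (the variable and method names, the "$s" shadow suffix, the location string and the URL are all assumptions), computes the forward taint slice through parameters and return values, places the patch statements (shadow creation, marking at the source, propagation as the OR of operand shadows, shadow parameters and a shadow return value, cleaning after a definition outside the slice, and a check before the sink), and interprets both versions to show that the original leaks, the patched version intervenes, and a clearing definition outside the slice (reset()) does not cause a false alarm.

```python
"""Toy AppSealer: taint slice computation and shadow-variable patching on a small IR.
Added example on a constructed three-address IR, not the paper's Soot-based code.
Statements: ("src", dst) ("const", dst, v) ("op", dst, [srcs]) ("call", dst, fn, [args])
("ret", var) ("sink", [args]). "this.x" names are instance fields; the shadow of v is v$s."""


class PatchIntervention(Exception):
    """Stands in for the dialog AppSealer pops up when tainted data reaches a sink."""


# Constructed program mirroring slide 8's VulActivity (all names hypothetical): the location
# read in onStart() is encrypted by crypt() and posted in onDestroy(); reset() redefines the
# field outside the slice, so the patch must clear the taint there.
PROGRAM = {
    "onStart": {"params": [], "body": [("src", "loc"), ("op", "this.location", ["loc"])]},
    "crypt": {"params": ["p0"], "body": [("const", "key", 42), ("op", "c", ["p0", "key"]), ("ret", "c")]},
    "reset": {"params": [], "body": [("const", "this.location", "")]},
    "onDestroy": {"params": [], "body": [("op", "l", ["this.location"]), ("const", "addr", "http://x.example"),
                                         ("call", "enc", "crypt", ["l"]), ("sink", ["addr", "enc"])]},
}


def key(fn, v):  # fields are shared across methods; locals belong to one method
    return v if v.startswith("this.") else f"{fn}:{v}"


def defs_taint(prog, tainted, fn, st):
    """Does this statement leave its destination tainted under the current facts?"""
    if st[0] == "op":
        return any(key(fn, r) in tainted for r in st[2])
    if st[0] == "call":  # only if the callee returns a tainted variable
        return any(key(st[2], r[1]) in tainted for r in prog[st[2]]["body"] if r[0] == "ret")
    return st[0] == "src"


def compute_slice(prog):
    """Forward def-use taint from every source to a fixpoint, through parameters and returns."""
    tainted, sl = set(), set()
    while True:
        before = (len(tainted), len(sl))
        for fn, f in prog.items():
            for i, st in enumerate(f["body"]):
                k = st[0]
                reads = st[3] if k == "call" else st[1] if k == "sink" else [st[1]] if k == "ret" else st[2] if k == "op" else []
                if k == "call":  # a tainted argument taints the callee's formal parameter
                    tainted |= {key(st[2], p) for p, a in zip(prog[st[2]]["params"], st[3]) if key(fn, a) in tainted}
                if any(key(fn, r) in tainted for r in reads) or defs_taint(prog, tainted, fn, st):
                    sl.add((fn, i))
                    if defs_taint(prog, tainted, fn, st):
                        tainted.add(key(fn, st[1]))
        if before == (len(tainted), len(sl)):
            return tainted, sl


def patch(prog, tainted, sl):
    """Patch statement placement: shadow creation, source, propagation, cleaning and sink checks."""
    out = {}
    for fn, f in prog.items():
        body = []
        for i, st in enumerate(f["body"]):
            k, in_slice = st[0], (fn, i) in sl
            if k == "sink" and in_slice:  # sink: test the shadows of its tainted arguments first
                body.append(("check", [a + "$s" for a in st[1] if key(fn, a) in tainted]))
            if k == "ret" and in_slice:  # the return value travels with its shadow
                st = ("ret", st[1], st[1] + "$s")
            if k == "call" and in_slice:  # pass shadows of tainted formals as extra arguments
                extra = [a + "$s" for p, a in zip(prog[st[2]]["params"], st[3]) if key(st[2], p) in tainted]
                st = ("call", st[1], st[2], st[3] + extra) + ((st[1] + "$s",) if defs_taint(prog, tainted, fn, st) else ())
            body.append(st)
            if k in ("src", "op", "call", "const") and key(fn, st[1]) in tainted:
                s = st[1] + "$s"
                if not defs_taint(prog, tainted, fn, st):  # definition outside the slice: clean
                    body.append(("const", s, False))
                elif k == "src":  # source: mark the shadow
                    body.append(("const", s, True))
                elif k == "op":  # assignment: OR of the operands' shadows
                    body.append(("or", s, [r + "$s" for r in st[2] if key(fn, r) in tainted]))
        out[fn] = {"params": f["params"] + [p + "$s" for p in f["params"] if key(fn, p) in tainted], "body": body}
    return out


def run(prog, fn, args=(), fields=None, log=None):
    """Interpret fn; returns (value, shadow). Sink arguments are appended to log."""
    fields, log = ({} if fields is None else fields), ([] if log is None else log)
    env = dict(zip(prog[fn]["params"], args))
    store = lambda v: fields if v.startswith("this.") else env
    get = lambda v: store(v).get(v, False if v.endswith("$s") else None)
    put = lambda v, x: store(v).__setitem__(v, x)
    for st in prog[fn]["body"]:
        k = st[0]
        if k == "src": put(st[1], "lat=24.97,lon=121.19")  # constructed sensitive value
        elif k == "const": put(st[1], st[2])
        elif k == "op": put(st[1], "|".join(str(get(r)) for r in st[2]))  # stands for any computation
        elif k == "or": put(st[1], any(get(r) for r in st[2]))
        elif k == "call":
            val, sh = run(prog, st[2], [get(a) for a in st[3]], fields, log)
            put(st[1], val)
            if len(st) == 5: put(st[4], sh)  # shadow of the return value
        elif k == "check" and any(get(s) for s in st[1]):
            raise PatchIntervention(f"tainted data reaches the sink in {fn}")
        elif k == "sink": log.append([get(a) for a in st[1]])
        elif k == "ret": return get(st[1]), (get(st[2]) if len(st) == 3 else False)
    return None, False


def trial(prog, methods):
    """Run lifecycle methods in order; returns (sink log, True if the patch intervened)."""
    fields, log = {}, []
    try:
        for m in methods:
            run(prog, m, fields=fields, log=log)
        return log, False
    except PatchIntervention:
        return log, True
```

Calling trial(PROGRAM, ["onStart", "onDestroy"]) posts the location; the same sequence on patch(PROGRAM, *compute_slice(PROGRAM)) stops at the check before the sink, where the real patch shows the Restart/Continue dialog; running reset() in between clears this.location$s, so the patched sink is reached without a prompt. The patched crypt() gains the extra parameter p0$s and returns its shadow alongside the value, which is the function-call case of slide 24; the redundant shadow statements this produces are what the optimizations of the following slides remove.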

  30–33. Patch Optimization, to reduce the number of patch statements: O1. Removing redundant BoolWrappers (copy propagation and dead-assignment elimination); O2. Removing redundant function parameters; O3. Inlining instrumentation code (inlining the body of a small function into its callers avoids the function-call overhead); O4. Soot's built-in optimizations.


  35–38. Evaluation (results slides; their content is not in the transcript).

  39. Conclusion: patches are generated automatically; shadow mechanism; optimization.
