安卓平台安全性增强 关键技术的研究

安卓平台安全性增强 关键技术的研究

2014 1 2 3 Google 2009 12 2013 7

4 Android 2012 5 Analyzing Inter-Application Communication in Android, in MobiSys11 Permission Re-Delegation: Attacks and Defenses, in USENIX Security11 Systematic Detection of Capability Leaks in Stock Android Smartphones, in NDSS12 CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities, in CCS12 DroidChecker: Analyzing Android Applications for Capability Leak, in WiSec12 Detecting Passive Content Leaks and Pollution in Android Applications, in NDSS13 The Impact of Vendor Customizations on Android Security, in CCS13 IntentFuzzer: Detecting Capability Leaks of Android Applications, in AsiaCCS14 6 2013 11 APP 2014 10

Google Play Bouncer 40% + 7 8 9

10 VetDroid Application Layer System Services Behavior Profiler Sample Apps(.apk) Application Driver Behavior Report VetDroid Sandbox Log File Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps IEEE Transactions on Information Forensics and Security, 2014

Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis ACM Conference on Computer and Communications Security 2013 11

12 android.permission.ACCESS_FINE_LOCATION, Tag: 0x4 net.maxicom.android.snake.SnakeService$1; run()V ----> android.location .LocationManager ; requestLocationUpdates (X1, X2,X3,X4) X1="gps",X2=1L,X3=250.0F,X4=0x40528310(type=net.maxicom.android.sn ake.LocationListener ) LOCATION net.maxicom.android.snake.LocationListener ; onLocationChanged (X1,X2)

X1=0x40528310(type=net.maxicom.android.snake.LocationListener ), X2=0x40527568(type=android.location .Location , tag=0x4) LOCATION java.net.URI; (X1, X2) X1=0x40529aa0(type=java.net.URI), X2="?email=%22**%40gmail.com%22&code=%***%22&time =***&lat=* *&lng=**&pro=gps&acc=0.01"(tag=0x4) android.permission.INTERNET, Tag: 0x8 LOCATION net.maxicom.android.snake.SnakeService$1$1; handleMessage()VL----> org.apache.http .impl.client.AbstractHttpClient ; execute(X1,X2,X3) X1=0x4052f008(type=org.apache.http .impl.client.DefaultHttpClient ), X2=0x4053f238(type=org.apache.http .client.methods.HttpPost ), X3=0x400210c8(type=org.apache.http .impl.client.DefaultHttpClient ) INTERNET

org.apache.harmony.luni.platform .OSNetworkSystem;writeImpl(X1,X2,X3,X4,X5) X1=0x40310548(type=org.apache.harmony.luni.platform .OSNetworkSystem, tag=0x8), X2=0x4053fd20(type=java.io.FileDescriptor),X3=0x4056ac88(type=[B, tag=0x4),X4=0x0I,X5=0x140I 13 VetDroid Application Layer System Services Behavior Profiler VetDroid Sandbox Permission Use Analysis Sample Apps(.apk) Application Driver E-PUP Identifier Behavior Report

I-PUP Tracker Log Tracer Log File 14 android.permission.ACCESS_FINE_LOCATION, Tag: 0x4 net.maxicom.android.snake.SnakeService$1; run()V ----> android.location .LocationManager ; requestLocationUpdates (X1, X2,X3,X4) X1="gps",X2=1L,X3=250.0F,X4=0x40528310(type=net.maxicom.android.sn ake.LocationListener ) LOCATION net.maxicom.android.snake.LocationListener ; onLocationChanged (X1,X2) X1=0x40528310(type=net.maxicom.android.snake.LocationListener ), X2=0x40527568(type=android.location .Location , tag=0x4) java.net.URI; (X1, X2) X1=0x40529aa0(type=java.net.URI),

X2="?email=%22**%40gmail.com%22&code=%***%22&time =***&lat=* LOCATION *&lng=**&pro=gps&acc=0.01"(tag=0x4) android.permission.INTERNET, Tag: 0x8 net.maxicom.android.snake.SnakeService$1$1; handleMessage()VL----> org.apache.http .impl.client.AbstractHttpClient ; execute(X1,X2,X3) LOCATION X1=0x4052f008(type=org.apache.http .impl.client.DefaultHttpClient ), X2=0x4053f238(type=org.apache.http .client.methods.HttpPost ), X3=0x400210c8(type=org.apache.http .impl.client.DefaultHttpClient ) INTERNET org.apache.harmony.luni.platform .OSNetworkSystem;writeImpl(X1,X2,X3,X4,X5) X1=0x40310548(type=org.apache.harmony.luni.platform .OSNetworkSystem, tag=0x8), X2=0x4053fd20(type=java.io.FileDescriptor),X3=0x4056ac88(type=[B, tag=0x4),X4=0x0I,X5=0x140I

15 1 2 - 16 Application App_1 System Service App_2 Location Manager

Service Activity Manager Service AndPermChk AndPermChk ReqSysResource ReqSysResource ReqSysResource Package Manager Service ...... AndPermChk Android Framework KerPermChk KerPermChk Network

File System Binder IPC Linux Kernel 17 Application -System Interaction Application App.getLastLocation () E-PUP: ACCESS_FINE_LOCATIO N System LocationManagerService .getLastKnownLocation () ACCESS_FINE_LOCATION Permission Checked Binder

App.getLocationProviders () Not a E-PUP LocationManagerService .getAllProviders() No Permission Checked 18 1 Callback 2 TaintDroid 19

Android 2.3/4.1 Nexus S/Prime/4 GP 20 (Genome)Genome) # 46 BaseBridge, SMSReplicator, Zitmo, Gone60

38 ADRD, YZHC, GoldDream, Pjapps, GGTracker, GingerMaster, DroidDream, DroidKungFu[1-4] 8 Zitmo, Gone60, Walkinwat 9 TapSnake, DroidDream, DroidKungFu1, Bgserv, DroidKungFu2, DroidKungFu4 43

Pjapps, Zsone, Walkinwat, RogueSPPush, GGTracker, FakePlayer, SMSReplicator 22 Zitmo, RogueSPPush, GGTracker, Zsone 21 GP TaintDroid VetDroid 135 135 7

7 17 24 0 28 IMEI #

12 3 Vserv Ads Handmark 1 Mobile Public Inner-Active Ads Wetter Ads Flurry Ads Google Ads InMobi Ads Fortumo Payments 22 VetDroid Syscall-based

CopperDroid TaintDroid/ AppIntent ProfileDroid DroidScope PermissionEventG raph VetDroid ---- -- -- --

- --- -- --

23 24 SDK 25 func_x APP_1 func_y func_a APP_2

func_c func_b SEND_SMS SEND_SMS func_d func_e SEND_SMS Android Permission System 26 SDK 27

Aurasium Dr.Andorid & Mr.Hide SEAndroid Linux FlaskDroid

CRePE, MobileIFC, DR BACA, Saint IPC Inspection TrustDroid, XManDroid Quire Aframe, AdDroid, AdSplit

28 Android Framework Policy Engine Permission Record App_1 App_2 Permission Manager 4 1 2 Context API

3 Context Builder 4 5 Policy Manager install policy extend action Security Applications Library Layer Linux Kernel 29

Binder UID 30 Binder App_ 1 App_ 2 App_ 3 User Space App_ 1 (uid: pcc) App_ 1 App_ 2 (uid: pcc) (uid: pcc)

interaction interaction Context: None Linux Kernel App_ 1 (uid, pcc) App_ 1 (uid: pcc) App_ 2 (uid: pcc) 31 policy := action := grant | deny | ... context := ... uid-context := pcc-context := | method-chain := ...

32 LocationManager.getLastKnownLocation() UID: 10053, com.snapwork.finance android.permission.ACCESS_FINE_LOCATION com.flurry.android.e-e-LL-42 com.flurry.android.e-a-VLLZ-3 com.flurry.android.v-run-V-21

Flurry SDK SnapWork 33 Android 2.3/4.1 Nexus Prime/4 34 FineDroid

(w/ context) 7718 (+0.22 7671 (-0.39 AnTutu 7701 %) %) 42.50 (-1.99 Linpack 43.36 42.60 (-1.76 %) %) CaffeineMa 8457.5 (8518 8495 (-0.27 %) rk3 0.71 %) Socket (KEP) 0.14 ms

IMEI (AEP) 0.62 ms FineDroid (w/o context) FineDroid (w/o context) 2.16 ms 2.02 ms 0.69 ms 0.06 ms FineDroid (w/ context) 2.18 ms 0.02 ms 1.09 ms 0.40 ms 35

Socket (KEP) IMEI (AEP) FineDroid (w/o policy) 2.18 ms 1.09 ms FineDroid (w/ policy) 3.06 ms 1.99 ms

0.88 ms 0.90 ms 36 public class SmsReceiverService extends Service { public int onStartCommand(Intent intent, int flags , int startId) { ... ... Message msg =mServiceHandler.obtainMessage(); msg.arg1 =startId; msg.obj =intent; mS erviceHandler.sendMessage(msg); ... ... } private final class ServiceHandler extends Handler { public void handleMessage(Message msg) { Intent intent =(Intent)msg.obj; if (intent != null) { String action =intent.getAction(); ... ... }else if (SMS_RECEIVED_ACTION.equals(action)) { handleSmsReceived(intent, error);

} ... ... } } } private void handleSmsReceived(Intent intent, int error) { SmsMessage[] msgs =Intents.getMessagesFromIntent(intent); String format =intent.getStringExtra("format"); Uri messageUri =insertMessage(this, msgs, error, format); if (messageUri != null) { long threadId =MessagingNotification .getSmsThreadId(this, messageUri); MessagingNotification.blockingUpdateNewMessageIndicator(this, threadId, false); } } } AOSP Mms WRITE_SMS 37 Mms Mms

public interface c SmsReceiverService a SmsReceiver WRITE_SMS leak b SEND_SMS leak

38 CHEX com.gmail.traveldevel.android.vlc.app2 131 com.froogloid.kring.google.zxing.client. 24 android-67 de.cellular.tagesschau-5 361 com.akbur.mathsworkout-92 2 com.appspot.swisscodemonkeys.paintfx 2 -4 com.androidfu.torrents-26 1 com.espn.score_center-141 6 com.espn.score_center-142 6

fr.pb.tvflash-9 2 hu.tagsoft.ttorrent.lite-15 8 414 2 24 361 2 2 1 6 6 2 8 414 39 40

Recently Viewed Presentations

  • Benefits of Automating Quality Management Systems in Life

    Benefits of Automating Quality Management Systems in Life

    Central repository and management system. Manage everything related to employee training. Document Control. Device Master. CAPA / NCR. Audit Mgmt. Training Mgmt. Calibration. Risk Mgmt./ ISO 14971. Complaint Handling. Supplier Mgmt.
  • o potrebuje inkluzvna kola? o je inklzia vo

    o potrebuje inkluzvna kola? o je inklzia vo

    (The Salamanca statement and framework for action on special needs education, 1994) Je škola pre všetkých? Žiak - disponuje potrebným vedomosťami a zručnosťami, dokáže sa adaptovať na prostredie školy, má podporu rodičov, nemá žiadne špecifické vzdelávacie potreby, pochádza ...
  • Explaining and Harnessing Adversarial Examples

    Explaining and Harnessing Adversarial Examples

    G, the generative model, is a multilayer perceptron with some prior input noise with tunable parameter θ. g D, the discriminative model, is a multilayer perceptron that represents the probability of some x coming from the data distribution rather than...
  • Pre-AP English II April 8, 2013- MONDAY

    Pre-AP English II April 8, 2013- MONDAY

    IDENTIFY the verbs in each sentence… then DETERMINE whether they are correct… then EDIT if necessary. The moderator asks for questions as soon as the speaker has finished. Everyone hopes the plan would work. Harry wants to show his friends...
  • Exploring the Career Aspirations of Female Doctoral Students ...

    Exploring the Career Aspirations of Female Doctoral Students ...

    Fraser (2001) "examine institutionalized patterns of cultural value for their effects on the relative standing of social actors." Recogniton . Redistribution . In contrast to identity orientated models "misrecognition is a matter of externally manifest and publicly verifiable impediments to...
  • Tenant Research for Librarians - radicalreference.info

    Tenant Research for Librarians - radicalreference.info

    Supplemented annually. Contains all statutes and administrative material in one volume, plus supplement. Available at BPL Business Library Print Resources, cont. New York Landlord v. Tenant. New York: Vendome Group, LLC. Monthly periodical. Summaries of notable landlord/tenant disputes.
  • This webinar is brought to you by: Why

    This webinar is brought to you by: Why

    Catersource has assembled hundreds of vendors that are not only catering specific but are offering amazing discounts at the show. You will actually save money by shopping at the Catersource tradeshow every year! ... PowerPoint Presentation Last modified by:
  • Curriculum Activity Risk Assessment

    Curriculum Activity Risk Assessment

    Curriculum Activity Risk Assessment (CARA) School-wide CARA process Some curriculum activities in schools are high risk. All high risk activities must be documented as a CARA record through OneSchool.