Post on 17-Aug-2015

Permission Use Analysis for Vetting Undesirable Behavior in Android Apps

Presented By

CHAITRA M (4MC11IS008)

Under the Guidance of

Mr. G.K.Sudarshan

Asst. Professor

Department of Information Science and Engineering

Malnad College Of Engineering, Hassan

Contents

Introduction

Existing system

Unique features of Android

Permission use analysis

VetDroid

Conclusion

Introduction

An Android application (app) needs user permission at install time to access resources

Apps can then use these permissions with no further restrictions

Hence, there has been an explosion of undesirable behavior in Android apps

VetDroid proposes a systematic permission use analysis technique

Existing system

Analyzes malware at the level of system calls

Sequences of system calls with arguments are translated into actions that capture the sample’s behaviors

The temporal pattern of system calls depicts the application behavior

Unique Features of Android

The existing system's approach is not readily applicable to the Android platform because of some unique features that Android possesses.

Android Framework Managed Resources

Binder Inter Process Communication(IPC)

Event Triggers

Unique Features of Android (Contd.)

Android overview

The foundation of the Android platform is the Linux kernel.

Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID)

The Linux kernel provides Android with several key security features:

A user-based permission model

Process isolation

Extensible mechanism for secure IPC

Permission use analysis

This analysis technique captures what permissions are used to access system resources and how they are used

Analyzes how these resources are further utilized by the application internally

Its effectiveness lies in identifying all the permission use points (PUPs) with accurate permission information and precisely tracking their relationships

The permission use behavior represents the extracted behaviors in terms of PUPs

Permission use analysis (Contd.)

Two kinds of permission use points in permission use behavior

Explicit Permission Use Points (E-PUP)

Implicit Permission Use Points (I-PUP)

Permission use analysis (Contd.)

Proceeds in two phases

Identifies all sensitive application-system interactions that cause permission checks (E-PUPs)

Locates all the permission-sensitive resources and tracks all the sensitive internal use points of these resources (I-PUPs)

VetDroid

VetDroid is an analysis tool for generally analyzing sensitive behaviours in Android apps

Proposes a systematic permission use analysis technique to effectively construct permission use behaviours.

VetDroid is not limited to analyzing malicious apps; it is also capable of analyzing benign apps.

Approach

Application Driver

Automatically executes the application in a sandbox

E-PUP Identifier

Invocations of Android APIs that cause permission checks

Possesses two properties: completeness and accuracy

Approach (Contd.)

I-PUP Tracker

Delivery point for each resource requested in the application

Log Tracer

Permission use behaviors are recorded with runtime information into a log file

Behavior Profiler

The log file is processed offline to construct behavior representations

E-PUP Identifier

To implement an E-PUP identifier that is both complete and accurate, a new technique is designed

E-PUP identification strategy

Identify the boundary between application code and system code, and intercept all calls to Android APIs

Monitor permission check events in the permission enforcement system during execution of the API

E-PUP Identifier (Contd.)

Acquire permission check information: judges whether a call site is an E-PUP and what permission is checked.

Android Permission Check (AndPermChk) Event

Extend the Binder driver and protocol to propagate permission check information from the service

Kernel Permission Check (KerPermChk) Event

Instrument the GID isolation logic to record the checked GID into a kernel thread-local storage

Two system calls are added to access and clear the checked GID in the kernel thread-local storage

E-PUP Identifier (Contd.)

I-PUP Tracker

Recognize Resource Delivery Point

Types of callbacks

BroadcastReceiver, PendingIntent, Listener

Monitor the APIs that register callbacks

BroadcastReceivers are declared in the app’s manifest file and registered to the system when installed

PendingIntents and Listeners are registered via specific Android APIs

I-PUP Tracker (Contd.)

Permission-Based Taint Analysis

Tag Allocation: A tag bit is allocated at each E-PUP to mark the requested resource with the corresponding permission check information

Automatic Data Tainting: Add a wrapper around each registered callback to taint the delivered protected data

Identify I-PUP: At function level, the tag for a function is calculated by a bitwise OR operation on the taint tags of its parameter values
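
The three taint-analysis steps above, modeled as a small Python simulation (an added example, not VetDroid's code and not part of the original slides). The class and function names are hypothetical, the two E-PUPs with their permissions are a constructed scenario, and passing the tag on to a function's string result is an assumption of this sketch.

```python
# Added illustration; all class and function names are hypothetical.
class Tainted(str):
    """String value carrying a permission taint tag (a bitmask)."""
    def __new__(cls, value, tag):
        obj = super().__new__(cls, value)
        obj.tag = tag
        return obj

class PermissionTaintTracker:
    def __init__(self):
        self.epups = {}  # tag bit -> (E-PUP call site, checked permission)
        self.ipups = []  # (function name, combined tag), in call order
    def allocate_tag(self, call_site, permission):  # tag allocation at an E-PUP
        bit = 1 << len(self.epups)
        self.epups[bit] = (call_site, permission)
        return bit
    def wrap_callback(self, callback, tag):  # automatic data tainting
        return lambda data: callback(Tainted(data, tag))
    def track(self, func):  # function tag = bitwise OR of parameter tags
        def wrapper(*args):
            tag = 0
            for arg in args:
                tag |= getattr(arg, "tag", 0)
            if tag:  # non-zero: the function touches protected data (I-PUP)
                self.ipups.append((func.__name__, tag))
            out = func(*args)
            # Assumption of this sketch: string results inherit the tag.
            return Tainted(out, tag) if tag and isinstance(out, str) else out
        return wrapper
    def permissions(self, tag):  # map a tag back to the permissions behind it
        return sorted(p for bit, (_, p) in self.epups.items() if tag & bit)

def run_demo():
    t = PermissionTaintTracker()
    loc_tag = t.allocate_tag("requestLocationUpdates", "ACCESS_FINE_LOCATION")
    id_tag = t.allocate_tag("getDeviceId", "READ_PHONE_STATE")
    device_id = Tainted("constructed-device-id", id_tag)  # constructed value
    @t.track
    def build_report(location, dev):
        return f"{dev}@{location}"
    @t.track
    def send_to_server(payload):
        return payload
    @t.track
    def on_location_changed(location):
        return send_to_server(build_report(location, device_id))
    t.wrap_callback(on_location_changed, loc_tag)("12.97,77.59")  # delivery
    t.track(len)("plain UI text")  # untainted call: must not be reported
    return [(name, t.permissions(tag)) for name, tag in t.ipups]
```

`run_demo()` returns the I-PUPs in call order; `build_report` and `send_to_server` each carry both permissions because the OR of their parameter tags merges the location and device-ID bits.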

Capabilities of VetDroid

Android-level Semantics

Analyze Generic Sensitive Behaviors

Analyze Internal Behaviors

Filter Irrelevant Behaviors

Conclusion

VetDroid is the first approach to perform accurate permission use analysis to vet undesirable behaviors.

To construct permission use behaviors, a systematic framework that completely identifies E-PUPs and I-PUPs with accurate permission information has been proposed

VetDroid provides a better vehicle for analyzing and examining Android apps, which brings benefits to malware analysis/detection, vulnerability analysis, and other related fields.
