Kratos:DiscoveringInconsistentSecurityPolicyEnforcementintheAndroidFramework

YuruShao,JasonOtt†,QiAlfredChen,ZhiyunQian†,Z.MorleyMao

UniversityofMichigan,†UniversityofCaliforniaRiverside

1

SecurityPolicyEnforcement

• Securitypoliciesregulateaccessto– Sensitivedata– Systemresources– Privilegedoperations

• Policiesneedtobecorrectlyenforced

2

Inconsistenciesexist

3

TelecomService TelephonyService

(2)endCall()

CheckCALL_PHONE

PrivilegedMethods

Theenforcementofasecuritypolicyondifferentcodepathscanbeinconsistent

(3)onReceive()

Nosecuritycheck!

• AccordingtotheAndroiddocumentation– appsthatholdaCALL_PHONE permission canendphonecalls

(1)endCall()

CheckSYSTEM

Securityimplication

• Privilegeescalation

4

Requestfewerpermissions.

ExploitingInconsistencies

Securityimplication

• Privilegeescalation

5

Requestfewerpermissions.

ExploitingInconsistenciesBesidesapppermissions,attackerscanalso

bypasssystempermissions

Inconsistentsecuritypolicyenforcement

• AlsofoundinSELinux andXen1– Unauthorizeduseraccountaccess– Permanentdataloss

• NosolutionfortheAndroidframework– PriorworkisOSspecific– Androidhasnoexplicitlydefinedpolicies

6

[1]LinTanetal.AutoISES:Automatically InferringSecuritySpecification andDetectingViolations. USENIXSecurity2008.

Problemstatement

• FocusingontheAndroidframework,weanswerthefollowingquestion:– Howcanwesystematicallydetectinconsistentsecuritypolicyenforcementwithoutanyknowledgeofthepolicies?

7

Ourapproach

• Discoverapp-accessibleserviceinterfaces thathaveoverlapsinfunctionality– They’reexpectedtohaveconsistentsecurityenforcement

• Performadifferentialanalysis onsecuritychecksthattwooverlappinginterfacesemploy

8

Differentialanalysis

storeSMS(...) storeMMS(...)

...…

storageProvider

enforcePhone()

{RADIO} �

enforcePhone() checksifthecaller’sUIDis1001(RADIO)9

Pruning

storeSMS(...) storeMMS(...)

...…

storageProvider

ContentValues.put(...) String.equal(...)

{RADIO} �

enforcePhone() checksifthecaller’sUIDis1001(RADIO)10

enforcePhone()

App-accessibleserviceinterfaces

• Analysisscope:systemservices– Systemservicesperformenforcement

• Serviceinterfaces– AIDLmethods– Broadcastreceivers

AIDL:Androidinterfacedefinitionlanguage

Binder IPCadd

startScan...

addstartScan...

App WiFiService

11

broadcasts

Securitychecks

• Securityenforcement:asetofsecuritychecks• Weformulatefourtypesofchecks

– Permissioncheck– UID/PIDcheck– Packagenamecheck– Threadstatuscheck

12

KratosDesign

JavaClassFiles

RelevantSecurity

CheckTypes

Pre-processing

CallGraphConstruction

CallGraphAnnotation

InconsistencyDetection

InconsistentSecurity

Enforcement

Explorethecodebase tofind• Allsystem services&interfaces• Lookatserviceregistration

Buildapreciseframeworkcallgraph• Points-toanalysis• IPCshortcuts

Identifysecuritychecksapplied toeachnode(method)

Comparesecurityenforcement ofservice interfaces ifthey• Call thesameprivilegedmethods

1. Permission2. UID/PID3. Packagename4. Threadstatus

Ranked list formanualinvestigation13

Implementation• SupportAOSPandcustomizedframeworks

– ObtainJavaclassesfrom• Intermediatebuildingoutput(AOSP)• Decompileddex files(customized)

• Buildapreciseframeworkcallgraph– Points-toanalysisusingSpark– Anartificial,staticentrypointincludingallapp-accessibleserviceinterfaces

• Performdataflowanalysis– Identifysecuritycheckmethods– Collectsystemservices

14

Evaluation• 6differentAndroidcodebases

– AOSP4.4,5.0,5.1andMPreview– HTCOne,SamsungGalaxyNote3

• Accuracy

15

Codebase #Inconsistencies #TP #FP Precision #Exploitable

Android4.4 21 16 5 76.2% 8Android5.0 61 50 11 82.0% 11Android5.1 63 49 14 77.8% 10MPreview 73 58 15 79.5% 8

AT&THTCOne 29 20 9 69.0% 8T-Mobile

SamsungGalaxyNote3

128 102 26 79.7% 10

Falsepositiveandexploitability

• Falsepositivesexist– Twointerfacesarenotequivalentinfunctionality– Points-toanalysisproducesover-approximatedresults

• Notallinconsistenciesareexploitable– Difficulttoconstructvalidarguments– Difficulttotriggerparticularprivilegedmethods

16

Vulnerabilitiesdiscovered

• Wefound14vulnerabilities

• 5outof14affectallcodebases• BugreportsconfirmedbyGoogle

– Resultswebsite:http://tinyurl.com/kratos1517

Zero-days

Previouslyreportedorfixed

Casestudy1

• BypasssystempermissiontochangeHTTPproxysettings

18

udpateNetwork(conf) save(conf)

CheckCHANGE_WIFI_STATE

CONNECTIVITY_INTERNAL

addOrUpdateNetworkNative(conf)

CheckCHANGE_WIFI_STATEACCESS_WIFI_STATE

Documented inAndroidSDK Hidden,undocumented

• Allowsattackerstobypassthesystempermission• MITM,eavesdropping,trafficinterception,…

CONNECTIVITY_INTERNALisasystempermission

4.4.2_r1.Fixed inAndroid5.0.0_r1

Casestudy2

• Sendarbitraryrequeststotheradiohardwarewithoutanypermissions

19

invokeOemRilRequestRaw(r)sendRequestRawToRIL(r)

PhoneInterfaceManager PhoneInterfaceManagerExt(Samsung-customized)

CheckCALL_PHONE

Radio Interfaces

Nosecuritychecks!

• AllowsattackerstosendarbitraryrequeststoradioonvulnerableSamsungphones

• SendSMS,makephonecalls,…

Otherobservations

• 11vulnerableinterfacesarehidden toapps– NotavailableintheAndroidSDK– InvokeusingJavareflection

• AOSPframeworks– Newsystemservicesintroducenewinconsistencies,leadingtonewvulnerabilities

• Customizedframeworks– Samsungaddedmanysystemservices

• Introduced2additionalvulnerabilities• OnepresentinAOSPwasfixed

20

Conclusions

• Inconsistentsecuritypolicyenforcementgivesrisetomanyvulnerabilities

• OurtoolispracticalandusefulforAOSP,vendors,andcarriers

• Ourapproachisgeneralandcanbeappliedtoothersystems

• Toensuresystemsecurity,theimplementationmustfaithfullyrealizethedesign

21

Q&A

• Thankyou!

22