TRANSCRIPT
Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework
Yuru Shao, Jason Ott†, Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao
University of Michigan, †University of California Riverside
Security Policy Enforcement
• Security policies regulate access to
  – Sensitive data
  – System resources
  – Privileged operations
• Policies need to be correctly enforced
Inconsistencies exist
• The enforcement of a security policy on different code paths can be inconsistent
• According to the Android documentation, apps that hold a CALL_PHONE permission can end phone calls
[Figure: three code paths from TelecomService / TelephonyService into the same privileged methods:
  (1) endCall(): checks SYSTEM
  (2) endCall(): checks CALL_PHONE
  (3) onReceive(): no security check!]
Exploiting Inconsistencies
• Security implication: privilege escalation
  – Request fewer permissions
• Besides app permissions, attackers can also bypass system permissions
Inconsistent security policy enforcement
• Also found in SELinux and Xen [1]
  – Unauthorized user account access
  – Permanent data loss
• No solution for the Android framework
  – Prior work is OS specific
  – Android has no explicitly defined policies

[1] Lin Tan et al. AutoISES: Automatically Inferring Security Specification and Detecting Violations. USENIX Security 2008.
Problem statement
• Focusing on the Android framework, we answer the following question:
  – How can we systematically detect inconsistent security policy enforcement without any knowledge of the policies?
Our approach
• Discover app-accessible service interfaces that have overlaps in functionality
  – They're expected to have consistent security enforcement
• Perform a differential analysis on the security checks that two overlapping interfaces employ
Differential analysis
[Figure: storeSMS(...) and storeMMS(...) both reach storageProvider; the storeSMS(...) path passes through enforcePhone(), which requires the caller to be in {RADIO}; the storeMMS(...) path does not]
• enforcePhone() checks if the caller's UID is 1001 (RADIO)

Pruning
[Figure: the same call graph after pruning; library calls such as ContentValues.put(...) and String.equal(...) are dropped, leaving enforcePhone() as the only security check on the storeSMS(...) path]
App-accessible service interfaces
• Analysis scope: system services
  – System services perform enforcement
• Service interfaces
  – AIDL methods
  – Broadcast receivers
AIDL: Android interface definition language
[Figure: an App invokes WiFiService methods such as add and startScan over Binder IPC; WiFiService also receives broadcasts]
Security checks
• Security enforcement: a set of security checks
• We formulate four types of checks
  – Permission check
  – UID/PID check
  – Package name check
  – Thread status check
Kratos Design
[Figure: pipeline from Java class files and the relevant security check types through Pre-processing, Call Graph Construction, Call Graph Annotation and Inconsistency Detection, producing a ranked list of inconsistent security enforcement]
• Pre-processing: explore the code base to find
  – All system services & interfaces
  – Look at service registration
• Call graph construction: build a precise framework call graph
  – Points-to analysis
  – IPC shortcuts
• Call graph annotation: identify the security checks applied to each node (method)
  – 1. Permission 2. UID/PID 3. Package name 4. Thread status
• Inconsistency detection: compare the security enforcement of service interfaces if they
  – Call the same privileged methods
• Output: ranked list for manual investigation
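The pipeline above and the differential-analysis / pruning slides before it can be illustrated with a small re-implementation. The following is an added example, not the Kratos tool's own code. The call graph is constructed by hand: the interface names (endCall() in TelecomService and TelephonyService, onReceive(), storeSMS/storeMMS), the check enforcePhone() and the pruned library calls come from the slides; which of the two endCall() interfaces checks SYSTEM versus CALL_PHONE, the privileged callees endCallPrivileged() and storageProvider.insert(), and the check method names enforceSystemUid()/enforceCallPhone() are assumptions made for the example.

```python
"""Differential analysis of security checks on overlapping service interfaces.

Toy version of the Kratos stages shown on the slides: an annotated call graph,
pruning of library calls, and pairwise comparison of the checks guarding a shared
privileged method. Example code, not the Kratos tool itself.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, NamedTuple

# Constructed call graph: method -> callees in call order. A check is assumed to
# guard every call that follows it in the same method. Interface names follow the
# slides; the privileged callees and check method names are assumptions.
CALL_GRAPH: Dict[str, List[str]] = {
    "TelecomService.endCall()":     ["enforceSystemUid()", "endCallPrivileged()"],
    "TelephonyService.endCall()":   ["enforceCallPhone()", "endCallPrivileged()"],
    "TelephonyService.onReceive()": ["endCallPrivileged()"],  # broadcast path, no check
    "storeSMS(...)": ["enforcePhone()", "storageProvider.insert()"],
    "storeMMS(...)": ["ContentValues.put(...)", "String.equals(...)", "storageProvider.insert()"],
}

# Security-check methods, typed as on the "Security checks" slide: (type, what it enforces).
SECURITY_CHECKS = {
    "enforceSystemUid()": ("uid", "SYSTEM"),  # modelled as a UID check (assumption)
    "enforceCallPhone()": ("permission", "android.permission.CALL_PHONE"),
    "enforcePhone()":     ("uid", "1001 (RADIO)"),
}

PRIVILEGED = {"endCallPrivileged()", "storageProvider.insert()"}
INTERFACES = ["TelecomService.endCall()", "TelephonyService.endCall()",
              "TelephonyService.onReceive()", "storeSMS(...)", "storeMMS(...)"]
# Pruning: library calls that can neither enforce a check nor reach privileged code.
PRUNE_PREFIXES = ("java.", "ContentValues.", "String.")


def checks_on_paths(entry: str, graph=CALL_GRAPH) -> Dict[str, FrozenSet[str]]:
    """Map each privileged method reachable from `entry` to the checks guarding it.

    Only checks present on *every* path count: a check that some path skips is not
    enforced, which is exactly what the unchecked onReceive() path demonstrates."""
    guarded: Dict[str, FrozenSet[str]] = {}

    def walk(node: str, seen: FrozenSet[str], on_path: FrozenSet[str]) -> None:
        for callee in graph.get(node, []):
            if callee.startswith(PRUNE_PREFIXES) or callee in seen:
                continue
            if callee in SECURITY_CHECKS:
                on_path = on_path | {callee}  # guards the calls that follow
                continue
            if callee in PRIVILEGED:
                guarded[callee] = guarded.get(callee, on_path) & on_path
            walk(callee, seen | {callee}, on_path)

    walk(entry, frozenset([entry]), frozenset())
    return guarded


class Finding(NamedTuple):
    privileged: str
    iface_a: str
    checks_a: FrozenSet[str]
    iface_b: str
    checks_b: FrozenSet[str]
    weaker: str  # interface whose checks are a strict subset of the other's, or ""


def find_inconsistencies(interfaces=INTERFACES) -> List[Finding]:
    """Differential analysis: pair up interfaces that reach the same privileged
    method and report every pair whose check sets differ, largest gap first."""
    per_priv: Dict[str, Dict[str, FrozenSet[str]]] = defaultdict(dict)
    for iface in interfaces:
        for priv, checks in checks_on_paths(iface).items():
            per_priv[priv][iface] = checks
    findings = []
    for priv, table in per_priv.items():
        for a, b in combinations(sorted(table), 2):
            ca, cb = table[a], table[b]
            if ca == cb:
                continue
            weaker = a if ca < cb else b if cb < ca else ""
            findings.append(Finding(priv, a, ca, b, cb, weaker))
    # Ranked list for manual investigation: biggest difference in enforcement first.
    findings.sort(key=lambda f: (-len(f.checks_a ^ f.checks_b), f.privileged, f.iface_a, f.iface_b))
    return findings


def describe(checks: FrozenSet[str]) -> str:
    """Render a check set with its types, e.g. 'uid:1001 (RADIO)'."""
    return ", ".join(f"{SECURITY_CHECKS[c][0]}:{SECURITY_CHECKS[c][1]}"
                     for c in sorted(checks)) or "no check"


if __name__ == "__main__":
    for f in find_inconsistencies():
        print(f"{f.privileged}: {f.iface_a} [{describe(f.checks_a)}] vs "
              f"{f.iface_b} [{describe(f.checks_b)}]"
              + (f"  <- {f.weaker} is weaker" if f.weaker else ""))
```

Two choices in this toy matter in practice. Intersecting checks over all paths to a privileged method is what makes the broadcast receiver show up as unchecked even though the AIDL path into the same code is guarded. The ranking puts pairs whose check sets are disjoint (SYSTEM vs. CALL_PHONE) above pairs where one side is simply missing a check, because the former needs a human to decide which policy is the intended one; the real tool also has to cope with points-to over-approximation, which this hand-built graph sidesteps.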
Implementation
• Support AOSP and customized frameworks
  – Obtain Java classes from
    • Intermediate building output (AOSP)
    • Decompiled dex files (customized)
• Build a precise framework call graph
  – Points-to analysis using Spark
  – An artificial, static entry point including all app-accessible service interfaces
• Perform data flow analysis
  – Identify security check methods
  – Collect system services
Evaluation
• 6 different Android code bases
  – AOSP 4.4, 5.0, 5.1 and M Preview
  – HTC One, Samsung Galaxy Note 3
• Accuracy

Code base                        #Inconsistencies   #TP   #FP   Precision   #Exploitable
Android 4.4                                    21    16     5       76.2%              8
Android 5.0                                    61    50    11       82.0%             11
Android 5.1                                    63    49    14       77.8%             10
M Preview                                      73    58    15       79.5%              8
AT&T HTC One                                   29    20     9       69.0%              8
T-Mobile Samsung Galaxy Note 3                128   102    26       79.7%             10
False positives and exploitability
• False positives exist
  – Two interfaces are not equivalent in functionality
  – Points-to analysis produces over-approximated results
• Not all inconsistencies are exploitable
  – Difficult to construct valid arguments
  – Difficult to trigger particular privileged methods
Vulnerabilities discovered
• We found 14 vulnerabilities
• 5 out of 14 affect all code bases
• Bug reports confirmed by Google
  – Results website: http://tinyurl.com/kratos15
[Chart: the 14 vulnerabilities split into zero-days vs. previously reported or fixed]
Case study 1
• Bypass system permission to change HTTP proxy settings
[Figure: updateNetwork(conf), documented in the Android SDK, checks CHANGE_WIFI_STATE and CONNECTIVITY_INTERNAL; save(conf), hidden and undocumented, checks only CHANGE_WIFI_STATE and ACCESS_WIFI_STATE; both call addOrUpdateNetworkNative(conf)]
• CONNECTIVITY_INTERNAL is a system permission
• Allows attackers to bypass the system permission
• MITM, eavesdropping, traffic interception, ...
• Present in Android 4.4.2_r1. Fixed in Android 5.0.0_r1
Case study 2
• Send arbitrary requests to the radio hardware without any permissions
[Figure: invokeOemRilRequestRaw(r) in PhoneInterfaceManager checks CALL_PHONE before reaching the radio interfaces; sendRequestRawToRIL(r) in PhoneInterfaceManagerExt (Samsung-customized) reaches them with no security checks!]
• Allows attackers to send arbitrary requests to the radio on vulnerable Samsung phones
• Send SMS, make phone calls, ...
Other observations
• 11 vulnerable interfaces are hidden to apps
  – Not available in the Android SDK
  – Invoke using Java reflection
• AOSP frameworks
  – New system services introduce new inconsistencies, leading to new vulnerabilities
• Customized frameworks
  – Samsung added many system services
    • Introduced 2 additional vulnerabilities
    • One present in AOSP was fixed
Conclusions
• Inconsistent security policy enforcement gives rise to many vulnerabilities
• Our tool is practical and useful for AOSP, vendors, and carriers
• Our approach is general and can be applied to other systems
• To ensure system security, the implementation must faithfully realize the design

Q&A
• Thank you!