paranoid android: versatile protection for smartphones

Georgios Portokalidis (Columbia University), Philip Homburg (Vrije Universiteit), Kostas Anagnostakis (Niometrics R&D), Herbert Bos (Vrije Universiteit)
2010/11/30


TRANSCRIPT

Page 1: Paranoid Android: Versatile Protection For  Smartphones

PARANOID ANDROID: VERSATILE PROTECTION FOR SMARTPHONES

Georgios Portokalidis, Columbia University
Philip Homburg, Vrije Universiteit
Kostas Anagnostakis, Niometrics R&D
Herbert Bos, Vrije Universiteit

Page 2: Paranoid Android: Versatile Protection For  Smartphones

Paranoid Android?

Click this album to play this song …

Page 3: Paranoid Android: Versatile Protection For  Smartphones

Outline

- Introduction
- Architecture
- Implementation
- Evaluation
- Related Work
- Conclusion

Page 4: Paranoid Android: Versatile Protection For  Smartphones

Introduction

- Recently, the iPhone and Android platforms have been shown to be susceptible to remote exploits
- Obama's BlackBerry

Page 5: Paranoid Android: Versatile Protection For  Smartphones

Introduction

- Using a file scanner or antivirus, like ClamAV
  - Time-consuming (30 minutes)
  - Battery problem (2% battery capacity)
  - Is 11.8x slower than running it on a single-core VM
- We argue for a different security model that completely devolves attack detection from the phone
- Key: Cloud!

Page 6: Paranoid Android: Versatile Protection For  Smartphones

Introduction

- Antivirus file scanning
  - Zero-days? Remote exploits? Memory-resident attacks?
- Smartphone APIs
  - Android: Java Dalvik VM
  - But also provide native APIs
  - May be vulnerable to these attacks

Page 7: Paranoid Android: Versatile Protection For  Smartphones

Introduction

Contributions:
- Multiple security checks simultaneously without overburdening the device
- Execution recording and replaying framework for Android
- Transparent backup of all user data in the cloud
- Replication mechanism
- Application transparent recording and replaying

Page 8: Paranoid Android: Versatile Protection For  Smartphones

Architecture

- Tracer
  - Records all info needed to accurately replay its execution
- Replayer
  - Receives the trace and faithfully replays the execution within the emulator
- Proxy
  - Intercepts and temporarily stores inbound traffic
  - The replayer can access the proxy to retrieve the data needed for replaying

Page 9: Paranoid Android: Versatile Protection For  Smartphones

Architecture

Page 10: Paranoid Android: Versatile Protection For  Smartphones

Architecture

Assumptions
- The replay server will not be compromised
- Attackers cannot break the encryption
- The device is able to contact the server safely, to create an initial replica, and set up the tracer
- The servers have out-of-band channels to notify users about problems and a way to restore the image

Page 11: Paranoid Android: Versatile Protection For  Smartphones

Architecture

Tracer
- Nondeterministic inputs and events
  - Mostly pass through the system calls
- Record all data transferred from kernel to user space through system calls

Page 12: Paranoid Android: Versatile Protection For  Smartphones

Architecture

Replayer
- Use the recorded values when replaying the system calls on replica
- Including IPC using system calls
- Only replay process and not kernel execution
  - May not be able to detect an attack against the kernel
  - But most kernel vulnerabilities are only exploitable locally
- Shared memory: repeatable deterministic task scheduler

Page 13: Paranoid Android: Versatile Protection For  Smartphones

Architecture

Synchronisation
- Loose Synchronisation
  - Transmit the trace only when the device is awake and connected to the Internet
  - User is most likely to be attacked while surfing the web
- Support extremely loose synchronisation
  - Only sync when recharging

Page 14: Paranoid Android: Versatile Protection For  Smartphones

Architecture

Synchronisation: Tamper-Evident Secure Storage
- HMAC: Hash-based Message Authentication Code
  - HMAC = Hash(K xor opad, Hash(K xor ipad, text))
- Storing an entry:
    STORE(message + HMAC(key, message))
    key' = Hash(key)
    key = key'
- If sync error, the device is treated as potentially compromised
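The store-then-rehash scheme on this slide, as an added Python example (not code from the presentation or the Paranoid Android authors). SHA-256 as the "Hash", the names `DeviceLog`, `evolve`, `tag`, `verify` and `demo`, and the log entries are assumptions made for illustration; it shows why records written before a compromise cannot be rewritten or dropped without the server noticing.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # assumption: SHA-256 as "Hash"

def evolve(key: bytes) -> bytes:
    """key' = Hash(key): one-way, so earlier keys cannot be recomputed."""
    return hashlib.sha256(key).digest()

def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

class DeviceLog:
    """Device side: STORE(message + HMAC(key, message)); key = Hash(key)."""

    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.records = []  # stands in for trace storage awaiting sync

    def store(self, message: bytes) -> None:
        self.records.append(message + tag(self.key, message))
        self.key = evolve(self.key)  # the key just used is overwritten

def verify(initial_key: bytes, records) -> int:
    """Server side: index of the first record that fails, or -1 if none."""
    key = initial_key
    for i, rec in enumerate(records):
        message, mac = rec[:-TAG_LEN], rec[-TAG_LEN:]
        if not hmac.compare_digest(mac, tag(key, message)):
            return i
        key = evolve(key)
    return -1

def demo():
    k0 = b"constructed-shared-secret"  # set up while the device is trusted
    log = DeviceLog(k0)
    for m in (b"read fd=3 len=512", b"recv fd=7 len=1460",
              b"gettimeofday", b"read fd=3 len=64"):  # constructed entries
        log.store(m)
    intact = verify(k0, log.records)
    # Tampering after the fact: only the current key (k4) is on the device.
    rewritten = list(log.records)
    rewritten[1] = b"recv fd=7 len=0" + tag(log.key, b"recv fd=7 len=0")
    dropped = log.records[:1] + log.records[2:]
    return intact, verify(k0, rewritten), verify(k0, dropped)
```

`demo()` returns the verification result for the intact log, for a log with record 1 rewritten under the current key, and for a log with record 1 removed; both tampered logs fail at index 1, which is the "sync error" case the slide treats as a potential compromise.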

Page 15: Paranoid Android: Versatile Protection For  Smartphones

Architecture

Security Methods
- Dynamic analysis in emulator
- Antivirus software
- Memory scan
- System call detection

P.S. Only the first two are implemented

Page 16: Paranoid Android: Versatile Protection For  Smartphones

Architecture

- Proxy and Server Location
- User Notification and Recovery
- Handling Data Generated On the Device
  - Bulk downloads
  - Incremental downloads

Page 17: Paranoid Android: Versatile Protection For  Smartphones

Implementation

- Need a new boot image!
- Linux ptrace
  - PTRACE_SYSCALL

Page 18: Paranoid Android: Versatile Protection For  Smartphones

Implementation

Starting The Tracer
- Init starts tracer first
- Next, init starts the exec stubs
- The stub writes its pid to tracer's FIFO and pauses
- Then tracer attaches to the process, and continues the stub
- Exec

Page 19: Paranoid Android: Versatile Protection For  Smartphones

Implementation

Scheduling And Shared Memory
- User space scheduler
- Ensuring no two threads that share a memory object can ever run concurrently
- Triggered by system call
- Spinlock and mutexes
- Future work
  - CREW protocol (concurrent-read-exclusive-write)
  - To track all reads from memory

Page 20: Paranoid Android: Versatile Protection For  Smartphones

Implementation

Ioctls
- An interface between user and kernel space
- /dev/binder
- Handles about 200 ioctl commands

Page 21: Paranoid Android: Versatile Protection For  Smartphones

Implementation

Execution Trace Compression
- Record only system calls that introduce nondeterminism
- Use a network proxy so that inbound data are not logged in the trace
- Compress data using three algorithms
  - Delta encoding
  - Huffman encoding
  - DEFLATE algorithm (gzip)
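The delta-encoding and DEFLATE steps listed on this slide, as an added Python example (not code from the presentation or the Paranoid Android authors). The trace values are constructed timestamps of the kind a clock-reading system call returns, and the fixed 64-bit record layout is an assumption; the separate Huffman stage is not shown, since DEFLATE already includes Huffman coding.

```python
import struct
import zlib

def make_trace(n=2000):
    """Constructed sample: microsecond timestamps, ~10 ms apart with jitter."""
    t, seed, out = 1_290_000_000_000_000, 12345, []
    for _ in range(n):
        seed = (seed * 1103515245 + 12345) % 2**31  # small deterministic LCG
        t += 10_000 + seed % 200
        out.append(t)
    return out

def delta_encode(values):
    """Keep the first value, then only the difference to the previous one."""
    prev, out = 0, []
    for v in values:
        out.append(v - prev)
        prev = v
    return out

def delta_decode(deltas):
    total, out = 0, []
    for d in deltas:
        total += d
        out.append(total)
    return out

def pack(values):
    """Fixed-width little-endian 64-bit fields (assumed record layout)."""
    return struct.pack(f"<{len(values)}q", *values)

def unpack(blob):
    return list(struct.unpack(f"<{len(blob) // 8}q", blob))

def compress_trace(values):
    return zlib.compress(pack(delta_encode(values)), 9)

def decompress_trace(blob):
    return delta_decode(unpack(zlib.decompress(blob)))

def sizes():
    """Bytes for: raw trace, DEFLATE only, delta encoding then DEFLATE."""
    trace = make_trace()
    return (len(pack(trace)),
            len(zlib.compress(pack(trace), 9)),
            len(compress_trace(trace)))
```

Delta encoding turns slowly growing values into small, repetitive ones, so the DEFLATE stage finds far more redundancy than it does in the raw records; the replayer reverses both steps to recover the exact values.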

Page 22: Paranoid Android: Versatile Protection For  Smartphones

Implementation

Attack Detection Mechanisms
- Virus Scanner
  - ClamAV
- Dynamic Taint Analysis
  - Overhead imposed is high
  - Only on replica

Page 23: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

- HTC G1 with tracer
- Modified QEMU for replayer

Page 24: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

Page 25: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

- Data Volume: 5 hours of audio playback, 22.5 MB
- Figure annotations: 64B/s, 121B/s

Page 26: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

- CPU load 15% higher
- Browsing may consume up to 30% more energy

Page 27: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

Server Scalability
- Dual-Core NB: 2.26GHz P8400 + 4G RAM
- Quad-Core: 2.40GHz Q6600 + 8G RAM
- Amazon EC2

Page 28: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

Dynamic Taint Analysis
- x2-x2.5 slowdown
- If DTA is applied to all replicas
  - Only roughly half of the instances reported in Figure 5

Page 29: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

Overhead Imposed By Ptrace
- Compression (deflate_slow) consumes only 7.62%
- 65% is spent in ptrace and waitpid
- Solution: move to kernel

Page 30: Paranoid Android: Versatile Protection For  Smartphones

Evaluation

Page 31: Paranoid Android: Versatile Protection For  Smartphones

Related Work

- Malkhi et al.
  - Secure execution of Java applets using a remote playground
- Ripley: automatically securing web 2.0 applications through replicated execution
- CloneCloud
  - Acceleration
- SmartSiren
  - Antivirus in smartphones

Page 32: Paranoid Android: Versatile Protection For  Smartphones

Related Work

- VirusMeter
- Kirin

Page 33: Paranoid Android: Versatile Protection For  Smartphones

Conclusion

- Attack detection on a remote server in the cloud
- No limit on the number of attack detection techniques
- Transmission overhead is kept below 2.5KiBps