Permission Use Analysis for Vetting Undesirable Behavior in Android Apps Presented By CHAITRA M (4MC11IS008) Under the Guidance of Mr. G.K.Sudarshan Asst. Professor Department of Information Science and Engineering Malnad College Of Engineering, Hassan

Upload: chaitrabhat777

Post on 17-Aug-2015


TRANSCRIPT

Page 1: Permission use analysis for vetting undesirable behavior in

Permission Use Analysis for Vetting Undesirable Behavior in Android Apps

Presented By

CHAITRA M (4MC11IS008)

Under the Guidance of

Mr. G.K.Sudarshan

Asst. Professor

Department of Information Science and Engineering

Malnad College Of Engineering, Hassan

Page 2: Permission use analysis for vetting undesirable behavior in

Contents

Introduction

Existing system

Unique features of Android

Permission use analysis

VetDroid

Conclusion

Page 3: Permission use analysis for vetting undesirable behavior in

Introduction

An Android application (app) needs the user's permission at install time to access resources.

Apps can then use these permissions with no further restrictions.

As a result, there has been an explosion of undesirable behavior in Android apps.

VetDroid proposes a systematic permission use analysis technique.

Page 4: Permission use analysis for vetting undesirable behavior in

Existing system

Analyzes malware at the level of system calls.

Sequences of system calls with their arguments are translated into actions that capture the sample's behaviors.

The temporal pattern of system calls depicts the application's behavior.

Page 5: Permission use analysis for vetting undesirable behavior in

Unique Features of Android

The existing system-call-level work is not readily applicable to the Android platform because of some unique features that Android possesses:

Android framework managed resources

Binder Inter-Process Communication (IPC)

Event triggers

Page 6: Permission use analysis for vetting undesirable behavior in

Unique Features of Android (Contd.)

Page 7: Permission use analysis for vetting undesirable behavior in

Android overview

The foundation of the Android platform is the Linux kernel.

Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID).

The Linux kernel provides Android with several key security features:

A user-based permission model

Process isolation

An extensible mechanism for secure IPC

Page 8: Permission use analysis for vetting undesirable behavior in

Permission use analysis

This analysis technique captures what permissions are used, and how, to access system resources.

It also analyzes how these resources are further utilized by the application internally.

Its effectiveness lies in identifying all the permission use points (PUPs) with accurate permission information and precisely tracking their relationships.

Permission use behavior represents the extracted behaviors in terms of PUPs.

Page 9: Permission use analysis for vetting undesirable behavior in

Permission use analysis (Contd.)

There are two kinds of permission use points in permission use behavior:

Explicit Permission Use Points (E-PUPs)

Implicit Permission Use Points (I-PUPs)

Page 10: Permission use analysis for vetting undesirable behavior in

Permission use analysis (Contd.)

The analysis proceeds in two phases:

The first phase identifies all sensitive application-system interactions that cause permission checks (E-PUPs).

The second phase locates all the permission-sensitive resources and tracks all the sensitive internal use points of these resources (I-PUPs).

Page 11: Permission use analysis for vetting undesirable behavior in

VetDroid

VetDroid is an analysis tool for generally analyzing sensitive behaviors in Android apps.

It proposes a systematic permission use analysis technique to effectively construct permission use behaviors.

VetDroid is not limited to analyzing malicious apps; it is also capable of analyzing benign apps.

Page 12: Permission use analysis for vetting undesirable behavior in

Approach

Application Driver

Automatically executes the application in a sandbox

E-PUP Identifier

Identifies invocations of Android APIs that cause permission checks

Possesses two properties:

Completeness

Accuracy

Page 13: Permission use analysis for vetting undesirable behavior in

Approach (Contd.)

I-PUP Tracker

Delivery point for each resource requested in the application

Log Tracer

Permission use behaviors are recorded with runtime information into a log file

Behavior Profiler

The log file is processed offline to construct behavior representations

Page 14: Permission use analysis for vetting undesirable behavior in

E-PUP Identifier

A new technique is designed to implement an E-PUP identifier that is both complete and accurate.

E-PUP identification strategy:

Identify the boundary between application code and system code, and intercept all calls to Android APIs.

Monitor permission check events in the permission enforcement system during the execution of each API.

Page 15: Permission use analysis for vetting undesirable behavior in

E-PUP Identifier (Contd.)

Acquire permission check information: judges whether a call site is an E-PUP and what permission is checked.

Android Permission Check (AndPermChk) Event

Extend the Binder driver and protocol to propagate permission check information from the service.

Kernel Permission Check (KerPermChk) Event

Instrument the GID isolation logic to record the checked GID into kernel thread-local storage.

Two system calls are added to access and clear the checked GID in the kernel thread-local storage.

Page 16: Permission use analysis for vetting undesirable behavior in

E-PUP Identifier (Contd.)

Page 17: Permission use analysis for vetting undesirable behavior in

I-PUP Tracker

Recognize the resource delivery point

Types of callbacks:

BroadcastReceiver, PendingIntent, Listener

Monitor the APIs that register callbacks:

BroadcastReceivers are declared in the app's manifest file and registered to the system when the app is installed.

PendingIntents and Listeners are registered via specific Android APIs.

Page 18: Permission use analysis for vetting undesirable behavior in

I-PUP Tracker (Contd.)

Permission-Based Taint Analysis

Tag Allocation: A tag bit is allocated at each E-PUP to mark the requested resource with the corresponding permission check information.

Automatic Data Tainting: A wrapper is added around each registered callback to taint the delivered protected data.

Identify I-PUP: At the function level, the tag for a function is calculated by a bitwise OR operation on the taint tags of its parameter values.
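
An added example (not VetDroid's code and not part of the original slides): a small Python model of the three taint-analysis steps above. The one-bit-per-permission tag layout, the Monitor class, the App.* call sites and the sample data are constructed for illustration, and letting a function's result inherit its tag is an assumption of the model.

```python
from dataclasses import dataclass
from functools import reduce

# Constructed tag layout: one bit per permission (not taken from VetDroid).
PERM_BITS = {"ACCESS_FINE_LOCATION": 1, "READ_CONTACTS": 2, "SEND_SMS": 4}

@dataclass(frozen=True)
class Tainted:
    value: object
    tag: int = 0  # bitmask of the permissions that protect this value

def tag_of(x):
    return x.tag if isinstance(x, Tainted) else 0

class Monitor:
    def __init__(self):
        self.log = []  # (kind, call site, permissions), as a log tracer would record

    def e_pup(self, site, permission):
        # Tag allocation: each E-PUP gets the tag of the permission checked there.
        self.log.append(("E-PUP", site, [permission]))
        return PERM_BITS[permission]

    def wrap_callback(self, callback, tag):
        # Automatic data tainting: taint protected data at its delivery point.
        return lambda data: callback(Tainted(data, tag))

    def call(self, site, func, *args):
        # I-PUP identification: function tag = bitwise OR of its parameter tags.
        tag = reduce(lambda a, b: a | b, map(tag_of, args), 0)
        if tag:
            perms = sorted(p for p, bit in PERM_BITS.items() if tag & bit)
            self.log.append(("I-PUP", site, perms))
        out = func(*(a.value if isinstance(a, Tainted) else a for a in args))
        return Tainted(out, tag) if tag else out  # assumption: result inherits the tag

def run_demo():
    m = Monitor()
    loc_tag = m.e_pup("LocationManager.requestLocationUpdates", "ACCESS_FINE_LOCATION")
    contact = Tainted("Alice", m.e_pup("ContentResolver.query", "READ_CONTACTS"))

    def on_location(loc):  # hypothetical app listener
        msg = m.call("App.format", lambda l, c: f"{c}@{l}", loc, contact)
        m.call("App.debug", len, "untainted")  # no tag, so not an I-PUP
        return m.call("App.upload", len, msg)

    sent = m.wrap_callback(on_location, loc_tag)("12.97,77.59")  # constructed sample fix
    return m.log, sent

if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

The log shows the two E-PUPs followed by App.format and App.upload as I-PUPs carrying both permissions, while App.debug, which touches no tagged data, is filtered out.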

Page 19: Permission use analysis for vetting undesirable behavior in

Capabilities of VetDroid

Android-level Semantics

Analyze Generic Sensitive Behaviors

Analyze Internal Behaviors

Filter Irrelevant Behaviors

Page 20: Permission use analysis for vetting undesirable behavior in

Conclusion

VetDroid is the first approach to perform accurate permission use analysis to vet undesirable behaviors.

To construct permission use behaviors, a systematic framework that completely identifies E-PUPs and I-PUPs with accurate permission information has been proposed.

VetDroid provides a better vehicle for analyzing and examining Android apps, which brings benefits to malware analysis/detection, vulnerability analysis, and other related fields.

Page 21: Permission use analysis for vetting undesirable behavior in

References

Yuan Zhang, Min Yang, Zhemin Yang, Guofei Gu, Peng Ning, and Binyu Zang, “Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps.”

Burguera, U. Zurutuza, and S. Nadjm-Tehrani, “Crowdroid: Behaviour based malware detection system for Android,” in Proc. 1st ACM Workshop SPSM, 2011, pp. 15–26.

Android Permissions. [Online]. Available: http://developer.android.com/reference/android/Manifest.permission.html, accessed May 7, 2013.

Links and websites

http://ieeexplore.ieee.org

www.developer.android.com

Page 22: Permission use analysis for vetting undesirable behavior in

Thank You