TaintART:APrac-calMul--levelInforma-on-FlowTrackingSystemforAndroidRunTime

MingshenSun,TaoWei,JohnC.S.Lui

SudeepNanjappaJayakumar

Agenda•  AndroidBasics•  Introduc-on•  Contribu-ons•  SDKDownloads–Google•  Background•  Environments•  Comparison–AndroidDalvik&ARTEnvironment•  SystemDesign-TaintART•  TainttagStorage•  TaintPropaga-onLogic•  Implementa-on•  CaseStudy•  MacrobenchmarksandMicrobenchmarks•  Comparisonofinstruc-onnumbersfordifferenttypes•  Limita-ons&relatedwork

AndroidBasics

WhatisAndroid?•  Free,opensourcemobileplaUorm

o  SourcecodeathVp://source.android.com

•  Anyhandsetmanufacturerorhobbyistcancustomize

•  Anydevelopercanuseo  SDKathVp://developer.android.com

Background

AndroidOverview:•  AndroidOSisbasedontheLinuxKernel.•  Androidhasmiddlewarecalledapplica-onframeworkwhichisbasedondatabaseandApprun-me

libraries.•  Theapplica-onframeworkprovidesvariousAPIsforappsdevelopers-ac-vitymanagement,content

management,andviewsystem.•  AndroidappsaremainlywriVeninjava,buttoenhancetheperformance,developerscanembedC/

C++anduseJavaNa-veInterface(JNI)tointeractwithappsandframeworkAPIs.•  Eachapprunsinanisolatedenvironment.Appscanalsocommunicatewithotherappsandservices

throughaspecificinter-processcommunica-onmechanismcalledthebinder.

Introduc-on•  TaintDroidweredesignedforthelegacyDalvikenvironmentusedforDynamictaintanalysisfor

Androidapps.•  ItcustomizesAndroidrun-me(DalvikVirtualMachine)toachievetaintstorageandtaint

propaga-on.•  LatestAndroidversionnolongersupportTaintDroidbecauseofthecompa-bilityandperformance

issues.•  TaintART–Dynamicmul-levelinforma-onflowtrackingsystem.•  SupportsthelatestAndroidrun-meenvironments.•  TaintARTu-lizesprocessorregistersfortaintstorage.ComparedtoTaintDroidwhichneedsatleast

twomemoryaccesses•  Mul--leveltaintanalysistechniquetominimizethetainttagstorage.•  Mul-levelprivacyenforcementisdonetoprotectsensi-vedatafromleakage.

Contribu-ons•  Methodology:

Efficientlytrackdynamicinforma-onflowsontheAndroidmobileopera-ngsystemwithahead-of--mecompila-onstrategy.Herethemul-levelanalysisisdoneontheop-mizedcodethandoingontheoriginalbytecodeoftheapplica-on.

•  Implementa7on: TaintART is implemented on Android Marshmallow. TaintART can track mul-level informa-on

flowswithinthemethod,acrossthemethodandalsodatatransmiVedbetweenthedifferentapps.

Contribu-onsContd…•  Performance:

Macrobenchmarks,microbenchmarksandcompa-bilitytestareperformedontheTaintART.Italsoachieves 2.5% and 99.7% faster for overall performance compared to quick compiler backend ARTrun-meandDalvikVMinAndroid4.4.

TaintARTcananalyzeappswithoutcompa-bilityissues.

•  Applica7ontoprivacyleakageanalysis:PrivacyleakageissueshavebeenaddressedonthepopularappsinAndroid6.0.

SDKDownloads-Google

Environments1.   DalvikEnvironment:

–  Dalvikadoptsvirtualmachineinterpreta-onstrategyatrun-me.–  Dexopt tool will op-mize original dex bytecode and at run-me, Dalvik virtual machine will

interpretbytecodeandexecutearchitecturespecificna-vecode.–  DalvikVMmaintainsaninternalstackforlocalvariablesandarguments.

2.ARTEnviroment:–  FirstintroducedasexperimentalenvironmentwithAndroid4.4–  ReplacedDalvikandwasmadeasdefaultenvironment–  ARTadoptsahead-of--me(AOT)compila-onstrategyinsteadofvirtualmachineinterpreta-on.–  dex2oat toolwill directly compile dex bytecode into na-ve code during app’s installa-on and

thenstoreasanoatfile.–  Dex2oatcompilerperformsmul-ple-mestoachievebeVerperformance.

Comparison–AndroidDalvik&ARTEnvironment

SystemDesign-TaintART

•  TaintARTu-lizesdynamictaintanalysistechniqueandcantrackdatabyinser-ngtrackinglogic.•  TaintARTemploysamul--leveltainttagmethodologytominimizetaintstoragesothattagscanbe

storedinprocessorregistersforfastaccess.•  ARTcompileriscustomizedtoretaintheoriginalaheadof-meorganiza-ons.•  TaintART’smul-leveldatatrackingstrategyisusedforpolicyenforcementondataleakage.•  Indynamictaintanalysis,sensi-vedataistargetedatanysensi-vefunc-oncalledtaintsourceand

tainttagwillbelabeledonthesensi-vedatafortracking.•  Whenthedataiscopiedortransformedtoanotherplace,itstainttagwillpropagatetothenew

place.

SystemDesign-TaintART•  Thetainttagstatusfortrackingdatawillbestoredintainttagstorage.•  Ifanytainteddataleavesthesystematsomespecifiedfunc-onscalledtaintsinks.

TainttagStorage

•  BuiltonGoogleNexus5–32bitARMplaUorm.•  16CPUregisters,eachwith32bits.•  RegisterR5isreservedfortaintstorage.•  Register allocator of TaintARTwill ensure R5 is not

assignedforotherpurposessuchasvariablestorage.•  Firstsixteenbits(frombit0tobit15)willbeusedfor

storing taint tags of sixteen registers (from R0 toR15).

•  Theremainingsixteenbitsareusedforstoringtainttagoffloa-ngpointregisters(fromS0toS15).

TaintPropaga-onLogic

•  TaintART introduces much less instruc-ons onhandlingthetaintstatuschanges.

•  There are two registers involved R5 as the taintstorageregister&R12registerforthetemporaryusage.

•  Involves 4 steps: clear des-na-on bit, maskingtaintedbit,shiqingbits,andmergingtaintedbits.

•  TaintART needs only three data processinginstruc-onswithoutmemoryaccess toefficientlypropagateataintlabel.

•  This will be good to track the run-me and theperformanceimpacts.

Implementa-on

Taintsourcesandsinks:•  TaintARTcanalsobeusedtoenforcepolicyonsensi-vedataleakage. •  Fourtypesofdatafromfiqeensourcesaretrackedanditiscategorizedintodeviceiden-ty,sensor

data,sensi-vecontentandloca-ondata.•  Taintsourcelogicisplacedincorrespondingclassestotrackthesedata.•  When it comes to device iden-ty apps can acquire telephony data by sending the request to

telephonymanagerandinreturnthetaintsourcelogicwillaVachataginthebinderparcel.•  loca-ondataandsensi-vecontentsuchasmessages,contactlistsandcalllogsarecategorizedinthe

thirdlevel.Thesedataareconsideredaslevelthreedataandasmostsensi-vedata.

Taintsourcesandprivacyleakagelevels

Implementa-on

TaintAnalysisInterface:•  Twobasicinterfacescanbedevelopedfortaintanalysis.•  addTaint()&getTaint()–Thesecanbeusedtoupdatetainttagofaspecificlocalvariablesorobjects

andinspecttainttaglater.•  Thesetwointer•  facesareimplementedinordertoachievebeVerperformance.

Implementa-on&Deployment

•  TheprototypeofTaintARTisimplementedonAndroid6.0.1MarshmallowforNexus5.•  ARTcompilerandARTrun-mesourcesarecustomizedtoimplementtainttagpropaga-on.•  BinderrelatedsourcesarealsocustomizedinAndroidframework.•  Theyprovidecustomizedbinaryandlibrariessuchasdex2oat,libart.soandlibart-compiler.so•  SincethecodebaseofARTenvironmentisstableaqerAndroid5.0,theimplementa-onisgeneric

forAndroid5.0and6.0versions.•  Analystscanoverwriteourcustomizedbinaryandlibrariestoatargetdevicewithrootprivilege.

Thereisnoneedofreinstallingthecustomizedsystemsfromscratch.

CaseStudy

ExperimentalSetup–TaintDroidisdownloadedandcompiledwhichisbasedonAndroid4.3.

–  TaintARTisrunonAndroid6.0.1&appsusedinthecasestudyweredownloadedfromtheGoogleplayinMay2016.

PrivacyTracking–Popularappsweretestedandpoten-alprivacyleakagewaschecked.–  TheymanuallyinteractedwitheachappinTaintDroidandTaintARTandrecordedthereportsof

privacyleakage.

PrivacyLeakageAnalysis

CaseStudyPolicyEnforcement–SinceTaintARtsupportslatestAndroidrun-meitiseasytodeploythepolicyenforcement.-  Hereuserscanpre-definemul--levelpolicyrules.

-  Foreachleveluserscandefinedifferentpolicies.

Macrobencmarks•  TaintARTisageneralframeworkthatcanbeusedbyend-userstoprotecttheir

privacy.•  Severalmacrobenchmarkswereperformedtomeasuretheoverheadfornormal

usageoftheapplica-ons.

MicrobenchmarksCompilerBenchmarks–Byadop-ngtheTaintARTthecompila-on-meisincreasedby336.076millisecondsto403.064millisecondsandintroducesabout19.9%overhead.-Thebelowfigureillustratesthecompila-on-mefor80built-inapps.

Comparisonofinstruc-onnumbersfordifferenttypes

•  Thetotalnumberofinstruc-onsincreasesabout21%.

•  The increases are mainly in data processinginstruc-ons (Type II) including arithme-cinstruc-ons (ADD, SUB), logical instruc-ons (ORR,AND),movementinstruc-ons(MOV,MVN).

•  TaintART compiler only introduces about 0.8 %moreinstruc-ons.

•  This means that TaintART can achieve beVerrun-me performance than the VM-basedTaintDroid with the gains of AOT compila-onstrategyinthenewARTenvironment.

Limita-ons

•  TaintARTcannottrackspecificdataflows.•  Allimplicitleakagecannotbetracked.•  ComplexmalwarescandetectthepresenceofTaintARTandcanhidetheirac-vi-es

withfewsomean-analysistechniquestodetecthostdevices.•  Malwareanalysis,analystsneedtomanuallytriggerthebehaviors

RelatedWork

•  Therearemany systemswhichdynamicallymonitor the run-me informa-on indifferent layersofthe systemand fewof themareDroidScope,BareCloudandCopperDroid introspectDalvikVM tocapturedynamicinforma-onforreconstruc-ngmalwarebehaviors.

•  Therearemanysystemswhichs-llusethesta-canalysissystemfordisassembledcodeandtrytopreciselymodelrun-mebehavioranduseprogramanalysistechniquetoresolveinforma-onflowsandfewofthemareAndroidLeaksandFlowdroid.

•  Also therearemanysystems todetect suspiciousbehaviorsandpreventpoten-alprivacy leakageand few of them are Aurasium and RetroSkeleton which can add enforcement policies and fine-grainedmandatoryaccesscontrolonsensi-veAPIinvoca-onsbyrewri-ngandrepackagingapps.

Thank you