improving android reliability and securitygeller/chairsconference/cschairs18-neamtiu.pdf · this...
Post on 12-Jul-2020
3 Views
Preview:
TRANSCRIPT
Improving Android Reliability and Security
IulianNeamtiu,Assoc.Prof.
CSChairsMeetingJune14,2018
…butusers/developers/vendorshavelittleinsight/assuranceofdevicebehavior/reliability/security
MobileOSesrapidlyexpandingtheirdevicerangeanduserbase….
ACSAC’12
ICSE’18OOPSLA’16ASPLOS’18
ISSTA’16
CoreSWstack(AOSP)
EASE’15
ICSE’13 MobiCom’12ISSRE’15
Android:2billionmonthlyactiveusers
Preinstalledsoftware Third-partyapps
The Nature of Mobile Bugs
EASE’15
Android iOSConcurrency:66% Crash(non-concurrency):52%
GUI:23% App.logic:32%Security:5% Build:12%
Howtofind/reproduce/fixthese?
Study:22,000confirmed&fixedmobilebugs(Android,iOS)over7yearsFocus:High-severitybugs(crashes,dataloss/corruption)
Concurrency Errors in Android
Harmful race in the Android OS!
MainThread BackgroundThread
LoaderTask.execute()onClick
Adapter.add(newslist)
scrollgetViewForPosition()validateForPosition()
adapter.notifyDataSetChanged
OK
onPostExecute adapter.notifyDataSetChanged
https://code.google.com/p/android/issues/detail?id=77846
Our Approach • Priorapproaches:alldynamic
• Lowcoverage,highrateoffalsenegatives&falsepositives• Ourapproach
• Action=context-sensitiveeventhandling• Novelabstraction,reifiesCallbacks,Threads,AsyncTasks,MsgHandler• Happens-before(HB):A1≺A2
• A1iscompletedbeforeA2
• Bootstrappingviaprogramsynthesisèprecisestaticanalysis• Backwardsymbolicexecutiontorefute(most)falsepositives
èEffectiveandefficient
ASPLOS’18
Program Synthesis to “Boot-strap” Precise Static Analysis
• Createsynthetic“main”activity
• Createsyntheticmethodcallsites1. Addlifecycle/GUI/systemactions2. Buildcallgraphforfoundactions3. Gobacktostep1,iterateuntilfixpoint
onCreate
onStart
onResumeonClick
onCreateOptionsMenu
onLowMemory
thread
AsyncTask
onPostExecution
msg1.handleMessage
Runnable1
onItemClick
onLongPress
Runnable2
……
……
onCreate
onStart
onResume
onClickonCreateOptionsMenu
onLowMemory
threadAsyncTaskonPost
Executionmsg1.
handleMessage Runnable1onItemClick onLongPress Runnable2
*
*
PriorAndroidstaticanalyses:imprecise
SyntheticMain.java
ASPLOS’18
Symbolic Execution-based Refutation
Path Constraints
Backwardsymbo
licexecutio
nmIsRunning=true
if(mIsRunning)mAccumTime=…
mIsRunning=false
mIsRunning=false
if(mIsRunning)
Methodentry
Methodexit
true
mIsRunning=falsemAccumTime=…
Can𝜶Boccurbefore𝜶A?
Timer.Runnable runner = { void run() {//action A if (mIsRunning) { mAccumTime=... // 𝜶A if (*) { ... postDelayed(runner,...); } else mIsRunning=false; } }}
void stop(){// action B if (mIsRunning) { mIsRunning = false; mAccumTime=... // 𝜶B } }
No! ASPLOS’18
Evaluation
Bestpriorwork(dynamic)
App Installs(millions)
Candidateracypairs
Afterouranalysis
Trueraces
Falseposi-tives
EventRacer
BarcodeScanner >100 64 15 11 4 7
VLC >100 202 35 32 3 0
FBReader >10 836 106 93 13 5
K-9 >5 1,347 89 72 17 1
NPR >1 607 21 21 0 3
Across20apps 431 33 29 4 4
≫
Effectiveness:racesfound
Dataset:194open-sourceapps;20analyzedmanuallyAnalysistime:about30minutes/apps
13x
ASPLOS’18
Skype >1,000
Snapchat >500
Netflix >100
AcrobatReader >100
PayPal >50
Walmart >10
178
464
793
3,134
51
48
(paperinpreparation)
GUI bugs
GUI Bugs: Restart Errors
GoogleResearch
Award2015
OOPSLA’16
Errorsummary
Data-flow
analysis
APK
Changeddata
Exit
Datasave
Control-flow
analysis
KRdata
Datarestore
Kill-and-restart(KR)errorsinAndroidappsDesktop/serverprogramscanassumeto“runforever”Mobileappscanbepaused/killedatanytimeAndroidsavesGUIstate,invokesuser-definedcallbacksDevelopersmustdotherest;confusinganderror-proneOurapproach:defineKRhierarchy,staticanalysistofindKRerrors
Restartisgood:cleansthestateRestartisbad:cleansthestateOurapproachexposesdatakept/lostuponrestart
changephoneorientation,alarmisreset!
orsendapptobackground,thenbringtoforegroundalarmisreset!
EarlierversionofAlarmClockPlusapp,morethan5millioninstalls
Results:49confirmedbugsin37apps,includinginwell-knownapps:Dr.WebAnti-virusLight,SymantecNortonSnap,MotorolaCamera,AlarmClockPlus,OIFileManager
Catch-22?
Security
This phone has 8 apps installed but the user can only see 6
There are running apps that the user cannot see
A malicious app has deleted a user’s messages without their knowledge or consent
WARNING!!
Missing SMS!
App stores do not disclose such behavior
SHB = Behavior meant to hide an app’s presence or actions ⇒ Fundamentally Deceptive Our approach detects and characterizes this behavior
‘Self Hiding’ Behavior (SHB)
ICSE’18
BroadcastReceiver.onReceive(SMS_RECEIVED/ACTION_VIEW)
SHB#6: Delete Message
Specialinvoke$r3.<java.lang.StringBuilder:void<init>(java.lang.String>(“content://sms/”)$r4=virtualinvoke$r3.<java.lang.StringBuilder:java.lang.StringtoString()>()$r5=staticinvoke<android.net.Uri:android.net.Uriparse(java.lang.String)>($r4)virtualinvoke$r2.<android.content.ContentResolver:intdelete(android.net.Uri.java.lang.String.java.lang.String[])>($r5,null,null)
Malware DroidKungFu1 deletes SMS messages
Essentially, the SMS messages self
destruct!
Control & data flow
Control & data flow
Control & data flow
NOTuser-initiated!
ICSE’18
Results: “Good” Apps Behave Badly
HIDE RUNNING APP Accesses and initializes location without user’s knowledge
HIDE NOTIFICATION / BLOCK MESSAGE
Blocks notifications without user consent
For “user convenience”
MUTE PHONE Manipulates the ringer mode
LURK/HOVER for a File Explorer?
Interposes between user and app
BLOCK CALL Not a False Positive!
ICSE’18
Dataset:3,219maliciousapps;6,233benignappsOurstaticanalysiscanseparatebenignfrommaliciouswith87.19%F-measure
Malwareemploysself-hiding(1.5SH/app;unsurprising)Somegoodappsemployself-hiding(0.2SH/app)
top related