Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework
Yuru Shao, Jason Ott†, Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao
University of Michigan, †University of California Riverside
Security Policy Enforcement
• Security policies regulate access to
  – Sensitive data
  – System resources
  – Privileged operations
• Policies need to be correctly enforced
Inconsistencies exist
• According to the Android documentation
  – apps that hold a CALL_PHONE permission can end phone calls
• The enforcement of a security policy on different code paths can be inconsistent
[Diagram: TelecomService and TelephonyService reach the same privileged methods over three code paths]
  (1) endCall(): Check SYSTEM
  (2) endCall(): Check CALL_PHONE
  (3) onReceive(): No security check!
Security implication
• Privilege escalation
  – Exploiting inconsistencies, an app can request fewer permissions.
  – Besides app permissions, attackers can also bypass system permissions
Inconsistent security policy enforcement
• Also found in SELinux and Xen [1]
  – Unauthorized user account access
  – Permanent data loss
• No solution for the Android framework
  – Prior work is OS specific
  – Android has no explicitly defined policies
[1] Lin Tan et al. AutoISES: Automatically Inferring Security Specification and Detecting Violations. USENIX Security 2008.
Problem statement
• Focusing on the Android framework, we answer the following question:
  – How can we systematically detect inconsistent security policy enforcement without any knowledge of the policies?
Our approach
• Discover app-accessible service interfaces that have overlaps in functionality
  – They're expected to have consistent security enforcement
• Perform a differential analysis on the security checks that two overlapping interfaces employ
Differential analysis
[Diagram: call paths from storeSMS(...) and storeMMS(...) down to storageProvider, with the enforcePhone() security check annotated as {RADIO}]
enforcePhone() checks if the caller's UID is 1001 (RADIO)
Pruning
[Diagram: the same call paths from storeSMS(...) and storeMMS(...) to storageProvider; enforcePhone() is a security check (annotated {RADIO}), whereas calls such as ContentValues.put(...) and String.equal(...) perform no check and are pruned from the analysis]
enforcePhone() checks if the caller's UID is 1001 (RADIO)
App-accessible service interfaces
• Analysis scope: system services
  – System services perform enforcement
• Service interfaces
  – AIDL methods
  – Broadcast receivers
AIDL: Android interface definition language
[Diagram: an App reaches WiFiService over Binder IPC (AIDL methods such as add, startScan, ...) and through broadcasts]
Security checks
• Security enforcement: a set of security checks
• We formulate four types of checks
  – Permission check
  – UID/PID check
  – Package name check
  – Thread status check
Kratos Design
[Pipeline: Java class files + relevant security check types → Pre-processing → Call graph construction → Call graph annotation → Inconsistency detection → Inconsistent security enforcement]
• Pre-processing: explore the codebase to find
  – All system services & interfaces
  – Look at service registration
• Call graph construction: build a precise framework call graph
  – Points-to analysis
  – IPC shortcuts
• Call graph annotation: identify the security checks applied to each node (method)
  – 1. Permission 2. UID/PID 3. Package name 4. Thread status
• Inconsistency detection: compare the security enforcement of service interfaces if they
  – Call the same privileged methods
• Output: ranked list for manual investigation
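The differential analysis, pruning and call-graph annotation steps described on the preceding slides, as an added example that is not the Kratos tool's own code: a toy framework call graph is pruned, each node is annotated with the check it performs, and interfaces that reach the same privileged method are compared. The endCall()/onReceive() interfaces and the SYSTEM UID and CALL_PHONE checks come from the talk's example; every other method name is an assumption for illustration.

```python
from itertools import combinations

# Constructed call graph (caller -> callees). endCall()/onReceive(), the SYSTEM
# UID check and CALL_PHONE follow the talk's example; other names are assumed.
CALL_GRAPH = {
    "TelecomService.endCall": ["checkCallerIsSystem", "CallManager.endCall"],
    "TelephonyService.endCall": ["enforceCallPhone", "CallManager.endCall"],
    "CallReceiver.onReceive": ["String.equals", "CallManager.endCall"],
    "CallManager.endCall": ["Phone.hangup"],
}
INTERFACES = ["TelecomService.endCall", "TelephonyService.endCall", "CallReceiver.onReceive"]
PRIVILEGED = {"Phone.hangup"}                  # privileged method all three reach
CHECKS = {"checkCallerIsSystem": ("uid", "SYSTEM"),          # annotation: which
          "enforceCallPhone": ("permission", "CALL_PHONE")}  # check a node performs

def reachable(graph, node, seen=frozenset()):
    """Nodes reachable from node, node included (cycle-safe)."""
    seen |= {node}
    for callee in graph.get(node, []):
        if callee not in seen:
            seen = reachable(graph, callee, seen)
    return seen

def prune(graph, checks, privileged):
    """Pruning: drop nodes that neither check anything nor lead to a privileged method."""
    keep = lambda n: n in checks or reachable(graph, n) & privileged
    return {n: [c for c in cs if keep(c)] for n, cs in graph.items() if keep(n)}

def enforcement(graph, checks, node, privileged, applied=frozenset(), path=()):
    """Checks on paths from node to each privileged method reached (union over paths)."""
    applied |= {checks[c] for c in graph.get(node, []) if c in checks}
    found = {node: applied} if node in privileged else {}
    for callee in graph.get(node, []):
        if callee not in path:                 # do not loop on recursive calls
            sub = enforcement(graph, checks, callee, privileged, applied, path + (node,))
            for p, chk in sub.items():
                found[p] = found.get(p, frozenset()) | chk
    return found

def detect(graph, checks, interfaces, privileged):
    """Differential analysis: report (method, weaker, stronger, checks the weaker lacks)."""
    enf = {i: enforcement(graph, checks, i, privileged) for i in interfaces}
    findings = []
    for a, b in combinations(interfaces, 2):
        for p in enf[a].keys() & enf[b].keys():
            if enf[a][p] != enf[b][p]:
                fewer, more = sorted((a, b), key=lambda i: len(enf[i][p]))
                findings.append((p, fewer, more, sorted(enf[more][p] - enf[fewer][p])))
    # Ranked list for manual investigation: fewest checks first, then largest gap.
    return sorted(findings, key=lambda f: (len(enf[f[1]][f[0]]), -len(f[3])))
```

The union over paths deliberately over-approximates, which is why the talk reports false positives when two interfaces are not truly equivalent; the top-ranked finding is the unchecked onReceive() path.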
Implementation
• Support AOSP and customized frameworks
  – Obtain Java classes from
    • Intermediate building output (AOSP)
    • Decompiled dex files (customized)
• Build a precise framework call graph
  – Points-to analysis using Spark
  – An artificial, static entry point including all app-accessible service interfaces
• Perform dataflow analysis
  – Identify security check methods
  – Collect system services
Evaluation
• 6 different Android codebases
  – AOSP 4.4, 5.0, 5.1 and M Preview
  – HTC One, Samsung Galaxy Note 3
• Accuracy

Codebase                        #Inconsistencies  #TP  #FP  Precision  #Exploitable
Android 4.4                                   21   16    5      76.2%             8
Android 5.0                                   61   50   11      82.0%            11
Android 5.1                                   63   49   14      77.8%            10
M Preview                                     73   58   15      79.5%             8
AT&T HTC One                                  29   20    9      69.0%             8
T-Mobile Samsung Galaxy Note 3               128  102   26      79.7%            10
False positives and exploitability
• False positives exist
  – Two interfaces are not equivalent in functionality
  – Points-to analysis produces over-approximated results
• Not all inconsistencies are exploitable
  – Difficult to construct valid arguments
  – Difficult to trigger particular privileged methods
Vulnerabilities discovered
• We found 14 vulnerabilities
• 5 out of 14 affect all codebases
• Bug reports confirmed by Google
  – Results website: http://tinyurl.com/kratos15
[Chart: the 14 vulnerabilities split into zero-days and previously reported or fixed]
Case study 1
• Bypass system permission to change HTTP proxy settings
[Diagram: two interfaces reach addOrUpdateNetworkNative(conf)]
  – updateNetwork(conf), documented in the Android SDK: Check CHANGE_WIFI_STATE and CONNECTIVITY_INTERNAL
  – save(conf), hidden and undocumented: Check CHANGE_WIFI_STATE and ACCESS_WIFI_STATE
CONNECTIVITY_INTERNAL is a system permission
• Allows attackers to bypass the system permission
• MITM, eavesdropping, traffic interception, ...
4.4.2_r1. Fixed in Android 5.0.0_r1
Case study 2
• Send arbitrary requests to the radio hardware without any permissions
[Diagram: two interfaces reach the radio interfaces]
  – invokeOemRilRequestRaw(r) in PhoneInterfaceManager: Check CALL_PHONE
  – sendRequestRawToRIL(r) in PhoneInterfaceManagerExt (Samsung-customized): No security checks!
• Allows attackers to send arbitrary requests to the radio on vulnerable Samsung phones
• Send SMS, make phone calls, ...
Other observations
• 11 vulnerable interfaces are hidden to apps
  – Not available in the Android SDK
  – Invoked using Java reflection
• AOSP frameworks
  – New system services introduce new inconsistencies, leading to new vulnerabilities
• Customized frameworks
  – Samsung added many system services
    • Introduced 2 additional vulnerabilities
    • One present in AOSP was fixed
Conclusions
• Inconsistent security policy enforcement gives rise to many vulnerabilities
• Our tool is practical and useful for AOSP, vendors, and carriers
• Our approach is general and can be applied to other systems
• To ensure system security, the implementation must faithfully realize the design
Q&A
• Thank you!