Download the Ethical Hacker's Guide to System Hacking


Attacker acquires information through techniques such as footprinting, scanning and enumeration to hack the target system.

CEH concepts methodology (diagram): Footprinting, Scanning, Enumeration, Vulnerability Analysis, System Hacking.

Footprinting
It is the process of accumulating data regarding a specific network environment. In this phase, the attacker creates a profile of the target organization, obtaining information such as its IP address range, namespace and employees. Footprinting eases the process of system hacking by revealing its vulnerabilities.

Scanning
This is a procedure for identifying active hosts, open ports, and unnecessary services enabled on ports. Attackers use different types of scanning, such as port scanning, network scanning, and vulnerability scanning of target networks or systems, which help in identifying possible vulnerabilities.

Enumeration
This is a method of intrusive probing, through which attackers gather information such as network user lists, routing tables, security flaws, and Simple Network Management Protocol (SNMP) data.

Vulnerability Analysis
Vulnerability assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault. Attackers perform this analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems.

CEH Hacking Methodology (CHM)

Gaining Access
It involves gaining access to low-privileged user accounts by cracking passwords through techniques such as brute forcing, password guessing, and social engineering, and then escalating privileges to administrative levels to perform a protected operation.

Maintaining Access
After gaining access to the target system, attackers work to maintain high levels of access to perform malicious activities, such as stealing, hiding or tampering with sensitive files.

Clearing Logs
To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system log.

System Hacking Goals
• Hacking Stage: Gaining Access. Goal: To bypass access controls to gain access to the system. Technique used: Password cracking, social engineering.
• Hacking Stage: Escalating Privileges. Goal: To acquire the rights of another user or admin. Technique used: Exploiting known system vulnerabilities.
• Hacking Stage: Executing Applications. Goal: To create and maintain remote access. Technique used: Trojans, spyware, backdoors, keyloggers.
• Hacking Stage: Hiding Files. Goal: To hide attackers' malicious activities and data theft. Technique used: Rootkits, steganography.
• Hacking Stage: Covering Tracks. Goal: To hide the evidence of compromise. Technique used: Clearing logs.

Password Cracking
Attackers use this technique to gain unauthorized access to a vulnerable system. Such a technique is mostly successful due to weak or easy passwords.

Types of Password Attacks

Non-Electronic
• Social Engineering: Convincing people to reveal passwords.
• Shoulder Surfing: Looking at either the user's keyboard or screen while he/she is logging in.
• Dumpster diving: Searching for sensitive information in the user's trash bins, printer trash bins, and user desk for sticky notes.

Active Online Attack – Password Guessing
The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim's machine to crack the passwords.
• Find a valid user
• Create a list of possible passwords
• Rank passwords from high probability to low
• Key in each password until the correct password is discovered

Active Online Attack – Dictionary, Brute Forcing and Rule Based attack
• Dictionary: A dictionary file is loaded into the cracking application that runs against user accounts.
• Brute Forcing: The program tries every combination of characters until the password is broken.
• Rule Based attack: This attack is used when the attacker gets some information about the password.

Active Online Attack – Hash Injection Attack
• A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources.
• The attacker finds and extracts a logged-on domain admin account hash.
• The attacker uses the extracted hash to log on to the domain controller.

Active Online Attack – LLMNR/NBT-NS Poisoning
• LLMNR/NBT are two main elements of Windows operating systems used to perform name resolution for hosts present on the same link.
• The attacker cracks the NTLMv2 hash obtained from the victim's authentication process.
• The extracted credentials are used to log on to the host system in the network.

Active Online Attack – Trojan/Spyware/Keylogger
• Attacker installs Trojan/spyware/keylogger on the victim's machine to collect the victim's usernames and passwords.
• Trojan/spyware/keylogger runs in the background and sends back all user credentials to the attacker.

Passive Online Attack – Wire Sniffing
• Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
• The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails.
• Sniffed credentials are used to gain unauthorized access to the target system.

Passive Online Attack – Man in the Middle and replay attack
• In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
• In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.

Offline Attack – Rainbow table attack
• A rainbow table attack uses a precomputed table which contains word lists like dictionary files and brute force lists and their hash values.

Offline Attack – Distributed Network Attack
• The DNA technique is used for recovering passwords from hashes or password protected files using the unused processing power of machines across the network to decrypt passwords.
• The DNA manager is installed in a central location where machines running the DNA client can access it over the network.
• The DNA manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network.
• The DNA client runs in the background, consuming only unused processor time.
• The program combines the processing capabilities of all the clients connected to the network and uses them to crack the password.

How to Defend against Password Cracking
1. Enable information security audit to monitor and track password attacks
2. Do not use the same password during password change
3. Do not share passwords
4. Do not share passwords that can be found in a dictionary
5. Do not use cleartext protocols and protocols with weak encryption
6. Set the password change policy to 30 days
7. Avoid storing passwords in an unsecured location
8. Do not use any system's default passwords
9. Make passwords hard to guess
10. Ensure that applications neither store passwords to memory nor write them to disk in clear text
11. Use a random string or prefix or suffix with the password before encrypting
12. Monitor servers' logs for brute force attacks on user accounts
13. Lock out an account subjected to too many incorrect password guesses
14. Enable SYSKEY with strong password to encrypt and protect SAM database

Escalating Privileges
• An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges.
• These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, trojans, worms etc.
• The attacker performs a privilege escalation attack which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.

Other privilege techniques – Scheduled Task
• Windows task scheduler along with utilities such as 'at' and 'schtasks' can be used to schedule programs that can be executed at a specific date and time.
• Attacker can use this technique to execute malicious programs at system startup,

Other privilege techniques – Access token Manipulation
• Windows operating system uses access tokens to determine the security context of a process or thread

Countermeasures:
1. Restrict the interactive logon privileges
2. Use encryption technique to protect sensitive data
11. Change user account control settings to "Always Notify"
12. Restrict users from writing