DOCSLIB.ORG

Practical Root Exploit Containment for Android Devices

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Practical Root Exploit Containment for Android Devices PREC: Practical Root Exploit Containment for Android Devices Tsung-Hsuan Ho, Daniel Dean, Xiaohui Gu, William Enck Department of Computer Science North Carolina State University {tho,djdean2}@ncsu.edu, {gu,enck}@cs.ncsu.edu ABSTRACT (e.g., Bouncer [39]), dynamic analysis environments can be Application markets such as the Google Play Store and the easily detected by malware or avoided using logic bombs Apple App Store have become the de facto method of dis- and checks for emulation [20, 24, 44]. Thus, it is necessary tributing software to mobile devices. While official markets to provide on-device malware containment that can detect dedicate significant resources to detecting malware, state- and stop the malware during runtime. of-the-art malware detection can be easily circumvented us- We observe that the dynamic malware analysis performed ing logic bombs or checks for an emulated environment. by application markets provides an opportunity to obtain We present a Practical Root Exploit Containment (PREC) a normal behavior model for an application. In effect, this framework that protects users from such conditional mali- forces malware authors to commit to a behavior during mar- cious behavior. PREC can dynamically identify system calls ket malware analysis. Therefore, we can use online anomaly from high-risk components (e.g., third-party native libraries) detection and malware containment to protect the user from and execute those system calls within isolated threads. Hence, the malware that uses logic bombs or attempts to change ex- PREC can detect and stop root exploits with high accuracy ecution based on an emulated environment. while imposing low interference to benign applications. We The primary challenges in making runtime root exploit have implemented PREC and evaluated our methodology containment practical are achieving a low false alarm rate [18] on 140 most popular benign applications and 10 root ex- and imposing low interference to benign applications. We ploit malicious applications. Our results show that PREC address those challenges using two novel techniques. First, can successfully detect and stop all the tested malware while we propose a classified system call monitoring scheme that reducing the false alarm rates by more than one order of can separate system calls based on their origins (e.g., the magnitude over traditional malware detection algorithms. library that initiates the system call). Thus, we can dynam- PREC is light-weight, which makes it practical for runtime ically identify system calls originated from high-risk com- on-device root exploit detection and containment. ponents such as third-party native libraries (i.e., native li- braries that are not included in the Android system libraries but are downloaded with applications from the app market). Categories and Subject Descriptors Since less than 10% of benign applications include third- D.4.6 [Operating Systems]: Security and Protection—In- party native code [31], the majority of benign applications vasive software (e.g., viruses, worms, Trojan horses); D.2.5 will have zero false alarms using our scheme. Second, we pro- [Software Engineering]: Testing and Debugging pose a delay-based fine-grained containment mechanism that executes the anomalous system calls using a pool of separate Keywords threads, and slows them down exponentially to defeat the attack. The rationale behind our approach is that address Android, Host Intrusion Detection, Dynamic Analysis, Mal- space layout randomization (ASLR) in Android [6] forces ex- ware, Root Exploit ploits to repeat the attack sequence many times in order to guess the right stack address. Moreover, most existing root 1. INTRODUCTION exploits (e.g., Rage Against the Cage) use resource exhaus- Popular application markets (e.g., Apple’s App Store, and tion attacks (e.g., continuously forking). By slowing down the Google Play Store) [13, 54] have become a boon for the malicious activity, the exploit becomes unsuccessful and users and developers, but they also provide a distribution often results in an Application Not Responding (ANR) sta- point for malware. While markets perform malware analysis tus, which causes the Android system to kill the malicious application. Permission to make digital or hard copies of all or part of this work for personal or In this paper, we present the Practical Root Exploit Con- classroom use is granted without fee provided that copies are not made or distributed tainment (PREC) framework to achieve on-device malware for profit or commercial advantage and that copies bear this notice and the full cita- containment. We specifically focus on malware that exploits tion on the first page. Copyrights for components of this work owned by others than root privilege escalation vulnerabilities. This type of mal- ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- ware represents the highest risk for smartphones, because publish, to post on servers or to redistribute to lists, requires prior specific permission root access enables the greatest amount of malicious func- and/or a fee. Request permissions from [email protected]. CODASPY'14, March 3–5, 2014, San Antonio, Texas, USA. tionality, allows for hiding its existence, and makes the mal- Copyright 2014 ACM 978-1-4503-2278-2/14/03 ...$15.00. ware difficult to remove [31]. Figure 1 depicts the overall http://dx.doi.org/10.1145/2557547.2557563 . PREC architecture. PREC operates in two phases: 1) of- PREC Learning PREC Enforcement PREC Module fline learning when a developer submits an app into the mar- - Classified syscall PREC Market Normal monitoring Service Malware profile ket; and 2) online enforcement when the user downloads and - Normal profile Detection installs the app. creation {app1,app2,...} Normal app, When a developer submits an app into the market, the profiles market server (e.g., Google’s Bouncer) runs the app within trace Phone a controlled emulator, performing comprehensive malware app Developer App app detection using a combination of signature detection and Market Input Trace PREC Module dynamic analysis. If the application contains malicious func- (optional) - Runtime syscall classification - Runtime root exploit detection tionality, the market dynamic analysis will detect it and re- - Root exploit containment ject the malicious application. However, as mentioned ear- lier, malware authors often attempt to evade the malware detection system using logic bombs or by not executing ma- Figure 1: Overview of the PREC architecture. When licious code when running in a dynamic analysis environ- the developer submits an app to the app market, the ment. This is where PREC provides contribution by forcing market performs extensive malware detection in a con- the app to commit to a normal behavior. trolled emulator. If the app is detected as malware, it is During dynamic malware analysis, PREC records and la- rejected. If not, a normal execution profile is saved and bels a system call trace based on our classified monitoring forwarded to the PREC service. When a smartphone criteria. For this work, PREC labels each system call as user downloads an app, the normal execution profile is originating either from third-party native code or from Java retrieved. PREC then monitors operation and contains code. We use the third-party native code as the classifying root exploits on the phone. criteria, because it is more risky than Java code or system third-party native code significantly reduces false alarms of libraries: 1) all existing malware that exploits root privi- runtime root privilege escalation attack detection. lege escalation vulnerabilities uses third-party native code; This paper makes the following contributions: 2) low-level system APIs required by the root exploits are often not available to Java code; and 3) program analysis • We present an architecture for mitigating root exploit of third-party native code is significantly more difficult than malware that hides its existence during dynamic anal- Java code or system libraries, therefore most malware anal- ysis. Our approach forces malware to commit to a ysis tools to date ignore third-party native code. normal behavior during market dynamic analysis and Once system calls are labeled by PREC, it creates a nor- malicious attacks are detected and stopped at runtime. mal behavior model for the app. The normal behavior model • We describe a runtime, kernel-level, system call origin is sent to the PREC service that could be hosted within a identification mechanism that allows us to build fine- computing cloud. When choosing a model to represent the grained behavior models (i.e., third-party native code normal behavior of an application, we considered several fac- behaviors v.s. java code behaviors) for higher anomaly tors such as accuracy, overhead, and robustness to mimicry detection accuracy and practical malware containment. attacks. After examining several common models such as the hidden Markov model (HMM) and finite state automata • We provide a scalable and robust behavior learning (FSA), we developed a new lightweight and robust behav- and anomaly detection scheme using the self-organizing ior learning scheme based on the self-organizing map (SOM) map (SOM) learning algorithm [35] that can achieve technique [35, 23]. SOM is robust to noise in system calls both high accuracy and low overhead. by projecting a high dimensional space (noisy system call We have implemented PREC and evaluated our methodol- sequences) into a two-dimensional map that still captures ogy on 140 most popular benign applications (80 with native the principal normal patterns. Moreover, SOM is signifi- code and 60 without native code) covering all different appli- cantly less computation-intensive than most other learning cation categories and 10 root exploit malware (4 known root methods such as HMM. exploit applications from the Malware Genome project [59] Ideally, the normal behavior model should be comprehen- and 6 repackaged root exploit applications). Our experi- sive in order to avoid false alarms. PREC currently uses ments show that PREC can successfully detect and stop all a random input fuzz testing tool [11] to create the per-app the tested root exploits.
Load more

Recommended publications
  • Filesystem Hierarchy Standard
    Filesystem Hierarchy Standard LSB Workgroup, The Linux Foundation Filesystem Hierarchy Standard LSB Workgroup, The Linux Foundation Version 3.0 Publication date March 19, 2015 Copyright © 2015 The Linux Foundation Copyright © 1994-2004 Daniel Quinlan Copyright © 2001-2004 Paul 'Rusty' Russell Copyright © 2003-2004 Christopher Yeoh Abstract This standard consists of a set of requirements and guidelines for file and directory placement under UNIX-like operating systems. The guidelines are intended to support interoperability of applications, system administration tools, development tools, and scripts as well as greater uniformity of documentation for these systems. All trademarks and copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Permission is granted to make and distribute verbatim copies of this standard provided the copyright and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this standard under the conditions for verbatim copying, provided also that the title page is labeled as modified including a reference to the original standard, provided that information on retrieving the original standard is included, and provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this standard into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the copyright holder. Dedication This release is dedicated to the memory of Christopher Yeoh, a long-time friend and colleague, and one of the original editors of the FHS.
    [Show full text]
  • Consolidate Home Directories to Improve Workforce Productivity
    Solution brief Consolidate home directories to improve workforce productivity HPE 3PAR File Persona Software Empower and enable users while increasing security Efficient: Improve your primary storage efficiency and control • One-third the data center footprint and significant power savings • One converged capacity eliminates Challenge Truly converged storage for wasted block or file space reservation home directory consolidation Localized user data with inadequate and Effortless: Simplify your storage inefficient protection and control HPE 3PAR StoreServ is highly efficient, deployment and administration Every IT organization has a need to store • Autonomic provisioning of all capacity flash-optimized storage engineered for and manage user-generated data such as the true convergence of block, file, and • Single, simple, and streamlined business documents, images, audio, and administration of block, file, and object access. HPE 3PAR Operating System object access video files. Traditionally, this has been done and converged controllers incorporate in local home directories on individual users’ multi-protocol support into the heart Bulletproof: Deploy your file shares laptops and desktops resulting in higher of the system architecture. This unique with confidence than necessary client device costs, ineffective • Resilient Mesh-Active architecture solution delivers tightly integrated, truly and intrusive backup processes, complex converged storage for provisioning both • Mission-critical proven HPE file system and time-consuming restore processes, and block volumes for server workloads and file poor data governance. IT needs a solution and object shares for client workloads such that maximizes workforce productivity while as home directory consolidation—efficiently, ensuring that data is effectively protected, effortlessly, and without compromise. secured, and controlled—all with minimal cost and effort.
    [Show full text]
  • The Complete Freebsd
    The Complete FreeBSD® If you find errors in this book, please report them to Greg Lehey <grog@Free- BSD.org> for inclusion in the errata list. The Complete FreeBSD® Fourth Edition Tenth anniversary version, 24 February 2006 Greg Lehey The Complete FreeBSD® by Greg Lehey <[email protected]> Copyright © 1996, 1997, 1999, 2002, 2003, 2006 by Greg Lehey. This book is licensed under the Creative Commons “Attribution-NonCommercial-ShareAlike 2.5” license. The full text is located at http://creativecommons.org/licenses/by-nc-sa/2.5/legalcode. You are free: • to copy, distribute, display, and perform the work • to make derivative works under the following conditions: • Attribution. You must attribute the work in the manner specified by the author or licensor. • Noncommercial. You may not use this work for commercial purposes. This clause is modified from the original by the provision: You may use this book for commercial purposes if you pay me the sum of USD 20 per copy printed (whether sold or not). You must also agree to allow inspection of printing records and other material necessary to confirm the royalty sums. The purpose of this clause is to make it attractive to negotiate sensible royalties before printing. • Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. • For any reuse or distribution, you must make clear to others the license terms of this work. • Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above.
    [Show full text]
  • Filesystem Hierarchy Standard
    Filesystem Hierarchy Standard Filesystem Hierarchy Standard Group Edited by Rusty Russell Daniel Quinlan Filesystem Hierarchy Standard by Filesystem Hierarchy Standard Group Edited by Rusty Russell and Daniel Quinlan Published November 4 2003 Copyright © 1994-2003 Daniel Quinlan Copyright © 2001-2003 Paul ’Rusty’ Russell Copyright © 2003 Christopher Yeoh This standard consists of a set of requirements and guidelines for file and directory placement under UNIX-like operating systems. The guidelines are intended to support interoperability of applications, system administration tools, development tools, and scripts as well as greater uniformity of documentation for these systems. All trademarks and copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Permission is granted to make and distribute verbatim copies of this standard provided the copyright and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this standard under the conditions for verbatim copying, provided also that the title page is labeled as modified including a reference to the original standard, provided that information on retrieving the original standard is included, and provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this standard into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the copyright holder. Table of Contents 1. Introduction........................................................................................................................................................1 1.1.
    [Show full text]
  • CS 103 Lab 1 - Linux and Virtual Machines
    CS 103 Lab 1 - Linux and Virtual Machines 1 Introduction In this lab you will login to your Linux VM and write your first C/C++ program, compile it, and then execute it. 2 What you will learn In this lab you will learn the basic commands and navigation of Linux/Unix, its file system, the GNU C/C++ compiler and a few basic applications such as Gedit. Important: The Linux operating system and environment shares a vast majority of commands and methods with Unix. 3 Background Information and Notes 3.1 Software to Install on your PC Start by following the course virtual machine installation instructions found at the link below. http://cs103.usc.edu/tools-and-links/installing-course-vm/ Below is a list of recommended software you should install that will be helpful over multiple courses in CS and EE. These tools allow you to access remote servers, run GUI apps on those servers, and transfer files between your PC and those servers. For Windows: FileZilla FTP – Available from : https://software.usc.edu/index.aspx XWin-32 – Available from : https://software.usc.edu/index.aspx PuTTY – Available from : https://software.usc.edu/index.aspx For Mac: X Server: http://developer.apple.com/opensource/tools/runningx11.html Fetch FTP – Available from : https://software.usc.edu/index.aspx Reference: http://www.usc.edu/its/unix/ Last Revised: 8/29/2014 1 CS 103 Lab 1 - Linux and Virtual Machines 3.2 Getting Started with Unix1 and Accessing your Account Solaris vs. Unix vs. Linux UNIX was developed by AT&T Bell Labs in 1969.
    [Show full text]
  • Downloading and Installing the Mobile Map for IOS, Android, Or Windows Device (See * Below) Common to All Devices: 1
    Downloading and Installing the Mobile Map for IOS, Android, or Windows device (See * below) Common to all devices: 1. Open your browser (see ** below) and return to www.mobilehuntingmaps.com, login and your My Account page will open. 2. On the left side, click on Orders. 3. Your order will appear on the right side of the page. 4. At the end of the order row, click on View to open the details of your order. 5. Beneath the name of the State you will see Download: Download Now and the password needed to open the map file with the CarryMap app. 6. Write down the password then click on Download Now. IOS Devices: (see ** below) 1. Dependent on your version of IOS (Apple operating system) you might be asked a second time to confirm the download. 2. How the download progress is displayed on your phone’s screen varies dependent on the IOS version on your phone. On IOS 12.0 or newer, a blue circle with a down pointing arrow inside will appear and a tiny blue line will move from left to right just under the circle as the download is in progress. Be patient as some of the map data files are large. Dependent on your internet speed and your WIFI strength, the download can take several minutes. Do not try to download a file using a cell phone service, more than likely it will drop before the download is complete. 3. Once the download progress is complete (the blue circle moves up and down and the blue line disappears), the file has been downloaded.
    [Show full text]
  • Introduction to Unix From
    Introduction to Unix from http://cnl.web.arizona.edu Index • Operating Systems • Files • Unix File System o The Path • Ownership and Permissions o Ownership o Permissions • Copy, Move and Remove Files and Directories • Archiving and Zipping • Viewing and Editing Text Files • Size • Unix Help • Tips and Tricks o Cut and Paste o Filename Completion o Find Command o History • Clients and Servers • Communicating across machines Related Resources • Glossary • Printing • Shell Scripts Operating Systems An Operating System (e.g., Windows 95, Windows 98 etc. from Microsoft; Unix systems like Linux, Irix, and Solaris) organizes your files and talks to the hardware. This means the OS translates from the very crude organization system that really exists on your hard drive to the hierarchical system that it presents to you. Essentially, it works like this: The Hard Drive has an area set aside that holds a table of addresses or "pointers" to blocks of information on the rest of the HD. The table's content and organization, the number and size of blocks on the HD etc. are dependent upon the particular OS. Although Unix systems are not exactly the same as each other, they are very similar to one another; just as Windows 95 and Windows 98 are very similar to one another. Files (A Comparison of Windows and Unix) Under Microsoft Windows, file names consist of two parts: a main part and an extension, separated by a special character, the dot (e.g., bird.jpg, fred.xls). The extension tells Windows which program to use to open the file (e.g., *.xls files are opened by MS Excel).
    [Show full text]
  • Linux File System and Linux Commands
    Hands-on Keyboard: Cyber Experiments for Strategists and Policy Makers Review of the Linux File System and Linux Commands 1. Introduction Becoming adept at using the Linux OS requires gaining familiarity with the Linux file system, file permissions, and a base set of Linux commands. In this activity, you will study how the Linux file system is organized and practice utilizing common Linux commands. Objectives • Describe the purpose of the /bin, /sbin, /etc, /var/log, /home, /proc, /root, /dev, /tmp, and /lib directories. • Describe the purpose of the /etc/shadow and /etc/passwd files. • Utilize a common set of Linux commands including ls, cat, and find. • Understand and manipulate file permissions, including rwx, binary and octal formats. • Change the group and owner of a file. Materials • Windows computer with access to an account with administrative rights The Air Force Cyber College thanks the Advanced Cyber Engineering program at the Air Force Research Laboratory in Rome, NY, for providing the information to assist in educating the general Air Force on the technical aspects of cyberspace. • VirtualBox • Ubuntu OS .iso File Assumptions • The provided instructions were tested on an Ubuntu 15.10 image running on a Windows 8 physical machine. Instructions may vary for other OS. • The student has administrative access to their system and possesses the right to install programs. • The student’s computer has Internet access. 2. Directories / The / directory or root directory is the mother of all Linux directories, containing all of the other directories and files. From a terminal users can type cd/ to move to the root directory.
    [Show full text]
  • Permissions and Ownership
    Getting Started with Linux: Novell’s Guide to CompTIA’s Linux+ Objective 1 Understand User and Group Configuration Files Information on users and groups on a Linux system is kept in the following files: ■ /etc/passwd ■ /etc/shadow ■ /etc/group Whenever possible, you should not modify these files with an editor. Instead, use the Security and Users modules in YaST or the command line tools described in the next objective, “Manage User Accounts and Groups from the Command Line” on 7-12. Modifying these files with an editor can lead to errors (especially in /etc/shadow), such as a user—including the user root—no longer being able to log in. To ensure consistency of these files, you need to understand how to ■ Check /etc/passwd and /etc/shadow ■ Convert Passwords to and from Shadow /etc/passwd The file /etc/passwd stores information for each user. In the past, UNIX and Linux users were handled in a single file: /etc/passwd. The user name, the UID, the home directory, the standard shell, and the encrypted password were all stored in this file. The password was encrypted using the function crypt (man 3 crypt). In principle, the plain text password could not be deciphered from the encrypted password. 7-2 Version 2 Use the Command Line Interface to Administer the System However, there are programs (such as john) that use dictionaries to encrypt various passwords with crypt, and then compare the results with the entries in the file /etc/passwd. With the calculation power of modern computers, simple passwords can be “guessed” within minutes.
    [Show full text]
  • User Accounts User Accounts User Info /Etc/Passwd User Info /Etc
    User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a computer may have just one user account, but several system accounts help keep the computer running. Accounts enable multiple users to share a single computer without causing each other too much trouble. User Accounts The Users in a Linux system are stored in the /etc/passwd file. If you are on your own VM - somewhere near the bottom you should see yourself and joe. On a brand new install you will see many users listed. Of course if you recall, we only added ourselves and joe. So what are all these other users for? These users are added because we don’t want to give sudo power to all of our programs. So each program installed gets its own user with its own limited permissions. This is a protection for our computer. User Info /etc/passwd Examine the /etc/passwd file using cat or less . Here is what we are seeing: It is colon : separated. So each : denotes a new column. username password The x is just a place-holder. The password is not really in this file User ID (UID) Just like every computer needs a unique ip address, every user needs a unique id. User Info /etc/passwd Group ID (GID) Every user belongs to its own group, with its own group id Comment field This is the Full name, phone number, office number, etc. It is okay if it is blank. Home Directory This is the location of the users home directory - This is how we can know the full path of any users home directory - /home/smorgan vs /home/s/smorgan.
    [Show full text]
  • Linux Filesystem Hierarchy and Hard Disk Partitioning
    LinuxLinux FilesystemFilesystem HierarchyHierarchy andand HardHard DiskDisk PartitioningPartitioning Moreno Baricevic CNR-IOM DEMOCRITOS Trieste, ITALY FileFile SystemSystem A file system is a set of methods and data structures used to organize, store, retrieve and manage information in a permanent storage medium, such as a hard disk. Its main purpose is to represent and organize storage resources. FileFile System:System: elementselements Name space: is a way to assign names to the items stored and organize them hierarchically. API: is a set of calls that allow the manipulation of stored items. Security Model: is a scheme to protect, hide and share data. Implementation: is the code that couples the logical model to the storage medium. 3 FileFile Systems:Systems: BasicBasic ConceptsConcepts (1/2)(1/2) Disk: A permanent storage medium of a certain size. Block: The smallest unit writable by a disk or file system. Everything a file system does is composed of operations done on blocks. Partition: A subset of all the blocks on a disk. Volume: The term is used to refer to a disk or partition that has been initialized with a file system. Superblock: The area of a volume where a file system stores its critical data. 4 FileFile Systems:Systems: BasicBasic ConceptsConcepts (2/2)(2/2) Metadata: A general term referring to information that is about something but not directly part of it. For example, the size of a file is very important information about a file, but it is not part of the data in the file. Ownerships, access permissions, creation/modification/access time, are also part of the metadata information pertaining a file.
    [Show full text]
  • Working with the File System, Configuration Files, and Software Images
    Working with the File System, Configuration Files, and Software Images This appendix describes how to manipulate the router flash file system, how to copy configuration files, and how to download software images to a router. Working with the File System Working with Configuration Files Working with Software Images Working with the File System Commands in this document use URLs as part of the command syntax. URLs used in the Cisco 910 Industrial Router file system contain the following two parts: File system or network prefix File identification suffix The following tables list URL keywords that can be used in the source-url and destination-url arguments for all commands in this document. The prefixes listed below can also be used in the filesystem arguments in this document. Table 5 lists common URL network prefixes used to indicate a device on the network. Table 5 Network Prefixes, Descriptions, and Formats Prefix Description Format ftp Specifies a File Transfer Protocol [[//[username[:password]@]location]/directory]/filename (FTP) network server. For example: ftp://network-config (prefix://filename) ftp://jeanluc:[email protected]/ship-config tftp Specifies a TFTP server. tftp:[[//location]/directory]/filename Table 6 common URL prefixes used to indicate memory locations on the system. Cisco Systems, Inc. www.cisco.com 1 Working with the File System, Configuration Files, and Software Images Table 6 URL Prefixes and Descriptions Prefix Description flash0 On board NAND flash memory, corresponding to /dev/mtd6 which is mounted as /mnt/apps. flash1 On board NAND flash memory, corresponding to /dev/mtd7 which is mounted as /mnt/data.
    [Show full text]