The Pennsylvania State University
The Graduate School

ANALYSIS TECHNIQUES FOR MOBILE OPERATING SYSTEM SECURITY

A Dissertation in Computer Science and Engineering
by William Harold Enck

© 2011 William Harold Enck

Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

May 2011

The dissertation of William Harold Enck was reviewed and approved∗ by the following:

Patrick D. McDaniel, Associate Professor of Computer Science and Engineering, Dissertation Advisor, Chair of Committee
Trent R. Jaeger, Associate Professor of Computer Science and Engineering
Thomas F. La Porta, Distinguished Professor of Computer Science and Engineering
Eileen Kane, Professor of Law
Raj Acharya, Professor of Computer Science and Engineering, Head of the Department of Computer Science and Engineering

∗Signatures are on file in the Graduate School.

Abstract

Devices such as smartphones running mobile operating systems have become an integral part of society. Current smartphones are a response to the Internet's influence on computing technology: devices provide nearly pervasive access to information and commoditize a seemingly endless number of services. However, smartphones are more than ultra-portable Web browsers. They combine the expansive knowledge and information available on the Internet with local context made accessible through hardware features such as GPS receivers, microphones, cameras, and accelerometers. In the past several years, smartphone innovation and popularity have surged in response to more open programming interfaces and network capabilities. Underlying this valuable innovation lies increased security risk for users and providers of content and cellular service.

In this dissertation, we explore the limitations of existing mobile operating systems in protecting end users from undesirable behavior by downloaded applications. Existing security frameworks define security policy in terms of permissions. We use requested permissions to focus security analysis of available applications. First, we consider which permissions applications request and show that this limited information can prevent applications with dangerous functionality from being installed. Second, we consider what applications do with permissions. We design and build a framework for realtime dynamic taint analysis to identify misuse of information such as location and phone identifiers. Finally, we consider what applications can do with permissions based on implemented functionality. In doing so, we use several types of source code analysis to identify both dangerous behavior and vulnerabilities in decompiled applications. While we find the coarseness of permissions to be insufficient in several cases, the permission-based model fundamentally aided our analysis, demonstrating new potential for protecting future mobile platforms.

Table of Contents

List of Figures
List of Tables
Acknowledgments

Chapter 1  Introduction
  1.1 Thesis Statement
  1.2 Contributions
  1.3 Dissertation Outline

Chapter 2  Mobile Operating System Security
  2.1 Smartphone Threats
    2.1.1 Malware
    2.1.2 Privacy
  2.2 Application Markets
  2.3 Case Study: Android
    2.3.1 Application Framework
    2.3.2 Security Framework

Chapter 3  Related Work
  3.1 Operating System Security
    3.1.1 Kernel-level Protection
    3.1.2 Information Flow
    3.1.3 Other MAC Models
    3.1.4 Defense of User Information
  3.2 Smartphone Security
    3.2.1 Smartphone OS Protection
    3.2.2 Malware Detection
  3.3 Information Tracking
  3.4 Security and Privacy Analysis
    3.4.1 Vulnerability Analysis
    3.4.2 Privacy and Malicious Behavior Analysis
Chapter 4  Configuration-level Analysis of Smartphone Applications
  4.1 Lightweight Smartphone Application Certification
  4.2 Kirin Overview
  4.3 Kirin Security Rules
    4.3.1 Identifying Security Requirements
    4.3.2 Sample Malware Mitigation Rules
      4.3.2.1 Single Permission Security Rules
      4.3.2.2 Multiple Permission Security Rules
      4.3.2.3 Permission and Interface Security Rules
  4.4 Kirin Security Language
    4.4.1 KSL Syntax
    4.4.2 KSL Semantics
  4.5 Kirin Security Service
  4.6 Evaluation
    4.6.1 Empirical Results
    4.6.2 Mitigating Malware
  4.7 Discovered Vulnerabilities
  4.8 Summary

Chapter 5  Dynamic Tracking for Realtime Privacy Monitoring on Smartphones
  5.1 Identifying Privacy Risks in Smartphone Applications
  5.2 Approach Overview
  5.3 Information Processing in Android
  5.4 TaintDroid
    5.4.1 Taint Tag Storage
    5.4.2 Interpreted Code Taint Propagation
      5.4.2.1 Taint Propagation Logic
      5.4.2.2 Tainting Object References
    5.4.3 Native Code Taint Propagation
      5.4.3.1 Internal VM Methods
      5.4.3.2 JNI Methods
    5.4.4 IPC Taint Propagation
    5.4.5 Secondary Storage Taint Propagation
    5.4.6 Taint Interface Library
  5.5 Privacy Hook Placement
  5.6 Application Study
    5.6.1 Experimental Setup
    5.6.2 Findings
  5.7 Performance Evaluation
    5.7.1 Macrobenchmarks
    5.7.2 Java Microbenchmark
    5.7.3 IPC Microbenchmark
  5.8 Discussion
  5.9 Summary

Chapter 6  Static Analysis of Smartphone Application Source Code
  6.1 A Study of Android Application Security
  6.2 Overview of ded
  6.3 Evaluating Android Security
    6.3.1 Analysis Specification
    6.3.2 Analysis Overview
  6.4 Analysis Query Definitions
    6.4.1 Dangerous Functionality
      6.4.1.1 Exfiltration of Information
      6.4.1.2 Misuse of Telephony Services
      6.4.1.3 Background Audio and Video Recording
      6.4.1.4 Socket API Use
      6.4.1.5 Harvesting Installed Applications
    6.4.2 Vulnerabilities
      6.4.2.1 Leaking Information to Insecure Locations
      6.4.2.2 Unprotected Broadcast Receivers
      6.4.2.3 Intent Injection Attacks
      6.4.2.4 Delegating Control
      6.4.2.5 Null Checks on IPC Input
  6.5 Application Analysis Results
    6.5.1 Information Misuse
      6.5.1.1 Phone Identifiers
      6.5.1.2 Location Information
    6.5.2 Phone Misuse
      6.5.2.1 Telephony Services
      6.5.2.2 Background Audio/Video
      6.5.2.3 Socket API Use
      6.5.2.4 Installed Applications
    6.5.3 Included Libraries
      6.5.3.1 Advertisement and Analytics Libraries
      6.5.3.2 Developer Toolkits
    6.5.4 Android-specific Vulnerabilities
      6.5.4.1 Leaking Information to Logs
      6.5.4.2 Leaking Information via IPC
      6.5.4.3 Unprotected Broadcast Receivers
      6.5.4.4 Intent Injection Attacks
      6.5.4.5 Delegating Control
      6.5.4.6 Null Checks on IPC Input
      6.5.4.7 SDcard Use
      6.5.4.8 JNI Use
    6.5.5 General Application Vulnerabilities
      6.5.5.1 Password Misuse
      6.5.5.2 Cryptography Misuse
      6.5.5.3 Injection Vulnerabilities
  6.6 Study Limitations
  6.7 Summary of Findings

Chapter 7  Directions for Smartphone Security
  7.1 Host Security: A Conflict of Requirements
    7.1.1 Informed Consent
    7.1.2 Privilege Separation
  7.2 Future Work
    7.2.1 Application Analysis
      7.2.1.1 Analysis of Native Libraries
      7.2.1.2 Study of Least Privilege
      7.2.1.3 Characterization of Information Sharing
    7.2.2 Operating System Enhancements
      7.2.2.1 Information Flow Control
      7.2.2.2 Maintaining Firmware Integrity
      7.2.2.3 Extending Protection to the Cloud
  7.3 Concluding Remarks

Bibliography

List of Figures

2.1 Typical IPC between application components
4.1 Kirin based software installer
4.2 Procedure for requirements identification
4.3 Sample Kirin security rules to mitigate malware
4.4 KSL syntax in BNF
5.1 Multi-level approach for performance efficient taint tracking within a common smartphone architecture
5.2 TaintDroid architecture within Android
5.3 Modified Stack Format. Taint tags are interleaved between registers for interpreted method targets and appended for native methods. Dark grayed boxes represent taint tags.