Towards Taming Privilege-Escalation Attacks on Android

Towards Taming Privilege-Escalation Attacks on Android

Towards Taming Privilege-Escalation Attacks on Android Sven Bugiel1, Lucas Davi1, Alexandra Dmitrienko3, Thomas Fischer2, Ahmad-Reza Sadeghi1;3, Bhargava Shastry3 1CASED/Technische Universitat¨ Darmstadt, Germany 2Ruhr-Universitat¨ Bochum, Germany fsven.bugiel,lucas.davi,[email protected] thomas.fi[email protected] 3Fraunhofer SIT, Darmstadt, Germany falexandra.dmitrienko,ahmad.sadeghi,[email protected] Abstract 1. Introduction Android’s security framework has been an appealing sub- Google Android [1] has become one of the most popular ject of research in the last few years. Android has been operating systems for various mobile platforms [23, 3, 31] shown to be vulnerable to application-level privilege esca- with a growing market share [21]. Concerning security and lation attacks, such as confused deputy attacks, and more privacy aspects, Android deploys application sandboxing recently, attacks by colluding applications. While most of and a permission framework implemented as a reference the proposed approaches aim at solving confused deputy at- monitor at the middleware layer to control access to system tacks, there is still no solution that simultaneously addresses resources and mediate application communication. collusion attacks. The current Android business and usage model allows developers to upload arbitrary applications to the Android In this paper, we investigate the problem of designing and app market1 and involves the end-user in granting permis- implementing a practical security framework for Android to sions to applications at install-time. This, however, opens protect against confused deputy and collusion attacks. We attack surfaces for malicious applications to be installed on realize that defeating collusion attacks calls for a rather users’ devices (see, for instance, the recent DroidDream system-centric solution as opposed to application-dependent Trojan [6]). policy enforcement. To support our design decisions, we Since its introduction, a variety of attacks have been re- conduct a heuristic analysis of Android’s system behavior ported on Android showing the deficiencies of its security (with popular apps) to identify attack patterns, classify dif- framework. Of particular interest and importance in this con- ferent adversary models, and point out the challenges to be text are the so-called application-level privilege escalation tackled. Then we propose a solution for a system-centric and attacks which are the main focus of this paper. policy-driven runtime monitoring of communication chan- nels between applications at multiple layers: 1) at the mid- Privilege escalation attacks at application-level. An- dleware we control IPCs between applications and indirect droid’s security framework (enforcing sandboxing and per- communication via Android system components. Moreover, mission checks) is not sufficient for transitive policy en- inspired by the approach in QUIRE, we establish semantic forcement allowing privilege escalation attacks as shown links between IPCs and enable the reference monitor to ver- by the recent attacks [16, 12, 20, 35]. Prominent examples ify the call-chain; 2) at the kernel level we realize mandatory are confused deputy and collusion attacks. Confused deputy access control on the file system (including Unix domain attacks [26] concern scenarios where a malicious application sockets) and local Internet sockets. To allow for runtime, exploits the vulnerable interfaces of another privileged (but dynamic low-level policy enforcement, we provide a callback confused) application2. On the other hand, collusion attacks channel between the kernel and the middleware. Finally, we evaluate the efficiency and effectiveness of our framework on 1One can register as an Android developer by only paying a fee of $25. known confused deputy and collusion attacks, and discuss Afterwards, developers are free to publish applications on the Android future directions. market. 2These attacks range from unauthorized phone calls [16] and text mes- sage sending [12] to illegal toggling of WiFi or GPS service state [20]. concern malicious applications that collude to combine their IPC calls that are checked at runtime by our monitor to permissions, allowing them to perform actions beyond their identify call-chains to protect against confused deputy individual privileges. Colluding applications can communi- attacks (caused by intents); 2) kernel-level Mandatory cate directly [28], or exploit covert or overt channels in the Access Control (MAC) on the file system (files, Unix Android core system components [35]. Moreover, applica- domain sockets) and Internet sockets; 3) a runtime inter- tions can launch privilege escalation attacks by exploiting action between our security extensions to the Android kernel-controlled channels and completely bypass the mid- middleware and the kernel-level MAC, allowing for dleware reference monitor. Examples for such attacks are dynamic runtime policy mapping from the middleware confused deputy attacks over a locally established Internet to the kernel. socket connection, or collusion attacks over the file system [12, 35]. Hence, one needs protection at both abstraction • Policy enforcement. Our policy enforcement is system- layers: namely the middleware and the Linux kernel. centric and uses an appropriate high-level policy lan- guage inspired by VALID [4] at the middleware layer. At the kernel level, we have adapted TOMOYO Security extensions to Android and problems. The Linux [25] to the Nexus One smartphone. Although TO- problem of application-level privilege escalation attacks has MOYO can intercept system calls and enforce MAC at been investigated in the last few years, and various security the kernel level, it isn’t aware of contextual information extensions and enhancements to Android have been pro- available to the Android middleware (e.g., permissions posed such as Kirin [16, 17], TaintDroid [14], Saint [33], that Android applications possess) in order to take the QUIRE [13], IPC Inspection [20] to name some. However, correct decision. To bridge the gap between policy as we will discuss in further detail (cf. Section 8), none of the enforcement at the middleware layer and TOMOYO, existing approaches satisfactorily addresses both confused we dynamically map the policies of the middleware to deputy and collusion attacks. While the existing solutions TOMOYO. are either static or mostly delegate the policy enforcement to applications, we realize that tackling collusion attacks calls • Performance and effectiveness. Our reference imple- for a system-centric solution, not dependent on applications. mentation has a negligible performance overhead not Moreover, previous solutions suffer from other deficiencies noticeable to the user. We evaluated our implemen- such as incompatibility to legacy applications (requiring to tation on a Nexus One development phone with 50 over-privilege some applications), or inefficiency. (popular) applications from the Android Market and 25 users (students). Note that in contrast to [15, 19] we perform our evaluation manually at runtime3, and Our goal and contributions. We investigate the problem hence, 50 applications are already sufficient for our of building a security framework for Android to protect it purposes. We successfully evaluated our framework against confused deputy and collusion attacks. We aim for against application-level privilege escalation attacks a general framework which can capture all variations of presented in [16, 12, 20, 35]. In contrast to exist- application-level privilege attacks, as opposite to previous ing solutions, our implementation detects all of these works targeting attack subclasses. To support our design attacks including the sophisticated attacks of Sound- decisions, we conducted a heuristic analysis of the runtime comber [35] and an attack launched through locally behavior of Android while running many popular applica- established Internet connection [12]. Finally, we dis- tions to observe and identify possible attack patterns. We cuss and evaluate the possible problems, such as the rate point out the related challenges towards tackling this prob- of attack detection and falsely denied communication. lem, and discuss the trade-offs with respect to other major existing solutions some of which could be integrated in our framework to improve our solution. In particular, our contri- Outline. The remainder of this paper is organized as fol- butions are the following: lows: After we recall the Android architecture in Section 2, we introduce the general problem of privilege escalation • Security Framework. We present the design and im- attacks, present our adversary model and assumptions in plementation of a security framework to detect and Section 3. In Section 4, we present the architecture of our prevent confused deputy and collusion attacks. For security framework, describe the graph-based system repre- this, we extend Android’s reference monitor concept at sentation used in our framework, and provide a graph-based both the middleware and the kernel level as follows: definition of privilege escalation attacks. Section 5 is de- 1) runtime monitoring on direct IPC calls between voted to defining a security policy for our framework. In applications and indirect communication through An- 3Note that automated testing of mobile phone applications has been droid system components. Inspired by the approach shown to exhibit a very low execution path coverage and is thus not suitable in QUIRE [13] we establish

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us