
© 2018 Soteris Demetriou

ANALYZING & DESIGNING THE SECURITY OF SHARED RESOURCES ON SMARTPHONE OPERATING SYSTEMS
—REVISED VERSION—

BY SOTERIS DEMETRIOU

DISSERTATION

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate College of the University of Illinois at Urbana-Champaign, 2018

Urbana, Illinois

Doctoral Committee:
Professor Carl A. Gunter, Chair
Professor Klara Nahrstedt
Assistant Professor Adam M. Bates
Professor XiaoFeng Wang, Indiana University Bloomington

ABSTRACT

Smartphone penetration surpassed 80% in the US and nears 70% in Western Europe. Smartphones have become the de facto devices users rely on to manage personal information and to access external data and other connected devices on a daily basis. To support such multi-faceted functionality, smartphones are designed with a multi-process architecture, which enables third-party developers to build applications that use the smartphone's internal and external resources to offer creative utility to users. Unfortunately, such third-party programs can exploit security weaknesses in smartphone operating systems to gain unauthorized access to available resources, compromising the confidentiality of rich, highly sensitive user data.

The smartphone ecosystem is designed so that users can readily install and replace applications on their smartphones. This lets users customize the capabilities of their smartphones to their needs. Statistics report an increasing number of available smartphone applications: in 2017 there were approximately 3.5 million third-party apps on the official application store of the most popular smartphone platform, and users are expected to have approximately 95 such applications installed on their smartphones at any given point. However, mobile apps are developed by untrusted sources. On Android, which holds roughly 80% of the smartphone OS market share, application developers are identified by self-signed certificates, so there is no good way of holding a developer accountable for malicious behavior. This creates a multi-tenancy problem on smartphones, where principals from diverse untrusted sources share internal and external smartphone resources. Smartphone OSs rely on traditional operating system process isolation to confine untrusted third-party applications. This approach is insufficient because incidental, seemingly harmless resources can be used by untrusted tenants as side channels to bypass process boundaries. To make things worse, applications may include third-party libraries, for advertising or for common recognition tasks. Such libraries share the process address space with their host apps and therefore inherit all the privileges of the host app.

Identifying and mitigating these problems on smartphones is not trivial. Manual analysis of all mobile apps on its own is cumbersome and impractical, code analysis techniques suffer from scalability and coverage issues, ad-hoc approaches are impractical and susceptible to mistakes, and some vulnerabilities are well hidden in the interplay between smartphone tenants and resources. In this work I follow an analytical approach to discover major security and privacy issues on smartphone platforms. I use the Android OS as a case study because of its open-source nature and its popularity. In particular, I focus on the multi-tenancy characteristic of smartphones and identify the resources each tenant can access within a process, across processes, and across devices. I design analytical tools to automate the discovery process, attacks to better understand the adversary models, and design changes to the participating systems to enable robust, fine-grained access control over resources.

My approach revealed a new understanding of the threats introduced by third-party libraries within an application process; it revealed new capabilities of a mobile application adversary exploiting shared filesystem resources; and it shows how a mobile app adversary can exploit shared communication media to compromise the confidentiality of data collected by external devices (e.g., fitness and medical accessories, NFC tags, etc.). Moreover, I show how these problems can be eradicated by following an architectural design approach that introduces backward-compatible, effective, and efficient modifications to operating systems to achieve fine-grained application access to shared resources. Some of the problems we found are now addressed by Google, which oversees the development of Android, the most popular smartphone OS.

To my parents Yiannis and Maria, my brothers Michalis and Alexandros, my sister-in-law Georgia and my niece Florentia for their unconditional love and support.

ACKNOWLEDGMENTS

This thesis would not have been possible to realize without the invaluable support and guidance of my advisor and academic father, Dr. Carl A. Gunter. Professor Gunter trusted me to explore issues that I find interesting without any constraints. I consider myself privileged to have been given the opportunity to work with and learn from Dr. Gunter. I cannot imagine having a better advisor and mentor.

I would like to also thank Dr. XiaoFeng Wang, whose indispensable guidance was continuous throughout my work. I was lucky during the beginning of my studies to meet Professor Wang, who got me involved in smartphone security, a topic which became the focus of my thesis. Unequivocally, I learnt a lot during my interactions with Professor Wang, both on how to find interesting problems and how to approach solving them.

Special thanks to Dr. Klara Nahrstedt and Dr. Adam M. Bates for their feedback and guidance. The final version of this thesis is shaped by their astute observations.

My sincere thanks also go to Dr. Michael Grace and Dr. Xiaoyong Zhou, who provided me with an opportunity to join their team as an intern at Samsung Research America (SRA). At SRA I was exposed to the real problems modern smartphone operating system vendors face and the approaches they take to tackle them.

Lastly, I would like to thank all the people I got to work with during my Ph.D. studies: Dr. Carl A. Gunter; Dr. XiaoFeng Wang; Dr. Klara Nahrstedt; Dr. Kyu-Han Kim; Dr. Landon Cox; Dr. Patrick Tague; Dr. Xiaoyong Zhou; Dr. Muhammad Naveed; Dr. Michael Grace; Dr. Puneet Jain; Dr. Wei Yang; Dr. Aston Zhang; Dr. Yueh-Hsun Lin; Dr. Yuan Tian; Dr. Animesh Shrivastava; Dr. Wenrui Diao; Dr. Feng Qian; Dr. Kai Chen; Dr. Xinhui Han; Dr. Kehuan Zhang; Nan Zhang; Yeonjoon Lee; Dongjing He; Xiaorui Pan; Kan Yuan; Whitney Merrill; Güliz Seray Tuncay; Tongxin Li; Mingming Zha; Xianghang Mi; Peiyuan Zong; Karan Ganju. My interactions with all of them shaped me both as an academic and as a person.

TABLE OF CONTENTS

CHAPTER 1 INTRODUCTION
1.1 Motivation
1.2 Problem Statement
1.3 Approach
1.4 Thesis Contributions
1.5 Thesis Organisation

CHAPTER 2 BACKGROUND
2.1 Android OS
2.2 Android Security Model
2.3 Background on Techniques and Methodologies Used
2.4 Android's Shared Resources

CHAPTER 3 LITERATURE REVIEW
3.1 Advertising Libraries
3.2 Information Leaks through Filesystem Resources
3.3 Shared Communication Channels
3.4 Shared IoT Devices

CHAPTER 4 SHARING PROCESS PRIVILEGES
4.1 Introduction
4.2 Analysis
4.3 Detection Design
4.4 Detection Evaluation
4.5 Utility and Limitations
4.6 Summary

CHAPTER 5 SHARING FILESYSTEM RESOURCES
5.1 Introduction
5.2 Analysis
5.3 Mitigation Design
5.4 Mitigation Evaluation
5.5 Summary

CHAPTER 6 SHARING DIRECT COMMUNICATION CHANNELS
6.1 Introduction
6.2 Analysis
6.3 Mitigation Design
6.4 Mitigation Evaluation
6.5 Summary

CHAPTER 7 SHARING DEVICES IN IoT ENVIRONMENTS
7.1 Introduction
7.2 Analysis
7.3 Mitigation Design
7.4 Mitigation Evaluation
7.5 Discussion
7.6 Summary

CHAPTER 8 DESIGN PRINCIPLES
8.1 Contextual Threat Model
8.2 Granularity of Mechanism
8.3 Layered Responsibility

CHAPTER 9 SUMMARY AND FUTURE DIRECTIONS
9.1 Summary
9.2 Contributions
9.3 Moving Forward

REFERENCES

CHAPTER 1: INTRODUCTION

1.1 MOTIVATION

Eleven years after the first iOS and Android smartphones, the two technology behemoths behind these platforms are responsible for 90% [1] of total smartphone sales in 2018. These devices have revolutionized the way people communicate and manage personal and business tasks. Their unprecedented nature, which combines mobility, computational power, and a model of easily replaceable applications that can facilitate every facet of our everyday lives, makes them an integral tool for people of any age. This very model, designed to leverage developers' creativity to provide users with a menagerie of smartphone applications (apps for short) for any perceived purpose, led to the release of an astounding number of apps in official application markets. Statista reports an almost exponential increase in the number of available smartphone apps on the official application store