Mandatory Access Control for the Android Dalvik Virtual Machine

Aline Bousquet¹, Jérémy Briffaut¹, Laurent Clevy², Christian Toinard¹, Benjamin Venelle²
¹ LIFO - ENSI de Bourges - fi[email protected]
² Alcatel-Lucent Bell Labs - fi[email protected]

Abstract

With the growing use of smartphones and other mobile devices, it becomes essential to be able to assure the user that his system and applications are doing exactly what they are supposed to do. Over the years, and despite its configuration complexity, Mandatory Access Control has proven its efficiency in protecting systems. This paper proposes a solution providing a generic protection that doesn't need to modify the applications. Moreover, in order to face the complexity of defining an efficient MAC policy, a tool automates the generation of the policies required for the various applications.

However, to efficiently guarantee the security of a system, each layer that composes it must be secured. Therefore, MAC implementations should not be limited to the operating system, but should also protect the inside of the applications.

This paper presents Security Enhanced Dalvik (SEDalvik), a MAC approach for the Dalvik Virtual Machine in order to control the flows inside the Java applications running in Android.

SEDalvik proposes a new mandatory protection to block the attacks that exploit the weakness of the Dalvik VM. By controlling the information flows between the Java objects, SEDalvik could prevent the new vectors of attack coming from the threat of the Java virtual machine as explained by Kaspersky Labs¹. In contrast with other approaches, our solution corresponds to a self-organizing system since it transparently protects existing Java applications without any modifications. An experiment on an Android phone shows the efficiency of the protection.

Keywords: Security, Java, Mandatory Access Control, Android, Dalvik

1 Introduction

Android is the most widely used system for smartphones and its security is therefore an essential challenge. Indeed, due to its considerable popularity, Android is more and more frequently the target of attacks and the users grow more concerned about the security of their devices. Indeed, 96 new threats on Android were detected in Q4 2012 by F-Secure² and 238 in the whole year, that is to say 79% of the threats detected on mobiles.

For instance, [5] describes a conceptual weakness in Android that allows privilege escalation attacks. Thus, it is possible for an unprivileged application to access a protected resource through a privileged application. This can happen because of the way the applications can interact: when an application accesses another one's components, Android does not ensure that the callee's permissions form a subset of the caller's permissions. Hence, the calling application can indirectly obtain the callee's permissions.

A similar weakness is also described in [17], which explains how a privileged application can store sensitive data on the SDCard. Since the SDCard is world readable (for Android versions 4.0 and earlier), the sensitive data becomes accessible to any other application, even an unprivileged one.

One way to handle this risk is to use Mandatory Access Control (MAC) to block malicious information flows inside a Dalvik Java application. SEDalvik offers such a solution to control the permissions between the caller and the callee objects.

SEDalvik is a new protection for Android, derived from a previous work, SEJava [16], that aims to protect the Java Virtual Machine (JVM). However, the Dalvik Virtual Machine differs from the JVM. Therefore, Dalvik requires a dedicated solution to enforce a MAC policy. Since requesting modifications of applications does not fit with self-organizing systems, SEDalvik can reuse an application without any change. Therefore, the protection works with all the applications. Furthermore, regarding the complexity of the definition of the policy, a learning tool can generate the policy automatically when an application is installed.

Section 2 introduces some key concepts of Android as well as related works concerning the security of Android. Then, section 3 describes SEDalvik's concepts and implementation. Finally, section 4 shows the results obtained with SEDalvik, concerning both its efficiency and its performance.

2 Background

2.1 Android

Android is a system for mobile devices that includes an operating system based on the Linux kernel, a Java middleware and Java applications available from the Google store. Android also provides some tools and APIs easing the development of third-party applications with the Java programming language.

2.1.1 Dalvik VM

Android uses its own virtual machine, named Dalvik [2] and acquired by Google. Dalvik is quite different from off-the-shelf implementations of the JVM. Dalvik was designed with optimization in mind, in order to run Java applications on devices with little memory, limited computational power and short battery life.

Dalvik is a register-based virtual machine. Its instruction set contains 246 opcodes (i.e. bytecodes) which are essentially different from the 144 opcodes defined by the JVM specifications [15].

A standard Java compiler stores the program bytecodes into .class files, one .class file per defined Java class. Android's Java compiler uses the dx tool to merge all .class files into one single .dex file (Dalvik Executable - Dex).

The .dex file format aims to minimize the VM memory usage by sharing data. In contrast with the JVM, Dalvik uses several memory pools shared among all classes to store data according to their nature.

2.1.2 Access Control

Android provides several mechanisms limiting the interactions between the system and the applications and between the applications themselves. This subsection describes these access control mechanisms.

To handle application privileges, Android uses a specific model of permissions [7]. Each application requests a set of permissions, allowing it to perform specific actions. For instance, an application that needs to send SMS has to request the SEND_SMS permission. This is a security model based on capabilities.

Permissions are explicitly granted by the user during the installation of the application. Nevertheless, since Android does not allow a partial selection, the user must either accept all the permissions or cancel the installation. Moreover, the user cannot change the permissions afterwards: the only way is to uninstall the application. A solution, described in [10], has been implemented to allow the user to specify exactly what resources an application can use.

Many applications request too many permissions. There are two reasons: 1) the developer usually asks for unnecessary permissions, because of the difficulty of defining a minimal set of permissions, and 2) the application is a malware that asks for illegal accesses. Since it goes against the least privilege principle, these applications present a serious risk: too many privileges implies that the application may access resources for illegitimate purposes.

Android also implements an application sandboxing mechanism to isolate applications from one another. Each application runs in its own instance of the Dalvik VM and under a unique user identifier (uid). Thus Android enforces a Discretionary Access Control to restrict accesses to the application's resources. However, a given uid can be used by several applications if they are signed by the same developer's certificate. Consequently, a misuse of the developer's certificate may disable the offered isolation.

Both Android's permissions model and the application sandboxing are mechanisms derived from Discretionary Access Control (DAC). This means that the data's security is under the responsibility of its owner (i.e. the application) and that a super user such as root can access all data. Besides, a DAC system fails to guarantee security properties [8]. Therefore, the security of Android needs to be improved, as shown by the numerous studies that propose to address these problems.

2.2 Related Works and Motivation

TaintDroid [6] is an extension of Android that enables the tracking of information flows on Android smartphones. TaintDroid uses data tainting to track sensitive data. It assumes that the applications installed by the user cannot be trusted. It monitors the user's data and aims to detect when some data leaves the system.

YAASE [12] is a security extension for Android that uses TaintDroid to provide a fine-grained access control mechanism. The user defines a set of policies to control the propagation of data. The policies are enforced thanks to hooks positioned in the Android framework's components.

AppFence [9] makes privacy controls on Android applications by retrofitting the runtime environment. AppFence implements two systems: data shadowing, i.e. giving an application fake data (empty contact list...) instead of sensitive data, and ex-filtration blocking, i.e. preventing sensitive data (tainted by TaintDroid) from leaving the device.

However, these three tools produce an important number of false positives. Moreover, they cannot protect from escalations of privileges, which are the most common attacks on Android.

Saint [11] is a framework used to define policies for the applications. With Saint, it is for instance possible to restrict the access to a permission.

3 SEDalvik

SEDalvik extends SEJava to protect the Dalvik virtual machine, including the Android applications. Indeed, due to major differences with the JVM, SEJava cannot work on Dalvik. Therefore, SEDalvik proposes a novel model of Mandatory Access Control to prevent malicious flows between the Dalvik objects.

3.1 Mandatory Access Control for Dalvik

Inside the Dalvik VM, SEDalvik monitors the interactions between a source and a target Java object, i.e. an instance of a Java class. SEDalvik associates each object with a unique security identifier. A security identifier includes the Java type, which is unique, and a unique
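The object-level mediation of section 3.1 and the policy-learning tool mentioned in the introduction, as an added illustrative model that is not SEDalvik's own code: the class names, the (source type, target type, method) flow format and the Dalvik-style type descriptors are constructed assumptions.

```python
"""Toy model of an object-level MAC monitor (added illustration, not SEDalvik's
code; names, the flow format and the type descriptors are assumptions)."""
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class SecurityId:
    java_type: str   # Dalvik-style descriptor, e.g. "Lapp/Mailer;"
    instance: int    # unique per object, so two Mailers stay distinguishable

class ReferenceMonitor:
    """Policy = set of allowed (source type, target type, method) flows.
    Learning mode records the flows of a run; enforcing mode refuses the rest."""
    def __init__(self, policy=None, learning=False):
        self.learning = learning
        self.policy = set(policy or ())
        self.denied = []              # flows refused while enforcing
        self._ids = count(1)
        self._objects = {}            # java_type -> SecurityId (one object per type here)

    def label(self, java_type):
        return self._objects.setdefault(java_type, SecurityId(java_type, next(self._ids)))

    def check(self, src_type, dst_type, method):
        """Mediate one interaction: source object -> target object.method."""
        rule = (self.label(src_type).java_type, self.label(dst_type).java_type, method)
        if self.learning:
            self.policy.add(rule)
            return True
        if rule in self.policy:
            return True
        self.denied.append(rule)
        return False

# Constructed trace of a benign run: the activity sends SMS via its own Mailer.
BENIGN_RUN = [("Lapp/MainActivity;", "Lapp/Mailer;", "send"),
              ("Lapp/Mailer;", "Landroid/telephony/SmsManager;", "sendTextMessage")]
UNSEEN_FLOW = ("Lapp/Plugin;", "Landroid/telephony/SmsManager;", "sendTextMessage")  # never observed

def demo():
    """Learn the policy from the benign run, then enforce it. Both flows happen in one
    process (one uid holding SEND_SMS), so uid-level DAC allows both; the object-level
    policy allows only the learned one."""
    learner = ReferenceMonitor(learning=True)
    for flow in BENIGN_RUN:
        learner.check(*flow)
    monitor = ReferenceMonitor(policy=learner.policy)
    replay_ok = all(monitor.check(*flow) for flow in BENIGN_RUN)
    unseen_ok = monitor.check(*UNSEEN_FLOW)
    return replay_ok, unseen_ok, monitor.denied
```

The learned policy is keyed on Java types, which is why the same object graph replays cleanly while a type the run never exercised is refused.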
