Kratos: Discovering Inconsistent Security Policy Enforcement in the - - PowerPoint PPT Presentation

kratos discovering inconsistent security policy
SMART_READER_LITE
LIVE PREVIEW

Kratos: Discovering Inconsistent Security Policy Enforcement in the - - PowerPoint PPT Presentation

Jan 23, 2023 644 likes •889 views

Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework Yuru Shao , Jason Ott , Qi Alfred Chen, Zhiyun Qian , Z. Morley Mao University of Michigan, University of California Riverside 1 Security Policy

slide-1
SLIDE 1

Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework

Yuru Shao, Jason Ott†, Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao

University of Michigan, †University of California Riverside

1

slide-2
SLIDE 2

Security Policy Enforcement

  • Security policies regulate access to

– Sensitive data – System resources – Privileged operations

  • Policies need to be correctly enforced

2

slide-3
SLIDE 3

Inconsistencies exist

3

Telecom Service Telephony Service (2) endCall() Check CALL_PHONE Privileged Methods

The enforcement of a security policy on different code paths can be inconsistent

(3) onReceive()

No security check!

  • According to the Android documentation

– apps that hold a CALL_PHONE permission can end phone calls

(1) endCall() Check SYSTEM

slide-4
SLIDE 4

Security implication

  • Privilege escalation

4

Request fewer permissions.

Exploiting Inconsistencies

slide-5
SLIDE 5

Security implication

  • Privilege escalation

5

Request fewer permissions.

Exploiting Inconsistencies

Besides app permissions, attackers can also bypass system permissions

slide-6
SLIDE 6

Inconsistent security policy enforcement

  • Also found in SELinux and Xen1

– Unauthorized user account access – Permanent data loss

  • No solution for the Android framework

– Prior work is OS specific – Android has no explicitly defined policies

6

[1] Lin Tan et al. AutoISES: Automatically Inferring Security Specification and Detecting

  • Violations. USENIX Security 2008.
slide-7
SLIDE 7

Problem statement

  • Focusing on the Android framework, we

answer the following question:

– How can we systematically detect inconsistent security policy enforcement without any knowledge of the policies?

7

slide-8
SLIDE 8

Our approach

  • Discover app-accessible service interfaces that

have overlaps in functionality

– They’re expected to have consistent security enforcement

  • Perform a differential analysis on security

checks that two overlapping interfaces employ

8

slide-9
SLIDE 9

Differential analysis

storeSMS(...) storeMMS(...)

... …

storageProvider enforcePhone()

{RADIO}

  • enforcePhone()checks if the caller’s UID is 1001 (RADIO)

9

slide-10
SLIDE 10

Pruning

storeSMS(...) storeMMS(...)

... …

storageProvider

ContentValues.put(...) String.equal(...)

{RADIO}

  • enforcePhone()checks if the caller’s UID is 1001 (RADIO)

10

enforcePhone()

slide-11
SLIDE 11

App-accessible service interfaces

  • Analysis scope: system services

– System services perform enforcement

  • Service interfaces

– AIDL methods – Broadcast receivers

AIDL: Android interface definition language

Binder IPC add startScan ... add startScan ... App WiFi Service

11

broadcasts

slide-12
SLIDE 12

Security checks

  • Security enforcement: a set of security checks
  • We formulate four types of checks

– Permission check – UID/PID check – Package name check – Thread status check

12

slide-13
SLIDE 13

Kratos Design

Java Class Files

Relevant Security Check Types

Pre-processing Call Graph Construction Call Graph Annotation Inconsistency Detection

Inconsistent Security Enforcement Explore the codebase to find

  • All system services & interfaces
  • Look at service registration

Build a precise framework call graph

  • Points-to analysis
  • IPC shortcuts

Identify security checks applied to each node (method) Compare security enforcement of service interfaces if they

  • Call the same privileged methods

1. Permission 2. UID/PID 3. Package name 4. Thread status

Ranked list for manual investigation

13

slide-14
SLIDE 14

Implementation

  • Support AOSP and customized frameworks

– Obtain Java classes from

  • Intermediate building output (AOSP)
  • Decompiled dex files (customized)
  • Build a precise framework call graph

– Points-to analysis using Spark – An artificial, static entry point including all app- accessible service interfaces

  • Perform data flow analysis

– Identify security check methods – Collect system services

14

slide-15
SLIDE 15

Evaluation

  • 6 different Android codebases

– AOSP 4.4, 5.0, 5.1 and M Preview – HTC One, Samsung Galaxy Note 3

  • Accuracy

15

Codebase # Inconsistencies # TP # FP Precision # Exploitable Android 4.4 21 16 5 76.2% 8 Android 5.0 61 50 11 82.0% 11 Android 5.1 63 49 14 77.8% 10 M Preview 73 58 15 79.5% 8 AT&T HTC One 29 20 9 69.0% 8 T-Mobile Samsung Galaxy Note 3 128 102 26 79.7% 10

slide-16
SLIDE 16

False positive and exploitability

  • False positives exist

– Two interfaces are not equivalent in functionality – Points-to analysis produces over-approximated results

  • Not all inconsistencies are exploitable

– Difficult to construct valid arguments – Difficult to trigger particular privileged methods

16

slide-17
SLIDE 17

Vulnerabilities discovered

  • We found 14 vulnerabilities
  • 5 out of 14 affect all codebases
  • Bug reports confirmed by Google

– Results website: http://tinyurl.com/kratos15

17

Zero-days Previously reported or fixed

slide-18
SLIDE 18

Case study 1

  • Bypass system permission to change HTTP

proxy settings

18

udpateNetwork(conf) save(conf) Check CHANGE_WIFI_STATE CONNECTIVITY_INTERNAL addOrUpdateNetworkNative(conf) Check CHANGE_WIFI_STATE ACCESS_WIFI_STATE Documented in Android SDK Hidden, undocumented

  • Allows attackers to bypass the system permission
  • MITM, eavesdropping, traffic interception, …

CONNECTIVITY_INTERNAL is a system permission 4.4.2_r1. Fixed in Android 5.0.0_r1

slide-19
SLIDE 19

Case study 2

  • Send arbitrary requests to the radio hardware

without any permissions

19

invokeOemRilRequestRaw(r) sendRequestRawToRIL(r) PhoneInterfaceManager PhoneInterfaceManagerExt (Samsung-customized) Check CALL_PHONE Radio Interfaces No security checks!

  • Allows attackers to send arbitrary requests to radio on

vulnerable Samsung phones

  • Send SMS, make phone calls, …
slide-20
SLIDE 20

Other observations

  • 11 vulnerable interfaces are hidden to apps

– Not available in the Android SDK – Invoke using Java reflection

  • AOSP frameworks

– New system services introduce new inconsistencies, leading to new vulnerabilities

  • Customized frameworks

– Samsung added many system services

  • Introduced 2 additional vulnerabilities
  • One present in AOSP was fixed

20

slide-21
SLIDE 21

Conclusions

  • Inconsistent security policy enforcement gives rise

to many vulnerabilities

  • Our tool is practical and useful for AOSP, vendors,

and carriers

  • Our approach is general and can be applied to
  • ther systems
  • To ensure system security, the implementation

must faithfully realize the design

21

slide-22
SLIDE 22

Q&A

  • Thank you!

22