AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection

Post on 22-Mar-2016


Authors: Zhemin Yang, Min Yang, Yuan Zhang, X. Sean Wang (Fudan University); Guofei Gu, Peng Ning (Texas A&M University, NC State University)
Venue: CCS, 2013
Speaker: Ting Luo
Date: 2014/04/07


Outline
1. Introduction
2. Background
3. Goal And Overall Architecture
4. Event-Space Constraint Guided Symbolic Execution
5. Dynamic Analysis Platform
6. Evaluation
7. Related Work
8. Conclusion And Future Work

Introduction
• Many benign apps normally need to collect sensitive data, such as location and contacts, and send it out to the cloud.
• Malicious apps that steal user data may also exhibit the same behavior.
• Therefore, transmission of sensitive data by itself may not indicate true privacy leakage.
• A better indicator is whether the transmission is user-intended or not.

• User-intended data transmission
  • For example:
    • SMS management apps
    • Location-based services
  • Not a privacy leakage.
• Unintended data transmission
  • Unknown to users
  • Irrelevant to the function the user enjoys
  • Judged as a privacy leakage

• It is more practical to design an automated tool that provides a human analyst with the context information in which the data transmission occurs.
• Given a sensitive data transmission, AppIntent derives the input data and user interaction inputs that lead to the transmission.
• Context information: in the form of a sequence of UI manipulations that is captured from a controlled execution.

• Symbolic execution
  • Systematically explores feasible paths of the program.
  • Dealing with events triggered by user actions in GUI apps is challenging.
  • Path explosion problem
• New technique
  • Event-space constraint guided symbolic execution

• Event-space constraint guided symbolic execution
  1. Static analysis
  2. Generate event-space constraints
  3. Symbolic execution

Background
1. Symbolic Execution
  (1) "Symbolic Execution and Program Testing," CACM, 1976
  (2) "Symbolic Execution for Software Testing: Three Decades Later," CACM, 2013

  • Explore as many different program paths as possible in a given amount of time.
  • For each path:
    • Generate a set of concrete input values exercising that path
    • Check for the presence of various kinds of errors
      • Security vulnerability
      • Uncaught exception
  • Using symbols instead of values!

  (1) Symbolic state σ
    • σ is initialized to an empty map.
  (2) Symbolic path constraint PC
    • PC is initialized to true.
  (3) If a symbolic execution instance hits an exit statement or an error, the current instance of symbolic execution is terminated.
  (4) Finally, PC is solved using a constraint solver to generate concrete input values.

  Reference: "Symbolic Execution for Software Testing: Three Decades Later," CACM, 2013

  | line | σ                         | PC                        | PC'                       |
  | init | Empty                     | True                      |                           |
  | 17   | {x->x0, y->y0}            | True                      |                           |
  | 6    | {x->x0, y->y0, z->2y0}    | True                      |                           |
  | 7    | {x->x0, y->y0, z->2y0}    | x0 = 2y0                  | x0 ≠ 2y0                  |
  | 8    | {x->x0, y->y0, z->2y0}    | (x0 = 2y0) ∧ (x0 > y0+10) | (x0 = 2y0) ∧ (x0 ≤ y0+10) |

  (5) Execution tree
    • First branch
      • PC: x0 = 2y0
      • PC': x0 ≠ 2y0
    • Second branch (under x0 = 2y0)
      • PC: (x0 = 2y0) ∧ (x0 > y0+10), satisfied when y0 > 10, x0 > 20
      • PC': (x0 = 2y0) ∧ (x0 ≤ y0+10), satisfied when x0 ≤ 20, y0 ≤ 10

  (6) Loops or recursion
    • Infinite number of paths if the termination condition for the loop is symbolic
  (7) In practice, one needs to put a limit on the search
    • A timeout, or a limit on the number of paths, loop iterations, or exploration depth
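
An added example, not part of the original slides: a minimal symbolic executor that reproduces the σ / PC bookkeeping and the execution tree above. The three-statement program is inferred from the state table (an assumption, since the slide's code image was not preserved), and the bounded brute-force `solve` stands in for a real constraint solver.

```python
from itertools import product

# Program inferred from the state table (the slide's code image was not preserved):
#   z = 2*y;  if z == x:  if x > y + 10: ERROR
PROGRAM = [
    ("assign", "z", "2*({y})"),
    ("branch", "({z}) == ({x})",
        [("branch", "({x}) > ({y}) + 10", [("error",)], [])],
        []),
]

def run(stmts, sigma, pc, out):
    """Execute stmts over symbolic state sigma, forking the path constraint pc."""
    if not stmts:
        out.append(("exit", pc))
        return
    head, rest = stmts[0], stmts[1:]
    if head[0] == "assign":
        _, var, expr = head
        run(rest, {**sigma, var: expr.format(**sigma)}, pc, out)
    elif head[0] == "branch":
        _, cond, then, other = head
        c = cond.format(**sigma)
        run(then + rest, sigma, pc + [c], out)              # PC : branch taken
        run(other + rest, sigma, pc + [f"not ({c})"], out)  # PC': branch not taken
    else:                                                   # error terminates the path
        out.append(("error", pc))

def solve(pc, lo=-50, hi=50):
    """Stand-in for a constraint solver: bounded search for inputs satisfying pc."""
    for x0, y0 in product(range(lo, hi + 1), repeat=2):
        env = {"x0": x0, "y0": y0}
        # eval is applied only to constraint strings built from PROGRAM above
        if all(eval(c, {"__builtins__": {}}, env) for c in pc):
            return env
    return None

def explore():
    """Return (outcome, PC, concrete witness) for every path of PROGRAM."""
    paths = []
    run(PROGRAM, {"x": "x0", "y": "y0"}, [], paths)
    return [(kind, " and ".join(pc), solve(pc)) for kind, pc in paths]
```

Calling `explore()` yields three paths; the witness for the error path satisfies y0 > 10 and x0 > 20, matching the leaf of the execution tree.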

2. Android Event
  (1) Callbacks of lifecycle states
    • These callbacks are automatically invoked by the Android application manager.
    • Non-deterministic
    • Unbounded: search space explosion problem!
  (2) GUI events and system events
    • Event listeners
    • Non-deterministic
    • They can be triggered in any order and at any time.

Goal And Overall Architecture
Goal:
  1. Produce the critical app inputs that lead to sensitive data transmission.
  2. Guarantee good code coverage.
  3. Provide an easy-to-understand tool for human analysts to ascertain under what circumstances the sensitive data transmission happens.

Overall architecture:
  • Event-space constraint guided symbolic execution
    (1) Static taint analysis
    (2) Construct an event-space constraint graph
    (3) Symbolic execution
  • Dynamic program analysis platform
    • Android InstrumentationTestRunner

Event-Space Constraint Guided Symbolic Execution
1. A concrete example: Anzhuoduanxin (安卓短信)
  (1) Broadcast Receiver: PushReceiver
    • To retrieve extended data from the intent
    • Taint analysis: { OnReceive, i1 }; a is tainted
  (2) Activity MessagePopup (screenshot text: "To Irene: Hello…")
    • Retrieve message from a
    • Taint analysis: { OnReceive, i1 }, { startNewMessageQuery, i2 }, { forward, i3 }, { forward, i4 }
  (4) Start up ComposeMessageActivity (screenshot text: "Forward or not?", "SEND!")
    • Taint analysis: { OnReceive, i1 }, { startNewMessageQuery, i2 }, { forward, i3 }, { forward, i4 }, { sendMessage, i5 }, { sendMessage, i6 }

Construction of the Event-space Constraint Graph
Extracting Critical Events
Extracting Essential Events

2. Construction of the Event-space Constraint Graph
  (1) Two kinds of nodes
    • A thick-line node (critical event)
      • The event handler method contains at least one instruction of a given data propagation path.
    • A thin-line node (essential event)
      • A prerequisite for a critical event
      • It does not contain any instructions of the given path.

  (2) Extracting Critical Events
    • For each instruction in the path, we traverse the call graph backward to find all events that might trigger it.

  (3) Extracting Essential Events
    • Supplement the missing lifecycle callbacks with directed edges according to the original order.
    • In the current version of AppIntent, we only track:
      - Intents that eventually start a new activity or service
      - Broadcast messages that are properly handled by a BroadcastReceiver

  (4) Guided Symbolic Execution
    • P: the events that are triggered before the last traversed critical event
    • C: the data constraints that should be fulfilled to reach the current execution point
    • If C is empty, then none of the data inputs can result in the target execution.
    • Each time we proceed from a thick-line node, the possible successors of this critical event are extracted.
    • We randomly pick an event first and calculate a feasible path from the current critical event to the chosen successor.
      • Extract the minimal path (using Dijkstra's algorithm) as a chain of events.
    • We roll back the symbolic execution and try to trigger other feasible critical events if:
      • the event chain is revealed to be not available to any inputs (C == ∅), or
      • all possible successors in critical event chains are already explored (∀e : <ne; e> ∉ CEC)
    • Notation: ce: critical event; ne: next event
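
An added example, not from the slides or from AppIntent itself: guided traversal of an event-space constraint graph, using Dijkstra's algorithm to stitch essential events between critical events and rolling back when C is empty. The graph edges, the lifecycle callbacks, the `autoForward` decoy event and the `feasible_without_decoy` predicate (a stand-in for the constraint solver) are assumptions; successors are tried in list order rather than at random so the run is repeatable.

```python
import heapq

# Constructed event-space constraint graph (edge u -> v: v may fire after u). Handler
# names are from the slides; callbacks, edges and the autoForward decoy are assumptions.
GRAPH = {
    "PushReceiver.onReceive": ["MessagePopup.onCreate"],
    "MessagePopup.onCreate": ["MessagePopup.startNewMessageQuery"],
    "MessagePopup.startNewMessageQuery": ["MessagePopup.onResume", "MessagePopup.autoForward"],
    "MessagePopup.onResume": ["MessagePopup.forward"],
    "MessagePopup.forward": ["ComposeMessageActivity.onCreate"],
    "MessagePopup.autoForward": ["ComposeMessageActivity.onCreate"],
    "ComposeMessageActivity.onCreate": ["ComposeMessageActivity.sendMessage"],
}
SUCCESSORS = {   # next critical events (thick-line nodes) to try after each one
    "PushReceiver.onReceive": ["MessagePopup.startNewMessageQuery"],
    "MessagePopup.startNewMessageQuery": ["MessagePopup.autoForward", "MessagePopup.forward"],
    "MessagePopup.autoForward": ["ComposeMessageActivity.sendMessage"],
    "MessagePopup.forward": ["ComposeMessageActivity.sendMessage"],
}

def feasible_without_decoy(P):   # solver stand-in: the decoy's constraints are unsatisfiable
    return "MessagePopup.autoForward" not in P

def shortest_chain(graph, src, dst):
    """Dijkstra with unit edge weights; returns the event chain src..dst or None."""
    dist, heap = {src: 0}, [(0, [src])]
    while heap:
        d, chain = heapq.heappop(heap)
        if chain[-1] == dst:
            return chain
        for v in graph.get(chain[-1], []):
            if d + 1 < dist.get(v, float("inf")):
                dist[v] = d + 1
                heapq.heappush(heap, (d + 1, chain + [v]))
    return None

def guided_search(ce, sink, feasible, P=None):
    """Extend event sequence P from critical event ce to sink; roll back on dead ends."""
    P = P or [ce]
    if ce == sink:
        return P
    for ne in SUCCESSORS.get(ce, []):       # slides pick at random; list order here
        chain = shortest_chain(GRAPH, ce, ne)
        if chain is None or not feasible(P + chain[1:]):   # C is empty: roll back
            continue
        found = guided_search(ne, sink, feasible, P + chain[1:])
        if found:
            return found
    return None                             # all successors explored
```

With `feasible_without_decoy`, the search first tries the `autoForward` chain, rolls back, and returns the seven-event sequence through `forward`, including the thin-line lifecycle events that Dijkstra filled in.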

Dynamic Analysis Platform
• Presents which functionality is used when the transmission happens.
• Test case
  • Automatically generated based on the inputs gathered before
  • Attached to the app by repackaging the original Android APK
• Android InstrumentationTestRunner
• Features
  (1) Automatically trigger event inputs
    • To trigger a click event, a performClick operation is applied to the corresponding view.
  (2) Automatically provide data inputs
    • Network inputs are not supported.
    • Android InstrumentationTestRunner cannot intercept and modify network inputs.
  (3) Highlight activated views of GUI events
    • Setting the background color to red
  (4) Highlight sensitive data read and transmission
    • When the data loading and transmission happen

Evaluation
1. Effectiveness of Event-space Constraint Guided Symbolic Execution

2. Effectiveness on Analyzing Sensitive Data Transmission
  [Figure not preserved; surviving labels: (750), (1000)]

3. Effectiveness on Analyzing Sensitive Data Transmission
  • Interesting findings
    (1) Transmission of device IDs and phone numbers is very common but typically not noticed by most smartphone users.
    (2) Lots of apps write sensitive data into the local logging system.

4. Analysis Time
  • Static analysis phase costs 96 hours
    • Can be reduced by distributing the analysis workload to multiple machines
  • Symbolic execution costs 5 to 134 minutes
    • Can be processed in parallel

5. Case Studies
  • Anzhuoduanxin (安卓短信)
    • SMS management app
    • Video: https://www.youtube.com/watch?v=RRqWQk4ztmI
  • Tapsnake
    • A game that stealthily transmits user locations to a third-party receiver
    • Video: https://www.youtube.com/watch?v=L4IvXzpYqzw

6. Usability of AppIntent
  • We invited 3 Android experts.
  • Introduced AppIntent in less than 15 minutes
  • Ran the driven executions for the 3 participants
  • Asked the 3 participants to fill in a sheet

Related Work
• Event listener analysis and symbolic execution for testing GUI applications.
  • S. R. Ganov, C. Killmar, S. Khurshid, and D. E. Perry. In ICFEM, 2009.
• A symbolic execution framework for JavaScript.
  • P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. Security and Privacy, IEEE Symposium on, 0:513–528, 2010.
• Vetting undesirable behaviors in Android apps with permission use analysis. (VetDroid)
  • Y. Zhang, M. Yang, B. Xu, Z. Yang, G. Gu, P. Ning, X. Wang, and B. Zang. In CCS, 2013.

Conclusion And Future Work
• AppIntent
  • A new app validation framework to help human analysts determine if data transmission is intended by the user.
• Future work
  • Native code
  • Instrumentation of network input
  • Fails to analyze some apps because the DEX decompilation tool, DED, failed to decompile these apps

Q & A