Transcript slides - Long Lu

CHEX:
Statically Vetting Android Apps for
Component Hijacking Vulnerability
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee and Guofei Jiang
Vetting vulnerable apps in large scale
 High volume of app submissions
 Inexperienced developers
Accurate and scalable
app vetting methods
 Large number of vulnerable apps
Component hijacking vulnerability
2
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Components in Android apps
App1
App2
Basic building blocks of apps
Mutually independent yet
interactive
Exportable
Android Framework
3
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
What can go wrong?
Unauthorized access to protected resources
Enumerator
Service
Enumerator Service
Contact Manager App
Returns the
address book upon
request
Accepts
unauthorized
requests
Android Framework
Contacts
4
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
What can go wrong?
Unauthorized access to private resources
Setting Update
Receiver
Private
Storage
Android Framework
Setting Update Receiver
Contact Manager App
Overwrites
sensitive data upon
update
Accepts external
updates
5
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Component hijacking attacks
A class of attacks that seek to
gain unauthorized
access to protected or private resources
through exported components in vulnerable apps.
Vulnerable apps exist on target
devices
The attacking app is already installed
6
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Similar attacks and countermeasures
Attacks
Detections
• On permissionprotected
resources
• Lack of an indepth and
scalable method
• On a small set
of apps
• Alerting
exported
components
Mitigations
• Enforcing strict
permission
delegation
policy
• Data leakage
prevention
7
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
CHEX -- Component Hijacking Examiner
Goal: Vetting large volumes of apps for component hijacking vulnerabilities
Accurate
• Deep inspection
• Generic coverage
Fast
CHEX
• Static analysis
• No de-compilation
App market model
• No source code required
• No human assistance
8
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Analysis approach
 A data-flow perspective
 Component hijacking 

read/write protected or private data via exported components
Detecting component hijacking  finding “hijack-enabling flows”
App
Private
Protected
Android Framework
9
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Challenges
Lack of generic analysis tools for Dalvik
bytecode
Dealing with Android apps’ programming
paradigm
• Multiple entry points
• Event-based model
Data flow analysis on Android apps can be
expensive
• Asynchronous execution
• Inter-component data flows
10
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Dalysis: Dalvik Analysis Framework
Parse
manifest
Meta data
Constants
Disassemble
bytecode
(DexLib)
Class
hierarchy
Point-to
analysis
Instruction translation
Abstract interpretation
SSA conversion
Call graph
builder
SSA IR
Instructions
Frontend

Consumes off-the-shelf Android app package (.apk)

Generates SSA IR (adopted from WALA)

Supports extensible backend for multiple types analysis tasks
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
SDG builder
…
Backend
11
Modeling Android Framework
 Design choice: model the
App
framework
System managers
 For data-flow analysis, we model
 Asynchronous entry points
 Framework-assisted data-flows
Android Framework
Libraries
Runtime
Reflections
Mixed languages
Large codebase
…
12
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
App entry points
 Points through which control transfers to the app
 Start point
 Callbacks
Definition: App entry points are the methods that are defined by the app and
intended to be called only by the framework.
App launch
points
Component
lifecycle
callbacks
Asynchronou
s constructs
UI event
handlers
Others
13
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Entry point discovery
Observation: only two ways to “register” entry points
 Declaring them in the manifest file
 Overriding/implementing the designated interfaces
Unused methods
overriding framework
Dead code
Entry points

How to distinguish?


Containing class is instantiated
Original interface is never called by app
14
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Entry point discovery
Unused methods
overriding framework
Entry
points
Unused methods
overriding framework
Entry points
15
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
App splitting
Definition:
A split is a subset of the app code that is
reachable from an entry point.
App
 Modeling app execution by permuting
split executions in all feasible orders
 Why reasonable?
 Most splits cannot be interleaved
 Efficient pruning techniques
Android Framework
16
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
SDS and PDS
Src1
G1
Split Data-flow Summary (SDS)

Intra-split data-flows that start and end at
heap variables, sources, or sinks.
G1
Permutation Data-flow Summary (PDS)
 Linking two adjacent SDSs in a feasible
permutation
Sink1
Src1
G1
When permutation ends, all possible
data-flows have been enumerated.
17
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Sink1
Identifying “hijack-enabling flows”
 Using descriptive policies to specify flows of interests
Sensitive
Input
Input
Sensitive
…
Public
…
Critical
…
Inputspecified
exit
18
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Evaluations

5,486 apps from the official and alternative markets

Hardware spec: Intel Core i7-970 with 12GB RAM
Performance
Accuracy
 Median processing time: 37sec

254/5,486 flagged as vulnerable
 22% apps took >5min

True positive rate: 81%
Insights

50 entry points of 44 types per app

99.7% apps contain inter-split data-flows
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
19
Case study
Attack Class
Data Theft
Representative cases
Sending GPS data to URL specified by input string
Capability Leak
Input string used as hostname for socket
connection
Code Injection
Input string used for raw SQL query statement
Input string used as shell command
Intent Proxy
Object embedded in input used to start Activity
Data tampering
Input string submitted to server as game score
20
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities
Conclusion
Studied component hijacking vulnerabilities
Defined from a data flow perspective
Generalizing similar attacks
Designed and implemented CHEX
Identifying hijackenabling flows
Suited for large volume
app vetting
Overcoming analysis
challenges of apps
Conducted large-scale experiments
254 / 5,486 apps
37.02 sec
Case studies
21
CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities