20140910 - TAPAS FlowDroid and Susi copy


What's that app doing with my data?
Challenges and solutions to practical taint analysis
Eric Bodden
sources (SMS/MMS, Location, Calendar, Contact)
  -> code analysis
  -> sinks (SMS/MMS, Bluetooth, NFC, Email, Internet)
  -> report potential privacy leaks
SuSi [Rasthofer, Arzt, Bodden, NDSS 2014]
[Table on the slide: source/sink methods against the source/sink lists of existing tools; cells marked "?" where a tool's coverage is unknown]
Method: Location.getLongitude(), Location.getLatitude(), Browser.getAllBookmarks(), SmsManager.sendTextMessage, Log.d(), URL.openConnection()
Tools: TaintDroid, SCanDroid, DeD
Extracting Sources/Sinks
Input: Android API, GoogleGlass API, Chromecast API, ...
  -> Oracle (SuSi)
  -> List of Sources (Cat. 1, Cat. 2, ..., Cat. n)
  -> List of Sinks (Cat. 1, Cat. 2, ..., Cat. n)
Support-Vector Machine
[Figure: training points from the feature database (+ = Source, - = Sink) plotted over Feature 1 and Feature 2; a test point "?" is classified by the side of the learned boundary it falls on]
Machine-Learning Approach
[Fig. 2. Machine learning approach: Training Set -> Feature Database -> Training Matrix; Test Set -> Feature Database -> Testing Matrix; train classifier -> Classifier -> Classification -> Output: Sources, Sinks. 1st run (classification), 2nd run (categorization).]
Fragment of the paper text visible on the slide: "... fixed semantics. The variance is simply not large enough to justify the imprecision introduced by probabilistic approaches ..."
Feature-Database: Classification
Example features of a "getter"-style source: returns a value, modifier, specific return-type, data flow to return
Feature-Categories:
‣ Method name
‣ Method has parameters
‣ Method's return type
‣ Parameter type
‣ Method modifiers
‣ Modifiers of declaring class
‣ Name of declaring class
‣ Data flow to return value
‣ Data flow from parameter to (abstract) sink
Feature-Database: Categorization
Source categories: SMS/MMS, Location, Calendar, Contact, ...
Sink categories: SMS/MMS, Bluetooth, NFC, Email, Internet, ...
Evaluation
Ten-fold cross validation: training on 779 Android APIs, each fold split into Train and Predict.
$\mathrm{Recall} = \frac{TP}{TP + FN}$
$\mathrm{Precision} = \frac{TP}{TP + FP}$
(arrow on the slide: better)
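To make the evaluation concrete, here is an added example (not SuSi's code and not its data): a few constructed, hand-labelled Java method signatures, boolean features in the categories the slides list (method name, parameters, return type, modifiers, declaring class), a one-vs-rest perceptron standing in for SuSi's SVM, and k-fold cross-validation that reports per-class precision and recall with the formulas above. The function names features, train, precision_recall and cross_validate are this example's own.

```python
"""Added example, not SuSi's code: signature features, a perceptron
standing in for the SVM, and k-fold precision/recall. The labelled
signatures are constructed; SuSi's 779-method training set is not reproduced."""
import re
from collections import defaultdict

CLASSES = ("source", "sink", "neither")

# Constructed, hand-labelled sample in Java signature syntax.
LABELED = [
    ("public double android.location.Location.getLongitude()", "source"),
    ("public double android.location.Location.getLatitude()", "source"),
    ("public java.lang.String android.net.wifi.WifiInfo.getMacAddress()", "source"),
    ("public java.lang.String android.net.wifi.WifiInfo.getSSID()", "source"),
    ("public int android.telephony.gsm.GsmCellLocation.getCid()", "source"),
    ("public java.lang.String android.bluetooth.BluetoothAdapter.getAddress()", "source"),
    ("public void android.telephony.SmsManager.sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)", "sink"),
    ("public static int android.util.Log.d(java.lang.String,java.lang.String)", "sink"),
    ("public void java.io.OutputStream.write(byte[])", "sink"),
    ("public boolean java.lang.String.isEmpty()", "neither"),
    ("public int java.lang.Math.abs(int)", "neither"),
    ("public java.lang.String java.lang.String.trim()", "neither"),
    ("public void java.util.ArrayList.clear()", "neither"),
]

SIG = re.compile(r"(?P<mods>(?:\w+\s+)*?)(?P<ret>\S+)\s+(?P<cls>[\w.$]+)\.(?P<name>\w+)\((?P<params>[^)]*)\)")

def parse_signature(sig):
    m = SIG.fullmatch(sig.strip())
    if not m:
        raise ValueError("unsupported signature: " + sig)
    return {"modifiers": m["mods"].split(), "ret": m["ret"], "cls": m["cls"],
            "name": m["name"], "params": [p for p in m["params"].split(",") if p]}

def features(sig):
    """Boolean features in the slide's syntactic categories; SuSi's data-flow
    features need a code analysis and are omitted here."""
    m = parse_signature(sig)
    name, ret, cls = m["name"], m["ret"], m["cls"]
    return {
        "returns_value": ret != "void",
        "has_params": bool(m["params"]),
        "is_static": "static" in m["modifiers"],
        "name_getter": name.startswith("get"),
        "name_emitter": name.startswith(("send", "write", "open", "connect")),
        "ret_string": ret == "java.lang.String",
        "ret_number": ret in ("int", "long", "float", "double"),
        "param_string": "java.lang.String" in m["params"],
        "cls_android": cls.startswith("android."),
        "cls_info_like": cls.rsplit(".", 1)[-1].endswith(("Info", "Location", "Adapter", "Manager")),
    }

def vectorize(sig, keys):
    f = features(sig)
    return [1.0 if f[k] else 0.0 for k in keys] + [1.0]  # trailing 1.0 is the bias

def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))

def train(examples, n, epochs=25):
    """One-vs-rest perceptron: one weight vector per class (stand-in for the SVM)."""
    w = {c: [0.0] * n for c in CLASSES}
    for _ in range(epochs):
        for x, y in examples:
            for c in CLASSES:
                target = 1.0 if y == c else -1.0
                if target * dot(w[c], x) <= 0:
                    w[c] = [wi + target * xi for wi, xi in zip(w[c], x)]
    return w

def predict(w, x):
    return max(CLASSES, key=lambda c: dot(w[c], x))

def precision_recall(pairs):
    """pairs: (true label, predicted label) -> {class: (precision, recall)}
    with Precision = TP/(TP+FP) and Recall = TP/(TP+FN) as on the slide."""
    tp, fp, fn = defaultdict(int), defaultdict(int), defaultdict(int)
    for truth, pred in pairs:
        if truth == pred:
            tp[truth] += 1
        else:
            fp[pred] += 1
            fn[truth] += 1
    result = {}
    for c in CLASSES:
        p = tp[c] / (tp[c] + fp[c]) if tp[c] + fp[c] else 0.0
        r = tp[c] / (tp[c] + fn[c]) if tp[c] + fn[c] else 0.0
        result[c] = (p, r)
    return result

def cross_validate(labeled, k=10, epochs=25):
    """k-fold cross-validation: train on k-1 folds, predict the held-out fold."""
    keys = sorted(features(labeled[0][0]))
    data = [(vectorize(s, keys), y) for s, y in labeled]
    k = min(k, len(data))
    pairs = []
    for fold in range(k):
        held_out = [d for i, d in enumerate(data) if i % k == fold]
        training = [d for i, d in enumerate(data) if i % k != fold]
        w = train(training, len(keys) + 1, epochs)
        pairs += [(y, predict(w, x)) for x, y in held_out]
    return precision_recall(pairs)

if __name__ == "__main__":
    for cls, (p, r) in cross_validate(LABELED).items():
        print(f"{cls:8s} precision={p:.2f} recall={r:.2f}")
```

With a sample this small the cross-validated numbers are not meaningful; the point is the pipeline: the same feature extractor feeds training and prediction, and precision and recall are computed per class from the held-out predictions only.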
Results for categorization
[Figure: Categorized Sources; Categorized Sinks]
On untrained APIs: Chromecast, GoogleGlass
Manual validation:
‣ Google Glass API: Precision: 98% and Recall: 100%
‣ Google Chromecast API: Precision and Recall: 100%
Evolution
Top Source/Sink Methods in Android-Malware
Method:
BluetoothAdapter.getAddress()
WifiInfo.getMacAddress()
Locale.getCountry()
WifiInfo.getSSID()
GsmCellLocation.getCid()
GsmCellLocation.getLac()
Location.getLongitude()
Location.getLatitude()
Browser.getAllBookmarks()
SmsManager.sendTextMessage
Log.d()
URL.openConnection()
(compared against the source/sink lists of TaintDroid, SCanDroid and DeD)
FlowDroid [Arzt et al., PLDI 2014]
sources -> code analysis -> sinks -> report potential privacy leaks
joint work with…
Steven Arzt, Siegfried Rasthofer, Christian Fritz
Alexandre Bartel, Jacques Klein, Yves Le Traon
Damien Octeau, Patrick McDaniel
FlowDroid
• Can analyze Android binaries or source
• Built on top of Soot
• Specialized to taint analysis but can be extended with other kinds of Android analyses
void main() {
  a = new A();
  b = a.g;
  foo(a);
  sink(b.f);
}
void foo(z) {
  x = z.g;
  w = source();
  x.f = w;
}
Will it leak?
Two main requirements
• maximize true warnings
• minimize false warnings
… and do it fast!
maximizing true warnings (Recall)
Activity lifecycle
Activity starts -> onCreate() -> onStart() -> onResume() -> Activity is running -> onPause() -> onStop() -> onDestroy() -> Activity is shut down
(onRestart() leads from onStop() back to onStart())
Also:
• services
• broadcast receivers
• content providers
• fragments
minimize false warnings
Options for highly precise analysis
• Flow-sensitive: respect program order
• Context-sensitive: re-analyze calls to the same methods but with different parameters
• Field-sensitive: distinguish different fields of the same object
• Object-sensitive: distinguish different "owner objects"
• Optional: on-demand alias analysis with same level of precision
Intertwined analyses: forward taint analysis, backward alias analysis
void main() {
  a = new A();
  b = a.g;
  foo(a);
  sink(b.f);
}
void foo(z) {
  x = z.g;
  w = source();
  x.f = w;
}
Access paths annotated on the slide (steps 1 to 7): w, x.f, z.g.f, a.g.f, b.f
Inspired by Tripp et al., FASE 2013: Andromeda: Accurate and scalable security analysis of web applications
a = source();
x = y;
x.f = a;
leak(y.f);
Forward Taint Analysis and Backward Alias Analysis, each with its own Work Queue (slide animation):
• forward queue: a (tainted at a = source())
• at x.f = a the forward analysis taints x.f and hands x.f to the backward alias analysis
• walking backwards, x = y yields the alias y.f
• y.f goes back onto the forward queue (queue: a, y.f, x.f)
• leak(y.f) is reported
CountingThreadPoolExecutor terminates not before both queues are empty
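As an added example, not FlowDroid's code, the following script implements a toy version of the intertwined analyses shown on the last slides: a forward, flow- and field-sensitive taint analysis over access paths that, on a field store of tainted data, asks a backward alias analysis for the other access paths that reach the stored value. It runs the `a = source(); x = y; x.f = a; leak(y.f)` program above and the main/foo example with the call to foo(a) inlined by hand (real FlowDroid is interprocedural over Soot's Jimple IR with IFDS solvers). The statement grammar and the functions parse, aliases, analyze and leaks_for are this example's own.

```python
"""Added example, not FlowDroid's code: toy intra-procedural taint analysis
with an on-demand backward alias analysis over access paths.
Accepted statements (trailing ';' optional):
    v = source()   taint source
    v = new T()    allocation; kills taints on v (strong update)
    lhs = rhs      copy between access paths ("b = a.g", "x.f = w")
    sink(ap)       sink (leak(ap) also accepted); reported if ap is tainted
"""
import re

def ap(text):
    """'a.g.f' -> ('a', 'g', 'f'): an access path as a tuple."""
    return tuple(text.strip().split("."))

def parse(src):
    stmts = []
    for line in src.strip().splitlines():
        line = line.strip().rstrip(";").strip()
        if not line:
            continue
        m = re.fullmatch(r"(?:sink|leak)\((\S+)\)", line)
        if m:
            stmts.append(("sink", ap(m.group(1))))
            continue
        lhs, rhs = (s.strip() for s in line.split("=", 1))
        if rhs == "source()":
            stmts.append(("source", ap(lhs)))
        elif rhs.startswith("new "):
            stmts.append(("new", ap(lhs)))
        else:
            stmts.append(("copy", ap(lhs), ap(rhs)))
    return stmts

def is_prefix(p, q):
    return q[:len(p)] == p

def rebase(path, old, new):
    """Replace prefix `old` of `path` by `new`: a.g.f with a.g -> b gives b.f."""
    return new + path[len(old):]

def aliases(stmts, at, path):
    """Backward alias analysis: walk the copies before statement `at` and
    collect access paths that may alias `path` there (may-alias, no kills)."""
    found = {path}
    work = [(at, path)]
    while work:
        k, p = work.pop()
        for j in range(k - 1, -1, -1):
            if stmts[j][0] != "copy":
                continue
            _, lhs, rhs = stmts[j]
            for side, other in ((lhs, rhs), (rhs, lhs)):
                if is_prefix(side, p):
                    q = rebase(p, side, other)
                    if q not in found:
                        found.add(q)
                        work.append((j, q))
    return found

def analyze(stmts):
    """Forward taint analysis in program order.
    Returns [(statement index, sunk access path, tainted paths hit)]."""
    tainted, leaks = set(), []
    for i, s in enumerate(stmts):
        if s[0] == "source":
            tainted.add(s[1])
        elif s[0] == "new":                      # fresh object: strong update
            tainted = {t for t in tainted if not is_prefix(s[1], t)}
        elif s[0] == "copy":
            _, lhs, rhs = s
            new = set()
            for t in tainted:
                if is_prefix(rhs, t):            # b = a.g with a.g.f tainted -> b.f
                    new.add(rebase(t, rhs, lhs))
                elif is_prefix(t, rhs):          # b = a.g with a tainted -> b
                    new.add(lhs)
            if len(lhs) == 1:                    # local overwritten: strong update
                tainted = {t for t in tainted if not is_prefix(lhs, t)}
            tainted |= new
            if new and len(lhs) > 1:             # field store: ask the alias analysis
                for t in new:
                    tainted |= aliases(stmts, i, t)
        elif s[0] == "sink":
            hit = sorted(t for t in tainted if is_prefix(s[1], t) or is_prefix(t, s[1]))
            if hit:
                leaks.append((i, s[1], hit))
    return leaks

def leaks_for(src):
    return analyze(parse(src))

# Constructed programs from the slides; in the second, foo(a) is inlined
# by hand (z = a, so x = z.g becomes x = a.g).
PROGRAM_ALIAS = "a = source();\nx = y;\nx.f = a;\nleak(y.f);"
PROGRAM_MAIN_FOO = "a = new A();\nb = a.g;\nx = a.g;\nw = source();\nx.f = w;\nsink(b.f);"

if __name__ == "__main__":
    print("alias example:", leaks_for(PROGRAM_ALIAS))
    print("main/foo example:", leaks_for(PROGRAM_MAIN_FOO))
```

Both programs leak: in the first, the backward walk from x.f = a finds x = y and reports y.f; in the second, x = a.g and then b = a.g turn x.f into a.g.f and then b.f, which is exactly the sink's argument. Without the alias query the forward analysis alone would taint only x.f and miss both leaks, which is the "field-sensitive but alias-unaware" false negative the slides warn about.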
Demand-driven alias analysis
The devil is in the details:
• How exactly to coordinate the interplay between both analyses?
• How to maintain context and flow sensitivity? Both analyses use different (value) contexts
• How to keep summaries concise? (important for performance and memory footprint)
Details: see PLDI'14 paper
… and do it fast!
[Fig. 4. Scatter plot: Time in seconds (log scale, 10 to 10000) over Callgraph size as # of edges (log scale, 50 to 500000). Analysis time of benign applications with respect to their call graph sizes. All times obtained on an Intel 64-core machine with 730 GB RAM.]
Chart from joint work with Gorla et al., under submission
Pay as you go…
--aliasflowins   use flow-insensitive ahead-of-time alias analysis (Spark)
--aplength n     restrict length of "access paths" (less object-sensitive)
--nocallbacks    don't model callbacks in Android lifecycle
--nopaths        don't record path along which taint flows
--nostatic       don't track static fields
Open question: How to enable full precision efficiently on all practical apps?
• Generalize concept of inter-connected flow-sensitive analyses
• Fully automatic recovery of runtime values in obfuscated apps (reflective calls, phone numbers, C&C commands, …)
• Effective visualization of data leaks
• Tool-assisted "debugging" and reverse engineering on the binary level
64 Test apps
• Complex data structures
• Inter-app communication
• Callbacks, Lifecycle
• Reflection
• Field and Object Sensitivity
• Implicit flows
Other Static Approaches:
ScanDroid [TR 09], DeD [SEC'11], CHEX [CCS'12], LeakMiner [WCSE'12], ScanDal [Most'12], AndroidLeaks [TRUST'12], SAAF [SAC'13], …
CCS: http://reproducibility.cs.arizona.edu/
[Figure: Precision (x axis, 0 to 100) against Recall (y axis, 0 to 100) on DroidBench 1.0; arrow "better" toward the top right. Points as plotted (Precision, Recall):]
FlowDroid: 86, 93
IBM AppScan Source: 81, 61
HP Fortify: 74, 50
?
void main() {
  a = new A();
  b = a.g;
  foo(a);
  sink(b.f);
}
void foo(z) {
  x = z.g;
  w = source();
  x.f = w;
}
Access paths annotated on the slide (steps 1 to 7): w, x.f, z.g.f, a.g.f, b.f
sseblog.ec-spride.de/tools/