Analysis Techniques for Mobile Operating System Security
Prof. William Enck
Raleigh ISSA
April 5, 2012

NC State - Prof. William Enck                        Page 1
A cautionary tale ...




Traditional computing vs. smartphones
• Smartphones: logical conclusion of access consolidation, service decentralization, and commoditization of computing
• Usage model is very different
  ‣ Multi-user single machine to single-user multiple machines
  ‣ Always on, always computing social instrument
  ‣ Enterprise: separate action from geography
• Changing Risk
  ‣ Necessarily contains secrets (often high value)
  ‣ Collects sensitive data as a matter of operation
  ‣ Drifts seamlessly between “unknown” networks
  ‣ Highly malleable development practices, largely unknown developers
Rethinking (host) Security
  security == permissions
  security ≠ users
• Permissions define capabilities.
• Application markets deliver functionality (free or paid) via packaged applications.
• Users make permission decisions.
• Applications are run within sandboxes provided by the OS.
• Note: App markets don’t (and can’t) provide security for everything.
Research Questions
         • Questions:
               ‣ What permissions do applications ask for?
               ‣ What do applications do with the permissions?
               ‣ What can applications do with the permissions?




Example: Android Security
• Permissions granted to applications and never changed
  ‣ Permissions are enforced when an application accesses a component, API, etc.
  ‣ Runtime decisions look for assigned permissions (access is granted IFF app A was assigned perm X at install)
[Figure: Application 1 (permission labels l1, ...) accessing the components of Application 2 (A: ..., B: l1, C: l2); components inherit Application 2's permission labels]
• Example permissions: location, phone IDs, microphone, camera, address book, SMS, application “interfaces”
Q1: what do applications ask for?
• Kirin certifies applications by vetting policies at install-time (relies on runtime enforcement)
• Insight: app config and security policy is an upper bound on runtime behavior.
• Kirin is a modified application installer
  ‣ Apps with unsafe policies are rejected
[Figure: (1) a new application attempts installation through the Android Application Installer; (2) the installer hands it to the Kirin Security Service, which checks it against the Kirin Security Rules; (3) pass/fail; (4) optional extension: display risk ratings to the user and prompt for override]



Kirin Security Policy
• Kirin enforces security invariants at install-time
• Local evaluation of two manifest artifacts
  ‣ The collection of requested permissions (uses-permission)
  ‣ The types of registered Intent message listeners
• Example:
  ‣ Do not allow an application that holds the Location and Internet permissions and also receives the “booted” event

  restrict permission [ACCESS_FINE_LOCATION, INTERNET] and receive [BOOT_COMPLETE]



Policy Evaluation
[Slide background: excerpt of Section 5.2 “KSL Semantics” from the Kirin paper, with its Table 1: Applications (Walkie-Talkie, Push to Talk, Shazam, Inauguration, Collaborative ...) bleeding through]

  restrict permission [ACCESS_FINE_LOCATION, INTERNET] and receive [BOOT_COMPLETE]

• Policy evaluation: set satisfiability, expressible in KSL
  ‣ Invariant violations found in O(n) w.r.t. policy size
  ‣ KSL rules are tuples of permission labels and action strings
  ‣ A configuration that fails no rule is certified

KSL semantics (reconstructed from the excerpt on the slide):
  Let C be the set of all possible application configurations and R the set of all possible KSL rules. A configuration c_t ∈ C for a target application t is the tuple (P_t, A_t), where P_t is the set of permission labels used by t and A_t is the set of action strings its Activities, Services, and Broadcast Receivers use to receive Intents. A rule r_i ∈ R is the tuple (P_i, A_i), where P_i is the set of all its “permission” restrictions and A_i the set of all its “receive” restrictions. Define

    fail : C × R → {true, false}
    fail(c_t, r_i) = true  iff  P_i ⊆ P_t and A_i ⊆ A_t

  Using the standard notation 2^X for the set of all subsets of X (including ∅), let F_R : C → 2^R return the rules a configuration fails:

    F_R(c_t) = { r_i | r_i ∈ R, fail(c_t, r_i) }

  The configuration c_t passes the KSL rule-set R iff F_R(c_t) = ∅. Clearly, fail(·) operates in time linear to the input, since a hash table provides constant-time set membership checks, and F_R(·) in time linear to the size of R.
Studying the (early) Market
• Evaluate 300+ popular Market apps (Jan 2009)
  ‣ 5 had both dangerous configuration and functionality (1.6%)
  ‣ 5 had dangerous configuration but not functionality (1.6%)

  (1) An application must not have the SET_DEBUG_APP permission
  (2) An application must not have the READ_PHONE_STATE, RECORD_AUDIO, and INTERNET permissions
  (3) An application must not have the PROCESS_OUTGOING_CALL, RECORD_AUDIO, and INTERNET permissions
  (4) An application must not have the ACCESS_FINE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
  (5) An application must not have the ACCESS_COARSE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
  (6) An application must not have the RECEIVE_SMS and WRITE_SMS permissions
  (7) An application must not have the SEND_SMS and WRITE_SMS permissions
  (8) An application must not have the INSTALL_SHORTCUT and UNINSTALL_SHORTCUT permissions
  (9) An application must not have the SET_PREFERRED_APPLICATION permission and receive Intents for the CALL action string
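The Kirin policy slides (install-time evaluation of the manifest, the KSL rule semantics, and the nine invariants above) can be exercised end to end. What follows is an added example, not Kirin's code: it parses the two manifest artifacts Kirin evaluates (uses-permission entries and the Intent actions registered by broadcast receivers) into c_t = (P_t, A_t), encodes the nine rules as (P_i, A_i) tuples, and computes fail(c_t, r_i) and F_R(c_t) exactly as defined on the Policy Evaluation slide. The two manifests, their package names, and the fully qualified action strings are constructed assumptions; rules 4 and 5 are written in the slide-8 form (a "receive" restriction on the boot action) rather than as a permission.

```python
# Added example in the style of Kirin's KSL evaluation (not Kirin's own code).
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERM_PREFIX = "android.permission."

# Fully qualified action strings (assumed; the slides abbreviate them as BOOT_COMPLETE and CALL).
BOOT = "android.intent.action.BOOT_COMPLETED"
CALL = "android.intent.action.CALL"

# The nine invariants from the "Studying the (early) Market" slide as r_i = (number, P_i, A_i).
# Rules 4 and 5 use the slide-8 form: permission restriction plus a "receive" restriction.
KSL_RULES = [
    (1, {"SET_DEBUG_APP"}, set()),
    (2, {"READ_PHONE_STATE", "RECORD_AUDIO", "INTERNET"}, set()),
    (3, {"PROCESS_OUTGOING_CALL", "RECORD_AUDIO", "INTERNET"}, set()),
    (4, {"ACCESS_FINE_LOCATION", "INTERNET"}, {BOOT}),
    (5, {"ACCESS_COARSE_LOCATION", "INTERNET"}, {BOOT}),
    (6, {"RECEIVE_SMS", "WRITE_SMS"}, set()),
    (7, {"SEND_SMS", "WRITE_SMS"}, set()),
    (8, {"INSTALL_SHORTCUT", "UNINSTALL_SHORTCUT"}, set()),
    (9, {"SET_PREFERRED_APPLICATION"}, {CALL}),
]


def parse_configuration(manifest_xml):
    """Return c_t = (P_t, A_t): requested permission labels and the action
    strings registered by the manifest's broadcast receivers."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        perms.add(name[len(PERM_PREFIX):] if name.startswith(PERM_PREFIX) else name)
    actions = set()
    for receiver in root.iter("receiver"):            # only Intent *listeners* count
        for action in receiver.iter("action"):
            actions.add(action.get(ANDROID_NS + "name", ""))
    return frozenset(perms), frozenset(actions)


def fail(config, rule):
    """fail(c_t, r_i) is true iff P_i is a subset of P_t and A_i is a subset of A_t."""
    p_t, a_t = config
    _, p_i, a_i = rule
    return p_i <= p_t and a_i <= a_t


def failed_rules(config, rules=KSL_RULES):
    """F_R(c_t) = { r_i | r_i in R, fail(c_t, r_i) }, reported by rule number."""
    return sorted(rule[0] for rule in rules if fail(config, rule))


def certify(manifest_xml, rules=KSL_RULES):
    """Install-time decision: the configuration passes iff F_R(c_t) is empty."""
    violations = failed_rules(parse_configuration(manifest_xml), rules)
    return (len(violations) == 0, violations)


# Constructed sample manifests (not taken from the slides).
RISKY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weatherwidget">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("risky", RISKY_MANIFEST), ("benign", BENIGN_MANIFEST)):
        ok, violated = certify(manifest)
        print(f"{label}: {'certified' if ok else 'rejected'} (failed rules: {violated})")
```

The risky manifest is rejected on rule 4 only: it lacks RECORD_AUDIO, so rule 2 does not fire even though READ_PHONE_STATE and INTERNET are present. Each fail() call is a pair of subset tests, so evaluating the whole rule-set stays linear in the number of rules, matching the O(n) claim on the slide.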




Q2: What do the applications do?
• TaintDroid is a system-wide integration of taint tracking into the Android platform
  ‣ VM Layer: variable tracking throughout Dalvik VM
  ‣ Native Layer: patches state after native method invocation
  ‣ Binder IPC Layer: extends tracking between applications
  ‣ Storage Layer: persistent tracking on files
[Figure: TaintDroid architecture. Two applications (Application Code on a Virtual Machine each) exchange a Msg with message-level tracking; variable-level tracking inside each Virtual Machine; method-level tracking across the Native System Libraries; file-level tracking on Secondary Storage, alongside the Network Interface]
• TaintDroid is a firmware modification, not an app
Dynamic Taint Analysis
• Dynamic taint analysis is a technique that tracks information dependencies from an origin
• Conceptual idea:
  ‣ Taint source:        c = taint_source()
  ‣ Taint propagation:   a = b + c
  ‣ Taint sink:          network_send(a)
• Limitations: performance and granularity are a trade-off
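The source / propagation / sink idea above can be shown on a value that carries its own taint tag. This is an added example, not TaintDroid's code: it models TaintDroid's variable-level tracking with a tag bit vector (TaintDroid stores tags as a 32-bit bit vector, so one bit per source lets one value record that it depends on several sources), ORs operand tags into every result, and makes the network sink report which sources reached it. The host names, the IMEI and coordinates, and the ad-request format are constructed; the scenario mirrors the kind of location-plus-identifier ad request discussed later in the deck.

```python
# Added example modelling TaintDroid-style variable-level taint tracking (not TaintDroid's code).
import hashlib
from dataclasses import dataclass

# One bit per taint source, as in TaintDroid's 32-bit taint tag bit vector.
TAG_LOCATION = 1 << 0
TAG_IMEI = 1 << 1
TAG_PHONE_NO = 1 << 2
TAG_NAMES = {TAG_LOCATION: "LOCATION", TAG_IMEI: "IMEI", TAG_PHONE_NO: "PHONE_NUMBER"}


@dataclass(frozen=True)
class Tainted:
    """A value together with its taint tag (0 = untainted)."""
    value: object
    tag: int = 0


def lift(x):
    """Treat plain constants as untainted values."""
    return x if isinstance(x, Tainted) else Tainted(x, 0)


def taint_source(value, tag):
    """Taint source: data enters the program already carrying its origin tag."""
    return Tainted(value, tag)


def propagate(op, *operands):
    """Taint propagation: apply op to the raw values; the result's tag is the OR of all operand tags."""
    ops = [lift(o) for o in operands]
    tag = 0
    for o in ops:
        tag |= o.tag
    return Tainted(op(*(o.value for o in ops)), tag)


def tag_names(tag):
    return [name for bit, name in TAG_NAMES.items() if tag & bit]


def network_send(host, payload, alerts):
    """Taint sink: when tainted data reaches the network, record which sources it depends on."""
    payload = lift(payload)
    if payload.tag == 0:
        return None
    alert = {"host": host, "sources": tag_names(payload.tag), "bytes": len(str(payload.value))}
    alerts.append(alert)
    return alert


def simulate_ad_request(alerts):
    """Constructed scenario: an app builds an ad request from a hashed IMEI and GPS coordinates."""
    imei = taint_source("490154203237518", TAG_IMEI)        # constructed value, not a real device
    lat = taint_source(47.66, TAG_LOCATION)
    lon = taint_source(-122.31, TAG_LOCATION)
    app_id = Tainted("app-id-0001")                         # compile-time constant: untainted
    # Hashing does not launder the tag: the digest is still computed from the IMEI.
    device_hash = propagate(lambda s: hashlib.sha256(s.encode()).hexdigest(), imei)
    coord = propagate(lambda a, b: f"{a},{b}", lat, lon)
    query = propagate(lambda s, t, c: f"s={s}&t={t}&coord={c}", app_id, device_hash, coord)
    return network_send("ads.example.invalid", query, alerts)


def simulate_benign_request(alerts):
    """Untainted data reaching the same sink produces no alert."""
    body = propagate(lambda v: f"version={v}", Tainted("1.2"))
    return network_send("update.example.invalid", body, alerts)


if __name__ == "__main__":
    log = []
    print(simulate_ad_request(log))       # sources: LOCATION and IMEI
    print(simulate_benign_request(log))   # None
```

The hashed-identifier step is the point a practitioner should notice: TaintDroid-style tracking is about data dependency, not string matching, so an obfuscated or hashed identifier is still flagged at the sink. The cost the slide mentions is visible too: every operation now carries an extra OR on its operands, which is where the performance/granularity trade-off comes from.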
Performance
[Chart: CaffeineMark 3.0 benchmark scores (higher is better; 0–2000) for Android vs. TaintDroid across sieve, loop, logic, string, float, method, and total; TaintDroid shows 14% overhead. CaffeineMark score roughly corresponds to the number of Java instructions per second.]
• Memory overhead: 4.4%
• IPC overhead: 27%
• Macro-benchmarks:
  ‣ App load: 3% (2ms)
  ‣ Address book: (< 20 ms) 5.5% create, 18% read
  ‣ Phone call: 10% (10ms)
  ‣ Take picture: 29% (0.5s)

Application Study
• Selected 30 applications with bias on popularity and access to Internet, location, microphone, and camera

  applications                                                                  #    permissions
  The Weather Channel, Cetos, Solitarie, Movies, Babble, Manga Browser          6
  Bump, Wertago, Antivirus, ABC --- Animals, Traffic Jam, Hearts, Blackjack,
  Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Datelefonbuch, Astrid,
  BBC News Live Stream, Ringtones                                               14
  Layer, Knocking, Coupons, Trapster, Spongebot Slide, ProBasketBall            6
  MySpace, Barcode Scanner, ixMAT                                               3
  Evernote                                                                      1
  (the permissions column of the table did not survive extraction)

• Of 105 flagged connections, only 37 clearly legitimate
Findings
• 15 of the 30 applications shared physical location with an ad server (admob.com, ad.qwapi.com, ads.mobclix.com, data.flurry.com)
  ‣ Most traffic was plaintext (e.g., AdMob HTTP GET):

    ...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85B717D9195A6722A9&d%5Bcoord%5D=47.661227890000006%2C-122.31589477&...

• 7 applications sent device ID (IMEI) and 2 apps sent phone info (Ph. #, IMSI *, ICC-ID) to a remote server without informing the user.
Q3: What can the applications do?
• Static analysis: look at the possible paths and interaction of data
  ‣ Very, very hard (often undecidable), but the community has learned that we can do a lot with small analyses.
• Step 1: ded decompiler for Android applications
• Step 2: static source code analysis for both dangerous functionality and vulnerabilities
  ‣ What data could be exfiltrated from the application?
  ‣ Are developers safely using interfaces?
ded Decompiler
• Android applications are written in Java, but compiled for the optimized Dalvik VM language
  ‣ Non-trivial to retarget back to Java: register vs. stack architecture, constant pools, ambiguous scalar types, null references, etc.
[Figure: Retargeting Process. (1) DEX Parsing: CFG Construction; Type Inference Processing (Missing Type Inference, Constant Identification). (2) Java .class Conversion: Constant Pool Conversion (Constant Pool Translation); Method Code Retargeting (Bytecode Reorganization, Instruction Set Translation). (3) Java .class Optimization]
• ded recovers source code from application package
  ‣ Retargeting: type inference, instruction translation, etc.
  ‣ Optimization: use Soot to re-optimize for Java bytecode
  ‣ Decompilation: standard Java decompilation (Soot)
• Decompiled top 1,100 free apps from Android market: over 21 million lines of source code
Studying Application Security
• Queried for security properties using program analysis, followed by manual inspection to understand purpose
• Used several types of analysis to design security properties specific to Android using the Fortify SCA framework

  Analysis for Dangerous Behavior
    Misuse of Phone Identifiers          Data flow analysis
    Exposure of Physical Location        Data flow analysis
    Abuse of Telephony Services          Semantic analysis
    Eavesdropping on Video               Control flow analysis
    Eavesdropping on Audio               Structural analysis (+CG)
    Botnet Characteristics (Sockets)     Structural analysis
    Harvesting Installed Applications    Structural analysis

  Analysis for Vulnerabilities
    Leaking Information to Logs          Data flow analysis
    Leaking Information to IPC           Control flow analysis
    Unprotected Broadcast Receivers      Control flow analysis
    Intent Injection Vulnerabilities     Control flow analysis
    Delegation Vulnerabilities           Control flow analysis
    Null Checks on IPC Input             Control flow analysis
    Password Management*                 Data flow analysis
    Cryptography Misuse*                 Structural analysis
    Injection Vulnerabilities*           Data flow analysis
    * included with analysis framework

• Also studied inclusion of advertisement and analytics libraries and associated properties
Phone Identifiers
• We’ve seen phone identifiers (Ph.#, IMEI, IMSI, etc.) sent to network servers, but how are they used?
  ‣ Program analysis pin-pointed 33 apps leaking Phone IDs
• Finding 2 - device fingerprints
• Finding 3 - tracking actions
• Finding 4 - along with registration and login
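The "Misuse of Phone Identifiers" row above is a data flow query: does a value read from a TelephonyManager identifier method reach a network call? The following is an added, deliberately small version of that query, not the Fortify SCA rule or the ded pipeline: a forward, straight-line taint propagation over decompiled-style Java statements of the kind shown on the next slides. It tracks which variables depend on a phone-identifier source, kills the taint when a variable is overwritten with clean data, and reports each statement where a tainted value reaches a network sink. The statement list, the helper class names, and the sink set (HttpGet, HttpPost, openConnection) are constructed assumptions for the example.

```python
# Added example: a toy intra-procedural data flow query for phone identifiers (not Fortify's rule).
import re

# Source methods: phone identifiers read from TelephonyManager, as seen in the decompiled snippets.
PHONE_ID_SOURCES = {"getDeviceId", "getSubscriberId", "getLine1Number", "getSimSerialNumber"}
# Sink constructors/methods that hand a string to the network (assumed minimal set).
NETWORK_SINKS = {"HttpGet", "HttpPost", "openConnection"}

ASSIGN_RE = re.compile(r"^\s*(?:[\w$.<>\[\]]+\s+)?([\w$]+)\s*=(?!=)\s*(.+);\s*$")
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")
CALL_RE = re.compile(r"([A-Za-z_$][\w$]*)\s*\(")


def analyze(java_lines):
    """Forward taint propagation over straight-line statements.

    Returns one finding per statement in which data derived from a phone
    identifier reaches a network sink: the line, the sink, the source methods
    it depends on, and the tainted variables that carried it there."""
    tainted = {}       # variable name -> set of source method names it depends on
    findings = []
    for lineno, stmt in enumerate(java_lines, start=1):
        m = ASSIGN_RE.match(stmt)
        lhs, expr = (m.group(1), m.group(2)) if m else (None, stmt)
        calls = set(CALL_RE.findall(expr))
        sources = set(calls & PHONE_ID_SOURCES)              # direct reads of an identifier
        carried = sorted(v for v in set(IDENT_RE.findall(expr)) if v in tainted)
        for v in carried:                                    # taint flowing through variables
            sources |= tainted[v]
        if lhs is not None:
            if sources:
                tainted[lhs] = set(sources)
            else:
                tainted.pop(lhs, None)                       # overwritten with clean data: kill
        sinks = calls & NETWORK_SINKS
        if sinks and sources:
            findings.append({"line": lineno, "sink": sorted(sinks)[0],
                             "sources": sorted(sources), "via": carried})
    return findings


# Constructed statements modelled on the decompiled lookup code shown on the Tracking slide.
SAMPLE_METHOD = [
    'IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();',
    'String enc = EncodeURL.KREncodeURL(IMEI);',
    'String cmd = (new StringBuilder(String.valueOf(constants.server))).append("identifier=")'
    '.append(enc).append("&command=retailerlookup").toString();',
    'String version = this.getAppVersion();',
    'HttpGet req = new HttpGet(cmd);',
    'HttpGet ping = new HttpGet(pingUrl + version);',
    'IMEI = "";',
    'HttpGet later = new HttpGet(base + IMEI);',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_METHOD):
        print(f"line {f['line']}: {f['sources']} -> {f['sink']} via {f['via']}")
```

Only line 5 is reported: the identifier reaches the request through two intermediate variables (enc, cmd), the version ping on line 6 is clean, and line 8 is not flagged because IMEI was overwritten on line 7. Real analyses handle branches, fields, and calls across methods; the point of keeping this one straight-line is to show why the "followed by manual inspection" step on the previous slide is needed, since the query says what flows where, not why.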




Device Fingerprints (1)
com.eoeandroid.eWallpapers.cartoon - SyncDeviceInfosService.getDevice_info()

r1.append((new StringBuilder("device_id=")).append(tm.getDeviceId()).toString())
  .append((new StringBuilder("&device_software_version=")).append(tm.getDeviceSoftwareVersion()).toString());
r1.append((new StringBuilder("&build_board=")).append(Build.BOARD).toString())
  .append((new StringBuilder("&build_brand=")).append(Build.BRAND).toString())
  .append((new StringBuilder("&build_device=")).append(Build.DEVICE).toString())
  .append((new StringBuilder("&build_display=")).append(Build.DISPLAY).toString())
  .append((new StringBuilder("&build_fingerprint=")).append(Build.FINGERPRINT).toString())
  .append((new StringBuilder("&build_model=")).append(Build.MODEL).toString())
  .append((new StringBuilder("&build_product=")).append(Build.PRODUCT).toString())
  .append((new StringBuilder("&build_tags=")).append(Build.TAGS).toString())
  .append((new StringBuilder("&build_time=")).append(Build.TIME).toString())
  .append((new StringBuilder("&build_user=")).append(Build.USER).toString())
  .append((new StringBuilder("&build_type=")).append(Build.TYPE).toString())
  .append((new StringBuilder("&build_id=")).append(Build.ID).toString())
  .append((new StringBuilder("&build_host=")).append(Build.HOST).toString())
  .append((new StringBuilder("&build_version_release=")).append(Build$VERSION.RELEASE).toString())
  .append((new StringBuilder("&build_version_sdk_int=")).append(Build$VERSION.SDK).toString())
  .append((new StringBuilder("&build_version_incremental=")).append(Build$VERSION.INCREMENTAL).toString());
r5 = mContext.getApplicationContext().getResources().getDisplayMetrics();
r1.append((new StringBuilder("&density=")).append(r5.density).toString())
  .append((new StringBuilder("&height_pixels=")).append(r5.heightPixels).toString())
  .append((new StringBuilder("&scaled_density=")).append(r5.scaledDensity).toString())
  .append((new StringBuilder("&width_pixels=")).append(r5.widthPixels).toString())
  .append((new StringBuilder("&xdpi=")).append(r5.xdpi).toString())
  .append((new StringBuilder("&ydpi=")).append(r5.ydpi).toString());
r1.append((new StringBuilder("&line1_number=")).append(tm.getLine1Number()).toString())
  .append((new StringBuilder("&network_country_iso=")).append(tm.getNetworkCountryIso()).toString())
  .append((new StringBuilder("&network_operator=")).append(tm.getNetworkOperator()).toString())
  .append((new StringBuilder("&network_operator_name=")).append(tm.getNetworkOperatorName()).toString())
  .append((new StringBuilder("&network_type=")).append(tm.getNetworkType()).toString())
  .append((new StringBuilder("&phone_type=")).append(tm.getPhoneType()).toString())
  .append((new StringBuilder("&sim_country_iso=")).append(tm.getSimCountryIso()).toString())
  .append((new StringBuilder("&sim_operator=")).append(tm.getSimOperator()).toString())
  .append((new StringBuilder("&sim_operator_name=")).append(tm.getSimOperatorName()).toString())
  .append((new StringBuilder("&sim_serial_number=")).append(tm.getSimSerialNumber()).toString())
  .append((new StringBuilder("&sim_state=")).append(tm.getSimState()).toString())
  .append((new StringBuilder("&subscriber_id=")).append(tm.getSubscriberId()).toString())
  .append((new StringBuilder("&voice_mail_number=")).append(tm.getVoiceMailNumber()).toString());
i0 = mContext.getResources().getConfiguration().mcc;
i1 = mContext.getResources().getConfiguration().mnc;
r1.append((new StringBuilder("&imsi_mcc=")).append(i0).toString())
  .append((new StringBuilder("&imsi_mnc=")).append(i1).toString());
r254 = (ActivityManager) mContext.getSystemService("activity");
$r255 = new ActivityManager$MemoryInfo();
r254.getMemoryInfo($r255);
r1.append((new StringBuilder("&total_mem=")).append($r255.availMem).toString());




Device Fingerprints (2)
com.avantar.wny - com/avantar/wny/PhoneStats.java

public String toUrlFormatedString()
{
    StringBuilder $r4;
    if (mURLFormatedParameters == null)
    // slide callout: IMEI
    {
        $r4 = new StringBuilder();
        $r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString());
        $r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString());
        $r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString());
        $r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString());
        $r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString());
        $r4.append("&returnfmt=json");
        mURLFormatedParameters = $r4.toString();
    }

    return mURLFormatedParameters;
}




Tracking
com.froogloid.kring.google.zxing.client.android - Activity_Router.java (Main Activity)
// slide annotation: http://kror.keyringapp.com/service.php

public void onCreate(Bundle r1)
{
    ...
    IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();
    retailerLookupCmd = (new StringBuilder(String.valueOf(constants.server))).append("identifier=")
        .append(EncodeURL.KREncodeURL(IMEI)).append("&command=retailerlookup&retailername=").toString();
    ...
}

com.Qunar - net/NetworkTask.java
// slide annotation: http://client.qunar.com:80/QSearch

public void run()
{
    ...
    r24 = (TelephonyManager) r21.getSystemService("phone");
    url = (new StringBuilder(String.valueOf(url))).append("&vid=60001001&pid=10010&cid=C1000&uid=")
        .append(r24.getDeviceId()).append("&gid=").append(QConfiguration.mGid).append("&msg=")
        .append(QConfiguration.getInstance().mPCStat.toMsgString()).toString();
    ...
}

Registration and Login
com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback)
// slide callout: IMEI

public void onClick(View r1)
{
    ...
    r7 = Host.getDeviceId(this$0.getApplicationContext());
    LogInActivity.access$1(this$0).setUniqueDeviceID(r7);
    this$0.loginTask = new LogInActivity$LoginTask(this$0, null);
    this$0.showProgressDialog(r2, 2131361798, this$0.loginTask);
    r57 = this$0.loginTask;
    r58 = new LoginTO[1];
    r58[0] = LogInActivity.access$1(this$0);
    r57.execute(r58);
    ...
}

Is this necessarily bad?
Location
    • Found 13 apps with geographic location data flows to the network
          ‣ Many were legitimate: weather, classifieds, points of interest, and social networking services
    • Several instances sent to advertisers (same as TaintDroid). More on this shortly.
    • Code recovery error in AdMob library.


Phone Misuse
         • No evidence of abuse in our sample set
               ‣ Hard-coded numbers for SMS/voice (premium-rate)
               ‣ Background audio/video recording
               ‣ Socket API use (not HTTP wrappers)
               ‣ Harvesting list of installed applications




Ad/Analytics Libraries
    • 51% of the apps included an ad or analytics library (many also included custom functionality)
    • A few libraries were used most frequently
    • Use of phone identifiers and location sometimes configurable by developer

    [Chart: number of apps (log scale) by number of ad/analytics libraries included:
     1 library: 367 apps; 2: 91; 3: 32; 4: 37; 5: 15; 6: 8; 7: 10; 8: 1 ("1 app has 8 libraries!")]

    Library Path                          # Apps   Obtains
    com/admob/android/ads                    320   L
    com/google/ads                           206   -
    com/flurry/android                        98   -
    com/qwapi/adclient/android                74   L, P, E
    com/google/android/apps/analytics         67   -
    com/adwhirl                               60   L
    com/mobclix/android/sdk                   58   L, E
    com/mellennialmedia/android               52   -
    com/zestadz/android                       10   -
    com/admarvel/android/ads                   8   -
    com/estsoft/adlocal                        8   L
    com/adfonic/android                        5   -
    com/vdroid/ads                             5   L, E
    com/greystripe/android/sdk                 4   E
    com/medialets                              4   L
    com/wooboo/adlib_android                   4   L, P, I
    com/adserver/adview                        3   L
    com/tapjoy                                 3   -
    com/inmobi/androidsdk                      2   E
    com/apegroup/ad                            1   -
    com/casee/adsdk                            1   S
    com/webtrends/mobile                       1   L, E, S, I
    Total Unique Apps                        561
    L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-ID

Probing for Permissions (1)
  com/webtrends/mobile/analytics/android/WebtrendsAndroidValueFetcher.java
  public static String getDeviceId(Object r0)
  {
      Context r4;
      String r7;
      r4 = (Context) r0;

      try
      {
          r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId();

          if (r7 == null)
          {
              r7 = "";
          }
      }
      catch (Exception $r8)   // slide annotation: Catches SecurityException
      {
          WebtrendsDataCollector.getInstance().getLog().d("Exception fetching TelephonyManager.getDeviceId value. ", $r8);
          r7 = null;
      }

      return r7;
  }

Probing for Permissions (2)
  com/casee/adsdk/AdFetcher.java
  public static String getDeviceId(Context r0)
  {
      String r1;
      r1 = "";

      label_19:
      {
          if (deviceId != null)
          {
              if (r1.equals(deviceId) == false)
              {
                  break label_19;
              }
          }

          // slide annotation: Checks before accessing
          if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0)
          {
              deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
          }
      } //end label_19:

      ...
  }

Developer Toolkits
    • We found identically implemented dangerous functionality in the form of developer toolkits.
          ‣ Probing for permissions (e.g., Android API, catch SecurityException)
          ‣ Well-known brands sometimes commission developers that include dangerous functionality.
                • “USA Today” and “FOX News” were both developed by Mercury Intermedia (com/mercuryintermedia), which grabs the IMEI on startup

Custom Exceptions

  v00032.com.wordplayer - CustomExceptionHandler.java
  void init()
  {
      URLConnection r3;
      ...
      r3 = (new URL("http://www.word-player.com/HttpHandler/init.sample")).openConnection();
      ...
      try
      {
          // slide annotation: Phone Number!?
          $r27 = this.mkStr(((TelephonyManager) _context.getSystemService("phone")).getLine1Number());
      }
      catch (Exception $r81)
      {
          break label_5;
      }
      ...
  }

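As an added example (not the study's Fortify SCA rules and not any app's code), a small Python scanner over decompiled Java text that flags the three idioms shown on the Activity_Router/Qunar, Webtrends, casee and word-player slides: a phone identifier flowing into a URL string, an identifier call wrapped in a catch-all try, and an explicit permission check before the call. The sample sources are constructed, modelled on the snippets above; the regexes and the statement-level taint are heuristics that assume decompiler-style Java.

```python
"""Toy scanner for the identifier-handling idioms on these slides (added example,
not the study's Fortify SCA rules). Input is decompiled Java source text."""
import re

# TelephonyManager getters treated as phone identifiers, and what each exposes.
ID_APIS = {
    "getDeviceId": "IMEI",
    "getSubscriberId": "IMSI",
    "getLine1Number": "phone number",
    "getSimSerialNumber": "ICC-ID",
}
# No-argument calls only: app wrappers such as Host.getDeviceId(ctx) on the
# State Farm slide would need inter-procedural analysis this toy does not do.
ID_CALL = re.compile(r"\b(" + "|".join(ID_APIS) + r")\s*\(\s*\)")
PERM_CHECK = re.compile(r'\bcheck(?:CallingOrSelf|Self|Calling)?Permission\s*\(\s*"([\w.]+)"')
SINK_HINT = re.compile(r"\bappend\s*\(|new\s+URL\s*\(|\bopenConnection\s*\(")
ASSIGN = re.compile(r"([\w$]+)\s*=(?!=)")  # first plain assignment in a statement
SWALLOWS_SECURITY = {"Exception", "SecurityException", "RuntimeException", "Throwable"}


def _block_end(src, open_idx):
    """Index of the '}' matching the '{' at open_idx (braces in strings not handled)."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")


def find_exception_probes(src):
    """Webtrends / word-player idiom: identifier call inside a try whose catch
    swallows SecurityException (or a supertype), so a missing READ_PHONE_STATE
    grant fails silently. Returns [(identifier, caught_type), ...]."""
    hits = []
    for m in re.finditer(r"\btry\s*\{", src):
        open_idx = m.end() - 1
        end = _block_end(src, open_idx)
        catch = re.match(r"\s*catch\s*\(\s*(?:final\s+)?([\w.]+)", src[end + 1:])
        caught = catch.group(1).split(".")[-1] if catch else None
        if caught not in SWALLOWS_SECURITY:
            continue
        for call in ID_CALL.finditer(src[open_idx:end]):
            hits.append((ID_APIS[call.group(1)], caught))
    return hits


def find_permission_checks(src):
    """casee idiom: explicit runtime check before the call. Returns permissions checked."""
    return [m.group(1) for m in PERM_CHECK.finditer(src)]


def find_identifier_to_url(src):
    """Activity_Router / Qunar idiom as a toy intra-procedural taint: remember
    variables assigned from an identifier call, then flag statements that pass the
    call itself or such a variable into a URL/StringBuilder sink.
    Returns [(identifier, via), ...] where via is the call or the variable name."""
    tainted, flows = {}, []
    for stmt in src.split(";"):
        calls = ID_CALL.findall(stmt)
        if SINK_HINT.search(stmt):
            names = set(re.findall(r"[\w$]+", stmt))
            flows += [(ID_APIS[c], c + "()") for c in calls]
            flows += [(tainted[v], v) for v in sorted(tainted.keys() & names)]
        assign = ASSIGN.search(stmt)
        if calls and assign:
            tainted[assign.group(1)] = ID_APIS[calls[0]]
    return flows


# Constructed samples modelled on the decompiled snippets shown on the slides.
SAMPLES = {
    "router": '''
    IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();
    cmd = (new StringBuilder(String.valueOf(server))).append("identifier=")
        .append(EncodeURL.KREncodeURL(IMEI)).append("&command=retailerlookup").toString();
    ''',
    "webtrends": '''
    try {
        r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId();
        if (r7 == null) { r7 = ""; }
    } catch (Exception $r8) {
        r7 = null;
    }
    ''',
    "casee": '''
    if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0) {
        deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
    }
    ''',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, find_identifier_to_url(src), find_exception_probes(src),
              find_permission_checks(src))
```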
Intent Vulnerabilities
    • Similar analysis rules as independently identified by Chin et al. [MobiSys 2011]
    • Leaking information to IPC: unprotected intent broadcasts are common, occasionally contain info
    • Unprotected broadcast receivers: a few apps receive custom action strings without protection (lots of “protected broadcasts”)
    • Intent injection attacks: 16 apps had potential vulnerabilities
    • Delegating control: pending intents are tricky to analyze (notification, alarm, and widget APIs); no vulns found
    • Null checks on IPC input: 3925 potential null dereferences in 591 apps (53%); most were in activity components
Study Limitations
         • The sample set
         • Code recovery failures
         • Android IPC data flows
         • Fortify SCA language
         • Obfuscation




Summary
    • What permissions do applications ask for?
          ‣ Kirin demonstrated how permission combinations can be effectively used to certify applications at install-time.
    • What do applications do with the permissions?
          ‣ TaintDroid “looks inside” of applications to understand how privacy sensitive information is being used.
    • What can applications do with the permissions?
          ‣ We used program analysis and manual inspection to characterize implemented application behavior.

Thank you!


                                      William Enck
                                      Assistant Professor
                                Department of Computer Science
                                      NC State University
                                       enck@cs.ncsu.edu
                                      http://www.enck.org





 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Último (20)

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

2012 04 Analysis Techniques for Mobile OS Security

  • 6. Example: Android Security
    • Permissions granted to applications and never changed
      ‣ Permissions are enforced when an application accesses a component, API, etc.
      ‣ Runtime decisions look for assigned permissions (access is granted IFF app A was assigned perm X at install)
    [Figure: Application 1 with components A, B (label l1), C (label l2); Application 2 with permission labels X; labels l1, ... inherited as permissions at install]
    • Example permissions: location, phone IDs, microphone, camera, address book, SMS, application “interfaces”
  • 7. Q1: what do applications ask for?
    • Kirin certifies applications by vetting policies at install-time (relies on runtime enforcement)
    • Insight: app config and security policy is an upper bound on runtime behavior.
    • Kirin is a modified application installer
      ‣ Apps with unsafe policies are rejected
    [Figure: (1) an attempted installation is handed to the new Kirin Security Service, which evaluates it against the Kirin Security Rules; (2) pass/fail; (3) optional extension: display risk ratings to the user and prompt for override; (4) Android Application Installer]
  • 8. Kirin Security Policy
    • Kirin enforces security invariants at install-time
    • Local evaluation of two manifest artifacts
      ‣ The collection of requested permissions (uses-permission)
      ‣ The types of registered Intent message listeners
    • Example:
      ‣ Do not allow an application that has the Location and Internet permissions and receives the “booted” event
          restrict permission [ACCESS_FINE_LOCATION, INTERNET]
              and receive [BOOT_COMPLETE]
  • 9. Policy Evaluation
          restrict permission [ACCESS_FINE_LOCATION, INTERNET]
              and receive [BOOT_COMPLETE]
    • Policy evaluation is set satisfiability
      ‣ Invariant violations are found in time $O(n)$ w.r.t. policy size; a hash table gives constant-time set membership checks
    • Model (KSL semantics):
      ‣ Rules are tuples of permission labels and action strings: $r_i = (P_i, A_i)$ with $P_i \in 2^P$ and $A_i \in 2^A$; $R$ is the set of all KSL rules. (Standard notation: $2^X$ is the set of all subsets of $X$, including $\emptyset$.)
      ‣ An application's configuration has the same shape, read from its package manifest: $c_t = (P_t, A_t)$, where $P_t$ is the set of requested permission labels and $A_t$ the set of action strings used by its Activities, Services, and Broadcast Receivers; $C$ is the set of all possible configurations
      ‣ A configuration fails a rule, $\mathit{fail}: C \times R \to \{\mathrm{true}, \mathrm{false}\}$, when both halves of the rule are present:
          $\mathit{fail}(c_t, r_i) = P_i \subseteq P_t \land A_i \subseteq A_t$
      ‣ The rules a configuration fails, $F_R: C \to 2^R$:
          $F_R(c_t) = \{\, r_i \mid r_i \in R,\ \mathit{fail}(c_t, r_i) \,\}$
      ‣ Certified iff $F_R(c_t) = \emptyset$
  • 10. Studying the (early) Market
    • Evaluate 300+ popular Market apps (Jan 2009)
      ‣ 5 had both dangerous configuration and functionality (1.6%)
      ‣ 5 had dangerous configuration but not functionality (1.6%)
    (1) An application must not have the SET_DEBUG_APP permission
    (2) An application must not have the READ_PHONE_STATE, RECORD_AUDIO, and INTERNET permissions
    (3) An application must not have the PROCESS_OUTGOING_CALL, RECORD_AUDIO, and INTERNET permissions
    (4) An application must not have the ACCESS_FINE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
    (5) An application must not have the ACCESS_COARSE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
    (6) An application must not have the RECEIVE_SMS and WRITE_SMS permissions
    (7) An application must not have the SEND_SMS and WRITE_SMS permissions
    (8) An application must not have the INSTALL_SHORTCUT and UNINSTALL_SHORTCUT permissions
    (9) An application must not have the SET_PREFERRED_APPLICATION permission and receive Intents for the CALL action string
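Worked example, added here and not code from the Kirin project: the rule semantics of slides 8 to 10 implemented as an install-time check over an AndroidManifest.xml. Each rule is a pair (permission labels, action strings); the manifest yields the configuration (requested permissions, intent-filter action strings of the app's components); a rule fails only when both of its sets are contained in the configuration, and the app is certified when no rule fails. The nine rules are the ones on this slide in the slide's own spelling (RECEIVE_BOOT_COMPLETE; the platform permission is actually RECEIVE_BOOT_COMPLETED), and the two manifests are constructed samples.

```python
"""Install-time policy check in the style of Kirin's KSL semantics.

Added example, not code from the Kirin project. A rule r_i = (P_i, A_i) and a
configuration c_t = (P_t, A_t) are each a set of permission labels and a set
of action strings. The app fails a rule when
    fail(c_t, r_i) = P_i is a subset of P_t  and  A_i is a subset of A_t
and is certified when no rule fails (F_R(c_t) is empty). Names are compared
in the short form the slide uses (android.permission. and
android.intent.action. prefixes dropped).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Set

ANDROID = "{http://schemas.android.com/apk/res/android}"


@dataclass(frozen=True)
class Rule:
    name: str
    permissions: FrozenSet[str]
    actions: FrozenSet[str] = frozenset()


@dataclass
class Config:
    permissions: Set[str]
    actions: Set[str]


def short(name: str) -> str:
    """android.permission.INTERNET -> INTERNET (slide spelling kept as-is)."""
    return name.rsplit(".", 1)[-1]


# The nine rules from the slide, as (P_i, A_i) tuples.
RULES: List[Rule] = [
    Rule("1", frozenset({"SET_DEBUG_APP"})),
    Rule("2", frozenset({"READ_PHONE_STATE", "RECORD_AUDIO", "INTERNET"})),
    Rule("3", frozenset({"PROCESS_OUTGOING_CALL", "RECORD_AUDIO", "INTERNET"})),
    Rule("4", frozenset({"ACCESS_FINE_LOCATION", "INTERNET", "RECEIVE_BOOT_COMPLETE"})),
    Rule("5", frozenset({"ACCESS_COARSE_LOCATION", "INTERNET", "RECEIVE_BOOT_COMPLETE"})),
    Rule("6", frozenset({"RECEIVE_SMS", "WRITE_SMS"})),
    Rule("7", frozenset({"SEND_SMS", "WRITE_SMS"})),
    Rule("8", frozenset({"INSTALL_SHORTCUT", "UNINSTALL_SHORTCUT"})),
    Rule("9", frozenset({"SET_PREFERRED_APPLICATION"}), frozenset({"CALL"})),
]


def config_from_manifest(manifest_xml: str) -> Config:
    """Build c_t = (P_t, A_t): requested permissions plus the action strings
    of every intent-filter on Activities, Services and Broadcast Receivers."""
    root = ET.fromstring(manifest_xml)
    perms = {short(p.get(ANDROID + "name", "")) for p in root.iter("uses-permission")}
    actions = set()
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            for action in comp.iter("action"):
                actions.add(short(action.get(ANDROID + "name", "")))
    return Config(perms, actions)


def fails(config: Config, rule: Rule) -> bool:
    """fail(c_t, r_i): conjunction, so a rule with an action part does not
    fire on the permissions alone."""
    return rule.permissions <= config.permissions and rule.actions <= config.actions


def failed_rules(config: Config, rules: List[Rule] = RULES) -> List[str]:
    """F_R(c_t): names of every rule the configuration fails."""
    return [r.name for r in rules if fails(config, r)]


def certify(config: Config, rules: List[Rule] = RULES) -> bool:
    return not failed_rules(config, rules)


# Constructed manifest: location + Internet + boot receiver (the slide's example).
# Spelling follows the slide; the real names end in BOOT_COMPLETED.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest: Internet only, launcher activity.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        cfg = config_from_manifest(xml)
        print(label, "certified" if certify(cfg) else "rejected", failed_rules(cfg))
```

Rule 9 is the one that needs the conjunction: SET_PREFERRED_APPLICATION on its own passes, SET_PREFERRED_APPLICATION together with a component that receives CALL fails. Because a rule can only ever fire when the manifest already declares the combination, this is exactly the "upper bound on runtime behavior" point from slide 7: nothing the app does at runtime can exceed what the installer saw.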
  • 11. Q2: What do the applications do?
    • TaintDroid is a system-wide integration of taint tracking into the Android platform
      ‣ VM Layer: variable tracking throughout Dalvik VM
      ‣ Native Layer: patches state after native method invocation
      ‣ Binder IPC Layer: extends tracking between applications
      ‣ Storage Layer: persistent tracking on files
    [Figure: tracking across layers: message-level tracking of Binder IPC messages between application code; variable-level tracking inside each virtual machine; method-level tracking through native system libraries; file-level tracking in secondary storage; network interface]
    • TaintDroid is a firmware modification, not an app
  • 12. Dynamic Taint Analysis
    • Dynamic taint analysis is a technique that tracks information dependencies from an origin
    • Conceptual idea:
      ‣ Taint source          c = taint_source()
                              ...
      ‣ Taint propagation     a = b + c
                              ...
      ‣ Taint sink            network_send(a)
    • Limitations: performance and granularity are a trade-off
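Worked example of the source / propagation / sink sketch above, added here and not TaintDroid code: TaintDroid keeps the tag next to each variable inside the Dalvik VM, whereas this stand-alone Python version makes a wrapper type carry the tag so the propagation rule (tag of a result = OR of the operand tags) and the sink check can be run on realistic input. The identifiers, coordinates and hostnames are constructed samples, and the last function shows the granularity caveat: a copy made outside the tracked runtime arrives at the sink untagged.

```python
"""Variable-level taint tracking in the style of the slide's sketch.

Added example, not TaintDroid code. Each value carries a tag with one bit per
source (TaintDroid uses a 32-bit tag the same way); operations OR the tags of
their operands; the network sink reports whatever tag reaches it.
"""
from typing import List, Tuple

LOCATION, IMEI, PHONE_NUMBER, MICROPHONE = 1 << 0, 1 << 1, 1 << 2, 1 << 3
TAG_NAMES = [(LOCATION, "LOCATION"), (IMEI, "IMEI"),
             (PHONE_NUMBER, "PHONE_NUMBER"), (MICROPHONE, "MICROPHONE")]


class Tainted:
    """A value plus its taint tag: tag(a op b) = tag(a) | tag(b)."""
    __slots__ = ("value", "tag")

    def __init__(self, value, tag: int = 0):
        self.value, self.tag = value, tag

    @staticmethod
    def tag_of(x) -> int:
        return x.tag if isinstance(x, Tainted) else 0

    @staticmethod
    def raw(x):
        return x.value if isinstance(x, Tainted) else x

    def __add__(self, other):
        return Tainted(self.value + Tainted.raw(other), self.tag | Tainted.tag_of(other))

    def __radd__(self, other):   # plain_str + tainted
        return Tainted(Tainted.raw(other) + self.value, self.tag | Tainted.tag_of(other))

    def __mul__(self, other):
        return Tainted(self.value * Tainted.raw(other), self.tag | Tainted.tag_of(other))


def taint_str(x) -> Tainted:
    """Conversion keeps the tag, as the VM's conversion instructions do."""
    return Tainted(str(Tainted.raw(x)), Tainted.tag_of(x))


def names(tag: int) -> List[str]:
    return [name for bit, name in TAG_NAMES if tag & bit]


# Taint sources: constructed values standing in for the platform APIs.
def get_location() -> Tuple[Tainted, Tainted]:
    return Tainted(47.66122789, LOCATION), Tainted(-122.31589477, LOCATION)

def get_device_id() -> Tainted:
    return Tainted("356938035643809", IMEI)      # constructed IMEI-shaped string

def get_line1_number() -> Tainted:
    return Tainted("+19195550123", PHONE_NUMBER)  # constructed number


# Taint sink: log (host, sources) whenever tainted data leaves the device and
# return the tag seen, 0 meaning clean.
def network_send(host: str, data, log: list) -> int:
    tag = Tainted.tag_of(data)
    if tag:
        log.append((host, names(tag)))
    return tag


def ad_request(log: list) -> Tainted:
    """An ad-library request shaped like the AdMob GET on slide 15: device id
    plus coordinates concatenated into one query string. Only the tainted
    pieces contribute bits; the literal separators contribute none."""
    lat, lon = get_location()
    query = "&s=" + get_device_id() + "&d[coord]=" + taint_str(lat) + "," + taint_str(lon)
    network_send("ads.example.com", query, log)
    return query


def native_copy_escape(log: list) -> int:
    """Granularity caveat: a copy taken outside the tracked runtime (native
    code, in TaintDroid's case) has no tag unless that layer is patched too."""
    return network_send("ads.example.com", Tainted.raw(get_device_id()), log)


if __name__ == "__main__":
    log = []
    ad_request(log)
    print(log)                         # [('ads.example.com', ['LOCATION', 'IMEI'])]
    print(native_copy_escape(log))     # 0: the leak is invisible to the sink
```

The last function is why the slide lists TaintDroid's native layer separately: without patching taint state after native calls, the example's "escape" path is exactly what an ad library's JNI helper would look like.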
  • 13. Performance
    • Memory overhead: 4.4%
    • IPC overhead: 27%
    • Macro-benchmark: 14% overhead
      ‣ App load: 3% (2 ms)
      ‣ Address book: 5.5% create, 18% read (< 20 ms)
      ‣ Phone call: 10% (10 ms)
      ‣ Take picture: 29% (0.5 s)
    [Figure: CaffeineMark 3.0 benchmark, Android vs. TaintDroid score per test (sieve, loop, logic, string, float, method, total); higher is better. CaffeineMark score roughly corresponds to the number of Java instructions per second.]
  • 14. Application Study
    • Selected 30 applications with bias on popularity and access to Internet, location, microphone, and camera

      applications                                                                  #    permissions
      The Weather Channel, Cetos, Solitaire, Movies, Babble, Manga Browser          6
      Bump, Wertago, Antivirus, ABC --- Animals, Traffic Jam, Hearts, Blackjack,
        Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Datelefonbuch, Astrid,
        BBC News Live Stream, Ringtones                                             14
      Layer, Knocking, Coupons, Trapster, Spongebot Slide, ProBasketBall            6
      MySpace, Barcode Scanner, ixMAT                                               3
      Evernote                                                                      1
      (the per-group permission icons are not in the transcript)

    • Of 105 flagged connections, only 37 clearly legitimate
  • 15. Findings
    • 15 of the 30 applications shared physical location with an ad server (admob.com, ad.qwapi.com, ads.mobclix.com, data.flurry.com)
      ‣ Most traffic was plaintext (e.g., AdMob HTTP GET):
          ...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85B717D9195A6722A9&d%5Bcoord%5D=47.661227890000006%2C-122.31589477&...
    • 7 applications sent the device ID (IMEI) and 2 apps sent phone info (Ph. #, IMSI *, ICC-ID) to a remote server without informing the user.
  • 16. Q3: What can the applications do?
    • Static analysis: look at the possible paths and interaction of data
      ‣ Very, very hard (often undecidable), but the community has learned that we can do a lot with small analyses.
    • Step 1: ded decompiler for Android applications
    • Step 2: static source code analysis for both dangerous functionality and vulnerabilities
      ‣ What data could be exfiltrated from the application?
      ‣ Are developers safely using interfaces?
  • 17. ded Decompiler
    • Android applications are written in Java, but compiled for the optimized Dalvik VM language
      ‣ Non-trivial to retarget back to Java: register vs. stack architecture, constant pools, ambiguous scalar types, null references, etc.
    [Figure: retargeting process: (1) DEX parsing: CFG construction, type inference processing, missing type inference, constant identification; (2) Java .class conversion: constant pool conversion, constant pool translation, method code retargeting, bytecode reorganization, instruction set translation; (3) Java .class optimization]
    • ded recovers source code from the application package
      ‣ Retargeting: type inference, instruction translation, etc.
      ‣ Optimization: use Soot to re-optimize for Java bytecode
      ‣ Decompilation: standard Java decompilation (Soot)
    • Decompiled top 1,100 free apps from the Android market: over 21 million lines of source code
  • 18. Studying Application Security
    • Queried for security properties using program analysis, followed by manual inspection to understand purpose
    • Used several types of analysis to design security properties specific to Android using the Fortify SCA framework

      Analysis for Dangerous Behavior
        Misuse of Phone Identifiers          Data flow analysis
        Exposure of Physical Location        Data flow analysis
        Abuse of Telephony Services          Semantic analysis
        Eavesdropping on Video               Control flow analysis
        Eavesdropping on Audio               Structural analysis (+CG)
        Botnet Characteristics (Sockets)     Structural analysis
        Harvesting Installed Applications    Structural analysis

      Analysis for Vulnerabilities
        Leaking Information to Logs          Data flow analysis
        Leaking Information to IPC           Control flow analysis
        Unprotected Broadcast Receivers      Control flow analysis
        Intent Injection Vulnerabilities     Control flow analysis
        Delegation Vulnerabilities           Control flow analysis
        Null Checks on IPC Input             Control flow analysis
        Password Management*                 Data flow analysis
        Cryptography Misuse*                 Structural analysis
        Injection Vulnerabilities*           Data flow analysis
      * included with analysis framework

    • Also studied inclusion of advertisement and analytics libraries and associated properties
  • 19. Phone Identifiers
    • We’ve seen phone identifiers (Ph.#, IMEI, IMSI, etc.) sent to network servers, but how are they used?
      ‣ Program analysis pin-pointed 33 apps leaking Phone IDs
    • Finding 2 - device fingerprints
    • Finding 3 - tracking actions
    • Finding 4 - along with registration and login
  • 20. Device Fingerprints (1)
    com.eoeandroid.eWallpapers.cartoon - SyncDeviceInfosService.getDevice_info()

    r1.append((new StringBuilder("device_id=")).append(tm.getDeviceId()).toString())
      .append((new StringBuilder("&device_software_version=")).append(tm.getDeviceSoftwareVersion()).toString());
    r1.append((new StringBuilder("&build_board=")).append(Build.BOARD).toString())
      .append((new StringBuilder("&build_brand=")).append(Build.BRAND).toString())
      .append((new StringBuilder("&build_device=")).append(Build.DEVICE).toString())
      .append((new StringBuilder("&build_display=")).append(Build.DISPLAY).toString())
      .append((new StringBuilder("&build_fingerprint=")).append(Build.FINGERPRINT).toString())
      .append((new StringBuilder("&build_model=")).append(Build.MODEL).toString())
      .append((new StringBuilder("&build_product=")).append(Build.PRODUCT).toString())
      .append((new StringBuilder("&build_tags=")).append(Build.TAGS).toString())
      .append((new StringBuilder("&build_time=")).append(Build.TIME).toString())
      .append((new StringBuilder("&build_user=")).append(Build.USER).toString())
      .append((new StringBuilder("&build_type=")).append(Build.TYPE).toString())
      .append((new StringBuilder("&build_id=")).append(Build.ID).toString())
      .append((new StringBuilder("&build_host=")).append(Build.HOST).toString())
      .append((new StringBuilder("&build_version_release=")).append(Build$VERSION.RELEASE).toString())
      .append((new StringBuilder("&build_version_sdk_int=")).append(Build$VERSION.SDK).toString())
      .append((new StringBuilder("&build_version_incremental=")).append(Build$VERSION.INCREMENTAL).toString());
    r5 = mContext.getApplicationContext().getResources().getDisplayMetrics();
    r1.append((new StringBuilder("&density=")).append(r5.density).toString())
      .append((new StringBuilder("&height_pixels=")).append(r5.heightPixels).toString())
      .append((new StringBuilder("&scaled_density=")).append(r5.scaledDensity).toString())
      .append((new StringBuilder("&width_pixels=")).append(r5.widthPixels).toString())
      .append((new StringBuilder("&xdpi=")).append(r5.xdpi).toString())
      .append((new StringBuilder("&ydpi=")).append(r5.ydpi).toString());
    r1.append((new StringBuilder("&line1_number=")).append(tm.getLine1Number()).toString())
      .append((new StringBuilder("&network_country_iso=")).append(tm.getNetworkCountryIso()).toString())
      .append((new StringBuilder("&network_operator=")).append(tm.getNetworkOperator()).toString())
      .append((new StringBuilder("&network_operator_name=")).append(tm.getNetworkOperatorName()).toString())
      .append((new StringBuilder("&network_type=")).append(tm.getNetworkType()).toString())
      .append((new StringBuilder("&phone_type=")).append(tm.getPhoneType()).toString())
      .append((new StringBuilder("&sim_country_iso=")).append(tm.getSimCountryIso()).toString())
      .append((new StringBuilder("&sim_operator=")).append(tm.getSimOperator()).toString())
      .append((new StringBuilder("&sim_operator_name=")).append(tm.getSimOperatorName()).toString())
      .append((new StringBuilder("&sim_serial_number=")).append(tm.getSimSerialNumber()).toString())
      .append((new StringBuilder("&sim_state=")).append(tm.getSimState()).toString())
      .append((new StringBuilder("&subscriber_id=")).append(tm.getSubscriberId()).toString())
      .append((new StringBuilder("&voice_mail_number=")).append(tm.getVoiceMailNumber()).toString());
    i0 = mContext.getResources().getConfiguration().mcc;
    i1 = mContext.getResources().getConfiguration().mnc;
    r1.append((new StringBuilder("&imsi_mcc=")).append(i0).toString())
      .append((new StringBuilder("&imsi_mnc=")).append(i1).toString());
    r254 = (ActivityManager) mContext.getSystemService("activity");
    $r255 = new ActivityManager$MemoryInfo();
    r254.getMemoryInfo($r255);
    r1.append((new StringBuilder("&total_mem=")).append($r255.availMem).toString());
  • 21. Device Fingerprints (2)
    com.avantar.wny - com/avantar/wny/PhoneStats.java

    public String toUrlFormatedString() {
        StringBuilder $r4;
        if (mURLFormatedParameters == null) {
            $r4 = new StringBuilder();
            $r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString());   // slide annotation: IMEI
            $r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString());
            $r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString());
            $r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString());
            $r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString());
            $r4.append("&returnfmt=json");
            mURLFormatedParameters = $r4.toString();
        }
        return mURLFormatedParameters;
    }
  • 22. Tracking
    com.froogloid.kring.google.zxing.client.android - Activity_Router.java (Main Activity)

    public void onCreate(Bundle r1) {
        ...
        IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();
        // slide annotation: http://kror.keyringapp.com/service.php
        retailerLookupCmd = (new StringBuilder(String.valueOf(constants.server)))
            .append("identifier=").append(EncodeURL.KREncodeURL(IMEI))
            .append("&command=retailerlookup&retailername=").toString();
        ...
    }

    com.Qunar - net/NetworkTask.java

    public void run() {
        ...
        // slide annotation: http://client.qunar.com:80/QSearch
        r24 = (TelephonyManager) r21.getSystemService("phone");
        url = (new StringBuilder(String.valueOf(url)))
            .append("&vid=60001001&pid=10010&cid=C1000&uid=").append(r24.getDeviceId())
            .append("&gid=").append(QConfiguration.mGid)
            .append("&msg=").append(QConfiguration.getInstance().mPCStat.toMsgString()).toString();
        ...
    }
  • 23. Registration and Login
    com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback)

    public void onClick(View r1) {
        ...
        r7 = Host.getDeviceId(this$0.getApplicationContext());   // slide annotation: IMEI
        LogInActivity.access$1(this$0).setUniqueDeviceID(r7);
        this$0.loginTask = new LogInActivity$LoginTask(this$0, null);
        this$0.showProgressDialog(r2, 2131361798, this$0.loginTask);
        r57 = this$0.loginTask;
        r58 = new LoginTO[1];
        r58[0] = LogInActivity.access$1(this$0);
        r57.execute(r58);
        ...
    }

    Is this necessarily bad?
  • 24. Location
    • Found 13 apps with geographic location data flows to the network
      ‣ Many were legitimate: weather, classifieds, points of interest, and social networking services
    • Several instances sent to advertisers (same as TaintDroid). More on this shortly.
    • Code recovery error in AdMob library.
  • 25. Phone Misuse
    • No evidence of abuse in our sample set
      ‣ Hard-coded numbers for SMS/voice (premium-rate)
      ‣ Background audio/video recording
      ‣ Socket API use (not HTTP wrappers)
      ‣ Harvesting list of installed applications
  • 26. Ad/Analytics Libraries
    • 51% of the apps included an ad or analytics library (many also included custom functionality)
    • A few libraries were used most frequently
    • Use of phone identifiers and location sometimes configurable by developer

      Library Path                        # Apps   Obtains
      com/admob/android/ads                  320   L
      com/google/ads                         206   -
      com/flurry/android                      98   -
      com/qwapi/adclient/android              74   L, P, E
      com/google/android/apps/analytics       67   -
      com/adwhirl                             60   L
      com/mobclix/android/sdk                 58   L, E
      com/mellennialmedia/android             52   -
      com/zestadz/android                     10   -
      com/admarvel/android/ads                 8   -
      com/estsoft/adlocal                      8   L
      com/adfonic/android                      5   -
      com/vdroid/ads                           5   L, E
      com/greystripe/android/sdk               4   E
      com/medialets                            4   L
      com/wooboo/adlib_android                 4   L, P, I
      com/adserver/adview                      3   L
      com/tapjoy                               3   -
      com/inmobi/androidsdk                    2   E
      com/apegroup/ad                          1   -
      com/casee/adsdk                          1   S
      com/webtrends/mobile                     1   L, E, S, I
      Total Unique Apps                      561
      L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-ID

    [Figure: number of apps by number of included libraries (log scale): 1 library: 367 apps; 2: 91; 3: 32; 4: 37; 5: 15; 6: 8; 7: 10; 8: 1 (“1 app has 8 libraries!”)]
  • 27. Probing for Permissions (1)
    com/webtrends/mobile/analytics/android/WebtrendsAndroidValueFetcher.java

    public static String getDeviceId(Object r0) {
        Context r4;
        String r7;
        r4 = (Context) r0;
        try {
            r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId();
            if (r7 == null) {
                r7 = "";
            }
        } catch (Exception $r8) {   // slide annotation: catches SecurityException
            WebtrendsDataCollector.getInstance().getLog().d("Exception fetching TelephonyManager.getDeviceId value. ", $r8);
            r7 = null;
        }
        return r7;
    }
  • 28. Probing for Permissions (2)
    com/casee/adsdk/AdFetcher.java

    public static String getDeviceId(Context r0) {
        String r1;
        r1 = "";
        label_19: {
            if (deviceId != null) {
                if (r1.equals(deviceId) == false) {
                    break label_19;
                }
            }
            // slide annotation: checks before accessing
            if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0) {
                deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
            }
        } //end label_19:
        ...
    }
  • 29. Developer Toolkits
    • We found identically implemented dangerous functionality in the form of developer toolkits.
      ‣ Probing for permissions (e.g., Android API, catch SecurityException)
      ‣ Well-known brands sometimes commission developers that include dangerous functionality.
    • “USA Today” and “FOX News” both developed by Mercury Intermedia (com/mercuryintermedia), which grabs IMEI on startup
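Worked example for the two probing idioms of slides 27 to 29, added here; it is not ded output, not a Fortify SCA rule and not the study's own query. The structural scan below runs over decompiled Java text and flags (a) a phone-identifier call inside a try block whose catch clause swallows SecurityException or one of its supertypes, and (b) a checkCallingOrSelfPermission(READ_PHONE_STATE) test within a few lines of such a call. The sample source is a constructed, shortened rewrite of the two slide snippets plus one unguarded call that a data-flow rule, not this one, would cover. Nested try blocks and multi-catch are deliberately not modelled.

```python
"""Structural scan for permission-probing idioms in decompiled Android source.

Added example; not from ded, Fortify SCA or the study's rule set. Finds:
  (1) a phone-identifier call inside a try block whose catch clause names
      SecurityException or a supertype (the slide-27 idiom), and
  (2) a READ_PHONE_STATE permission check immediately guarding such a call
      (the slide-28 idiom).
Single try / single catch only; nested tries and multi-catch are not handled.
"""
import re
from typing import Dict, List

# Identifier getters the slides show being probed. The leading "." keeps the
# method's own declaration (e.g. "String getDeviceId(Object r0)") from matching.
ID_API = re.compile(r"\.\s*(getDeviceId|getSubscriberId|getLine1Number|getSimSerialNumber)\s*\(")
TRY = re.compile(r"\btry\b")
CATCH = re.compile(r"\bcatch\s*\(\s*([\w.]+)")
PERM_CHECK = re.compile(
    r'check(?:CallingOrSelf|Calling|Self)?Permission\s*\(\s*"android\.permission\.READ_PHONE_STATE"')
BROAD = {"SecurityException", "RuntimeException", "Exception", "Throwable"}
CHECK_WINDOW = 3   # max lines between the permission check and the guarded call


def scan(source: str) -> List[Dict]:
    """Return one finding per probed identifier call: idiom, line, api."""
    findings: List[Dict] = []
    open_tries: List[List] = []   # stack: (line, api) calls seen inside each open try
    last_check = None             # line of the most recent READ_PHONE_STATE check
    for lineno, line in enumerate(source.splitlines(), 1):
        if TRY.search(line):
            open_tries.append([])
        if PERM_CHECK.search(line):
            last_check = lineno
        for m in ID_API.finditer(line):
            api = m.group(1)
            if open_tries:
                open_tries[-1].append((lineno, api))
            if last_check is not None and lineno - last_check <= CHECK_WINDOW:
                findings.append({"idiom": "permission-check", "line": lineno, "api": api})
        m = CATCH.search(line)
        if m and open_tries:
            caught = m.group(1).rsplit(".", 1)[-1]   # java.lang.Exception -> Exception
            for call_line, api in open_tries.pop():
                if caught in BROAD:
                    findings.append({"idiom": "catch-" + caught, "line": call_line, "api": api})
    return findings


# Constructed sample: shortened rewrites of the slide-27 and slide-28 snippets
# followed by an unguarded call (not a probe, so not reported here).
SAMPLE = '''\
public static String fetchDeviceId(Object r0) {
    Context r4 = (Context) r0;
    String r7;
    try {
        r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId();
        if (r7 == null) { r7 = ""; }
    } catch (Exception $r8) {
        log.d("Exception fetching TelephonyManager.getDeviceId value.", $r8);
        r7 = null;
    }
    return r7;
}
public static String fetchSubscriberId(Context r0) {
    String id = "";
    if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0) {
        id = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
    }
    return id;
}
public String plainUse(TelephonyManager tm) {
    return tm.getLine1Number();
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

The point of looking for these two idioms is the one slide 29 makes: a library that probes is written to be dropped into any app and to take whatever permissions that app happens to hold, so the finding is about the toolkit, not the individual developer. On real decompiled output the line-based matching is only a first pass; the catch-type test in particular should be backed by the call-graph-aware analysis the slide 18 table lists for the audio and socket properties.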
  • 30. Custom Exceptions
    v00032.com.wordplayer - CustomExceptionHandler.java

    void init() {
        URLConnection r3;
        ...
        r3 = (new URL("http://www.word-player.com/HttpHandler/init.sample")).openConnection();
        ...
        try {
            $r27 = this.mkStr(((TelephonyManager) _context.getSystemService("phone")).getLine1Number());   // slide annotation: Phone Number!?
        } catch (Exception $r81) {
            break label_5;
        }
        ...
    }
  • 31. Intent Vulnerabilities
    • Similar analysis rules as independently identified by Chin et al. [Mobisys 2011]
    • Leaking information to IPC - unprotected intent broadcasts are common, occasionally contain info
    • Unprotected broadcast receivers - a few apps receive custom action strings w/out protection (lots of “protected bcasts”)
    • Intent injection attacks - 16 apps had potential vulnerabilities
    • Delegating control - pending intents are tricky to analyze (notification, alarm, and widget APIs) --- no vulns found
    • Null checks on IPC input - 3925 potential null dereferences in 591 apps (53%) --- most were in activity components
  • 32. Study Limitations
    • The sample set
    • Code recovery failures
    • Android IPC data flows
    • Fortify SCA language
    • Obfuscation
  • 33. Summary
    • What permissions do applications ask for?
      ‣ Kirin demonstrated how permission combinations can be effectively used to certify applications at install-time.
    • What do applications do with the permissions?
      ‣ TaintDroid “looks inside” of applications to understand how privacy sensitive information is being used.
    • What can applications do with the permissions?
      ‣ We used program analysis and manual inspection to characterize implemented application behavior
  • 34. Thank you!
    William Enck
    Assistant Professor
    Department of Computer Science
    NC State University
    enck@cs.ncsu.edu
    http://www.enck.org