Towards Principled Dynamic Analysis on Android

The vast amount of information and services accessible through mobile handsets running the Android operating system has led to the tight integration of such devices into our daily routines. However, their capability to capture and operate upon user data provides an unprecedented insight into our private lives that needs to be properly protected, which demands for comprehensive analysis and thorough testing. While dynamic analysis has been applied to these problems in the past, the corresponding literature consists of scattered work that often specializes on sub-problems and keeps on re-inventing the wheel, thus lacking a structured approach. To overcome this unsatisfactory situation, this dissertation introduces two major systems that advance the state-of-the-art of dynamically analyzing the Android platform. First, we introduce a novel, fine-grained and non-intrusive compiler-based instrumentation framework that allows for precise and high-performance modification of Android apps and system components. Second, we present a unifying dynamic analysis platform with a special focus on Android’s middleware in order to overcome the common challenges we identified from related work. Together, these two systems allow for a more principled approach for dynamic analysis on Android that enables comparability and composability of both existing and future work.Die enorme Menge an Informationen und Diensten, die durch mobile Endgeräte mit dem Android Betriebssystem zugänglich gemacht werden, hat zu einer verstärkten Einbindung dieser Geräte in unseren Alltag geführt. Gleichzeitig erlauben die dabei verarbeiteten Benutzerdaten einen beispiellosen Einblick in unser Privatleben. Diese Informationen müssen adäquat geschützt werden, was umfassender Analysen und gründlicher Prüfung bedarf. Dynamische Analysetechniken, die in der Vergangenheit hier bereits angewandt wurden, fokussieren sich oftmals auf Teilprobleme und reimplementieren regelmäßig bereits existierende Komponenten statt einen strukturierten Ansatz zu verfolgen. Zur Überwindung dieser unbefriedigenden Situation stellt diese Dissertation zwei Systeme vor, die den Stand der Technik dynamischer Analyse der Android Plattform erweitern. Zunächst präsentieren wir ein compilerbasiertes, feingranulares und nur geringfügig eingreifendes Instrumentierungsframework für präzises und performantes Modifizieren von Android Apps und Systemkomponenten. Anschließend führen wir eine auf die Android Middleware spezialisierte Plattform zur Vereinheitlichung von dynamischer Analyse ein, um die aus existierenden Arbeiten extrahierten, gemeinsamen Herausforderungen in diesem Gebiet zu überwinden. Zusammen erlauben diese beiden Systeme einen prinzipienorientierten Ansatz zur dynamischen Analyse, welcher den Vergleich und die Zusammenführung existierender und zukünftiger Arbeiten ermöglicht

Regulating and Securing the Interfaces Across Mobile Apps, OS and Users

Over the past decade, we have seen a swift move towards a mobile-centered world. This thriving mobile ecosystem builds upon the interplay of three important parties: the mobile user, OS, and app. These parties interact via designated interfaces many of which are newly invented for, or introduced to the mobile platform. Nevertheless, as these new ways of interactions arise in the mobile ecosystem, what is enabled by these communication interfaces often violates the expectations of the communicating parties. This makes the foundation of the mobile ecosystem untrustworthy, causing significant security and privacy hazards. This dissertation aims to fill this gap by: 1) securing the conversations between trusted parties, 2) regulating the interactions between partially trusted parties, and 3) protecting the communications between untrusted parties. We first deal with the case of mobile OS and app, and analyze the Inter-Process Communication (IPC) protocol (Android Binder in particular) between these two untrusted parties. We found that the Android OS is frequently making unrealistic assumptions on the validity (sanity) of transactions from apps, thus creating significant security hazards. We analyzed the root cause of this emerging attack surface and protected this interface by developing an effective, precautionary testing framework and a runtime diagnostic tool. Then, we study the deficiency of how a mobile user interacts with an app that he can only partially trust. In the current mobile ecosystem, information about the same user in different apps can be easily shared and aggregated, which clearly violates the conditional trust mobile user has on each app. This issue is addressed by providing two complementary options: an OS-level extension that allows the user to track and control, during runtime, the potential flow of his information across apps; and a user-level solution that allows the users to maintain multiple isolated profiles for each app. Finally, we elaborate on how to secure the voice interaction channel between two trusted parties, mobile user and OS. The open nature of the voice channel makes applications that depend on voice interactions, such as voice assistants, difficult to secure and exposed to various attacks. We solve this problem by proposing the first system, called VAuth, that provides continuous and usable authentication for voice commands, designed as a wearable security token. It collects the body-surface vibrations of a user via an accelerometer and continuously matches them to the voice commands received by the voice assistant. This way, VAuth guarantees that the voice assistant executes only the commands that originate from the voice of the owner. Overall, this thesis examined the privacy and security issues across various interfaces in the mobile ecosystem, analyzed the trust relationship between different parties and proposed practical solutions. It also documented the experience learned from tackling these problems, and can serve as a reference in dealing with similar issues in other domains.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/137033/1/huanfeng_1.pd

Program Analysis Based Approaches to Ensure Security and Safety of Emerging Software Platforms

Our smartphones, homes, hospitals, and automobiles are being enhanced with software that provide an unprecedentedly rich set of functionalities, which has created an enormous market for the development of software that run on almost every personal computing devices in a person's daily life, including security- and safety-critical ones. However, the software development support provided by the emerging platforms also raises security risks by allowing untrusted third-party code, which can potentially be buggy, vulnerable or even malicious to control user's device. Moreover, as the Internet-of-Things (IoT) technology is gaining vast adoptions by a wide range of industries, and is penetrating every aspects of people's life, safety risks brought by the open software development support of the emerging IoT platform (e.g., smart home) could bring more severe threat to the well-being of customers than what security vulnerabilities in mobile apps have done to a cell phone user. To address this challenge posed on the software security in emerging domains, my dissertation focuses on the flaws, vulnerabilities and malice in the software developed for platforms in these domains. Specifically, we demonstrate that systematic program analyses of software (1) Lead to an understanding of design and implementation flaws across different platforms that can be leveraged in miscellaneous attacks or causing safety problems; (2) Lead to the development of security mechanisms that limit the potential for these threats.We contribute static and dynamic program analysis techniques for three modern platforms in emerging domains -- smartphone, smart home, and autonomous vehicle. Our app analysis reveals various different vulnerabilities and design flaws on these platforms, and we propose (1) static analysis tool OPAnalyzer to automates the discovery of problems by searching for vulnerable code patterns; (2) dynamic testing tool AutoFuzzer to efficiently produce and capture domain specific issues that are previously undefined; and (3) propose new access control mechanism ContexIoT to strengthen the platform's immunity to the vulnerability and malice in third-party software. Concretely, we first study a vulnerability family caused by the open ports on mobile devices, which allows remote exploitation due to insufficient protection. We devise a tool called OPAnalyzer to perform the first systematic study of open port usage and their security implications on mobile platform, which effectively identify and characterize vulnerable open port usage at scale in popular Android apps. We further identify the lack of context-based access control as a main enabler for such attacks, and begin to seek for defense solution to strengthen the system security. We study the popular smart home platform, and find the existing access control mechanisms to be coarse-grand, insufficient, and undemanding. Taking lessons from previous permission systems, we propose the ContexIoT approach, a context-based permission system for IoT platform that supports third-party app development, which protects the user from vulnerability and malice in these apps through fine-grained identification of context. Finally, we design dynamic fuzzing tool, AutoFuzzer for the testing of self-driving functionalities, which demand very high code quality using improved testing practice combining the state-of-the-art fuzzing techniques with vehicular domain knowledge, and discover problems that lead to crashes in safety-critical software on emerging autonomous vehicle platform.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/145845/1/jackjia_1.pd

Bringing Balance to the Force: Dynamic Analysis of the Android Application Framework

Android's application framework plays a crucial part in protecting users' private data and the system integrity. Consequently, it has been the target of various prior works that analyzed its security policy and enforcement. Those works uncovered different security problems, including incomplete documentation, permission re-delegation within the framework, and inconsistencies in access control. However, all but one of those prior works were based on static code analysis. Thus, their results provide a one-sided view that inherits the limitations and drawbacks of applying static analysis to the vast, complex code base of the application framework. Even more, the performances of different security applications---including malware classification and least-privileged apps---depend on those analysis results, but those applications are currently tarnished by imprecise and incomplete results as a consequence of this imbalanced analysis methodology. To complement and refine this methodology and consequently improve the applications that are dependent on it, we add dynamic analysis of the application framework to the current research landscape and demonstrate the necessity of this move for improving the quality of prior results and advancing the field. Applying our solution, called Dynamo, to four prominent use-cases from the literature and taking a synoptical view on the results, we verify but also refute and extend the existing results of prior static analysis solutions. From the manual investigation of the root causes of discrepancies between results, we draw new insights and expert knowledge that can be valuable in improving both static and dynamic testing of the application framework

Dependability Assessment of Android OS

In this brave new world of smartphone-dependent society, dependability is a strong requirement and needs to be addressed properly. Assessing the dependability of these mobile system is still an open issue, and companies should have the tools to improve their devices and beat the competition against other vendors. The main objective of this dissertation is to provide the methods to assess the dependability of mobile OS, fundamental for further improvements. Mobile OS are threatened mainly by traditional residual faults (when errors spread across components as failures), aging-related faults (when errors accumulate over time), and misuses by users and applications. This thesis faces these three aspects. First, it presents a qualitative method to define the fault model of a mobile OS, and an exhaustive fault model for Android. I designed and developed AndroFIT, a novel fault injection tool for Android smartphone, and performed an extensive fault injection campaign on three Android devices from different vendors to analyze the impact of component failure on the mobile OS. Second, it presents an experimental methodology to analyze the software aging phenomenon in mobile OS. I performed a software aging analysis campaign on Android devices to identify the impacting factors on performance degradation and resource consumption. Third, it presents the design and implementation of a novel fuzzing tool, namely Chizpurfle, able to automatically test Android vendor customizations by leveraging code coverage information at run-time

Cross-vendor Security Analysis of Android Unix Domain Sockets

The Android operating system is currently the most popular mobile operating system in the world. Android is based on Linux and therefore inherits its features including its Inter-process Communication (IPC) mechanisms. These mechanisms are used by processes to communicate with one another and are extensively used in Android. Although the Android-specific IPC mechanisms have been studied extensively, Unix domain sockets have not been studied as much despite playing a crucial role in the IPC of highly privileged system daemons. In this thesis, we propose SAUSAGE, an efficient novel static analysis framework to study the security properties of these sockets. SAUSAGE considers access control policies implemented in the Android security model as well as authentication checks implemented by the daemon binaries. It is a fully static large-scale analysis framework specifically designed to analyze Unix domain socket usage in Android system daemons. We use this framework to analyze 200 Android images across eight popular smartphone vendors spanning Android versions 7-9. As a result, we uncover multiple access control misconfigurations and insecure authentication checks introduced by vendor customization. Our notable findings include a permission bypass in highly privileged Qualcomm system daemons and a vendor-specific daemon exposing an unprotected socket that allows an untrusted app to set the scheduling priority of other processes running on the system

DISCOVERING ANOMALOUS BEHAVIORS BY ADVANCED PROGRAM ANALYSIS TECHNIQUES

As soon as a technology started to be used by the masses, ended up as a target of the investigation of bad guys that write malicious software with the only and explicit intent to damage users and take control of their systems to perform different types of fraud. Malicious programs, in fact, are a serious threat for the security and privacy of billions of users. The bad guys are the main characters of this unstoppable threat which improves as the time goes by. At the beginning it was pure computer vandalism, then turned into petty theft followed by cybercrime, cyber espionage, and finally gray market business. Cybercrime is a very dangerous threat which consists of, for instance, stealing credentials of bank accounts, sending SMS to premium number, stealing user sensitive information, using resources of infected computer to develop e.g., spam business, DoS, botnets, etc. The interest of the cybercrime is to intentionally create malicious programs for its own interest, mostly lucrative. Hence, due to the malicious activity, cybercriminals have all the interest in not being detected during the attack, and developing their programs to be always more resilient against anti-malware solution. As a proof that this is a dangerous threat, the FBI reported a decline in physical crime and an increase of cybercrime. In order to deal with the increasing number of exploits found in legacy code and to detect malicious code which leverages every subtle hardware and software detail to escape from malware analysis tools, the security research community started to develop and improve various code analysis techniques (static, dynamic or both), with the aim to detect the different forms of stealthy malware and to individuate security bugs in legacy code. Despite the improvement of the research solutions, yet the current ones are inadequate to face new stealthy and mobile malware. Following such a line of research, in this dissertation, we present new program analysis techniques that aim to improve the analysis environment and deal with mobile malware. To perform malware analysis, behavior analysis technique is the prominent: the actions that a program is performing during its real-time execution are collected to understand its behavior. Nevertheless, they suffer of some limitations. State-of-the-Art malware analysis solutions rely on emulated execution environment to prevent the host to get infected, quickly recover to a pristine state, and easily collect process information. A drawback of these solutions is the non-transparency, that is, the execution environment does not faithfully emulate the physical end-user environment, which could lead to end up with incomplete results. In fact, malicious programs could detect when they are monitored in such environment, and thus modifying their behavior to mislead the analysis and avoid detection. On the contrary, a faithful emulator would drastically reduce the chance of detection of the analysis environment from the analyzed malware. To this end, we present EmuFuzzer, a novel testing methodology specific for CPU emulators, based on fuzzing to verify whether the CPU is properly emulated or not. Another shortcoming regards the stimulation of the analyzed application. It is not uncommon that an application exhibit certain behaviors only when exercised with specific events (i.e., button click, insert text, socket connection, etc.). This flaw is even exacerbated when analyzing mobile application. At this aim, we introduce CopperDroid, a program analysis tool built on top of QEMU to automatically perform out-of-the-box dynamic behavior analysis of Android malware. To this end, CopperDroid presents a unified analysis to characterize low-level OS-specific and high-level Android-specific behaviors