Quire: Lightweight Provenance for Smart Phone Operating Systems

Smartphone apps often run with full privileges to access the network and sensitive local resources, making it difficult for remote systems to have any trust in the provenance of network connections they receive. Even within the phone, different apps with different privileges can communicate with one another, allowing one app to trick another into improperly exercising its privileges (a Confused Deputy attack). In Quire, we engineered two new security mechanisms into Android to address these issues. First, we track the call chain of IPCs, allowing an app the choice of operating with the diminished privileges of its callers or to act explicitly on its own behalf. Second, a lightweight signature scheme allows any app to create a signed statement that can be verified anywhere inside the phone. Both of these mechanisms are reflected in network RPCs, allowing remote systems visibility into the state of the phone when an RPC is made. We demonstrate the usefulness of Quire with two example applications. We built an advertising service, running distinctly from the app which wants to display ads, which can validate clicks passed to it from its host. We also built a payment service, allowing an app to issue a request which the payment service validates with the user. An app cannot not forge a payment request by directly connecting to the remote server, nor can the local payment service tamper with the request

A CleanRoom approach to bring your own apps

Today, on mobile devices such as smartphones and tablets, hundreds of thousands of software apps provide useful services to users. Users use these apps to search and browse the web, perform financial transactions, emailing, among other functions. Besides, these apps use cloud services which gives the users the flexibility to access them from anywhere and from any device. Because of the rich functionality of these apps and ease of use of mobile devices, users (employees) often want to use their devices and preferred apps at their workplace. However, these apps not only pose risk to user's private data but also to enterprise data, when users use them within an enterprise network. For one thing, these apps come from hundreds and thousands of different app publishers, where all of them may not be trustworthy. Second, apps often need user's private data such as location, contact list, photos among others and use remote cloud to carry out their operations. In the process apps may leak a user's private or enterprise confidential data to a third party. Current practices to prevent such leaks through user enabled app permissions fall short because often user does not understand these permissions. Besides, even if a company's "Bring Your Own Device" (BYOD) policies mitigate the risk of device compromise with enterprise-approved password policies, remote wipe capabilities, and OS security upgrade policies, the apps on those devices pose their own risks. This thesis presents CleanRoom, a new app platform that prevents apps from leaking the data entrusted to them. It does not rely on users to make good decisions about Privacy, and enables enterprises to allow its employees to use their own devices and bring their preferred apps to work.Computer Science

Transparent and Precise Malware Analysis Using Virtualization: From Theory to Practice

Dynamic analysis is an important technique used in malware analysis and is complementary to static analysis. Thus far, virtualization has been widely adopted for building fine-grained dynamic analysis tools and this trend is expected to continue. Unlike User/Kernel space malware analysis platforms that essentially co-exist with malware, virtualization based platforms benefit from isolation and fine-grained instrumentation support. Isolation makes it more difficult for malware samples to disrupt analysis and fine-grained instrumentation provides analysts with low level details, such as those at the machine instruction level. This in turn supports the development of advanced analysis tools such as dynamic taint analysis and symbolic execution for automatic path exploration. The major disadvantage of virtualization based malware analysis is the loss of semantic information, also known as the semantic gap problem. To put it differently, since analysis takes place at the virtual machine monitor where only the raw system state (e.g., CPU and memory) is visible, higher level constructs such as processes and files must be reconstructed using the low level information. The collection of techniques used to bridge semantic gaps is known as Virtual Machine Introspection. Virtualization based analysis platforms can be further separated into emulation and hardware virtualization. Emulators have the advantages of flexibility of analysis tool development and efficiency for fine-grained analysis; however, emulators suffer from the transparency problem. That is, malware can employ methods to determine whether it is executing in an emulated environment versus real hardware and cease operations to disrupt analysis if the machine is emulated. In brief, emulation based dynamic analysis has advantages over User/Kernel space and hardware virtualization based techniques, but it suffers from semantic gap and transparency problems. These problems have been exacerbated by recent discoveries of anti-emulation malware that detects emulators and Android malware with two semantic gaps, Java and native. Also, it is foreseeable that malware authors will have a similar response to taint analysis. In other words, once taint analysis becomes widely used to understand how malware operates, the authors will create new malware that attacks the imprecisions in taint analysis implementations and induce false-positives and false-negatives in an effort to frustrate analysts. This dissertation addresses these problems by presenting concepts, methods and techniques that can be used to transparently and precisely analyze both desktop and mobile malware using virtualization. This is achieved in three parts. First, precise heterogeneous record and replay is presented as a means to help emulators benefit from the transparency characteristics of hardware virtualization. This technique is implemented in a tool called V2E that uses KVM for recording and TEMU for replaying and analysis. It was successfully used to analyze real-world anti-emulation malware that evaded analysis using TEMU alone. Second, the design of an emulation based Android malware analysis platform that uses virtual machine introspection to bridge both the Java and native level semantic gaps as well as seamlessly bind the two views together into a single view is presented. The core introspection and instrumentation techniques were implemented in a new analysis platform called DroidScope that is based on the Android emulator. It was successfully used to analyze two real-world Android malware samples that have cooperating Java and native level components. Taint analysis was also used to study their information ex-filtration behaviors. Third, formal methods for studying the sources of false-positives and false-negatives in dynamic taint analysis designs and for verifying the correctness of manually defined taint propagation rules are presented. These definitions and methods were successfully used to analyze and compare previously published taint analysis platforms in terms of false-positives and false-negatives

Flexible Information-Flow Control

As more and more sensitive data is handled by software, its trustworthinessbecomes an increasingly important concern. This thesis presents work on ensuringthat information processed by computing systems is not disclosed to thirdparties without the user\u27s permission; i.e. to prevent unwanted flows ofinformation. While this problem is widely studied, proposed rigorousinformation-flow control approaches that enforce strong securityproperties like noninterference have yet to see widespread practical use.Conversely, lightweight techniques such as taint tracking are more prevalent inpractice, but lack formal underpinnings, making it unclear what guarantees theyprovide.This thesis aims to shrink the gap between heavyweight information-flow controlapproaches that have been proven sound and lightweight practical techniqueswithout formal guarantees such as taint tracking. This thesis attempts toreconcile these areas by (a) providing formal foundations to taint trackingapproaches, (b) extending information-flow control techniques to more realisticlanguages and settings, and (c) exploring security policies and mechanisms thatfall in between information-flow control and taint tracking and investigating whattrade-offs they incur

Information Flow Control in Spring Web Applications

Companies rely extensively on frameworks and APIs when developing their systems, as these mechanisms are quite advantageous. Two of the most conspicuous benefits are their ease of use and workload reduction, allowing for shorter and more responsive development cycles. However, most frameworks do not provide security properties such as data confidentiality as other tools do. A prime example is a Spring. It is the most heavily used Java web development framework, hosting a vast array of functionalities, ranging from data layer functionalities (c.f. hibernate and JPA), security providers, and metrics providers to provide statistical data on the application itself as well as a layer for REST communication. However, to achieve such advanced functionalities, Spring resorts to bytecode manipulation and generation during its startup period, hindering the use of other formal analysis tools that use similar processes in their execution. In a broader sense, we provide a comprehensive approach for the static analysis of spring-based web applications. We introduce hooks in the Spring pipeline, making feasible the formal analysis and manipulation of the complete, run-time-generated appli- cation bytecode through a well-defined interface. The hooks provide not only access to the entire web application’s bytecode but also allow for the replacement of the applica- tion’s component, enabling more complex analysis requiring the instrumentation of the application. To address data confidentiality-related issues in web applications developed with this framework, we propose integrating information flow control tools in the framework’s pipeline. Namely, we combine Spring with Snitch, a tool for hybrid information flow control in Java bytecode that will be used as a case-study.As empresas apoiam-se cada vez mais em frameworks e APIs quando desenvolvem os seus sistemas, pois estas ferramentas fornecem grandes vantagens. Duas das maiores vantages destes sistemas são a sua fácil utilização/integração nos sistemas bem como a quantidade de trabalho que reduzem ao desenvolvedor, permitindo assim períodos de desenvolvimento mais curtos e responsivos. Ainda assim, a mrioria das frameworks não têm como lidar com propriedades de segurança fundamentais como confidencialidade dos dados. Um dos exemplos mais conhecidos é o Spring. É a framework mais usada em Java para desenvolvimento web, oferecendo um vasto leque de funcionalidades, variando entre uma camada que lida com dados (eg: hibernate e JPA), uma camada gestora de segurança nas aplicações, uma camada estatística que permite analisar a performance do sistema e também uma camada para comunicação REST. Para alcançar estas funcionalidades, que não são triviais, o Spring recorre a mecanismos de manipulação de bytecode e geração de código durante o seu período de inicialização, perturbando o uso de ferramentas de análise formais que recorrem a processos semelhantes na sua execução. Em geral, nós fornecemos uma nova forma de lidar com análise formal em aplicações web Spring. Aqui introduzimos hooks no processo de inicialização do Spring, tornando possível que a análise formal e a manipulação de todo o bytecode gerado da aplicação a partir duma interface cuidadosamente definida. Os hooks fornecidos fornecem acesso ao bytecode da aplicação na sua totalidade bem como permitem a substituição do componente da aplicação, permitindo assim a análise complexa e formal por parte da ferramenta que pode requerer instrumentação da aplicação. Para lidar com problemas relacionados com confidencialidade dos dados em aplicações web desenvolvidas com a framework, propomos a integração de ferramentas de controlo do fluxo de informação na prórpia framework. Assim, juntamos Spring e Snitch, uma ferramenta que analisa bytecode para verificar a segurança do fluxo de informação híbrida

Program analysis for android security and reliability

The recent, widespread growth and adoption of mobile devices have revolutionized the way users interact with technology. As mobile apps have become increasingly prevalent, concerns regarding their security and reliability have gained significant attention. The ever-expanding mobile app ecosystem presents unique challenges in ensuring the protection of user data and maintaining app robustness. This dissertation expands the field of program analysis with techniques and abstractions tailored explicitly to enhancing Android security and reliability. This research introduces approaches for addressing critical issues related to sensitive information leakage, device and user fingerprinting, mobile medical score calculators, as well as termination-induced data loss. Through a series of comprehensive studies and employing novel approaches that combine static and dynamic analysis, this work provides valuable insights and practical solutions to the aforementioned challenges. In summary, this dissertation makes the following contributions: (1) precise identifier leak tracking via a novel algebraic representation of leak signatures, (2) identifier processing graphs (IPGs), an abstraction for extracting and subverting user-based and device-based fingerprinting schemes, (3) interval-based verification of medical score calculator correctness, and (4) identifying potential data losses caused by app termination

Securing the software-defined networking control plane by using control and data dependency techniques

Software-defined networking (SDN) fundamentally changes how network and security practitioners design, implement, and manage their networks. SDN decouples the decision-making about traffic forwarding (i.e., the control plane) from the traffic being forwarded (i.e., the data plane). SDN also allows for network applications, or apps, to programmatically control network forwarding behavior and policy through a logically centralized control plane orchestrated by a set of SDN controllers. As a result of logical centralization, SDN controllers act as network operating systems in the coordination of shared data plane resources and comprehensive security policy implementation. SDN can support network security through the provision of security services and the assurances of policy enforcement. However, SDN’s programmability means that a network’s security considerations are different from those of traditional networks. For instance, an adversary who manipulates the programmable control plane can leverage significant control over the data plane’s behavior. In this dissertation, we demonstrate that the security posture of SDN can be enhanced using control and data dependency techniques that track information flow and enable understanding of application composability, control and data plane decoupling, and control plane insight. We support that statement through investigation of the various ways in which an attacker can use control flow and data flow dependencies to influence the SDN control plane under different threat models. We systematically explore and evaluate the SDN security posture through a combination of runtime, pre-runtime, and post-runtime contributions in both attack development and defense designs. We begin with the development a conceptual accountability framework for SDN. We analyze the extent to which various entities within SDN are accountable to each other, what they are accountable for, mechanisms for assurance about accountability, standards by which accountability is judged, and the consequences of breaching accountability. We discover significant research gaps in SDN’s accountability that impact SDN’s security posture. In particular, the results of applying the accountability framework showed that more control plane attribution is necessary at different layers of abstraction, and that insight motivated the remaining work in this dissertation. Next, we explore the influence of apps in the SDN control plane’s secure operation. We find that existing access control protections that limit what apps can do, such as role-based access controls, prove to be insufficient for preventing malicious apps from damaging control plane operations. The reason is SDN’s reliance on shared network state. We analyze SDN’s shared state model to discover that benign apps can be tricked into acting as “confused deputies”; malicious apps can poison the state used by benign apps, and that leads the benign apps to make decisions that negatively affect the network. That violates an implicit (but unenforced) integrity policy that governs the network’s security. Because of the strong interdependencies among apps that result from SDN’s shared state model, we show that apps can be easily co-opted as “gadgets,” and that allows an attacker who minimally controls one app to make changes to the network state beyond his or her originally granted permissions. We use a data provenance approach to track the lineage of the network state objects by assigning attribution to the set of processes and agents responsible for each control plane object. We design the ProvSDN tool to track API requests from apps as they access the shared network state’s objects, and to check requests against a predefined integrity policy to ensure that low-integrity apps cannot poison high-integrity apps. ProvSDN acts as both a reference monitor and an information flow control enforcement mechanism. Motivated by the strong inter-app dependencies, we investigate whether implicit data plane dependencies affect the control plane’s secure operation too. We find that data plane hosts typically have an outsized effect on the generation of the network state in reactive-based control plane designs. We also find that SDN’s event-based design, and the apps that subscribe to events, can induce dependencies that originate in the data plane and that eventually change forwarding behaviors. That combination gives attackers that are residing on data plane hosts significant opportunities to influence control plane decisions without having to compromise the SDN controller or apps. We design the EventScope tool to automatically identify where such vulnerabilities occur. EventScope clusters apps’ event usage to decide in which cases unhandled events should be handled, statically analyzes controller and app code to understand how events affect control plane execution, and identifies valid control flow paths in which a data plane attacker can reach vulnerable code to cause unintended data plane changes. We use EventScope to discover 14 new vulnerabilities, and we develop exploits that show how such vulnerabilities could allow an attacker to bypass an intended network (i.e., data plane) access control policy. This research direction is critical for SDN security evaluation because such vulnerabilities could be induced by host-based malware campaigns. Finally, although there are classes of vulnerabilities that can be removed prior to deployment, it is inevitable that other classes of attacks will occur that cannot be accounted for ahead of time. In those cases, a network or security practitioner would need to have the right amount of after-the-fact insight to diagnose the root causes of such attacks without being inundated with too much informa- tion. Challenges remain in 1) the modeling of apps and objects, which can lead to overestimation or underestimation of causal dependencies; and 2) the omission of a data plane model that causally links control and data plane activities. We design the PicoSDN tool to mitigate causal dependency modeling challenges, to account for a data plane model through the use of the data plane topology to link activities in the provenance graph, and to account for network semantics to appropriately query and summarize the control plane’s history. We show how prior work can hinder investigations and analysis in SDN-based attacks and demonstrate how PicoSDN can track SDN control plane attacks.Ope