8 research outputs found
A Taxonomy for Attack Patterns on Information Flows in Component-Based Operating Systems
We present a taxonomy and an algebra for attack patterns on component-based
operating systems. In a multilevel security scenario, where isolation of
partitions containing data at different security classifications is the primary
security goal and security breaches are mainly defined as undesired disclosure
or modification of classified data, strict control of information flows is the
ultimate goal. In order to prevent undesired information flows, we provide a
classification of information flow types in a component-based operating system
and, by this, possible patterns to attack the system. The systematic
consideration of information flows reveals a specific type of operating system
covert channel, the covert physical channel, which connects two formerly isolated
partitions by emitting physical signals into the computer's environment and
receiving them at another interface. Comment: 9 pages
AppVeto: Securing Android Applications Through Resource Access Veto
Modern mobile devices and mobile operating systems are equipped with high-resolution motion and environmental sensors, camera, microphone, and other resources to support better usability and the latest features—e.g. augmented reality, personalized user experience, activity tracking etc. Apps on the modern mobile platforms can access these resources with, or without, an explicit user permission. Running multiple concurrent apps is also commonly supported. Although the Android OS generally maintains strict separation between apps, an app can still get access to another app’s private information, such as the user’s input or the app’s output, through numerous side-channels. This is mostly enabled by having access to permissioned or permission-less (sometimes even unrelated) resources. For example, keystrokes and swipe gestures from a victim app can be inferred indirectly from the accelerometer or gyroscope output, allowing a zero-permission app to learn sensitive inputs such as passwords from the victim’s app. Current mobile OSes have started allowing an app to defend itself in such situations only in some exceptional cases—e.g., the screenshot opt-out feature of Android allows an app to defend itself from malicious apps trying to capture its information viewed on the screen.
In this work, we propose a general mechanism for apps to defend themselves from any unwanted implicit or explicit interference from other concurrently running apps. Our AppVeto solution enables an app developer to easily configure an app’s requirements for a safe environment; a foreground app can request the OS to disallow access—i.e., to enable veto powers—to selected side-channel-prone resources to all other running apps for a constrained duration (also throttled for a short duration for preventing DoS), e.g., no access to the accelerometer during password input. In a sense, we enable a finer-grained access control policy than the current runtime permission model. We implement AppVeto on Android using the Xposed framework and PLT hooking techniques, without changing Android APIs. Furthermore, we show that AppVeto imposes negligible overhead, while being effective against several well-known side-channel attacks—implemented via both Android Java and/or Native APIs.
We have prototyped AppVeto using runtime hooking techniques, which allow AppVeto to be used and tested out of the box on any Android OS with the Xposed framework installed on it. We also orchestrated our prototype to veto resource access from the Android native framework, which is not achievable with Android’s conventional native binary hooking techniques. We finally evaluated AppVeto against production apps and test apps. Our performance evaluation also shows that AppVeto’s overhead is practical and below a tolerable margin, and that our solution and design can be adopted in present mobile platforms.
An integrated network-based mobile botnet detection system
The increase in the use of mobile devices has made them a target for attackers, through the use of sophisticated malware. One of the most significant types of such malware is mobile botnets. Due to their continually evolving nature, botnets are difficult to tackle through signature-based and traditional anomaly-based detection methods. Machine learning techniques have also been used for this purpose. However, the study of their effectiveness has shown methodological weaknesses that have prevented the emergence of conclusive and thorough evidence about their merit.
To address this problem, in this thesis we propose a mobile botnet detection system, called MBotCS, and report the outcomes of a comprehensive experimental study of mobile botnet detection using supervised machine learning techniques to analyse network traffic and system calls on Android mobile devices.
The research covers a range of botnet detection scenarios that is wider than what has been explored so far, explores atomic and box learning algorithms, and thoroughly investigates the sensitivity of the algorithm performance to different factors (algorithms, features of network traffic, system call data aggregation periods, botnets vs normal applications, and so on). These experiments have been evaluated using real mobile device traffic and system calls captured from Android mobile devices running normal apps and mobile botnets.
The experimental study has several advantages compared with existing research. Firstly, the experiments use not only atomic but also box ML classifiers. Secondly, they use a comprehensive set of Android mobile botnets, which had not been considered previously, without relying on any form of synthetic training data. Thirdly, the experiments contain a wider set of detection scenarios, including unknown botnets and normal applications. Finally, the experiments include the statistical significance of differences in detection performance measures with respect to different factors.
The study resulted in positive evidence about the effectiveness of the supervised learning approach as a solution to the mobile botnet detection problem.