VSPMiner: Detecting Security Hazards in SEAndroid Vendor Customizations via Large-Scale Supervised Machine Learning

Transcript of the slide deck (59 pages).

Page 1: VSPMiner: Detecting Security Hazards in SEAndroid Vendor Customizations via Large-Scale Supervised Machine Learning

Xiangyu Liu, Yi Zhang, Yang Song

Alibaba Security

Page 2: Whoami

•  Xiangyu Liu
•  Security Engineer @ Alibaba
•  CUHK PhD (2016)
•  Academic: IEEE S&P, ACM CCS
•  Industry: DEFCON
•  Interests: intrusion detection, mobile security
•  Co-authors: Yi Zhang, Yang Song @ Alibaba

Page 3: Agenda

•  Background
•  VSPMiner
•  Evaluation
•  Summary

Page 4: Background - SEAndroid

•  Android uses SELinux to enforce mandatory access control (MAC) over all processes.
•  After Android 4.4
  •  Privilege escalation becomes much more difficult

Page 5: Background - SEAndroid Framework

[Figure: SEAndroid framework. User space: SELinux policy and configuration files (policy files, mac_permissions, context files) are read/written by the security server and libselinux (supports security policy, ...), which look up and record decisions. Kernel space: the SELinux Linux Security Module (LSM) is invoked through LSM hooks by the various Linux kernel services.]

Page 7: Background - SEAndroid Policy

•  The effectiveness of SEAndroid depends on the employed policies.
•  allow/neverallow subject object:object_class permission
  •  sbj, obj, obj_class, perm (for short)
•  Allow rules define benign operations
  •  E.g., allow appdomain app_data_file:file { read write execute }
•  Neverallow rules define privilege escalation (checked at compile time)
  •  E.g., neverallow untrusted_app init:file { read }
•  Security labels <=> concrete subjects/objects
  •  system_file <=> /system(/.*)
  •  system_data_file <=> /data(/.*)

Page 8: Vendors don't know how to write policies

@pof, "Defeat SEAndroid", Defcon 2013

Page 9: Background - Refine Policy

•  Using audit logs
  •  Log access events not matched with allow rules
  •  6-tuple access patterns: <concrete_sbj, sbj, concrete_obj, obj, obj_class, perm>
•  Policy engineers parse the logs to refine the policy

Page 10: Background - Challenges

•  Millions of audit logs
•  Expert experience
  •  Allow benign accesses
  •  Prevent malicious accesses
•  Unknown new malicious access patterns

Page 11: Background - Vendor Customizations

•  Vendor customizations
  •  Add apps, device drivers and other new features
•  Small time window
  •  Manufacturers always have only about 6 months (or less) to customize the official version

Page 12: Background - Related Work

•  EASEAndroid @ Usenix Security '16
  •  Samsung devices
  •  Using audit logs
  •  Known access patterns, i.e., 17 malicious access patterns
  •  Semi-supervised machine learning
•  Learning unknown patterns based on semantic correlations
  •  Nearest-Neighbor (NN) Classifier
  •  Pattern-to-Rule Distance Measurer
  •  Co-Occurrence Learner

Page 13: VSPMiner

•  Vulnerable SEAndroid Policy Miner
•  Features
  •  All 3rd-party vendors
  •  Thousands of "vulnerable" rules acquired from SEAndroid patch files
  •  Features are extracted from rules
  •  Supervised machine learning

Page 14: VSPMiner - Key Idea

•  Assume the latest AOSP policy is trusted
•  The rules deleted from SEAndroid patch files are defined as vulnerable
•  Focus on critical rules

[Figure: vulnerable rules & benign rules → supervised machine learning → models; testing rules → detection → prediction results.]

Page 15: VSPMiner Architecture

[Figure: VSPMiner architecture. Training stage: AOSP patch files (+allow ..., -allow ..., +neverallow ..., -neverallow ...) yield vulnerable rules and the latest AOSP SEAndroid policy yields benign rules; together they form the training set. Features (one-hot, weight) are extracted from the training set and from the acquired large-scale rules, and train the ML models (GBDT, XGBOOST, RF, SVM, Naive Bayes, LR, ...). Detection stage: rules from third-party images collected from end users pass two filters (known vulnerable rules? critical rules?); known vulnerable rules are reported directly, the features of the remaining testing rules go to detection, which outputs the prediction results.]

Page 16: VSPMiner Architecture - Analyzing SEAndroid Patch Files

•  SEAndroid evolution
  •  https://android.googlesource.com/platform/system/sepolicy
•  Obtain commit IDs from the log file
  •  9584 commit ids
  •  Aug 1 13:27:32 2017
•  diff each commit ID with its parent
  •  +allow / -allow rules
  •  +neverallow / -neverallow rules

Page 17: VSPMiner Architecture - Differential Analysis

•  Specific commit id: +allow rules
  •  Split
    •  {domain -init} → domain, -init
    •  ~{relabelto getattr} → ~relabelto, ~getattr
•  Deleted allow rules $S^{-}_{ar,id}$, added allow rules $S^{+}_{ar,id}$
•  Differential analysis: $P_{ar,id} = S^{-}_{ar,id} - S^{+}_{ar,id}$
  •  E.g., init kernel:security load_policy

Page 18: VSPMiner Architecture - Differential Analysis

•  neverallow rules
  •  Deleted neverallow rules $S^{-}_{nar,id}$, added neverallow rules $S^{+}_{nar,id}$
•  Differential analysis: $P_{nar,id} = S^{+}_{nar,id} - S^{-}_{nar,id}$
  •  E.g., untrusted_app init:file read

Page 19: VSPMiner Architecture - Combining Differential Results

•  Combine the results of all commit ids into the set of known vulnerable rules

Page 20: VSPMiner Architecture - Special Symbols

•  Special rules
  •  Contain the special symbols '*', '-' and '~'
•  '*' matches any item in the same field
•  '-' is the except operation
  •  Performed on the subject or object
•  '~' also denotes the except operation
  •  Used for the permission

Page 21: VSPMiner Architecture - Handle Special Symbols

•  Define the critical field set: the subjects, objects, object classes and permissions that have appeared in common rules of P'_r
  •  S_sbj, S_obj, S_obj_class, S_perm
•  Replacing
  •  '*' -> all the corresponding critical fields
  •  '-' -> all the other critical subjects/objects
  •  '~' -> all the other critical permissions
•  P_r denotes the known vulnerable rules

Page 22: VSPMiner Architecture - Obtain Benign Rules

•  Acquire the latest AOSP SEAndroid policy
•  Only consider the rules that consist of elements in the critical field set
  •  R_Benign

Page 23: VSPMiner Architecture - Training Set

•  Eliminate the interference between the two sets (rules that appear in both)
•  Positive samples: $P_r - (P_r \cap R_{Benign})$
  •  25467 vulnerable rules
•  Negative samples: $R_{Benign} - (P_r \cap R_{Benign})$
  •  24146 benign rules
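The steps of Pages 17 to 23 (splitting a rule into its fields, replacing the special symbols against the critical field sets, per-commit differential analysis of allow and neverallow rules, and removing the overlap with the benign set) as one worked example in Python. This is added here and is not VSPMiner's code: the critical field sets, the patch excerpt and the policy excerpt are constructed for the example and are not the talk's data, and the regex-based rule parser is my own simplification (it handles single-line `allow`/`neverallow` statements only).

```python
import re
from itertools import product

# Field order of an access-vector rule: allow/neverallow sbj obj:obj_class perm
FIELDS = ("sbj", "obj", "obj_class", "perm")

# Critical field sets S_sbj, S_obj, S_obj_class, S_perm (Page 21). VSPMiner derives
# them from the ordinary rules of P'_r; these small sets are constructed for the example.
CRITICAL = {
    "sbj": {"init", "untrusted_app", "system_server", "domain"},
    "obj": {"kernel", "init", "app_data_file", "system_data_file"},
    "obj_class": {"security", "file", "process"},
    "perm": {"load_policy", "read", "write", "execute", "relabelto", "getattr"},
}

# One field is either a bare name or a brace set, optionally negated with '~'.
TOKEN = r"(~?[^\s;:{}]+|~?\{[^}]*\})"
RULE_RE = re.compile(r"^\s*(allow|neverallow)\s+" + TOKEN + r"\s+" + TOKEN
                     + r"\s*:\s*" + TOKEN + r"\s+" + TOKEN + r"\s*;?\s*$")


def expand_field(token, field):
    """Expand one field into the values it covers, replacing the special symbols
    as the slides describe: '*' -> every critical value of the field, '-x' -> every
    other critical value, '~{...}' -> every critical permission except those listed."""
    negate = token.startswith("~")
    items = token.lstrip("~").strip("{}").split()
    if "*" in items:
        return set(CRITICAL[field])
    included = {i for i in items if not i.startswith("-")}
    excluded = {i[1:] for i in items if i.startswith("-")}
    if negate:
        return CRITICAL[field] - included
    if excluded:
        included |= CRITICAL[field] - excluded
    return included


def parse_rule(text):
    """Split one rule into (kind, set of (sbj, obj, obj_class, perm) tuples)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not an access-vector rule: %r" % text)
    kind, *tokens = m.groups()
    return kind, set(product(*(expand_field(t, f) for t, f in zip(tokens, FIELDS))))


def analyze_commit(diff_text):
    """Differential analysis of one commit's patch (Pages 17-18).
    Allow rules:      P_ar  = S-_ar  - S+_ar   (deleted and not re-added)
    Neverallow rules: P_nar = S+_nar - S-_nar  (newly forbidden)
    The union is this commit's contribution to the known-vulnerable set P_r."""
    plus = {"allow": set(), "neverallow": set()}
    minus = {"allow": set(), "neverallow": set()}
    for line in diff_text.splitlines():
        if not line or line[0] not in "+-" or line[:3] in ("+++", "---"):
            continue
        body = line[1:].strip()
        if not RULE_RE.match(body):
            continue  # comments, macros, hunk context: not access-vector rules
        kind, tuples = parse_rule(body)
        (plus if line[0] == "+" else minus)[kind] |= tuples
    p_ar = minus["allow"] - plus["allow"]
    p_nar = plus["neverallow"] - minus["neverallow"]
    return p_ar | p_nar


def is_critical(rule):
    return all(value in CRITICAL[f] for value, f in zip(rule, FIELDS))


def benign_rules(policy_text):
    """R_Benign (Page 22): allow rules of the latest AOSP policy whose four fields
    all lie in the critical field set."""
    benign = set()
    for line in policy_text.splitlines():
        if RULE_RE.match(line) and line.lstrip().startswith("allow "):
            benign |= {r for r in parse_rule(line)[1] if is_critical(r)}
    return benign


def training_sets(p_r, r_benign):
    """Page 23: positives = P_r - (P_r ∩ R_Benign), negatives = R_Benign - (P_r ∩ R_Benign)."""
    overlap = p_r & r_benign
    return p_r - overlap, r_benign - overlap


# Constructed patch and policy excerpts modelled on the slides' examples (not real AOSP commits).
SAMPLE_DIFF = """\
--- a/init.te
+++ b/init.te
-allow init kernel:security load_policy;
+allow init kernel:security { read };
--- a/app.te
+++ b/app.te
-neverallow untrusted_app init:file { read write };
+neverallow { domain -init } init:file read;
"""
LATEST_POLICY = """\
allow untrusted_app app_data_file:file { read write execute };
allow system_server init:file read;
allow init kernel:security read;
allow domain self:dir search;
"""

if __name__ == "__main__":
    p_r = analyze_commit(SAMPLE_DIFF)
    positives, negatives = training_sets(p_r, benign_rules(LATEST_POLICY))
    print("vulnerable:", sorted(positives))
    print("benign:", sorted(negatives))
```

On the sample patch, the deleted `allow init kernel:security load_policy` survives as vulnerable because it was not re-added, the re-added `untrusted_app init:file read` drops out of the neverallow difference, and `system_server init:file read` is removed from both classes because the constructed policy still allows it.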

Page 24: VSPMiner Architecture - Feature Extraction

•  One-hot encoding for each field
  •  Not enough
  •  Lacks in-depth understanding
•  Weight information (hard to determine)
  •  From vulnerable rules
  •  From large-scale rules

Page 25: VSPMiner Architecture - Feature Extraction

•  From vulnerable rules
  •  Frequency information
    •  Count of each field: sbj_cnt, obj_cnt, obj_class_cnt, perm_cnt
    •  Count of combinations: obj_perm_cnt
  •  Normalization
    •  sbj_weight, obj_weight, obj_class_weight, perm_weight, obj_perm_weight

Page 26: VSPMiner Architecture - Feature Extraction

•  From large-scale rules
  •  Frequency information
    •  Count of each field in all distinct rules: sbj_cnt, obj_cnt, obj_class_cnt, perm_cnt
    •  Count of each rule in all images: rule_cnt
  •  Normalization
    •  sbj_freq, obj_freq, obj_class_freq, perm_freq, rule_freq

Page 27: VSPMiner Architecture - Model Training

•  Proposed algorithms
  •  Random Forest
  •  GBDT
  •  XGBOOST
  •  SVM
  •  Naive Bayes
  •  Logistic Regression
  •  KNN
•  Null values
  •  obj_perm_weight, rule_freq
  •  Replaced by the mean value
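The feature extraction of Pages 24 to 26 and the null-value handling of Page 27, as an added Python example (not VSPMiner's code). The slides name the counts and say they are normalized but not how; dividing by the number of vulnerable rules, distinct rules and images respectively is this example's assumption, as are the sample vulnerable rules and per-image rules, which are constructed and not the talk's data.

```python
from collections import Counter, defaultdict

FIELDS = ("sbj", "obj", "obj_class", "perm")


def vulnerable_weights(vulnerable_rules):
    """Page 25: frequency information from the known-vulnerable rules P_r.
    sbj_cnt/obj_cnt/obj_class_cnt/perm_cnt count each field value, obj_perm_cnt
    counts (obj, perm) combinations; each is normalized to a weight by dividing
    by |P_r| (the slides do not name the normalizer; this choice is assumed)."""
    n = len(vulnerable_rules)
    field_cnt = {f: Counter(r[i] for r in vulnerable_rules) for i, f in enumerate(FIELDS)}
    obj_perm_cnt = Counter((r[1], r[3]) for r in vulnerable_rules)
    return {"field": {f: {v: c / n for v, c in cnt.items()} for f, cnt in field_cnt.items()},
            "obj_perm": {k: c / n for k, c in obj_perm_cnt.items()}}


def large_scale_freqs(image_rules):
    """Page 26: frequency information from the acquired large-scale rules.
    image_rules is a list of (image_id, rule) pairs. Field counts are taken over
    all distinct rules, rule_cnt is the number of images containing the rule;
    they are normalized by #distinct rules and #images respectively (assumed)."""
    pairs = set(image_rules)                     # a rule counts once per image
    distinct = {rule for _, rule in pairs}
    images = {img for img, _ in pairs}
    field_cnt = {f: Counter(r[i] for r in distinct) for i, f in enumerate(FIELDS)}
    rule_cnt = Counter(rule for _, rule in pairs)
    return {"field": {f: {v: c / len(distinct) for v, c in cnt.items()} for f, cnt in field_cnt.items()},
            "rule": {r: c / len(images) for r, c in rule_cnt.items()}}


def feature_vector(rule, weights, freqs):
    """Weight and frequency features of one rule. A field value never seen in P_r
    gets weight 0.0; obj_perm_weight and rule_freq are None (null) when the
    combination or the whole rule is unknown, to be imputed afterwards (Page 27)."""
    feats = {}
    for i, f in enumerate(FIELDS):
        feats[f + "_weight"] = weights["field"][f].get(rule[i], 0.0)
        feats[f + "_freq"] = freqs["field"][f].get(rule[i], 0.0)
    feats["obj_perm_weight"] = weights["obj_perm"].get((rule[1], rule[3]))
    feats["rule_freq"] = freqs["rule"].get(rule)
    return feats


def impute_mean(rows):
    """Replace each None by the mean of the non-null values in its column."""
    columns = defaultdict(list)
    for row in rows:
        for key, value in row.items():
            if value is not None:
                columns[key].append(value)
    means = {k: sum(v) / len(v) for k, v in columns.items()}
    return [{k: (means.get(k, 0.0) if v is None else v) for k, v in row.items()} for row in rows]


def build_vocab(rules):
    """Per-field vocabulary for the one-hot encoding of Page 24."""
    return {f: sorted({r[i] for r in rules}) for i, f in enumerate(FIELDS)}


def one_hot(rule, vocab):
    """One-hot encode the four fields; an unseen value gives an all-zero field block."""
    return [1 if rule[i] == v else 0 for i, f in enumerate(FIELDS) for v in vocab[f]]


# Constructed sample data (not the talk's data set).
VULNERABLE = [
    ("init", "kernel", "security", "load_policy"),
    ("system_server", "system_data_file", "file", "execute"),
    ("untrusted_app", "system_data_file", "file", "execute"),
    ("shell", "system_data_file", "file", "execute"),
    ("untrusted_app", "init", "file", "read"),
]
IMAGE_RULES = [
    ("img-A", ("system_server", "system_data_file", "file", "execute")),
    ("img-A", ("untrusted_app", "app_data_file", "file", "read")),
    ("img-B", ("system_server", "system_data_file", "file", "execute")),
    ("img-B", ("init", "kernel", "security", "load_policy")),
    ("img-C", ("untrusted_app", "app_data_file", "file", "read")),
    ("img-C", ("untrusted_app", "app_data_file", "file", "write")),
]

if __name__ == "__main__":
    weights, freqs = vulnerable_weights(VULNERABLE), large_scale_freqs(IMAGE_RULES)
    rows = [feature_vector(r, weights, freqs) for _, r in IMAGE_RULES]
    for row in impute_mean(rows):
        print(row)
```

The two null cases the slide mentions show up directly: a testing rule whose (obj, perm) pair never occurred among the vulnerable rules has no obj_perm_weight, and a rule absent from every collected image has no rule_freq; both are filled with the column mean before training.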

Page 28: VSPMiner Architecture - Cross-Validation

•  Training set : Validation set = 8 : 2
•  Key criteria
  •  Recall
  •  F1-score
  •  AUC
  •  KS

Page 29: VSPMiner Architecture - Cross-Validation

Classifier           Recall  F1-score  AUC     KS
GBDT                 0.9927  0.9908    0.9994  0.9811
XGBOOST              0.9953  0.9939    0.9996  0.9876
Random Forest        0.9917  0.9908    0.9995  0.9812
KNN                  0.9386  0.9545    0.9905  0.9096
SVM                  0.8826  0.9098    0.971   0.819
Naive Bayes          0.7535  0.8535    0.9089  0.7421
Logistic Regression  0.8885  0.9112    0.9717  0.8233
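The four key criteria of Pages 28 and 29 (Recall, F1-score, AUC, KS) and the 8 : 2 split, computed from scratch in Python so the reader can see what the table's columns measure. This is an added example, not the talk's evaluation code; the validation labels and classifier scores are constructed and the resulting numbers are not the table's.

```python
import random


def split_8_2(items, seed=0):
    """Page 28: shuffle and split into training : validation = 8 : 2."""
    rows = list(items)
    random.Random(seed).shuffle(rows)
    cut = int(len(rows) * 0.8)
    return rows[:cut], rows[cut:]


def confusion(labels, scores, threshold=0.5):
    """(tp, fp, fn) when a score >= threshold is predicted 'vulnerable' (label 1)."""
    tp = sum(1 for y, s in zip(labels, scores) if y == 1 and s >= threshold)
    fp = sum(1 for y, s in zip(labels, scores) if y == 0 and s >= threshold)
    fn = sum(1 for y, s in zip(labels, scores) if y == 1 and s < threshold)
    return tp, fp, fn


def recall(labels, scores, threshold=0.5):
    """Share of truly vulnerable rules the model flags; listed first in the talk
    because a missed vulnerable rule ships in the vendor image."""
    tp, _, fn = confusion(labels, scores, threshold)
    return tp / (tp + fn)


def f1_score(labels, scores, threshold=0.5):
    """Harmonic mean of precision and recall at the threshold."""
    tp, fp, fn = confusion(labels, scores, threshold)
    precision, rec = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * rec / (precision + rec)


def auc(labels, scores):
    """Area under the ROC curve, computed as the probability that a random
    positive outscores a random negative (ties count one half)."""
    pos = [s for y, s in zip(labels, scores) if y == 1]
    neg = [s for y, s in zip(labels, scores) if y == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def ks_statistic(labels, scores):
    """Kolmogorov-Smirnov statistic: the largest gap |TPR - FPR| over all
    thresholds, i.e. how far apart the positive and negative score distributions are."""
    pos = [s for y, s in zip(labels, scores) if y == 1]
    neg = [s for y, s in zip(labels, scores) if y == 0]
    best = 0.0
    for t in sorted(set(scores)):
        tpr = sum(1 for s in pos if s >= t) / len(pos)
        fpr = sum(1 for s in neg if s >= t) / len(neg)
        best = max(best, abs(tpr - fpr))
    return best


def evaluate(labels, scores, threshold=0.5):
    """The four key criteria of Page 28 for one classifier's validation scores."""
    return {"recall": recall(labels, scores, threshold),
            "f1": f1_score(labels, scores, threshold),
            "auc": auc(labels, scores),
            "ks": ks_statistic(labels, scores)}


# Constructed validation labels (1 = vulnerable) and classifier scores; not the talk's numbers.
LABELS = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]
SCORES = [0.95, 0.90, 0.80, 0.60, 0.40, 0.70, 0.30, 0.20, 0.10, 0.05]

if __name__ == "__main__":
    train, val = split_8_2(list(zip(LABELS, SCORES)))
    print(len(train), "training rows,", len(val), "validation rows")
    print(evaluate(LABELS, SCORES))
```

Recall and F1 depend on the 0.5 decision threshold, while AUC and KS rank the scores and so describe the classifier independently of where the threshold is set; that is why the table reports both kinds.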

Page 31: VSPMiner Architecture - Large-scale Rules Acquisition

•  QianDun (钱盾) @ Alibaba Security
  •  Anonymous + user agreement
  •  Information: <Brand, model, version, sbj, obj, obj_class, perm>
•  File context
  •  Object <=> specific content

Page 32: VSPMiner Architecture - Data Source

[Pie chart: number of images per brand. Labels as extracted, in order: Google, Samsung, HTC, SONY, Huawei, Xiaomi, OPPO, VIVO, ZTE, Lenovo, Gionee, Meizu, Others. Values as extracted, in order: 46, 491, 215, 137, 141, 112, 93, 113, 86, 160, 57, 60, 361.]

•  The others contain: Coolpad, LG, DOOV, Smartisan, Meitu, OnePlus, TCL, Leeco, Nubia, Qiku
•  22 brands, 2072 different images
•  4870838 distinct rules

Page 33: VSPMiner Architecture - Data Filtering

•  Selecting critical rules
  •  Removing Google
  •  Using the critical field information
•  Filter out known vulnerable rules
  •  Using data in the training set
•  233235 testing rules
•  The rules that belong to known vulnerable rules will be investigated later.

Page 34: VSPMiner Architecture - Prediction

•  Models are used separately
  •  GBDT, XGBOOST, RF
•  Conservative approach
  •  A rule is reported only if it is predicted as vulnerable in all three models
•  132702 rules are predicted as vulnerable
•  2832 problem access patterns (object, permission) are revealed for the first time.

Page 35: Evaluation

Brand      # of vul rules  # of testing rules  Percent
COOLPAD    2919            10983               0.27
DOOV       1858            5785                0.32
GIONEE     3001            9472                0.32
HTC        13294           20523               0.65
HUAWEI     3223            11729               0.27
LEECO      8734            12607               0.69
LENOVO     3369            9196                0.37
LGE        2111            6297                0.34
MEITU      4032            12726               0.32
MEIZU      3855            9349                0.41
NUBIA      8924            12854               0.69
ONEPLUS    7640            10242               0.75
OPPO       11172           18093               0.62
QIKU       581             2009                0.29
SAMSUNG    123729          210249              0.59
SMARTISAN  277             717                 0.39
SONY       11073           17312               0.64
TCL        2367            6334                0.37
VIVO       2483            6949                0.36
XIAOMI     10491           16420               0.64
ZTE        2758            7311                0.38

Page 38: Evaluation

The distribution of problem access patterns

Permission        /data  /system  /dev  /mnt  /adb_keys  /sys  /cache  /charger  /efs  /sdcard  /proc
link              7622   378      186   307   274        22    27      9         22    10       1
unlink            6842   312      133   257   247        21    17      12        11    11       0
create            6403   288      125   204   230        20    12      16        4     8        0
append            5572   253      97    211   194        20    12      10        4     5        0
write             5322   236      272   227   171        38    22      20        8     11       23
read              4296   234      226   175   144        27    23      3         10    10       0
open              2132   199      123   61    43         25    6       3         0     7        0
execute           363    119      193   34    5          29    16      17        11    5        3
ioctl             495    50       101   24    5          21    5       2         0     3        0
execmod           359    73       178   29    6          27    6       6         8     3        4
execute_no_trans  169    94       170   7     3          16    9       10        9     4        4
lock              322    36       60    24    1          19    2       2         0     4        0
search            261    81       23    18    6          5     2       0         0     1        0

•  We use the information of the file context to do a transformation from object labels to paths
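The transformation this slide mentions, from object labels to the top-level directories of the table, as an added Python example (not VSPMiner's code). It reads entries in the format of an AOSP `file_contexts` file (path regex, optional file type, security context), maps each label to the literal first path segment of its regexes, and aggregates (object, permission) problem patterns per (directory, permission). The `file_contexts` excerpt and the problem patterns are constructed for the example and are not a real device's data.

```python
import re
from collections import Counter, defaultdict

# Constructed file_contexts excerpt in the AOSP file_contexts format
# (path regex, optional file type, security context); the entries are samples.
FILE_CONTEXTS = """\
# constructed sample, not a real device's file_contexts
/system(/.*)?        u:object_r:system_file:s0
/data(/.*)?          u:object_r:system_data_file:s0
/data/data(/.*)?     u:object_r:app_data_file:s0
/dev/ion             u:object_r:ion_device:s0
/adb_keys            u:object_r:adb_keys_file:s0
/sys(/.*)?           u:object_r:sysfs:s0
/cache(/.*)?         u:object_r:cache_file:s0
"""

CONTEXT_RE = re.compile(r"^(\S+)\s+(?:-\S\s+)?u:object_r:([^:\s]+):")


def label_to_dirs(file_contexts):
    """Security label -> top-level directories its path regexes start with
    (the label <=> concrete object mapping of Page 7)."""
    mapping = defaultdict(set)
    for line in file_contexts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CONTEXT_RE.match(line)
        if not m:
            continue
        path_regex, label = m.groups()
        top = re.match(r"^/([A-Za-z0-9_.-]+)", path_regex)  # literal first segment only
        if top:
            mapping[label].add("/" + top.group(1))
    return mapping


def distribution(problem_patterns, mapping):
    """Count problem (object, permission) patterns per (top-level dir, permission),
    the shape of the table on this slide. Objects with no file context (process,
    capability, ...) are returned separately as unmapped."""
    table, unmapped = Counter(), Counter()
    for obj, perm in problem_patterns:
        dirs = mapping.get(obj)
        if not dirs:
            unmapped[(obj, perm)] += 1
            continue
        for d in dirs:
            table[(d, perm)] += 1
    return table, unmapped


def pivot(table):
    """{permission: {dir: count}} for printing one row per permission."""
    rows = defaultdict(dict)
    for (d, perm), n in table.items():
        rows[perm][d] = n
    return rows


# Constructed problem access patterns (object, permission), echoing the slides' examples.
PROBLEM_PATTERNS = [
    ("system_data_file", "execute"), ("system_data_file", "execute"),
    ("system_file", "execute_no_trans"), ("app_data_file", "write"),
    ("ion_device", "execute"), ("adb_keys_file", "read"), ("init", "read"),
]

if __name__ == "__main__":
    table, unmapped = distribution(PROBLEM_PATTERNS, label_to_dirs(FILE_CONTEXTS))
    for perm, by_dir in sorted(pivot(table).items()):
        print(perm, dict(sorted(by_dir.items())))
    print("unmapped:", dict(unmapped))
```

Labels whose regexes start with a group rather than a literal segment (for example an alternation of two prefixes) are skipped by the first-segment match and would need to be assigned by hand, which is one reason the table's columns are coarse top-level directories rather than exact paths.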

Page 40: Evaluation

The distribution of problem access patterns (process)

Permission     Obj_class  Num
dyntransition  process    319
transition     process    308
getattr        process    107
ptrace         process    91
execstack      process    86
execheap       process    79
sigchld        process    79
sigkill        process    61
signal         process    59
setsched       process    55
setsockcreate  process    49
getsched       process    47
execmem        process    47
setfscreate    process    46
setexec        process    46
noatsecure     process    45
share          process    44
setcurrent     process    44
sigstop        process    37
signull        process    34
getpgid        process    32
setpgid        process    29
fork           process    24

Page 41-43: Evaluation

The distribution of problem access patterns (process), as on Page 40, compared with prior work:

•  EASEAndroid
  •  {transition, dyntransition} process
•  VSPMiner
  •  More patterns
•  Typical exploit patterns

Page 44-46: Evaluation

The distribution of problem access patterns (capability)

Permission        Obj_class   Num
dac_read_search   capability  13
sys_boot          capability  11
sys_tty_config    capability  10
dac_override      capability  10
ipc_lock          capability  10
setpcap           capability  9
sys_time          capability  9
sys_rawio         capability  9
sys_admin         capability  9
audit_write       capability  9
fsetid            capability  8
net_broadcast     capability  8
net_bind_service  capability  8
net_admin         capability  8
sys_module        capability  8
sys_chroot        capability  8
fowner            capability  7
chown             capability  7
sys_resource      capability  7
sys_ptrace        capability  7
sys_nice          capability  7
net_raw           capability  7
mknod             capability  7
kill              capability  6
setgid            capability  6
setuid            capability  6

•  EASEAndroid
  •  {kill, sys_admin, sys_ptrace, sys_chroot, setuid, setgid} capability
•  VSPMiner
  •  More patterns

Page 47: Evaluation

Examples of vulnerable access patterns (devices)

Subject        Object        Object_class  Permission
init           ion_device    process       dyntransition
logd           ion_device    chr_file      execute
logd           ion_device    chr_file      mounton
init           gpu_device    process       transition
shared_app     gpu_device    chr_file      execute
system_server  gpu_device    chr_file      execute
appdomain      input_device  chr_file      write
healthd        input_device  chr_file      write
untrusted_app  input_device  chr_file      write
appdomain      audio_device  chr_file      getattr
shell          audio_device  dir           search
untrusted_app  audio_device  dir           search

Page 52: Evaluation - Case study: Assist privilege escalation

•  allow system_server system_data_file:file execute
•  Such a rule is very helpful if we control system_server
  •  Exploiting CVE-2015-1528, CVE-2016-5195 or CVE-2016-6707
•  Otherwise, the exploit will be much more complex
  •  For example, we need to inject the exp into the memory of the system_server process.

Page 53: Evaluation

Object            File context   Permission        # of rules
system_file       /system(/.*)?  execute_no_trans  14
system_data_file  /data(/.*)?    execute           27

Examples:
•  allow untrusted_app system_file:file execute_no_trans;
•  allow shelldomain system_file:file execute_no_trans;
•  allow debuggerd system_file:file execute_no_trans;
•  allow shell system_data_file:file execute;
•  allow untrusted_app system_data_file:file execute;
•  allow system_server system_data_file:file execute;

Typical exploit patterns
•  obj: system_file, permission: execute_no_trans
•  obj: system_data_file, permission: execute

Page 54: Evaluation

•  The rule has been deleted in the AOSP
•  But it also exists in a newer vendor version

Brand      # of later rules
COOLPAD    287
DOOV       44
GIONEE     286
HTC        128
HUAWEI     34
LEECO      106
LENOVO     136
LGE        64
MEITU      416
MEIZU      11122
NUBIA      109
ONEPLUS    86
OPPO       87
QIKU       17
SAMSUNG    233
SMARTISAN  47
SONY       124
TCL        84
VIVO       91
XIAOMI     11130
ZTE        11086

Page 57: Evaluation - Case study: Assist privilege escalation

•  allow init kernel:security load_policy
  •  Deleted since Android 6.0
  •  But it also exists in the Samsung S7 with Android 6.x or later
•  After controlling init, we can load a new policy

Page 58: Summary

•  An in-depth analysis of the state-of-the-art SEAndroid policy refining techniques, revealing their limitations.
•  A new policy analysis tool, VSPMiner, to detect vulnerable SEAndroid policies in the wild by leveraging supervised machine learning.
•  The results of VSPMiner suggest it is promising.
•  As showcases, we demonstrate how to abuse vulnerable rules to assist privilege escalation.

Page 59: Thanks