AuDroid:PreventingAttacksonAudioChannels inMobileDevices · 2019-07-16 ·...
Transcript of AuDroid:PreventingAttacksonAudioChannels inMobileDevices · 2019-07-16 ·...
AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
31st Annual Computer Security Applications ConferenceDecember 10, 2015
Los Angeles, CA
Giuseppe [email protected]
Yuqiong [email protected]
Ahmad [email protected]
Trent [email protected]
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
¤ Communication Channels conveying Audio Signals
¤ Allow two parties (e.g., process and user) to communicate via audio signals (e.g., voice)
¤ 2 Endpoints (Microphone and Speaker) on Mobile Devices
¤ 3 Types¤ Type 1 – Device’s Speaker à Device’s Microphone¤ Type 2 – Device’s Speaker à External Party (e.g., user or other device)¤ Type 3 – External Party à Device’s Microphone
Audio Channels Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
¤ How Audio Channels can be Exploited¤ We discuss 2 of the 6 attacks analyzed (Demo)
¤ How we can Defend against Attacks on Audio Channels¤ Proposal of AuDroid extension to SELinux Reference Monitor
¤ Contributions:¤ Attack Prevention (6 attacks)¤ System Functionality (17 well-‐known apps)
¤ Performance Overhead¤ Unnoticeable for the User (Microphone and Speaker accessed in microseconds)
Overview Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Attack Scenarios
¤ 6 Attack Scenarios ¤ One Eavesdropping and one Confused Deputy attack
for each of the 3 Types of Audio Channels
UnsafeFlow
MaliciousProcess
Attack Scenario 1
BenignProcess
UnsafeFlowMalicious
Process
Attack Scenario 2
BenignProcess
Attack Scenario 3
BenignProcess
MaliciousProcess
Unsafe Flow
UnsafeFlow
MaliciousProcess
Attack Scenario 4
MaliciousUser
UnsafeFlow
Attack Scenario 5
MaliciousUser
BenignProcess
UnsafeFlow
Attack Scenario 6
Device Owner
MaliciousProcess
Audio Channel Type 1 Audio Channel Type 2 Audio Channel Type 3
Confused Deputy
Eavesdropping
[Diao et al. SPSM’14]
[Jang et al. CCS’14]
[Schlegel et al. NDSS’11][Keylogger] [Speak Out]
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Attack
¤ Two Internal parties
¤ Discussed in previous Research ¤ Credit: A11y Attacks: Exploiting Accessibility in OS [CCS 2014]
¤ Only Internal Parties (2 Processes)
¤ Keylogger¤ Enable Text-‐to-‐Speech (TTS) service¤ Record Security-‐Sensitive Info (Password)
¤ Attack Conditions:¤ TTS enabled in accessibility services¤ Speak Passwords option selected in Accessibility Services
¤ Malware runs as background service
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
¤ An External party involved
¤ Speak Out ¤ Collect Security-‐Sensitive Info ¤ Speak them out when Device Owner is away
(Phone Calls, Voice Messages, Memos)¤ Bypass Screen Lock
¤ Attack Conditions:¤ Malware runs as background service on Target
(Fake Voice Memo App)¤ Attacker controls Malware on Target Device through Internet (Speak Out App)
> DEMO (https://youtu.be/Sx-‐hZyFrgmM)
Attack Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Attack Systems and Internet Infrastructure Security
SourceTarget
Trojan
Used by Adversary to control Trojan
Goal: Steal Security-‐Sensitive data from target and speak them out when the device owner is not around (Avoid Data Transfer)
DEMO (https://youtu.be/Sx-‐hZyFrgmM)
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Attack Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
What can we do?
¤ Idea! ¤ Tape our microphone as we tape our cameras …
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Challenges
¤ Dynamic Creation of Audio Channels
¤ External Parties involved in the communication via Audio Channels¤ Identity and Intention Unknown
¤ Functional Requirements in contrast with Security Requirements
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Background
¤ Android Permission only regulate Microphone accesses (Package Manager)
¤ Every request from apps goes through the Media Server
¤ Nomechanism to securely manage information flows though audio channels
JNI
SDK API
Android Framework
Binder
Native Libraries HAL Native Daemons
Linux Kernel
Speaker Access
Microphone Access Market AppSystem App
Microphone Speaker
Media Server
Package Manager
System Services
Legend: App Layer Middleware Layer Native Libraries Layer Kernel Layer
Media Server
Microphone Speaker
Package ManagerKeyloggerSteals SpokenPasswords
Talk to Speech
P4$$w0rd
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Threat Model
¤ Two Sources of Threats¤ Internal to the Mobile Device
¤ Market Apps (Unknown Source)
¤ External to the Mobile Device
¤ Nearby Devices¤ Users≠ Device Owner
UnsafeFlow
MaliciousProcess
Attack Scenario 1
BenignProcess
UnsafeFlowMalicious
Process
Attack Scenario 2
BenignProcess
Attack Scenario 3
BenignProcess
MaliciousProcess
Unsafe Flow
UnsafeFlow
MaliciousProcess
Attack Scenario 4
MaliciousUser
UnsafeFlow
Attack Scenario 5
MaliciousUser
BenignProcess
UnsafeFlow
Attack Scenario 6
Device Owner
MaliciousProcess
Audio Channel Type 1
Audio Channel Type 2 Audio Channel Type 3
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Trust Model
¤ Linux kernel and Android OS booted securely (Verified Boot)
¤ System Services and System Apps run approved code (Shipped with OS)
¤ SELinux running in Enforcing Mode from boot time
¤ Market Apps might contain Native Code¤ SELinux Rules to prevent undesired accesses
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Channels Identification
Mobile Device
Media ServerP1
P2
Speaker
Micro-‐phone
Channel Type 1
Channel Type 2
ChannelType 3
Android Permission
EP3
EP4
Legend:Pn Internal PartyEPn External PartyPn Internal PartyLn Security Level
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Information Flow Control (Labeling)
Mobile Device
Media ServerP1
P2
Speaker
Micro-‐phone
L2
L1 L3
EP3
L4
EP4
Channel Type 1
Channel Type 2
ChannelType 3
Android Permission
Legend:Pn Internal PartyEPn External PartyPn Internal PartyLn Security Level
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Identification of Security Levels:¤ Static Labels for Internal Parties (Process)
¤ PID¤ Market App à Low Secrecy Low Integrity (LS,LI)
¤ Dynamic Labels for Channels
¤ Channels have two endpoints¤ The label of each endpoint depends on who controls that endpoint¤ An endpoint controlled by an internal party is labeled using that internal party’s
label¤ An endpoint controlled by an external party is labeled using that external party’s
label¤ How to determine the external party’s label?
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Identification of Security Levels:¤ External Parties
¤ Initial Label¤ Speaker – Low Secrecy, High Integrity¤ Microphone – High Secrecy, Low Integrity
¤ After Device Owner Authentication (e.g., Screen Lock Passcode)¤ High Secrecy, High Integrity
Systems and Internet Infrastructure Security
Mobile Device
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Information Flow Control (Enforcement)
Media ServerP1
P2
Speaker
Micro-‐phone
L2
L1 L3
EP3
L4
EP4
Channel Type 1
Channel Type 2
ChannelType 3
Legend:Pn Internal PartyEPn External PartyPn Internal PartyLn Security Level
AuDroid IFC
Media ServerP1
P2L2
L1
Android Permission
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Prevention of Unsafe Information Flows:
¤ No flow from High-‐Secrecy Party to Low-‐Secrecy Party (BLP)
¤ No flow from Low-‐Integrity Party to High-‐Integrity Party (Biba)
¤ No flow among Low-‐Secrecy Low-‐Integrity Party (Isolation of Market Apps)
Secrecy ViolationHS LS
Integrity ViolationLI HI
(HS,HI)
Integrity ViolationLI {C1} LI {C2}
Keylogger
Speak Out (Leak)
Speak Out (Eavesdrop)
Systems and Internet Infrastructure Security
Mobile Device
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Resolve Information Flow Errors (Resolution)
¤ Examples:¤ No Ring Tone on Incoming Call from System App¤ No Sound on Message Received form Market App
Media ServerP1
P2
Speaker
Micro-‐phone
L2
L1 L3
EP3
L4
EP4
Channel Type 1
Channel Type 2
ChannelType 3
Legend:Pn Internal PartyEPn External PartyPn Internal PartyLn Security Level
AuDroid IFC Resolvers
Android Permission
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Design
¤ Resolution of Unsafe Information Flows:¤ Two Mechanisms:
¤ Call Back (similar to ASM) to System Services or System App ¤ Resolver Example: Play only pre-‐approved Audio Files
¤ Device Owner Approval when a High-‐Secrecy High-‐Integrity External Party (e.g., Device Owner) involved in the communication
¤ Supported by Microphone Icon and Notification Light
Neither User or System Apps/Services can chance Policy under Enforcement
Systems and Internet Infrastructure Security
¤ Workflow:
Mobile Device
Media ServerP1
P2
Speaker
Micro-‐phone
L2
L1 L3
EP3
L4
EP4
Channel Type 1
Channel Type 2
ChannelType 3
AuDroid IFC Resolvers
Android Permission
1
2
3 4
5 6
67
Voice RecorderApp(LS,LI)
Google Voice Search(HS,HI)
Device Owner(HS,HI)
AuDroid Design
Legend:Pn Internal PartyEPn External PartyPn Internal PartyLn Security Level
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Implementation
¤ AuDroid Prototype¤ Android OS version 5.0.1_r1 from AOSP¤ Tested On Nexus 5¤ ~520 LOC C++¤ ~130 LOC C¤ ~120 LOC Java
https://github.com/gxp18/AuDroid
¤ 4 Audio Hooks in Audio System
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ Attack Prevention¤ 6 Attacks -‐ One for each Attack Scenario
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ Attack Prevention¤ Simple Isolation à No Simultaneous Access to Microphone and Speaker by 2
different processes
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ Attack Prevention¤ Previously Proposed Solutions à Partially solve subset of attacks
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ Attack Prevention¤ 6 Attacks -‐ One for each Attack Scenario
(LS,LI) ↛ (HS,HI) (LS,LI) ↛ (LS,HI) (HS,HI) ↚ (HS,LI)
(HS,HI) ↛ (LS,LI) (LS,LI) ↛ (LS,HI) (LS,LI) ↚ (HS,LI)
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ System Functionality¤ 7 System Apps and 10 Market Apps
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ System Functionality¤ Simple Isolation à No Interaction among Apps (e.g, Pandora and Voice Recorder)
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ System Functionality¤ AnDroid MLS à Breaks some Apps
(HS,HI) ↛ (LS,HI) Incoming calls and messagesPhone User ≠ Device Owner(LS,LI) ↛ (LS,HI) Music and Notifications
(LS,LI) ↛ (LS,HI) Notifications and (LS,LI) ↚ (HS,HI) Device Owner Speaking
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ System Functionality¤ User Approval
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ System Functionality¤ Resolver 1 = Play pre-‐approved Ring Tones and Notification Sounds for System Apps
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ System Functionality¤ Resolver 2 = Play pre-‐approved Sound Tracks, Ring Tones and Notification Sounds for
Market Apps
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ System Functionality¤ Combining Resolvers
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ Performance Overhead
¤ 1st Experiment¤ Avg. over 10,000 requests
Android OS AuDroid AuDroid + Notifications
Microphone 25.36 ± 2.01 𝜇𝑠 30.11 ± 1.99 𝜇𝑠 38.43 ±2.11 𝜇𝑠Speaker 20.35 ± 1.90 𝜇𝑠 24.47 ± 1.86 𝜇𝑠 24.47 ± 1.86 𝜇𝑠
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
AuDroid Evaluation
¤ Performance Overhead
¤ 2nd Experiment¤ 11 Well-‐known Apps:
¤ 3rd Experiment¤ Stress Test – Voice Recorder App
¤ 5 times for 1 Minute ¤ Access Microphone and Speaker as fast as possible
¤ No noticeable effect for user experience
Android OS AuDroid
591 ± 21.93 𝑠 591 ± 23.01 𝑠
Systems and Internet Infrastructure Security
ACSAC 2015 AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Summary and Conclusion
¤ 3 Types of Dynamically-‐Created Audio Channels ¤ Must Enforce Control over all 3 Types of Channels¤ Take into account External Parties
¤ AuDroid prevents 6 types of Attacks
¤ Tested AuDroid over 17 apps for Security and Functional Requirements¤ 3 Resolvers are sufficient for 12 apps
¤ Performance Overhead unnoticed by the User
Systems and Internet Infrastructure Security
Questions?
Thank You for your AttentionGiuseppe Petracca
[email protected]/~gxp18
https://github.com/gxp18/AuDroid