TaintART: A Practical Multi-level Information Flow Tracking System for Android RunTime
Mingshen Sun, Tao Wei, John C. S. Lui
Sudeep Nanjappa Jayakumar
Agenda
• Android Basics
• Introduction
• Contributions
• SDK Downloads – Google
• Background
• Environments
• Comparison – Android Dalvik & ART Environment
• System Design – TaintART
• Taint Tag Storage
• Taint Propagation Logic
• Implementation
• Case Study
• Macrobenchmarks and Microbenchmarks
• Comparison of instruction numbers for different types
• Limitations & Related Work
Android Basics
What is Android?
• Free, open source mobile platform
  o Source code at http://source.android.com
• Any handset manufacturer or hobbyist can customize it
• Any developer can use it
  o SDK at http://developer.android.com
Background
Android Overview:
• Android OS is based on the Linux kernel.
• Android has a middleware layer called the application framework, which is built on top of the native libraries and the app runtime.
• The application framework provides various APIs for app developers: activity management, content management, and the view system.
• Android apps are mainly written in Java, but to improve performance developers can embed C/C++ and use the Java Native Interface (JNI) to interact with the app and with framework APIs.
• Each app runs in an isolated environment. Apps can also communicate with other apps and services through a specific inter-process communication mechanism called the binder.
Introduction
• TaintDroid was designed for the legacy Dalvik environment to perform dynamic taint analysis of Android apps.
• It customizes the Android runtime (the Dalvik virtual machine) to implement taint storage and taint propagation.
• The latest Android versions no longer support TaintDroid because of compatibility and performance issues.
• TaintART – a dynamic multi-level information flow tracking system.
• Supports the latest Android runtime environments (ART).
• TaintART uses processor registers for taint storage, whereas TaintDroid needs at least two memory accesses (to read and write its shadow tags) per propagation.
• A multi-level taint analysis technique minimizes the taint tag storage.
• Multi-level privacy enforcement protects sensitive data from leakage.
Contributions
• Methodology:
  Efficiently track dynamic information flows on the Android mobile operating system under the ahead-of-time compilation strategy. The multi-level taint analysis is performed on the optimized, compiled code rather than on the original bytecode of the application.
• Implementation: TaintART is implemented on Android Marshmallow. TaintART can track multi-level information flows within a method, across methods, and in data transmitted between different apps.
Contributions (contd.)
• Performance:
  Macrobenchmarks, microbenchmarks and compatibility tests are performed on TaintART. Its overall performance is 2.5% and 99.7% faster compared to the Quick compiler backend of the ART runtime and to the Dalvik VM in Android 4.4, respectively.
  TaintART can analyze apps without compatibility issues.
• Application to privacy leakage analysis: privacy leakage issues have been examined in popular apps on Android 6.0.
SDK Downloads – Google
Environments
1. Dalvik Environment:
  – Dalvik adopts a virtual machine interpretation strategy at runtime.
  – The dexopt tool optimizes the original dex bytecode; at runtime, the Dalvik virtual machine interprets the bytecode and executes architecture-specific native code.
  – The Dalvik VM maintains an internal stack for local variables and arguments.
2. ART Environment:
  – First introduced as an experimental environment with Android 4.4.
  – Replaced Dalvik and was made the default environment (from Android 5.0).
  – ART adopts an ahead-of-time (AOT) compilation strategy instead of virtual machine interpretation.
  – The dex2oat tool directly compiles dex bytecode into native code during the app's installation and stores the result in an oat file.
  – The dex2oat compiler performs multiple optimization passes to achieve better performance.
Comparison – Android Dalvik & ART Environment
System Design – TaintART
• TaintART uses the dynamic taint analysis technique and tracks data by inserting tracking logic into the compiled code.
• TaintART employs a multi-level taint tag methodology to minimize taint storage, so that tags can be stored in processor registers for fast access.
• The ART compiler is customized while retaining the original ahead-of-time organization.
• TaintART's multi-level data tracking strategy is used for policy enforcement against data leakage.
• In dynamic taint analysis, sensitive data is identified at sensitive functions called taint sources, and a taint tag is attached to the sensitive data for tracking.
• When the data is copied or transformed to another place, its taint tag propagates to the new place.
System Design – TaintART
• The taint tag status of tracked data is kept in the taint tag storage.
• Tainted data is detected when it leaves the system at specified functions called taint sinks.
Taint Tag Storage
• Built on the Google Nexus 5 – a 32-bit ARM platform.
• 16 CPU registers, each 32 bits wide.
• Register R5 is reserved for taint storage.
• The register allocator of TaintART ensures that R5 is never assigned for other purposes such as variable storage.
• The first sixteen bits (bit 0 to bit 15) store the taint tags of the sixteen core registers (R0 to R15).
• The remaining sixteen bits store the taint tags of the floating point registers (S0 to S15).
Taint Propagation Logic
• TaintART introduces far fewer instructions for handling taint status changes than a memory-based scheme.
• Two registers are involved: R5 as the taint storage register and R12 for temporary use.
• Propagation involves 4 steps: clear the destination bit, mask the tainted (source) bit, shift the bits to the destination position, and merge the tainted bits.
• TaintART needs only three data processing instructions, without any memory access, to propagate a taint label.
• This keeps both the runtime cost and the performance impact of tracking low.
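The following C program is an added example (not TaintART's own code) that simulates the register-resident taint scheme described on the two slides above: a 32-bit shadow "R5" with one taint bit per core register R0–R15 in bits 0–15 and one per floating point register S0–S15 in bits 16–31, and the four-step propagation (clear destination bit, mask source bit, shift, merge) applied to a short constructed instruction sequence. The ARM mnemonics in the comments are this example's reading of how the four steps map onto instructions; the slides do not show the exact emitted sequence, and the register numbers and instruction trace are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout from the slides: 32-bit ARM, R5 reserved for taint, R12 as scratch. */
enum { NUM_CORE_REGS = 16, NUM_FP_REGS = 16, TAINT_REG = 5, SCRATCH_REG = 12 };

/* Bit position of a register's taint tag inside the shadow R5. */
static int core_bit(int r) { return r; }                  /* R0..R15 -> bits 0..15  */
static int fp_bit(int s)   { return NUM_CORE_REGS + s; }  /* S0..S15 -> bits 16..31 */

/* The register allocator must never hand out R5; R12 is clobbered by every
 * propagation sequence, so no live value may be kept there either. */
static int allocatable(int r) { return r != TAINT_REG && r != SCRATCH_REG; }

/* Steps 2 and 3 for one source register: isolate its taint bit in the scratch
 * register and move it to the destination's bit position.
 *   AND R12, R5, #(1<<from)      ; step 2: mask the tainted bit
 *   LSL/LSR R12, R12, #|to-from| ; step 3: shift into place
 */
static uint32_t shifted_bit(uint32_t tags, int from, int to)
{
    uint32_t r12 = tags & (1u << from);
    return (to >= from) ? r12 << (to - from) : r12 >> (from - to);
}

/* Taint rule for a data-processing instruction with up to two register
 * sources (e.g. ADD Rd, Rn, Rm). Pass -1 for an immediate operand, which
 * carries no taint. The masks read the pre-clear tags so that a source equal
 * to the destination (MOV Rd, Rd) keeps its tag.
 *   BIC R5, R5, #(1<<dst)        ; step 1: clear destination bit
 *   ORR R5, R5, R12              ; step 4: merge tainted bits (once per source)
 */
static uint32_t propagate(uint32_t r5, int dst, int src1, int src2)
{
    uint32_t out = r5 & ~(1u << dst);
    if (src1 >= 0) out |= shifted_bit(r5, src1, dst);
    if (src2 >= 0) out |= shifted_bit(r5, src2, dst);
    return out;
}

/* Taint source: label the register that just received sensitive data
 * (the role of addTaint() on the slides). */
static uint32_t add_taint(uint32_t r5, int bit) { return r5 | (1u << bit); }

/* Taint sink check: is the register feeding the sink tainted?
 * (the role of getTaint() on the slides). */
static int get_taint(uint32_t r5, int bit) { return (r5 >> bit) & 1u; }

/* Worked trace over a constructed instruction sequence; returns the final R5.
 * Expected final tags: R0, R3 and S2 tainted, i.e. bits 0, 3 and 18 -> 0x40009. */
static uint32_t trace_example(void)
{
    uint32_t r5 = 0;
    r5 = add_taint(r5, core_bit(1));                            /* R1 <- device ID (taint source) */
    r5 = propagate(r5, core_bit(3), core_bit(1), core_bit(2));  /* ADD  R3, R1, R2  -> R3 tainted  */
    r5 = propagate(r5, core_bit(0), core_bit(3), -1);           /* MOV  R0, R3      -> R0 tainted  */
    r5 = propagate(r5, fp_bit(2),   core_bit(0), -1);           /* VMOV S2, R0      -> S2 tainted  */
    r5 = propagate(r5, core_bit(1), -1, -1);                    /* MOV  R1, #0      -> R1 cleared  */
    r5 = propagate(r5, core_bit(4), core_bit(2), core_bit(6));  /* ADD  R4, R2, R6  -> untainted   */
    return r5;
}

int main(void)
{
    uint32_t r5 = trace_example();
    printf("R5 = 0x%08x\n", (unsigned)r5);
    for (int r = 0; r < NUM_CORE_REGS; r++)
        if (get_taint(r5, core_bit(r))) printf("R%d tainted\n", r);
    for (int s = 0; s < NUM_FP_REGS; s++)
        if (get_taint(r5, fp_bit(s))) printf("S%d tainted\n", s);
    /* A network-send sink taking its buffer from R0 would be flagged here. */
    printf("sink argument in R0 tainted: %d\n", get_taint(r5, core_bit(0)));
    return 0;
}
```

Every step in `propagate` is a register-only operation on the shadow R5, which is the point of the slide's "no memory access" claim: the only state touched is R5 and the scratch R12. On real ARM the shift can be folded into the ORR's shifted second operand, which is one way to reach the three data-processing instructions the slide mentions; that folding is this example's assumption, not something the slides state.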
Implementation
Taint sources and sinks:
• TaintART can also be used to enforce policy on sensitive data leakage.
• Four types of data from fifteen sources are tracked, categorized into device identity, sensor data, sensitive content and location data.
• Taint source logic is placed in the corresponding framework classes to track this data.
• For device identity, apps acquire telephony data by sending a request to the telephony manager; in return, the taint source logic attaches a tag to the binder parcel.
• Location data and sensitive content such as messages, contact lists and call logs are categorized in the third level. This level-three data is considered the most sensitive.
Taint sources and privacy leakage levels
Implementation
Taint Analysis Interface:
• Two basic interfaces are provided for taint analysis.
• addTaint() & getTaint() – used to update the taint tag of a specific local variable or object and to inspect the taint tag later.
• These two interfaces are implemented inside the runtime in order to achieve better performance.
Implementation & Deployment
• The prototype of TaintART is implemented on Android 6.0.1 Marshmallow for the Nexus 5.
• The ART compiler and ART runtime sources are customized to implement taint tag propagation.
• Binder-related sources in the Android framework are also customized.
• The authors provide customized binaries and libraries such as dex2oat, libart.so and libart-compiler.so.
• Since the code base of the ART environment is stable after Android 5.0, the implementation is generic for Android 5.0 and 6.0.
• Analysts can overwrite the customized binaries and libraries onto a target device with root privilege. There is no need to reinstall a customized system from scratch.
Case Study
Experimental Setup
– TaintDroid, which is based on Android 4.3, was downloaded and compiled.
– TaintART was run on Android 6.0.1; the apps used in the case study were downloaded from Google Play in May 2016.
Privacy Tracking
– Popular apps were tested and checked for potential privacy leakage.
– The authors manually interacted with each app under TaintDroid and under TaintART and recorded the privacy leakage reports.
Privacy Leakage Analysis
Case Study: Policy Enforcement
– Since TaintART supports the latest Android runtime, policy enforcement is easy to deploy.
– Users can pre-define multi-level policy rules.
– For each level, users can define different policies.
Macrobenchmarks
• TaintART is a general framework that can also be used by end users to protect their privacy.
• Several macrobenchmarks were performed to measure the overhead for normal usage of applications.
Microbenchmarks
Compiler Benchmarks
– With TaintART the compilation time increases from 336.076 milliseconds to 403.064 milliseconds, about 19.9% overhead.
– The figure (not reproduced here) illustrates the compilation time for 80 built-in apps.
Comparison of instruction numbers for different types
• The total number of instructions increases by about 21%.
• The increase is mainly in data processing instructions (Type II), including arithmetic instructions (ADD, SUB), logical instructions (ORR, AND) and move instructions (MOV, MVN).
• Outside that category, the TaintART compiler introduces only about 0.8% more instructions, since taint propagation is done with register-only operations.
• This means that TaintART can achieve better runtime performance than the VM-based TaintDroid, gaining from the AOT compilation strategy of the new ART environment.
Limitations
• TaintART tracks only explicit data flows; implicit leakage (e.g. through control dependencies) cannot be tracked.
• Sophisticated malware can detect the presence of TaintART, using anti-analysis techniques that fingerprint the host device, and hide its activities.
• For malware analysis, analysts need to manually trigger the behaviors to be observed.
Related Work
• Many systems dynamically monitor runtime information in different layers of the system; among them, DroidScope, BareCloud and CopperDroid introspect the Dalvik VM to capture dynamic information for reconstructing malware behaviors.
• Many systems use static analysis of disassembled code and try to precisely model runtime behavior, using program analysis techniques to resolve information flows; among them are AndroidLeaks and FlowDroid.
• There are also many systems that detect suspicious behaviors and prevent potential privacy leakage; among them, Aurasium and RetroSkeleton add enforcement policies and fine-grained mandatory access control on sensitive API invocations by rewriting and repackaging apps.
Thank you