a presentation of taintdroid & related topics
DESCRIPTION
A Presentation Of TaintDroid & Related Topics. Based on the OSDI’10 paper “ TaintDroid : An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones” Presented by Toby Tobkin for CAP6135 Spring 2013. Paper Information. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/1.jpg)
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
1
A Presentation OfTaintDroid & Related TopicsBased on the OSDI’10 paper “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”Presented by Toby Tobkinfor CAP6135 Spring 2013
![Page 2: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/2.jpg)
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
2
Paper InformationTaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones9th USENIX Symposium on Operating Systems Design and ImplementationAuthors:
William Enck The Pennsylvania State UniversityPeter Gilbert Duke UniversityByung-Gon Chun Intel LabsLandon P. Cox Duke UniversityJaeyeon Jung Intel LabsPatrick McDaniel The Pennsylvania State UniversityAnmol N. Sheth Intel Labs
![Page 3: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/3.jpg)
3
Presentation Overview• Introduction 15 slides• TaintDroid 5 slides• Experiment 5 slides• Concluding Remarks 4 slides
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
![Page 4: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/4.jpg)
4
IntroductionMotivation, Taint Analysis
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 5: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/5.jpg)
5
Motivation• Historical problem with
computer software: privacy violations Unwitting users
• Problem exacerbated by smartphones Almost ubiquitously store
private information Large array of sensors Monetization pressures to
detriment of user privacy Cited by paper: [12, 19,
35]
Android’s coarse-grained privacy control
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 6: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/6.jpg)
6
Motivation• Current privacy control
methods arguably inadequate
• Idea: Can’t change the current
system without repercussions
Instead, create a method to audit untrusted applications
• Execution: Must be able to detect
potential misuses of private information, and
be fast enough to be usable
Android’s coarse-grained privacy control
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 7: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/7.jpg)
7
Dynamic Taint Analysis• The mechanism by which TaintDroid operates• Basic idea: keep track of what some input does• Considered a type of data flow analysis• Done on concrete executions
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 8: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/8.jpg)
8
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
• Example sourced from CMU ECE Source
• Will show the basic approach of dynamic taint analysis
• Two concrete executions will be presented
• Goal: evaluate whether control can be hijacked by [malicious] user input
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 9: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/9.jpg)
9
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 10: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/10.jpg)
10
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 6 true
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 11: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/11.jpg)
11
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 6 truetwo 2 false
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 12: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/12.jpg)
12
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 6 truetwo 2 false
j 8 true
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 13: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/13.jpg)
13
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 6 truetwo 2 false
j 8 truel 8 true
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 14: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/14.jpg)
14
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 15: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/15.jpg)
15
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 7 true
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 16: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/16.jpg)
16
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 7 truetwo 2 false
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 17: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/17.jpg)
17
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 7 truetwo 2 falsek 4 false
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 18: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/18.jpg)
18
Dynamic Taint Analysisi = get_input();two = 2;if(i%2 == 0){j = i+two;l = j;
} else {k = two*two;l = k;
}jmp l;
Variable Value
Taint Status
i 7 truetwo 2 falsek 4 falsel 4 false
Intr
oduc
tion
| Ta
intD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 19: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/19.jpg)
19
TaintDroidTaintDroid Architecture
Intro
duct
ion
| Tai
ntD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 20: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/20.jpg)
20
TaintDroid Architecture
Source: TaintDroid Paper
Intro
duct
ion
| Tai
ntD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 21: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/21.jpg)
21
TaintDroid ArchitectureBinder IPC
Source: TaintDroid Paper
Intro
duct
ion
| Tai
ntD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 22: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/22.jpg)
22
TaintDroid ArchitectureDalvik VM Interpreter
Source: TaintDroid Paper
Intro
duct
ion
| Tai
ntD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 23: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/23.jpg)
23
TaintDroid ArchitectureAndroid Middleware
Source: TaintDroid Paper
Intro
duct
ion
| Tai
ntD
roid
| Ex
perim
ent |
Con
cludi
ng R
emar
ks
![Page 24: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/24.jpg)
24
ExperimentExperimental Setup, Experimental Results
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
![Page 25: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/25.jpg)
25
Experimental Setup• Sample set of popular Android applications: 1100
applications• 358 of 1100 required Internet permissions plus one
or more of the following data access permissions: location camera camera
• Of these 358, 30 applications randomly selected for examination
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
![Page 26: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/26.jpg)
26
Experimental Setup• Each application manually exercised and monitored
using TaintDroid• Results verified by comparing TaintDroid logs to
network packet capture• Also noted whether applications asked user consent
for information used
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
![Page 27: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/27.jpg)
27
Experimental ResultsObserved Behavior (# of apps)
Details
Phone Information to Content Servers (2)
2 apps sent out the phone number IMSI, and ICC-ID along with geo-coordinates to the app’s content server
Device ID to Content Servers (7)*
2 social, 1 shopping, 1 reference and 3 other apps transmitted the IMEI number to the app’s content server
Location to Advertisement Servers (15)
5 apps sent geo-coordinates to ad.qwapi.com, 5 apps to admob.com,2 apps to ads.mobclix.com (1 sent location both to admob.com andads.mobclix.com) and 4 apps sent locationyto data.flurry.com
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
![Page 28: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/28.jpg)
28
Experimental Results• TaintDroid produced no false positives on the
application set tested• 1/2 of applications shared location data with
advertising servers• ~1/3 expose device ID• Authors claim no perceived latency in using
interactive applications• TaintDroid shown to be qualitatively useful
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
cludi
ng R
emar
ks
![Page 29: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/29.jpg)
29
Concluding Remarks
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
clud
ing
Rem
arks
![Page 30: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/30.jpg)
30
Contributions• TaintDroid produced useful results for every
application tested• A useful privacy analysis tool was implemented
produced no false positives in experiments completed high performance in design also, released to public
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
clud
ing
Rem
arks
![Page 31: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/31.jpg)
31
Weaknesses• Mentioned by Enck et al.:
TaintDroid can be circumvented by implicit information flow
TaintDroid cannot tell if tainted information re-enters the phone after leaving
• Interactive application latency was reported anecdotally, but could have been measured more formally perhaps like this: “Project Butter”
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
clud
ing
Rem
arks
![Page 32: A Presentation Of TaintDroid & Related Topics](https://reader036.vdocuments.mx/reader036/viewer/2022062310/5681650d550346895dd7849a/html5/thumbnails/32.jpg)
32
Improvements• Mentioned on last slide: certain performance
metrics could have been reported more formally
Intro
duct
ion
| Tai
ntDr
oid
| Exp
erim
ent |
Con
clud
ing
Rem
arks