80 - enhancing stealthiness & efficiency of android trojans and defense possibilities (ensead)
Posted on 06-Apr-2018
TRANSCRIPT
8/3/2019 80 - Enhancing Stealthiness & Efficiency of Android Trojans and Defense Possibilities (EnSEAD)
Enhancing Stealthiness & Efficiency of Android Trojans and Defense Possibilities (EnSEAD)
Humayun Ali, Mohammad Ali, Zahid Anwar
(humayun.ali, 10msccsmali, zahid.anwar)@seecs.edu.pk
National University of Sciences and Technology (NUST),
Islamabad, Pakistan
Slide Map
About Speaker
Objective
Domain Background and Motivation
Enhancements
CONTACT ARCHIVER: Our Android Trojan
Discussing Defense and Future Work
About Speaker
Humayun Ali: BE Information and Communication Systems Engineering (2006-10)
MS Computer and Communication Security (2010-12)
About NUST: NUST was established as an engineering university in 1991.
It has since expanded its scope to basic, medical, management and social sciences.
It was originally based on the concept of multiple campuses in different cities.
Now all the campuses have been consolidated into a single campus in Islamabad.
Objective
To enhance:
1) Stealth capabilities of Android Trojans: stealthiness in communication
2) Efficiency: compressing the data to be transferred
3) And to discuss a defense architecture (future work): how to block our attacks/enhancements
Domain Background and Motivation
Soundcomber: a cutting-edge Android Trojan with few and innocuous permissions that can extract a small amount of targeted private information from the audio sensor of the phone (profiling and then frequency analysis).
It performs efficient, stealthy local extraction, thereby greatly reducing the communication cost for delivering stolen data.
Soundcomber automatically infers the destination phone number by analyzing audio.
It circumvents known security defenses, and conveys information remotely without direct network access.
Ref: Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. 18th Annual Network & Distributed System Security Symposium (NDSS '11), pp. 17-33, San Diego, CA, February 6-9, 2011.
How?
Purpose is to develop a Trojan to steal sensitive information (credit card numbers, PINs, contact numbers, messages etc.) from an Android phone and transmit it to a remote malicious master server.
Two major steps involved:
Collect/grab the target sensitive information.
Transmit this information to the malicious master server.
Possible Ways
Plan A: Only one app on the Android phone
An app:
Grabs information.
Transmits it outside the phone to the attacker.
Plan B: Two apps on the Android phone
App 1:
Grabs the target information.
Sends this info to App 2, detectably, through any legitimate method, e.g. IPC or common files.
App 2, any other general app like a browser:
Transmits this information over the internet.
Problems: Plan A
The user can see the permissions asked for by the app.
The user can reject/delete such an application (one asking permission for both microphone and internet).
In recent proposals, a reference monitor could deny installation of apps asking for both mic/contacts access and other dangerous permissions.
Ref: W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In CCS '09: Proceedings of the 16th ACM Conference on Computer and Communications Security.
Show on AVD
Problems: Plan B
Java-written apps are compiled into byte-code.
Each application executes in a separate Dalvik virtual machine interpreter instance running as a unique user identity.
From the underlying Linux system's perspective, apps are seemingly isolated (a kind of sandboxing).
Still, apps depend on the kernel, and IPC between apps is regulated by many recent proposals:
SAINT at ACSAC '09
TaintDroid at OSDI '10
Ref:
1. Independent Security Evaluators, Exploiting Android, http://securityevaluators.com/content/case-studies/android/index.jsp
2. M. Ongtang, S. E. McLaughlin, W. Enck, and P. D. McDaniel. Semantically rich application-centric security in Android. In ACSAC, pages 340-349. IEEE Computer Society, 2009.
3. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), Vancouver, October 2010.
Then how did Soundcomber do it?
Soundcomber uses Plan B, or rather a modified Plan B: a special architecture.
Ref: "Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones", In Proceedings of the 18th Annual Network & Distributed System Security Symposium (NDSS '11).
Nature of Covert Channels (used by Soundcomber)
1. Vibration Settings
2. Volume Settings
3. Screen Brightness Settings
4. File Locks
Defense Against Soundcomber
Good defense, but only good for Soundcomber:
1: The Reference Monitor checks the number to which a call is made and decides whether it is a sensitive number or not.
2: If the dialed number is sensitive, then the Reference Monitor notifies the controller about that.
3: The controller communicates with the AudioFlinger service, which stops giving voice from the microphone and sends silence to any application that asks for it.
ENHANCEMENTS AND DEVELOPMENT OF A TROJAN
Our Work
Enhancements
Enhancing:
Stealthiness in communication by identifying a new covert channel.
Efficiency by employing compression:
Taking the whole number and converting it to bits.
Hybrid compression technique (future work).
Enhancements contd.
Covert Channel:
Uses file permissions to transmit bits.
The owner app can change the permissions of a file as many times as it likes.
The user doesn't know.
The kernel knows but doesn't care.
[Embedded animation: CovertChannelAnimation.swf]
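As an added illustration (not the authors' CONTACT ARCHIVER code), the following Python simulates the file-permission channel on a POSIX filesystem: the sender owns a set of files and toggles one mode bit per file per frame with chmod; the receiver never opens the files, it only calls stat(), which succeeds for any user that can traverse the directory. Both ends run in one process here, so the frame synchronisation a real sender/receiver pair would need is not modelled; the chosen flag bit (other-read), the file layout, the frame size and the sample payload are assumptions.

```python
import os
import stat
import tempfile

# Added example: simulation of a file-permission covert channel on a POSIX
# filesystem. Not the authors' CONTACT ARCHIVER code. Flag bit, file layout
# and payload are assumptions chosen for illustration.

BIT_FLAG = stat.S_IROTH      # "readable by others" bit carries one bit: set = 1, clear = 0
BASE_MODE = 0o600            # owner-only mode the files rest in between frames


def make_channel(directory, n_files):
    """Sender side: create n_files empty files whose mode bits will carry data."""
    paths = []
    for i in range(n_files):
        p = os.path.join(directory, f"slot{i}")
        with open(p, "w"):
            pass                      # contents are never read; only the mode matters
        os.chmod(p, BASE_MODE)
        paths.append(p)
    return paths


def to_bits(data):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    """Inverse of to_bits; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def send_frame(paths, bits):
    """One chmod per file; each file carries one bit, so a frame carries len(paths) bits."""
    for p, bit in zip(paths, bits):
        os.chmod(p, BASE_MODE | (BIT_FLAG if bit else 0))


def recv_frame(paths):
    """Receiver side: no read access to the files is needed, only stat()."""
    return [1 if os.stat(p).st_mode & BIT_FLAG else 0 for p in paths]


def transmit(paths, payload):
    """Push payload through the channel frame by frame; returns (received bytes, frames used)."""
    bits = to_bits(payload)
    n = len(paths)
    bits += [0] * (-len(bits) % n)          # pad the final frame
    received = []
    for i in range(0, len(bits), n):
        send_frame(paths, bits[i:i + n])
        received.extend(recv_frame(paths))  # in a real deployment this runs in the other app
    return from_bits(received[:len(payload) * 8]), len(bits) // n


def demo(payload=b"300123456", n_files=10):
    """Constructed 9-digit contact number sent over an n_files-file channel."""
    with tempfile.TemporaryDirectory() as d:
        return transmit(make_channel(d, n_files), payload)


if __name__ == "__main__":
    for n in (10, 20, 30):
        data, frames = demo(n_files=n)
        print(n, "files:", data, "in", frames, "frames")
```

More files means more bits per frame and fewer frames per payload, which is the mechanism behind the bandwidth growth with the number of files reported in the evaluation. The receiver's only requirement is stat() access to the sender's files, which is why the kernel "knows but doesn't care": nothing crosses the normal IPC paths that SAINT- or TaintDroid-style monitors inspect.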
Enhancements contd.
Efficiency: 4 bits per digit used:
As 0 to 9 are 10 digits and 2^4 = 16 possibilities.
So Credit Card No.: 16 digits = 16*4 = 64 bits per number
And Contact No.: 9 digits = 9*4 = 36 bits per number.
So efficiency can be achieved using famous compression techniques:
Shannon-Fano Coding
Huffman Encoding
Arithmetic Coding
AEP (Asymptotic Equipartition Property)
LZ77, LZ78, LZW, QuickLZ
Our own customized techniques
But all of them failed. Why? Non-availability of a probability distribution; Shannon limit.
Enhancements contd.
Still we managed to compress: 16*4 = 64 bits
But 2^54 = 18014398509481984, which is greater than every 16-digit number.
So we managed to bring 64 bits down to 54 bits = 10 bits of compression per credit card number.
In case of contacts:
9*4 = 36 bits
But 2^30 = 1073741824, which is greater than every 9-digit number.
So compression of 6 bits per contact number.
Or our own hybrid technique (future work). Explanation if required.
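The fixed-width packing argued on the last two slides, carried through in Python as an added example (not the authors' code): 4-bit BCD costs 4n bits for an n-digit number, while treating the whole number as one integer needs only the bit length of 10^n - 1, which is 54 for 16 digits and 30 for 9 digits. The helper names and the sample numbers are constructed; it also computes the entropy bound the slide calls the Shannon limit, to show why the listed entropy coders could not do better without a skewed digit distribution.

```python
import math

# Added example: fixed-width integer packing of decimal numbers versus 4-bit
# BCD, as on the slides. Not the authors' code; sample numbers are constructed.


def bcd_bits(n_digits):
    """4 bits per digit (0-9 fits in 2**4 = 16 combinations)."""
    return 4 * n_digits


def min_bits(n_digits):
    """Smallest w with 2**w > 10**n_digits - 1: the bit length of the largest n-digit value."""
    return (10 ** n_digits - 1).bit_length()


def saving_per_number(n_digits):
    """Bits saved per number by packing as an integer instead of BCD."""
    return bcd_bits(n_digits) - min_bits(n_digits)


def shannon_bound_bits(n_digits):
    """Entropy of n independent uniform digits: n * log2(10).
    Fixed-width packing lands within one bit of this, so Huffman/arithmetic
    coding cannot beat it unless the digit distribution is known to be skewed."""
    return n_digits * math.log2(10)


def pack_numbers(numbers, n_digits):
    """Concatenate each n-digit string as a min_bits(n_digits)-wide integer field.
    Returns (blob, total_bits)."""
    w = min_bits(n_digits)
    acc = 0
    for s in numbers:
        if len(s) != n_digits or not s.isdigit():
            raise ValueError(f"expected {n_digits} decimal digits, got {s!r}")
        acc = (acc << w) | int(s)       # leading zeros survive because the width is fixed
    total = w * len(numbers)
    return acc.to_bytes((total + 7) // 8, "big"), total


def unpack_numbers(blob, n_digits, count):
    """Inverse of pack_numbers for a known count of n-digit numbers."""
    w = min_bits(n_digits)
    acc = int.from_bytes(blob, "big")
    mask = (1 << w) - 1
    out = []
    for _ in range(count):
        out.append(str(acc & mask).zfill(n_digits))   # restore leading zeros
        acc >>= w
    return out[::-1]


# Constructed samples: three 9-digit contact numbers and one 16-digit card-like number.
CONTACTS = ["300123456", "051987654", "333000111"]
CARD = ["4111111111111111"]

if __name__ == "__main__":
    for n in (16, 9):
        print(f"{n} digits: BCD {bcd_bits(n)} bits, packed {min_bits(n)} bits, "
              f"entropy bound {shannon_bound_bits(n):.2f} bits, saving {saving_per_number(n)}")
    blob, bits = pack_numbers(CONTACTS, 9)
    print(len(CONTACTS), "contacts ->", bits, "bits,", unpack_numbers(blob, 9, len(CONTACTS)))
```

The 16-digit case also checks the slide's arithmetic: 2^54 exceeds 9999999999999999 while 2^53 = 9007199254740992 does not, so 54 bits is the narrowest fixed width, and 100 contacts at 6 bits each gives the 600-bit saving plotted in the evaluation.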
CONTACT ARCHIVER
An Android Trojan that uses:
Architecture from Soundcomber: 2 apps, few permissions
Enhancements from us
Apparently:
It asks the user to save their contacts and back them up when required.
Actually:
Harvests contacts and transmits them outside
To use for spam messaging
Evaluation and Results

COMPARISON OF SOUNDCOMBER AND CONTACT ARCHIVER COVERT CHANNELS IN TERMS OF BANDWIDTH
Trojan: Soundcomber | Contact Archiver
Channel with highest bandwidth: File Locking Channel | File Permissions Channel
Bandwidth: 685 bps | 692.5 bps

CHANGE IN BANDWIDTH OF COVERT CHANNEL BY INCREASING NUMBER OF FILES INVOLVED IN COMMUNICATION
No. of files: 10 | 20 | 30
Bandwidth: 692.5 bps | 1250 bps | 1807.5 bps

COMPRESSION ACHIEVED AS NUMBER OF CONTACTS INCREASES (chart)
Number of contacts: 7 | 10 | 30 | 50 | 100
No. of bits of compression: 42 | 60 | 180 | 300 | 600
Discussing Defense & Future Work
The defense proposed by the Soundcomber team only stops Soundcomber:
We discuss how to fail our Trojan.
To block the covert channel:
Only the owner can delete its file; no other app can do so.
A generic, open, robust tainting utility:
Able to taint known and unknown covert channels in malicious communications.
Hybrid compression technique to increase the efficiency of Android Trojans.
Thank you