Scippa: System-Centric IPC Provenance on Android
Michael Backes, Sven Bugiel, Sebastian Gerling, Saarland University, Germany
Presenter: Qi Wang
2014 Annual Computer Security Applications Conference
Android application separation
• One Linux User ID per App
• File system access control via UID
• Permissions bound to App UID
Android app components
• Activities – A single screen with a user interface.
• Services – A component that runs in the background to perform long-running operations.
• Broadcast Receivers – A component that responds to system-wide broadcast announcements.
• Content Providers – Manage a shared set of app data. Through the content provider, other apps can query or even modify the data.
Inter-app communication on Android
[Figure: a Settings Widget sends the message "Turn off Wi-Fi" to the Settings App, which turns Wi-Fi off; the same path serves Bluetooth, GPS, ...]
Inter-process communication on Android
[Figure: a UI Component in the app with UID A sends the Wi-Fi message to a Receiver Component in the app with UID B.]
Inter-process communication on Android
[Figure: the UI Component (UID A) sends the Wi-Fi message across a process boundary to a Receiver Component in the system process (UID S), which forwards it across a second process boundary to the Receiver Component in the app with UID B.]
IPC mechanism must provide message provenance information.
Binder
• A lightweight IPC mechanism on Android.
• The primary channel for inter-app communication.
Binder transaction protocol
• Binder IPC provides receiver process with UID/PID of sender process.
[Figure: App Process A (Sender), Binder Kernel Module, App Process S (Receiver)]
1. A to kernel: transaction = {recv, payload_A}
2. Kernel to S: transaction = {payload_A, UID=A}
If two-way transaction:
3. S to kernel: reply = {payload_S}
4. Kernel to A: reply = {payload_S}
Losing provenance information
• Cause 1: Message dispatching between threads
[Figure: App Process A (Sender), Binder Kernel Module, App Process B (Receiver) with an IPC Thread and a Main Thread]
1. trans (A to kernel)
2. trans = {P, UID=A} (kernel to B's IPC Thread; calling UID = A)
Dispatch payload P from the IPC Thread to the Main Thread: calling UID = (no longer available)
Losing provenance information
• Cause 2: Indirect communication
[Figure: Intent sender A sends the Intent to the ActivityManagerService (system process S) in a first Binder transaction; the ActivityManagerService delivers the Intent to the Intent receiver B in a second Binder transaction.]
Attacks
• Confused deputy attack – A malicious app with an insufficient set of permissions for its malign purpose tricks a privileged app into executing its privileges on behalf of the malicious app.
• Intent hijacking – A malicious app can intercept an implicit Intent simply by declaring an Intent filter with all of the actions, data, and categories listed in the Intent.
• Intent spoofing – A malicious app can launch an Intent spoofing attack by sending an Intent to an exported component that is not expecting Intents from that application.
IPC provenance requirements
• Availability of provenance information
• Building system-centric IPC call-chains
• Returning call-chains to senders
• Tagging asynchronous messages – Sticky Broadcast Intents are kept in the system and are delivered even to recipients that register after the broadcast was sent.
Scippa
• System-centric approach to remedy the situation
• Extend Binder kernel module and Android’s message handlers
• Build call-chains across multiple app processes
• Provide call-chains to all application components
• Return call-chains to senders
Scippa: idea
[Figure: App Process A (Sender), Binder Kernel Module, System Process S, App Process B (Receiver) with an IPC Thread and a Main Thread]
1st transaction:
1. trans A-S
2. trans A-S, UID=[A]
2nd transaction:
3. trans S-B
4. trans S-B = {P, UID=[A,S]}
Dispatch P together with UID=[A,S] from the IPC Thread to the Main Thread: calling UID = [A,S]
Linking nested transactions
[Figure: IPC transaction stack. App A sends Trans#1 to App B (UID=[A]); while executing Trans#1, App B sends Trans#2 to App C (UID=[A,B]); while executing Trans#2, App C sends Trans#3 to App D (UID=[A,B,C]). Each app's stack records the incoming transaction it is currently executing, so outgoing transactions are linked to it.]
Extend the transaction data structure to hold the call-chain.
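A small model of the call-chain linking shown on slides 14 and 15 (added here as an example; it is not the paper's kernel code). `BinderKernel`, `Process`, `indirect_delivery` and the UIDs are constructed; the per-thread stack plays the role of Scippa's IPC transaction stack, and `link_chains=False` reproduces stock Binder, where the receiver only learns its direct sender.

```python
class BinderKernel:
    """Stand-in for the Binder kernel module (constructed, not the paper's code).
    link_chains=False models stock Binder: a transaction carries only the direct
    sender's UID. link_chains=True models Scippa: the chain of the transaction
    the sending thread is currently executing is prepended (per-thread stack)."""
    def __init__(self, link_chains=True):
        self.link_chains = link_chains
        self.stack = {}  # thread id -> call-chains of transactions being handled

    def transact(self, sender_uid, sender_tid, receiver, payload):
        prefix = self.get_calling_uids(sender_tid) if self.link_chains else ()
        return receiver.handle(self, prefix + (sender_uid,), payload)

    def get_calling_uids(self, tid):
        # Analogue of Scippa's getCallingUids(): chain on top of tid's stack
        nested = self.stack.get(tid)
        return nested[-1] if nested else ()

class Process:
    def __init__(self, uid, name, on_receive=None):
        self.uid, self.tid, self.on_receive = uid, name + "-ipc-thread", on_receive

    def handle(self, kernel, chain, payload):
        # Keep the incoming chain on the stack while its handler runs, so any
        # outgoing transaction issued from the handler is linked to it.
        kernel.stack.setdefault(self.tid, []).append(chain)
        try:
            return self.on_receive(kernel, self, payload)
        finally:
            kernel.stack[self.tid].pop()

def indirect_delivery(link_chains=True):
    """A sends an Intent to system process S, which delivers it to B in a second
    transaction (slide 10). Returns the calling UIDs observed by S and by B."""
    seen = {}
    def b_recv(kernel, me, payload):
        seen["B"] = kernel.get_calling_uids(me.tid)
        return "ok"
    def s_recv(kernel, me, payload):
        seen["S"] = kernel.get_calling_uids(me.tid)
        return kernel.transact(me.uid, me.tid, b, payload)  # second transaction
    a = Process(10044, "A")          # sender app (constructed UIDs)
    s = Process(1000, "S", s_recv)   # system server, e.g. ActivityManagerService
    b = Process(10046, "B", b_recv)  # receiver app
    BinderKernel(link_chains).transact(a.uid, a.tid, s, "deliver intent")
    return seen

if __name__ == "__main__":
    print(indirect_delivery(False), indirect_delivery(True))
```

With stock Binder, B only sees the system server's UID 1000; with chains linked, B sees [10044, 1000], i.e. the originating app and the deputy.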
Linking one-way transactions
[Figure: app execution states while linking one-way transactions. Waiting for IPC → Incoming Trans#1 → Executing incoming trans#1: store the call-chain from Trans#1; Outgoing Trans#1 forwards the call-chain from Trans#1 → Waiting for IPC → Incoming Trans#2 → Executing incoming trans#2: store the call-chain from Trans#2; Outgoing Trans#2 forwards the call-chain from Trans#2 → Waiting for IPC.]
Further techniques
• Intra-app call-chain propagation – Extended Message and Handler classes and Thread life-cycle functions of the application runtime environment
• Tagging PendingIntents and sticky Broadcast Intents – Extending the Intent class and the Broadcast subsystem: restore the IPC context from the Intent object before sending
• Accessing call-chains from user-space – New API functions: getCallingUids / getCallingPids
• Returning call-chains to sender – Extended Binder protocol with BR_CALLCHAIN to return finished chain branches
Transaction microbenchmark
• Measure 52777 Binder transactions – Weighted average overhead: 2.23%
[Figure: message payload (KB, in 512 B bins) on the x-axis from 0 to 40 KB; payload frequency (log scale, 1 to 100,000) and performance overhead (0.00% to 2.50%) on the y-axes.]
User space benchmark
• Measure the overhead from the app layer perspective
[Figure: two user-space benchmark plots; measured overhead of 3.70-25.33% and 12.70-26.73% respectively.]
Call-chain statistics
| General | Branching | Dispatching |
|---|---|---|
| #Call-chains: 54,670 | #Chains with branches: 54,670 (100%) | #Chains with dispatching: 3,237 (5.91%) |
| Chain length: 1.56 ± 0.01 | #Branches (total): 141,330 | #Dispatches (total): 24,966 |
| Max length: 13 | #Branches (per chain): 2.59 ± 0.08 | #Dispatches (per chain): 7.71 ± 1.92 |
IPC provenance evaluation
[Figure: recorded call-chains for a Parallel Broadcast and an Ordered Broadcast, with nodes labelled UID:PID:TID (e.g. 1000:403:777 for a System Server thread). Each chain runs from the Main Thread of the Sender App through a System Server thread to the IPC Thread and Main Thread of the Receiver App; edges are marked as Binder IPC or Message Dispatch.]
Discussion
• What’s the contribution of this paper?
• What’s the limitation of Scippa?
• Could the feedback mechanism in Scippa violate privacy?
• Call sender & receiver vs. call chain?
• What other data can be collected to provide more sufficient IPC provenance information?
• How could data provenance be used in Android or other areas?