15-PL-Security

Security and Programming Language
Work on SmartPhones
Karthik Dantu and Steve Ko
CHEX: Motivation
• Wide-spread app development leads to large variance in app quality and security vulnerabilities
• One example of vulnerability is the component hijacking vulnerability in Android
• Many applications implement access control improperly on external requests, or accidentally leak private data or privileges
• Need a scalable vulnerability filtering system for app markets
Component Hijacking Attacks
• An unauthorized app, issuing requests to one or more public components in a vulnerable app, seeks to:
  • READ sensitive data
  • WRITE to a critical region
  • Perform a combination of the two
Challenges
• Reliably discovering all types of entry points (or event handlers) in their completeness
• Soundly modeling the asynchronous invocations of entry points for analysis
• Assessing the collective side-effects of individual data flows and identifying converged flows of interest
• Tracking data flows across splits and components
• Analyzing framework code is hard: just model it with respect to data flow
Entry-point Discovery
Handling Split Flows
• Sources
  • SensSrc
  • InputSrc
• Sinks
  • PublicSink
  • SpecifiedSink
  • CriticalSink
SDS and PDS
• SDS: split data-flow summary; PDS: permutation data-flow summary
• PDS generated by two simple operations – link and unlink an SDS
• Data-flow edges
  • Heap variables sharing the same location-key tuple
  • Framework API pairs that transit data among splits
    • Tag_TransSink, Tag_TransSrc
• Depth-first search for pruning
Implementation
• Dalysis: APK → IR
  • DexLib: programmatically read embedded data
  • WALA: static analysis framework for Java (used for IR)
• Chose 180 sources and sinks that match tags defined by policies 1-3
• Create Data Dependence Graphs for PDS analysis
Selective Instrumentation Framework
• Performance analysis as well as security motivate the need for app instrumentation
• Selective instrumentation useful for performance
  • Permit path inspection between specified codepoints
  • Accurately estimate the instrumentation overhead
• Three main mechanisms
  • Source code instrumentation
  • Runtime instrumentation
  • Binary instrumentation
App Instrumentation in Mobile Space
• Instrumentation to analyze the critical path, e.g., AppInsight
• Enable fine-grained permission checking
• Sensor auditing for security reasons, e.g., CHEX
SIF
• Inputs
  • App binary
  • SIFScript
  • Workload description
• Instrumenter
• Overhead Estimator
• Log output
SIFScript: Codepoint Set
• Codepoint Set: encapsulates a set of instructions that share one or more attributes
  • setMethod
  • setByteCode
  • setPermissions
  • setLoops
• Instrumenter.place: Before, After, At, PlaceLoops()
SIFScript: Path Set
• Path Set: encapsulates a set of dynamically traversed paths that satisfy a user-specified constraint
• Path: collection of paths traversed by the app when it is executed
  • Contains: all intra-procedural paths that contain at least one of the specified codepoints
  • Sequence: all paths that contain all specified codepoints
  • Report: stack trace
SIF Design: Control Flow Analysis
• Incorporates Efficient Path Profiling (Ball and Larus)
• Assign weights to edges on a CFG such that each unique traversal returns a unique sum along its edges, thereby identifying the unique execution path
• Single counter per method sufficient for instrumentation
• Key idea: instrument path segments
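Added example (not code from the slides or from SIF itself) showing the Ball-Larus edge weighting the Control Flow Analysis and Path Set slides rely on: one counter per method, an increment on each CFG edge, a unique sum per path, and offline decoding of that sum back to the path so a Sequence constraint can be checked. The CFG is a constructed acyclic intra-procedural graph; node names and function names are assumptions.

```python
def ball_larus(cfg, entry):
    """Return (num_paths, inc): inc[(v, w)] is the amount the method's single
    counter is incremented when edge v->w executes. Every entry-to-exit path
    then ends with a distinct counter value in [0, num_paths)."""
    order, seen = [], set()

    def post_order(v):  # post-order of a DAG = reverse topological order
        seen.add(v)
        for w in cfg.get(v, ()):
            if w not in seen:
                post_order(w)
        order.append(v)

    post_order(entry)
    num_paths, inc = {}, {}
    for v in order:  # all successors of v are processed before v
        succs = cfg.get(v, ())
        if not succs:
            num_paths[v] = 1  # exit block: exactly one path suffix
            continue
        total = 0
        for w in succs:
            inc[(v, w)] = total  # paths reachable via earlier successors
            total += num_paths[w]
        num_paths[v] = total
    return num_paths[entry], inc


def path_id(inc, path):
    """Counter value the instrumented method reports for this path."""
    return sum(inc[(a, b)] for a, b in zip(path, path[1:]))


def decode_path(cfg, inc, entry, pid):
    """Offline: recover the executed path from the reported counter value."""
    path, v = [entry], entry
    while cfg.get(v):
        # successor with the largest increment not exceeding the remainder
        w = max((s for s in cfg[v] if inc[(v, s)] <= pid), key=lambda s: inc[(v, s)])
        pid -= inc[(v, w)]
        path.append(w)
        v = w
    return path


def sequence_match(path, codepoints):
    """SIFScript 'Sequence' path set: path contains all specified codepoints."""
    return all(cp in path for cp in codepoints)


# Constructed CFG of one method: A branches to B or C, both rejoin at D,
# D branches to E or F, both rejoin at the exit block G (4 distinct paths).
SAMPLE_CFG = {"A": ["B", "C"], "B": ["D"], "C": ["D"],
              "D": ["E", "F"], "E": ["G"], "F": ["G"], "G": []}
```

With SAMPLE_CFG the four paths receive counter values 0..3, e.g. A-B-D-E-G is 0 and A-C-D-F-G is 3, so only the final counter needs to be logged at method exit.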
SIF Design: Codepoint Abstraction
• Three steps
  • Find target instrumentation positions
  • Enable access to local data variables
  • Insert user-defined code
• Instrumentation done as callbacks
• Contains – straightforward
• Sequence – complicated
  • Perform reachability analysis
  • Instrument all possible paths
  • Include all exception handlers in reachability analysis
SIF Design: Overhead Estimator
• Two sources of overhead
  • Instructions inserted by SIF components
  • User-defined instrumentation code
• User provides a workload description
• App is instrumented only with the Ball-Larus profiler
• User executes the regular workload
• Output is the workload path profile used for overhead estimation
SIF Implementation
• Language abstractions implemented as an extension to Java
• Apktool → dex2jar converts the app to Java bytecode
• BCEL library used to read and modify Java bytecode
• Android SDK used to convert Java bytecode to Dalvik bytecode and re-package the app
• Does not handle reflection and dynamically loaded code
• No visibility into native code