外文翻译原文-统一的安全架构增强了Android操作系统

JSupercomput(2014)67:738756DOI10.1007/s11227-013-0991-yUnifiedsecurityenhancementframeworkfortheAndroidoperatingsystemChanheeLeeJonghwaKimSeong-jeChoJongmooChoiYeongungParkPublishedonline:6August2013SpringerScience+BusinessMediaNewYork2013AbstractInthesedaystherearemanymaliciousapplicationsthatcollectsensitiveinformationownedbythird-partyapplicationsbyescalatingtheirprivilegestothehigherlevelontheAndroidoperatingsystem.Anattackofobtainingtheroot-levelprivilegeintheAndroidoperatingsystemcanbeaseriousthreattousersbecauseitcanbreakdownthewholesystemsecurity.ThispaperproposesanewAndroidsecurityframeworkthatcanmeetthefollowingthreegoals:(1)preventingprivilegeescalationattacks,(2)maintainingsystemintegrity,and(3)protectingusersper-sonalinformation.Toachievethesegoals,ourproposedframeworkintroducesthreemechanisms:RootPrivilegeProtection(RPP),ResourceMisuseProtection(RMP),andPrivateDataProtection(PDP).RPPkeepstrackofalistoftrustedprogramswithroot-levelprivilegesandcandetectandrespondtomalwarethatillegallytriestoacquireroot-levelprivilegesbyexploitingsystem-levelvulnerabilities.RMPkeepstrackofalistofcriticalsystemresourcesandcanprotectsystemresourcesfromil-legalmanipulationbymaliciousapplications.PDPkeepspersonalinformationsafebyenforcingstrictaccesscontrolssothatevenprivilegedapplicationscannotaccessusersprivatedataiftheapplicationsviolatetheleastprivilegerule.TheframeworkC.LeeJ.KimS.-j.Cho(B)J.ChoiDepartmentofComputerScience,DankookUniversity,Yongin-si,Gyeonggi-do,Koreae-mail:sjchodankook.ac.krC.Leee-mail:lchan12dankook.ac.krJ.Kime-mail:zcbm4321dankook.ac.krJ.Choie-mail:choijmdankook.ac.krY.ParkTheAttachedofETRI,Jeonmin-dong,Yuseong-gu,Daejeon,Koreae-mail:santaparkensec.re.krUnifiedsecurityenhancementframeworkfortheAndroidoperating739isverifiedusingexperimentsontheAndroidoperatingsystem,whichshowsthatourframeworkachievedthegoalswithprocessingoverheadsof25.33%onaverage.KeywordsSmartphonesecurityAndroidPrivilegeescalationattacksSystemintegrityPrivacyprotectionUnifiedsecurityframework1IntroductionAssmartphoneusageincreases,moredevelopersbecomeinvolvedinimplementingapplicationsforsmartphones(alsocalledasApps).ThenumberofAppsintheAp-plesAppstorehasbeenreportedtobemorethan3billion1,andAndroidAppsareexpectedtobemorethanthatnumbersinceithastheopen-platformstrategy.How-ever,thisexplosiveincreaseinthenumberofapplicationsmakesAndroidsecurityevenmoreimportant.Inthispaper,wediscusssecuritythreatsrelatedtosmartphonesandproposeanovelsecurityframeworkespeciallyfortheAndroidoperatingsystem(OS).Sincemanyapplicationsaredevelopedbyvariousthird-partydevelopersandcom-panies,theAndroidOStreatsallapplicationsaspotentiallymalicious.TheAndroidOSprovidestwosecurityenforcingfeatures:sandboxingandtheprivilege-basedac-cesscontrol.Eachapplicationrunsinitsownvirtualmachinesothatitsexecutionisisolated,andtheprivilege-basedaccesscontrolorchestratesdatatobereferencedonlybyapplicationsthathavetherelevantpermissions.However,theAndroidOSssecuritymodelhasbeenshowntobestillvulnerabletoapplication-levelprivilegeescalationattacks26includingconfuseddeputyat-tacksandcollusionattacks.TheAndroidOSdoesnotdealwithtransitiveprivilegeusages,whichallowsapplicationstobypassrestrictionsimposedbythepermissionmodel.Therefore,thepermission-basedsecuritymodelcannotfullyprotectuserspersonalinformationunderprivilegeescalationattacksand,asaresult,avarietyofprivilegeescalationattackshavebeenreportedontheAndroidOS.ManystudieshaveshownthatmaliciousapplicationscanbeinstalledontheAndroidOSandcanstealusersprivatedatathroughtraditionalattacksorprivilegeescalationattacks(see,forexample,theBaseBridge6,DroidKungFu4,6,7,DroidDream4,6,8,andGingerMaster9).IntheAndroidOS,ifanapplication(orprocess)obtainstherootprivilege,theapplicationhasfullaccessestothefilesystem(werefertothisapplicationasapriv-ilegedapplication).Sinceaprivilegedapplicationhasafullaccesspermissiontothesystem,privilegeescalationattacksgrantmalwareorunauthorizedapplicationswiththefullaccesspermissiontothesystem.Ifanattackercanillegallyelevatehim-self/herselftorootprivileges,he/shecangainaccessestoanysensitivedataontheuserssmartphone.Tocountermeasureagainstprivilegeescalationattacksandtoprotectpersonalin-formation,varioussecurityextensionsandenhancementstotheAndroidOShavebeenproposed,suchasXManDroid2,3,RGBDroid5,Kirin10,Saint11,Apex12,TaintDroid1,QUIRE13,andsoon.However,aswewillelaborateinfurtherdetailsonrelatedworkinSect.2,noneoftheexistingsolutionssufficiently740C.Leeetal.andefficientlyprotectusersprivateinformationfromprivilegeescalationattacks.Someapproachescannotdetecttransitivepermissionusageattacksorfailtoprotectthesystemagainstmalwareandsophisticatedrun-timeattacks.Othersrelyontheuserstotakesecuritydecisionsortosufferinefficiency.Inthispaper,weproposeaunifiedandeffectivekernel-levelsecurityframeworkinorderto(1)preventprivilegeescalationattacks,(2)prohibitmaliciousapplicationsfrommanipulatingcriticalsystemresources,and(3)protectusersprivatedatafromillegallyprivilegedprogramsintheAndroidenvironment.OurproposedframeworkcansecuretheAndroidOSbyintroducingthreemechanisms:RootPrivilegeProtec-tion(RPP),ResourceMisuseProtection(RMP),andPrivateDataProtection(PDP).TheRPPmechanismmakesuseofadatastructure,calledpWhiteList,whichkeepstrackofalistoftrustedprogramswithrootprivileges.AnyprogramnotrecordedinpWhiteListcannotrunwithrootlevelprivileges.Aftergainingrootlevelprivilegesviaprivilegeescalationattacks,ifanymalwareorapplicationnotonthelisttriestoopen,read,orwritefileswithoutrelevantpermissions,ourframeworkwilldetectandpreventtheaccessesusingtheRPPmechanism.TheRMPmechanismkeepstrackofimportantsystemresources,usingtheCriticalListdatastructure,thatarevitalintheAndroidOS.Thismechanismpreventssuchcriticalresourcesfrombeingmodifiedbyevenaprocesswithroot-levelprivileges.Tosecurepersonalinformationincludingprivatedatainsmartphones,ourPDPmechanismdisallowstrustedprogramstoaccesssensitivedatathroughenforcingtheleastprivilegeprincipleinthepermission-basedaccesscontrol.Anattackerormal-warecanevadetheRPPmechanismbydirectlyexploitingvulnerabilitiesintrustedprogramswithroot-levelprivilegesorescalatingprivileges.ThePDPmechanismcandefeatthisevasionbyprohibitinguncontrolledaccesstoprivatedatathroughthesystemcallinspection.Ourframeworkusessystem-centricapproachesbyallowingthekerneltoenforcesecuritydecisionsbasedonfilesanduserIDofapplications.Soitdoesnotrequireapplicationdeveloperstoaddsecurityfeaturestotheirapplications.Wedemonstratethattheproposedframeworkefficientlydetectsprivilegeescalationattacks,keepstheAndroidOSconsistent,andmitigatestheeffectsoftheattacksbyprovidingextraprivacyprotectionmeasuresforprivatedata.Theremainderofthispaperisorganizedasfollows.AfterdiscussingrelatedworkinSect.2,weproposeasecurityframeworktopreventprivilegeescalationattacks,maintainsystemintegrity,andprotectusersprivateinformationinSect.3.InSect.4,wepresenttheeffectivenessofourproposedframeworkthroughsomeexperimentsusingrealisticprivilege-relatedattackscenarios.Section5evaluatesperformanceoftheproposedframework,andconclusionsandfutureworkarediscussedinSect.6.2BackgroundsandrelatedworkInthissection,wefirstexplorehowthesecuritysensitiveinformationhasbeenleakedthroughtheprivilegeescalationattacksintheAndroidOS.Then,wesurveyseveralsecurityenforcementtechniquestoprotectsuchleakagesanddiscusshowthoseap-proachesdifferfromours.UnifiedsecurityenhancementframeworkfortheAndroidoperating7412.1InformationleakagethroughprivilegeescalationattacksTheAndroidOSsupportsseveralsecurityfeaturessuchastheprivilege-basedaccesscontrolandsandboxing14.Theprivilege-basedaccesscontrolorchestratesdatatobereferencedonlybyapplicationsthathavetherelevantpermissions.However,col-laborationsamongmultipleapplicationswithdifferentprivileges,whichoccurfre-quentlyinAndroidenvironments,maycauseprivilegeescalationattacks2,3,5,6.Typicalexamplesoftheprivilegeescalationattacksaretheconfuseddeputyattackandthecollusionattack.Theconfuseddeputyattackincludescasessuchthatama-liciousapplicationexploitsthevulnerableinterfacesofanotherprivileged(butcon-fused)application.Thecollusionattackisthatmaliciousapplicationsthatcolludetocombinetheirpermissionsallowthemtoperformactionsbeyondtheirindividualprivileges.Therealproblemoftheprivilegeescalationattacksisthattheattackscanbeex-ploitedtostealprivatedata,asreportedinseveralpapersorarticles,suchasBase-Bridge6,DroidKungFu4,6,7,DroidDream4,6,8,andGingerMaster6,9.BaseBridge6performstheprivilegeescalationattacktoelevateitsprivilegessothatitcandownloadandinstalladditionalapplicationsontoauserssmartphone.Whenaninfectedapplicationisinstalled,malwareattemptstoexploittheudevNetlinkMes-sageValidationPrivilegeEscalationVulnerability9inordertoobtainroot-levelprivileges.TheBaseBridgemalwareusestheHTTPprotocoltocommunicatewithacentralserverandtransmitpersonalinformation.BaseBridgecanalsosendpremium-rateSMSmessagestopredeterminednumbersthatisthereasonofitsnicknameasAdSMS.DroidDream,whichhasappearedintheGooglesAndroidmarket6,8,stealspersonalinformationusingthesimilarmechanismtothatofthetraditionalTrojansobservedintheWindowsoperatingsystems.SomeresearchershavereferredtheDroidDreamvariantsasmobilebotnets.Moreadvancedmalwarehasappearedinthird-partymarkets.OneexampleisDroidKungFu6,7,whichtakesadvantageofprivilegeescalationexploits,called“RageagainsttheCage.”Atleastfourwell-knownprivilegeescalationvulnerabilitieshavebeenused.TheDroidKungFumalwarecollectspersonalinformationofsmart-phonessuchasIMEI(InternationalMobileEquipmentIdentity),DeviceIDandSDKversion,andsendsthemtoaremoteserver,thentriestoobtainarootshell.TherootshellobtainedbythemalwarereceivescommandsfromaC&C(CommandandCon-trol)server,andinstallsahiddenbackdoorapplication.Asaresult,thesmartphoneinfectedwithDroidKungFubecomesabotorazombie.GingerMaster6,10issimilartoDroidKungFu.ItinfectsnormalAndroidappli-cations.Onceanapplicationisinfected,theinfectedapplicationregistersaservice,collectspersonaldataonthedevice,sendstheinformationtoaremoteserverandtriestoobtainarootshell.TherootshellinstallsanothermaliciousapplicationthatreceivescommandsfromaC&Cserver.2.2SecurityenforcementtechniquesRecently,varioustechniqueshavebeenproposedtoenforcetightersecurityontheAndroidOStopreventprivilegeescalationattacks.Examplesofthesetechniques742C.Leeetal.includeKirin11,Saint12,Apex1,TaintDroid13,QUIRE15,XManDroid2,3,andRGBDroid5.TheKirinsystemisanextensiontotheAndroidsapplicationinstallerthatsup-portssecurity-basedinstallationdecisions11.TheAndroidOSisequippedwithalotofextensiveAPIs(ApplicationProgrammingInterfaces)includingAPIstoaccesshardware,configurations,anduserdata.Theusagesofthesecurity-relatedAndroidAPIscanbemonitoredandcontrolledbyaninstallmanagementsystem.TheKirinsystemdeniestheinstallationofapplicationsthatencompassasetofAPIswhicheventuallyhaveapotentialtoviolateagivensystempolicy.ItcheckspermissionstoinfertheusagesofAPIsandmaintainspredefinedsecurityrulestomatchdanger-ouscombinationsofpermissionsusedbyapplications.AstheKirinsystemanalyzeseachindividualapplicationseparatelywithstaticrules,itcannotprotectusersfromapplicationsthatcollaboratetoleak.Saint12extendsthefunctionalitiesoftheKirinsystemtoallowrun-timein-spectionofthefullsystempermissionstatesbeforelaunchingagivenapplication.Itadoptsafine-grainedaccesscontrolmodelandgovernsinstall-timepermissionas-signmentsandrun-timeuses.Inordertopreventprivilegeescalationattacks,Saintrequiresapplicationdeveloperstoassignappropriatesecuritypoliciesontheirappli-cationsinterfacesandtoaddsecurityfeaturestotheirapplications.Sinceapplicationdevelopersmightfailtoconsiderallsecuritythreats,developer-definedpermissionsystemsaremorelikelytobeerror-pronethansystem-centricapproaches.Apex1presentsanothersolutionforthesameproblemwheretheuserisrespon-siblefordefiningrun-timeconstraintsonthetopoftheexistingAndroidpermissionfacility.Apexdoesnotaddressprivilegeescalationattackswherepermissionsaresplitovermultipleapplications.LikeSaint,itunfortunatelyreliesontheusertotakesecuritydecisions.TheseSaintandApexapproachesallowuserstospecifystaticpoliciestoshieldthemselvesfrommaliciousapplications,butdonotallowapplica-tionstomakedynamicpolicydecision.TaintDroid13presentsadynamictaintanalysistechniquetopreventunautho-rizedleakageofsensitivedataandrun-timeattacks.Thisframeworkattemptstotagobjectswithmetadatainordertotrackinformationflowsandtoenforcepoliciesbasedonthepaththatdatahastakenthroughthesystem.TaintDroidenforcesitstaintpropagationsemanticsbyinstrumentinganapplicationsDEXbytecodetotageveryvariable,pointer,andInter-ProcessCommunication(IPC)messagethatflowthroughthesystemwithataintvalue.Itrestrictstransmittingtainteddatatoaremoteserverbymonitoringtheoutboundnetworkconnections.TaintDroidhasashortcomingthatthesystemmainlyaddressesdataflows,whereasprivilegeescalationattacksalsoin-volvewithcontrolflows.TrackingthecontrolflowswithTaintDroidwilllikelyresultinmuchhigherperformancepenalties.Besides,itcannotdetectattacksthatexploitcovertchannelstoleaksensitiveinformation2,3.QUIRE15isaframeworkdesignedtoovercometheprivilegeescalationat-tacksthatexploitstheconfuseddeputyattacks.Itisfocusedonprovidingprove-nanceinformationwithalightweightmannerandpreventingaccessesofsensitivedata,ratherthanrestrictingdirectionsofdataflows.WhenthereisanIPCrequestbe-tweenAndroidapplications,itforcestheapplicationstooperatewithareducedpriv-ilegeofitscallerbytrackingthecallchainofIPCs.QUIREsapproachrequiresonlyUnifiedsecurityenhancementframeworkfortheAndroidoperating743theIPCsubsystemtobemodifiedwithnorelianceoninstrumentedcode,thereforeQUIREcanworkwithapplicationsthatusenativelibrariesandcanavoidoverheadimpartedbyinstrumentingcodetopropagatetaintvalues.However,thisapproachisapplication-centricnotsystem-centric,andQUIREdoesnotaddressprivilegeesca-lationattacksthatarebasedonmaliciouslycolludingapplications.SincetheInter-ComponentCommunication(ICC)callchainisforwardedandpropagatedbytheap-plicationsthemselves,colludingapplicationsmayforcetheICCcallchaintoobscuretheoriginatingapplication,andhence,circumventtheQUIREsdefensemechanism.Furthermore,theunexpecteddenialofaccessesbythereceiverofthecallchainmightleadtoapplicationdysfunction/crashonthecallersside2,3.XManDroid(eXtendedMonitoringonAndroid)isasystem-levelsecurityframe-workthatallowstheAndroidOStomonitorapplicationcommunicationchannelsbothinthemiddlewarelevel2andintheunderlyingLinuxKernellevel3.Theframeworkcomplieswithasystem-centricsecuritypolicyatrun-time.TheauthorsconductaheuristicanalysisofAndroidssystembehaviors(withpopularapplica-tions)toidentifyattackpatternsandtoclassifydifferentadversarymodels,andpointoutthechallengestobetackled.TheyestablishsemanticlinksbetweenIPCsanden-ablethereferencemonitortoverifythecall-chainatthemiddlewarelevel,andrealizemandatoryaccesscontrolonthefilesystemandlocalInternetsocketsatthekernellevel.Theyalsoprovideacallbackchannelbetweenthekernelandthemiddleware.Theirapproachdiffersfromoursinthattheyarefocusingonpreventionwhileoursonreaction.RGBDroid(RootingGoodByeonDroid)5,ourpreviouswork,isanewAndroidsecurityenforcementtechniquewhichdetectsandrespondstotheattacksassociatedwithescalationorabuseofprivileges.RGBDroidhasintroducedtwodatastructures,calledpWhiteListandCriticalList.Theformerisalistoftrustedprogramswhilethelatterisalistofcriticalresourcesthatevenprivilegedapplicationcannotmodify.Thecriticalresourcesaredefinedasasetofresourceswhere,iftheresourcesaremodified,consistencyoftheAndroidOSisbrokenwhicheventuallyaffectsthebehaviorsofAndroidframeworkanduserapplications.WealsohaveproposedaninnovativemechanismforRGBDroidin16.Asma-liciousapplicationsbeingevolvedtactfully,someofthemcanevadethepreviousRGBDroidsprotectionsbyexploitingvulnerabilitiesoftrustedprogramswithrootprivileges.Toovercomethisdifficulty,theauthorsin16havedevisedakernel-levelPrivateDataProtection(PDP)mechanismthatrestrictsroot-privilegedprogramsfromaccessingresourcesownedbyuser-levelapplications.Inthispaper,weintegrateallsuggestionsdevisedin5and16intoaunifiedsystematicframework,whichisonedifferencebetweenthispaperandourpreviousones.ThetwoessentialpartsthatplayacoreroleintheAndroidsecuritymodelareapplications(orprocesses)andresources.Inourunifiedframework,privilegedappli-cationsandcriticalresourcesareregulatedbyRootPrivilegeProtection(RPP)andResourceMisuseProtection(RMP)mechanisms,respectively.Notethatthesemech-anismsareowingtoourobservationthattheinteractionsbetweenapplicationsandresourcescanbecontrolledandmanagedbywell-definedsecurityrules.Also,wecarefullyarguethat,intheAndroidOS,thetraditionalconceptthatmore-privileged744C.Leeetal.applicationscanaccessdataownedbyless-privilegedapplicationsisofteninade-quate.OurarguingisassessedwiththePrivateDataProtection(PDP)mechanism.Wealsoconductimplementation-basedexperimentsandanalyzetheperformanceef-fectsofthisintegrationinarealAndroiddevice,whichisanotherdifferencebetweenthispaperandthepreviousones.3SecurityenhancementframeworkTheAndroidOSprovidesseveralbasicsecuritymechanismssuchassandboxingandfileaccesscontrolsusingUID(UserID)andGID(GroupID).However,itisbasedontheUNIX-likeaccesscontrolmodel,soaroot-privilegedapplicationcanaccessanyresourcesincludingprivacy-sensitiveinformation.Hence,attackersandmaliciousap-plicationsnaturallyfocusonobtainingtherootprivilege.Theyconducttheprivilegeescalationattacks,suchasinstallingunauthorizedapplicationsbyacquiringtherootshelloraccessinginformationthroughotherlegitimateapplications,tocompromisethetargetsystemandtostealprivateinformation.Inthispaper,weproposeaunifiedframeworktopreventtheprivilegeescalationattacks,tomaintainsystemintegrity,andtoprotectuserssensitiveinformation.Theprivilegeescalationattackisdefinedasanattackthatattackers(ormaliciousapplica-tions)exploitvulnerabilitiesofatrustedprogramwiththerootprivilegesothattheycontrolstheprogram,oratypeofintrusionthattakesadvantageofvulnerabilitiesofsystemprogramstograntattackerselevatedaccessestothesystem.Forinstance,vold(VolumeManagerDaemon),thatisaprocessexecutedwiththerootprivile