DCert: Find the Leak in Your Pocket

DCert: Find the Leak in Your Pocket

Mohamed Nassim Seghir University College London
Abstract

Static data-flow analysis has proven its effectiveness in assessing security of applications. One major challenge it faces is scalability to large software. This issue is even exacerbated when additional limitations on computing and storage resources are imposed, as is the case for mobile devices. In such cases the analysis is performed on a conventional computer. This poses two problems. First, a man-in-the-middle attack can tamper with an analyzed application. So once on the mobile device, what guarantees that the actual version is not corrupt. Second, the analysis itself might be broken leading to an erroneous result. As a solution, we present DCert a tool for checking and certifying data-flow properties that consists of two components: a (heavyweight) analyzer and a (lightweight) checker. The analyzer is deployed on a conventional computer. It verifies the conformance of a given application to a specified policy and generates a certificate attesting the validity of the analysis result. It suffices then for the checker, on a mobile device, to perform a linear pass in the application size to validate or refute the certificate as well as the policy. This allows us to separate the verification and the checking process while ensuring a trust relationship between them via the certificate. We describe DCert and report on experimental results obtained for real-world applications.

I Introduction

Mobile devices are playing a more and more important part in daily life, they are used to perform several tasks and store a variety of information: personal, financial, industrial, etc. Therefore, security and privacy are becoming major concerns. While the security model on Android already provides resource protection via permissions, it also incurs some rigidity on user choices. For example, a photo app obviously requires the CAMERA permission but also might require the INTERNET permission to receive and display some ads. A possible malicious behaviour of that app is to send taken pictures through the Internet without user consent. Android model allows us either to grant or deny permissions which might impede app normal functionality. Ideally, we want to know if there is a link between the CAMERA and the INTERNET permission. Based on that, we decide whether or not to install the app. Static taint analysis permits to check the presence of data-flow paths from the API function for taking pictures (source), to the API function for sending files through the Internet (sink). It has proven its effectiveness in assessing the security of Android applications [fuchs:cs-tr-4991, flowdroid, WeiROR14, GordonKPGNR15, BarrosJMVDdE15, ErnstJMDPRKBBHVW14, 0029BBKTARBOM15].

A main issue with static analysis is scalability. This problem is even exacerbated when additional limitations on computing and storage resources are imposed, as is the case for mobile devices. In case of the previously mentioned tools, the analysis is performed on a conventional computer. This poses two problems. First, a man-in-the-middle attack can tamper with an analyzed application. So once on the mobile device, what guarantees that the actual version is not corrupt. Second, the analysis itself might be broken leading to an erroneous result.

We present a Proof-Carrying-Code inspired solution [NeculaL96] that advises the usage of a certificate as an audit for the accountability of the static analysis algorithm. It consists of splitting the analysis process between two parties: a (heavyweight) analyzer and a (lightweight) checker. The analyzer is deployed on a conventional computer. It verifies the conformance of a given application to a specified (data-flow) property and generates a certificate attesting the validity of the analysis result. It suffices then for the checker, on a mobile device, to perform a linear pass in the application size to validate or refute the certificate as well as the property. This allows us to separate the verification and the checking process while ensuring a trust relationship between them via the certificate. We have implemented our approach in a tool called DCert (Droid Certifier) and successfully applied it to real-world applications. In what follows, we describe its main ingredients and report on experimental results.

Ii DCert in Action

We illustrate the functionalities of DCert’s main ingredients through an example. Consider the simple code in Figure 1 as part of an Android application. To ease the presentation, we omit irrelevant details. We have the root procedure foo which makes call to function bar which, in turn, calls procedures getId, Send and getNumber. Function getId reads the device identifier using the API method getDeviceId at line 4. Similarly, function getNumber returns the number of the actual phone via API method getLine1Number at line 4. Finally, procedure Send is used to send the string it takes as argument as an SMS via API method sendTextMessage at line 5. Both methods getDeviceId and getLine1Number represent sources and sendTextMessage is a sink. We want to verify that the app does not leak information from certain sources to certain sinks and generate a checkable certificate attesting the outcome. For this we have three ingredients.

1String foo() 2{ 3  String x = bar(); 4  return x; 5} 1String getId() 2{ 3  TelephonyManager tm = ...; // get manager 4  String x = tm.getDeviceId(); 5  return x; 6}

1String bar() 2{ 3  String x = getId(); 4  Send(x); 5  String y = getNumber(); 6  return y; 7}
1String getNumber(String x) 2{ 3  TelephonyManager tm = ...; // get manager 4  String x = tm.getLine1Number(); 5  return x; 6}
1void Send(String x) 2{ 3  String num =  "..."; // destination phone number 4  SmsManager SM = ...; // get manager 5  SM.sendTextMessage(num, null, x, null, null); 6}
Fig. 1: Simple Java example illustrating potential data flows from sources to sinks. Method getDeviceId is an Android method for obtaining the device identifier, method getLine1Number permits to obtain the phone number and sendTextMessage allows to send text messages (SMS).

Ii-a Property

The first step in our approach is to specify data paths that should not be present in the considered application. Let us use id and num to respectively refer to the sources getDeviceId and getLine1Number. We also write sms for the sink sendTextMessage. We want to express the absence of information leak from sources to sinks in procedure foo. This is done via:

Each pair expresses a data-flow from to and the symbol represents a negation. Hence, the policy says that there should be no path reading the phone ID and sending it via SMS (in the first pair) and the same applies to the phone number (second pair). If no property is specified, the implicit property (by default) is that no data-flow from any source to any sink is allowed. The next step is to analyse the app to verify the validity of the specified property.

Ii-B Analyzer

Fig. 2: DCert main components.

Figure 2 illustrates the key parts of DCert. The analyzer takes an app and a property as input and answers whether the property is satisfied by the app, and eventually outputs a certificate corroborating the outcome of the analysis. The analyzer implements an inter-procedural data-flow analysis. For each function, it computes a summary which consists of a set of pairs expressing the existence of a data-flow from to . A summary of a given procedure only includes elements visible outside of it. Hence, local variables will not appear in a summary. During the analysis, when a function is invoked from another one, its summary is used instead of re-analysing it. This process is iterated until a fix-point is reached. For illustration, consider Figure 3. It shows the summary computed for the different methods of our previous example (Figure 1) at each iteration. Initially (iteration 0), all function summaries are empty.

After iteration 1, empty summaries are still associated with procedures foo and bar, however, summaries for procedures getId, getNumber and Send are updated. The symbol models the return value of a method. Hence, summaries and , respectively, express flows of the phone identifier (in getId) and the phone number (in getNumber) to a return statement. Similarly, expresses the presence of a data-flow from the argument of procedure to the sink .

After iteration 2, the summary for procedure is updated as summaries associated with its callees changed in the previous step (iteration 1), meaning potential new data paths. For example, is due to the path in procedure , when procedures and are substituted with their summaries.

Finally, the last iteration (3) updates the summary for by just propagating ’s summary. At this state a fix-point is reached and no further changes will be induced. The presence of in the summary associated with implies the violation of one rule, namely , but the other rule, , is not violated.

The final map (iteration 3) represents the certificate. It will be returned by the analyser together with a report indicating rules from the policy that are violated.

Iteration
0 1 2 3
 : - - -
: - -
: -
: -
: -
Fig. 3: Iterative computation of function summaries. A pair models a data-flow from to .

Ii-C Checker

Now the question is how can a client of the analysis trust its claim? The analysis might contain errors or, even worst, an attacker can claim app safety without applying the analysis at all. For this, the computed map will serve as a certificate. To test its validity, we just need to locally check that the summary of each method is valid by assuming the validity of the summaries of its callees. For example, assuming the summary for is , the summary for must be , which is the case, otherwise we have an inconsistency. This is performed by the checker which takes as input a certificate (computed map) a property and an app, and answers whether the certificate is valid. In addition, if the certificate is valid, it also verifies whether the certificate entails the property.

Certificate checking is lighter than certificate generation as we do not need to compute a fix-point. Instead, it is performed in a single pass. It has a linear complexity in the number of map entries (functions) and a constant space complexity as we just perform checks without generating information that need to be stored.

Ii-D About Certificate Resilience

Let us test the resilience of the previously generated certificate with respect to possible tampering scenarios.

We first omit from the entries corresponding to both foo and bar. While this will not be detected when checking foo as consistency is not broken, it will be detected when checking bar. Indeed, consistency of the certificate implies that must be associated with as a consequence of and associated with getId and Send respectively.

Let us have a more extreme scenario where we remove from all entries. This case is also detected as id refers to the API method getDeviceId which represents a seed for the analysis. Hence, consistency implies that must be associated with getId as it directly invokes getDeviceId.

How about suppressing all the entries? Our analysis will detect this case as the first step in the certificate integrity check is to make sure that all methods used in the program have entries in the map.

Now, let us modify the code but preserve the certificate as it is, sot that it does not exhibit the changes. Assume we add the call Send(y) just before the return statement at line 6 in procedure bar (Figure 1). While the checker does not detect inconsistencies with respect to the entry of procedure foo, it finds out that the certificate is no longer valid with respect to the entry of bar. Indeed, should have been present in bar’s entry.

Iii Implementation and Experiments

DCert is written in Python and uses Androguard111https://github.com/androguard as front-end for parsing and decompiling Android applications. It accepts Android applications in bytecode format (APK), so it does not require source code. One can simply download an app from a store of choice and analyse it. As mentioned previously, DCert has two main components: Analyser and Checker.

The analyser runs on a conventional desktop computer. It takes as input an app and a property and returns, as output, a report about the analysis result together with a certificate. Concretely speaking, the property consists of a file containing all sources and sinks that should be taken into account.

The checker accepts an application, a certificate and a property as input, and answers whether the certificate is valid with respect to the application taken as input. If the certificate is valid, it also reports on whether the property is fulfilled. The checker can run either on a mobile device or a conventional machine. The mobile device version is provided as An android app. As it is written is Python, we use kivy222https://kivy.org to facilitate its deployment.

Real-world Applications.

We were able to successfully apply DCert to two popular and largely used applications: Facebook and FacebookMessenger. We downloaded both directly from the Google Play store333https://play.google.com/store/apps. The two apps are of decent size with each of them containing more than 6000 methods.

In our experiments, we used a typical Linux desktop to run the verifier and a Samsung J5 mobile phone ( Exynox7870 Octa 1.6GHz processor, 2GB RAM), running Android, to host the checker. We analysed both apps with respect the default property, i.e., find all data leaks between any source and any sink.

First, we call the analyser to verify the validity of the property and to generate a certificate. In a second step, the checker is invoked to check the generated certificate. As a result, no leaks where found in both apps, and the checker was able to confirm the validity of the generated certificate. The whole running time for the checker is around 39 minutes for the Facebook app and 44 minutes for FacebookMessenger. While runtime difference is huge between running the checker on a mobile device and on a desktop computer, these results are encouraging given the size of the considered applications and the limitations of mobile devices. Moreover, we identified regions in our code and in the used front-end that we can optimise to reduce execution time.

Iv Related Work

Android security is an active area of investigation, many tools for analyzing security aspects of Android have emerged. Some rely on dynamic analysis [aurasium, EnckGCCJMS10, reina:copperdroid, ZhangYXYGNWZ13, BackesGHMS13]. Other tools are based on static analysis [flowdroid, scandal, FahlHMSBF12, AuZHL12, ChinFGW11, ChenJDDMMWRS13, JeonMVFRFM12]. We are interested in the last category (static analysis) as our aim is to certify the absence of bad behaviors. Our work is a complement to these tools as we are not only interested in analyzing applications, but also to return a verifiable certificate attesting the validity of the analysis result.

The idea of associating proofs with code was initially proposed by Necula under the moniker Proof-Carrying Code (PCC) [NeculaL96, Necula97]. It was then used to support resource policies for mobile code [AspinallM05, BartheCGJP07]. Furthermore, Desmet et al. presented an implementation of PCC for the .NET platform [DesmetJMPPSV08]. While the tool EviCheck [SeghirA15, Seghir0M16] is also based on a similar idea and targets Android, it is unable to analyse data-flow properties. Cassandra also applies PCC to Android [LortzMSBSW14]. Their approach proposes a type system to precisely track information flows. While precision is an advantage, it is hard to assess the practicability of their approach as no experiments involving real-world applications are reported. Our approach is applicable to real-world large applications.

V Conclusion and Further Work

We presented DCert a tool for analysing and certifying data-flows, inspired by the proof-carrying-code paradigm. DCert allows to analyse applications on mobile devices by splitting the certification process between two components: a (heavyweight) analyzer and a (lightweight) checker, and using a certificate as a mechanism for ensuring trust between the two parties. We described DCert’s implementation and reported on experimental results obtained for real-world applications. DCert represents an outlook for future app stores, where apps are equipped with contracts (policies) and checkable evidence (certificate). We are not aware of any other tool that implements a similar certification scheme and is scalable to real-world applications.

References

Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
267870
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description