Download
1 / 34
340 likes | 464 Vues
This paper presents a systematic study on the effectiveness of bytecode rewriting to enforce API-level access control in Android applications. The authors analyze the method invocation instructions in Android and demonstrate how static analysis can be utilized to identify sensitive API calls. By focusing on fine-grained access control, the study highlights various attack vectors against bytecode rewriting, provides insights into defending against them, and makes recommendations to strengthen application security. The findings contribute to the discourse on network and information security in mobile environments.
E N D
On the Effectiveness of API-Level Access Control Using Bytecode Rewriting in Android Presenter: Lu Gong
Authors • Students: Hao Hao, Vicky Singh • Professor: Wenliang (Kevin) Du • Dept. of EE & CS, Syracuse University, New York
The Conference • AsiaCCS: • ACM Symposium on Information, Computer and Communications Security • Rank C in the CCF recommendation list • Network and Information Security
The paper • The first systematic study on the effectiveness of using bytecode rewriting for API-level access control • Cited by: • Structural detection of android malware using embedded call graphs (AISec ’13) • Compac: Enforce Component-Level Access Control in Android (ACM CodaSpy ’14)
Background (1/3) • Bytecode rewriting • Use static analysis to identify sensitive API calls • Instrument bytecode to control access • Aim at implement fine-grained access control
Background (2/3) • API-Level Access Control
Background (3/3) • Method invocation instructions: • invoke-virtual: used to invoke a normal virtual method • invoke-direct: used to invoke either a private instance method or a constructor • invoke-static: used to invoke a static method • invoke-interface: used to invoke an interface method on an object whose concrete class is not known • invoke-super: used to invoke the closest superclass’ virtual method
Scoping (1/5) • Two kinds of byte-code rewrite mechanisms: • Put the reference monitor in another service • Put the reference monitor within the application • Only focus on the second approach • Because the first one is fail-safe
Scoping (2/5) • Assumption • The application either do not have native code or their native code is blocked from being executed • Reasons • Native code is running in the same process space as DVM • With native code, the app can easily tamper the DVM state, thus byte-code rewriting is useless
Scoping (3/5) • Privileged resources • Hardware devices • Kernel data • Data from another process space • Ways to access them • System calls • Inter-process communication
Scoping (5/5) • Concealing API usage (the 4th attack) is possible • Java reflection • Dynamic binding
Prelude (1/2) • Byte-code rewriting for a non-final class
Prelude (2/2) • Byte-code rewriting for a final class
Methodology • Study all possible attacks against bytecode rewriting • Give deeper insight into the attacks • Make recommendations on how to defend against these attacks
The problem MyClass.my_Func() Java_MyClass_my_1Func MyClass.my.1Func()
Recommendations • If any names starts with numbers, bytecoderewriter should remove the digit as it is illegal.
Recommendations • Stop application’s Java code from reloading preloaded Android core classes • BaseDexClassLoader.findClass() • DexFile.loadClass()
Recommendation • Apply API-level access control on android.os.ServiceManager.getService() • Alternative: rewrite android.os.Binder
Conclusion • Although all problems are fixable, more static analysis and dynamic checking should be performed while byte-code rewriting
