AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf ·...
Transcript of AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf ·...
![Page 1: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/1.jpg)
AirBag: Boosting Smartphone Resistance to Malware Infection
Chiachih Wu, Yajin ZhouHunal Patel, Xuxian Jiang
NC State University
Zhenkai LiangNational University of
Singapore
Chiachih Wu, Yajin ZhouHunal Patel, Xuxian Jiang
NC State University
Presented By:William Hollingsworth
![Page 2: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/2.jpg)
Problem Definition
http://www.theguardian.com/technology/2012/may/16/android-smartphone-market-50-percent
![Page 3: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/3.jpg)
Problem Definition
● Mobile malware increasingly common● Three solution types
– Server-side● Analyze apps in Marketplace and as they come in
![Page 4: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/4.jpg)
Problem Definition
● Mobile malware increasingly common● Three solution types
– Client-side● Traditional Anti-Malware programs● Repackage apps to enforce access control● Extend permissions systems
![Page 5: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/5.jpg)
Problem Definition
● Mobile malware increasingly common● Three solution types
– Virtualization-based● Multiple virtual phones● Multi-user support
![Page 6: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/6.jpg)
Problem Definition
● Want: app-centric, lightweight virtualization● AirBag:
– Untrusted apps disallowed from direct interaction with Android
– App Isolation Runtime (AIR)● Incognito● Profiling● Normal
![Page 7: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/7.jpg)
Outline
●Problem Definition●System Design–Threat Model–Enabling Techniques
●Implementation (AirBag)●Evaluation●Limitations ●Conclusion
![Page 8: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/8.jpg)
System Design: Current
![Page 9: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/9.jpg)
System Design: Threat Model
● Users will install malicious applications– Not necessarily intended
● Assume a trusted phone OS (TCB)
![Page 10: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/10.jpg)
System Design: Goals
1. Reliably isolate untrusted apps
a) Challenge: Open design of Android
2. Provide a safer user experience
3. Incur minimal overhead
![Page 11: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/11.jpg)
System Design: Proposed
![Page 12: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/12.jpg)
Outline
●Problem Definition●System Design–Threat Model–Enabling Techniques
●Implementation (AirBag)●Evaluation●Limitations ●Conclusion
![Page 13: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/13.jpg)
Enabling Techniques
● Decoupled App Isolation Runtime (AIR)● Namespace/Filesystem Isolation● Context-Aware Device Virtualization
![Page 14: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/14.jpg)
Enabling Techniques
● Decoupled App Isolation Runtime (AIR)– Normally all apps share the same runtime– AIR provides an independent runtime
● Seperate implementation of Android framework● Return faked sensitive information
● Namespace/Filesystem Isolation● Context-Aware Device Virtualization
![Page 15: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/15.jpg)
Enabling Techniques
● Decoupled App Isolation Runtime (AIR)● Namespace/Filesystem Isolation● Context-Aware Device Virtualization
![Page 16: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/16.jpg)
Enabling Techniques
● Decoupled App Isolation Runtime (AIR)● Namespace/Filesystem Isolation
– Prevent communication between runtimes– Accomplished using a cgroup
● Context-Aware Device Virtualization
![Page 17: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/17.jpg)
Enabling Techniques
● Decoupled App Isolation Runtime (AIR)● Namespace/Filesystem Isolation● Context-Aware Device Virtualization
![Page 18: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/18.jpg)
Enabling Techniques
● Decoupled App Isolation Runtime (AIR)● Namespace/Filesystem Isolation● Context-Aware Device Virtualization
– Contention for hardware resources ● Ex: SurfaceFlinger
– Allow access only to the active runtime
![Page 19: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/19.jpg)
Enabling Techniques
● Decoupled App Isolation Runtime (AIR)● Namespace/Filesystem Isolation● Context-Aware Device Virtualization
![Page 20: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/20.jpg)
Outline
●Problem Definition●System Design–Threat Model–Enabling Techniques
●Implementation (AirBag)●Evaluation●Limitations ●Conclusion
![Page 21: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/21.jpg)
Implementation
![Page 22: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/22.jpg)
Implementation
● To launch the app stub:– Prepare a separate filesystem root– Run airbag_init– Create network device
● Forward network and phone requests
– Determine namespace via:task_struct->nsproxy->current
![Page 23: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/23.jpg)
Implementation
![Page 24: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/24.jpg)
Implementation
![Page 25: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/25.jpg)
Implementation
![Page 26: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/26.jpg)
Implementation
● Telephony support is partly dependent on vendor– Service daemon: rild– Vendor library: libhtc_ril.so– Java class: com.android.internal.telephony.RIL
![Page 27: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/27.jpg)
Implementation
![Page 28: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/28.jpg)
Implementation
● To update the screen, allocate a separate framebuffer
● Driver reads framebuffer matching current namespace
![Page 29: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/29.jpg)
Implementation
![Page 30: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/30.jpg)
Outline
●Problem Definition●System Design–Threat Model–Enabling Techniques
●Implementation (AirBag)●Evaluation●Limitations ●Conclusion
![Page 31: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/31.jpg)
Evaluation: Effectiveness
GoldDream● Reads received SMS messages● Uploads them to a remote server
![Page 32: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/32.jpg)
Evaluation: Effectiveness
HippoSMS
● Sends messages to premium-rate numbers
![Page 33: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/33.jpg)
Evaluation: Performance
![Page 34: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/34.jpg)
Evaluation: Performance
![Page 35: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/35.jpg)
Evaluation: Performance
![Page 36: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/36.jpg)
Evaluation: Power/Memory
● Fully-charged device (Nexus 7)– 24 hours, no workload
● Stock: 91%● AirBag: 89%
![Page 37: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/37.jpg)
Evaluation: Power/Memory
● Memory footprint– 4 hours, no workload
● Stock: 59.31%● AirBag: 60.87%
– 4 hours, repeated audio● Stock: 60.25%● AirBag: 63.70%
![Page 38: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/38.jpg)
Outline
●Problem Definition●System Design–Threat Model–Enabling Techniques
●Implementation (AirBag)●Evaluation●Limitations ●Conclusion
![Page 39: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/39.jpg)
Limitations
● Apps cannot migrate between each runtime
![Page 40: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/40.jpg)
Limitations
● Apps cannot migrate between each runtime● No incoming calls/messages in AIR
![Page 41: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/41.jpg)
Limitations
● Apps cannot migrate between each runtime● No incoming calls/messages in AIR
http://www.imdb.com/title/tt0479968/
![Page 42: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/42.jpg)
Limitations
● Apps cannot migrate between each runtime● No incoming calls/messages in AIR● One runtime for all untrusted apps● Malicious app may detect sand-boxing
![Page 43: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/43.jpg)
Outline
●Problem Definition●System Design–Threat Model–Enabling Techniques
●Implementation (AirBag)●Evaluation●Limitations ●Conclusion
![Page 44: AirBag: Boosting Smartphone Resistance to Malware Infectionksun/csci780-f14/notes/19-airbag.pdf · android-smartphone-market-50-percent. Problem Definition ... Telephony support is](https://reader033.fdocuments.us/reader033/viewer/2022042410/5f2770c59b271c73aa4a0a40/html5/thumbnails/44.jpg)
Conclusion
● AirBag – Lightweight OS-level virtualization for Android– Provides a separate application runtime– Prevent leakage of sensitive information