ASM: A Programmable Interface for Extending Android Security
Stephan Heuser,
Ahmad-Reza Sadeghi
Intel Collaborative Research Institute for
Secure Computing at TU Darmstadt,
Germany
Adwait Nadkarni,
William Enck
NC State University, USA
Android Security Extensions (selected)
9/26/2014 ASM - Android Security Modules 2
Security extensions focus on specific use cases and/or security and privacy models
Context-based Apps: CRePE, ConXSense
Privacy: TaintDroid, AppFence, MockDroid
Type Enforcement: SEAndroid, FlaskDroid
Fine-Grained Permissions: APEX, CRePE
Permission Constraints: Kirin
App Communication: Saint, XManDroid, TrustDroid, Aquifer
IPC Provenance: QUIRE, IPC Inspection
Mock Data: MockDroid, TISSA, AppFence
Android Security Extensions
Access control (hooks) are embedded in sensitive components
[Figure: Android software stack. Applications: System Apps, 3rd Party Apps. Android OS: System ContentProviders (e.g. contacts), Activity Manager Service, Package Manager Service, Framework Libraries. Linux Kernel: Linux DAC, SELinux/SEAndroid. Components are marked "Access Control"; one is marked "Access Control (Inlined Reference Monitor)".]
Research Question
Is it possible to provide a programmable and generic security architecture on top of which many of these solutions can be instantiated?
Observations
Diverse Goals, but use similar security hooks and mechanisms
[Table: hooks and mechanisms used by each system; the per-system marks did not survive extraction.]
Hooks and mechanisms (grouped under Android OS and Linux Kernel): Android ICC, Package Manager, Sensors / Phone Info, Fake Data, System Content Providers, File Access, Network Access, 3rd Party Hooks
Systems: MockDroid, XManDroid, TrustDroid, FlaskDroid, CRePE, Quire, TaintDroid, Kirin, IPC Inspection, AppFence, Aquifer, APEX, Saint, SEAndroid, TISSA
High-level Idea of ASM
A modular access control architecture supporting multiple stakeholders
Deploy Android Security Modules (ASMs) as apps
[Figure: the stakeholders Enterprise, User and Platform Provider each have an ASM (ASM Enterprise, ASM User, ASM Provider) installed on Android next to a 3rd Party App, above the Android OS and Linux Kernel layers; two elements are labelled "Access Control".]
Challenges
Fine-grained access control on all abstraction layers
  Handle the semantics and peculiarities of each layer
Preserve existing security invariants
  Don't overrule denials by default Android access control
  Data modification by ASMs only in well-defined bounds
Efficiency
  Only activate hooks when they are required
  Whitelisting for root processes and system apps
Policy Reconciliation
  Handle decision conflicts (currently consensus strategy)
Design
ASM Framework
1. Register Callback Service
2. Query Hooks
[Figure: Applications layer with ASM User, ASM Provider, ASM Enterprise and a 3rd Party App (WhatsApp). Android OS layer with the ASM Bridge and hooks in System ContentProviders (e.g. contacts) and System Services (e.g. ActivityManager). Linux Kernel layer with ASM LSM and SELinux LSM. A "Reference Monitor" label appears with step 1.]
Hook Invocation
[Figure: Applications layer with ASM User, ASM Provider, ASM Enterprise and a 3rd Party App (WhatsApp). Android OS layer with the ASM Bridge and hooks in System ContentProviders (e.g. contacts) and System Services (e.g. ActivityManager). Linux Kernel layer with ASM LSM and SELinux LSM.]
Sequence shown: Query, then Protection Event (query contacts), then Callback.
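The hook-invocation flow above, combined with the invariants from the Challenges slide (never overrule a stock Android denial, consult only hooks an ASM asked for, whitelist root and system callers, reconcile by consensus), modelled in Python. This is an added example, not code from the ASM project: the class, hook names, UIDs and content URIs are constructed for illustration, and treating a failing ASM callback as a denial is an assumption.

```python
from typing import Callable, Dict, List, Set, Tuple

Callback = Callable[[int, dict], bool]   # (caller uid, event details) -> allow?

class AsmBridge:
    """Toy model of the ASM Bridge; every name here is hypothetical."""

    def __init__(self, whitelisted_uids: Set[int]):
        self.whitelisted_uids = whitelisted_uids
        self.hooks: Dict[str, Dict[str, Callback]] = {}   # hook -> {ASM: callback}

    def register(self, asm: str, hook: str, callback: Callback) -> None:
        self.hooks.setdefault(hook, {})[asm] = callback

    def is_active(self, hook: str) -> bool:
        # Efficiency: a hook only costs anything once some ASM asked for it.
        return bool(self.hooks.get(hook))

    def check(self, hook: str, uid: int, android_allows: bool,
              **event) -> Tuple[bool, List[str]]:
        """Return (decision, names of the ASMs that denied)."""
        if not android_allows:
            return False, []          # ASMs can never overrule a stock denial
        if uid in self.whitelisted_uids or not self.is_active(hook):
            return True, []           # no callback is made at all
        denied = []
        for asm, callback in self.hooks[hook].items():
            try:
                ok = callback(uid, event)
            except Exception:
                ok = False            # assumption: a failing ASM counts as denial
            if not ok:
                denied.append(asm)
        return not denied, sorted(denied)   # consensus: one denial is enough

def demo() -> Dict[str, Tuple[bool, List[str]]]:
    bridge = AsmBridge(whitelisted_uids={0, 1000})   # constructed: root, system
    messenger = 10050                                # constructed app uid
    work = "content://contacts/work"                 # constructed URI
    bridge.register("ASM User", "contacts.query", lambda uid, ev: True)
    bridge.register("ASM Enterprise", "contacts.query",
                    lambda uid, ev: ev.get("uri") != work)
    q = dict(hook="contacts.query", uid=messenger)
    return {
        "personal": bridge.check(**q, android_allows=True, uri="content://contacts/personal"),
        "work": bridge.check(**q, android_allows=True, uri=work),
        "no_permission": bridge.check(**q, android_allows=False, uri="content://contacts/personal"),
        "system_caller": bridge.check("contacts.query", 1000, True, uri=work),
        "unhooked": bridge.check("socket.connect", messenger, True, host="example.org"),
    }
```

In the "work" case the user's ASM allows the query and the enterprise ASM denies it, so the consensus result is a denial attributed to "ASM Enterprise".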
Support for 3rd-Party Hooks
Register 3rd-party Hook
[Figure: Applications layer with ASM User, ASM Provider, ASM Enterprise and an ASM aware 3rd Party App. Android OS layer with the ASM Bridge and a hook in System ContentProviders (e.g. contacts). Linux Kernel layer with ASM LSM and SELinux LSM. A second hook appears in the later builds, together with the "Register 3rd-party Hook" label.]
Evaluation
Experiment Setup
LG Nexus 4
  Android 4.4 (with ASM extensions), Linux MSM Kernel 3.4
Evaluated aspects include User Interface (Activity), Contact, File and Socket operations
Considered impact of a plain ASM
Automated Test Suite
  Performance Overhead: Java System.nanoTime()
  Power Consumption: Qualcomm Trepn Profiler
Performance
[Bar chart: average time in ms (axis 0 to 70) for Activity Start, Contacts Query, File Read and Socket Connect, each measured for Stock Android, No ASM active and One ASM active. The bar values did not survive extraction.]
Power Consumption
[Bar chart: average power consumption in mW (axis 0 to 800)]
Stock Android: 670.42 mW
No ASM active: 692.83 mW
One ASM active: 732.98 mW
Example Use Case
ConXSense Context Aware Access Control
• Goal: Context-aware access control
• Context-aware access control enforcing policies by user context profiling
• Includes access control on sensors (e.g., GPS and camera), sensitive information (e.g., contacts) and apps
• ASM based implementation:
[Figure: ConXSense ASM with Context Profiler, User Interface and ASM Callback Service; inputs Location Info, BT Sensing, User Input and WiFi Sensing; hooks in System ContentProviders, ActivityManager Service, CameraService and LocationManager Service.]
ConXSense [ASIACCS 2014]
Conclusion
ASM greatly simplifies use-case specific solutions
  Developers don't need to modify system components
  Implementation of security solutions as apps
Currently working on further use-cases
  Dual Persona Phone
  Dynamic Application Behaviour Analysis
Port to new Android versions
Push ASM to device vendors, AOSP
  Google, OEMs – please call us
Thank you!
Questions?
http://www.androidsecuritymodules.org