Publication


Featured researches published by Luca Verderame.


information security conference | 2012

Would You Mind Forking This Process? A Denial of Service Attack on Android (and Some Countermeasures)

Alessandro Armando; Alessio Merlo; Mauro Migliardi; Luca Verderame

We present a previously undisclosed vulnerability of Android OS which can be exploited by mounting a Denial-of-Service attack that makes devices become totally unresponsive. We discuss the characteristics of the vulnerability, which affects all versions of Android, and propose two different fixes, each requiring only a small patch that implements a few architectural countermeasures. We also provide experimental evidence of the effectiveness of the exploit as well as of the proposed countermeasures.


Computers & Security | 2013

Breaking and fixing the Android Launching Flow

Alessandro Armando; Alessio Merlo; Mauro Migliardi; Luca Verderame

The security model of the Android OS is based on the effective combination of a number of well-known security mechanisms (e.g. statically defined permissions for applications, the isolation offered by the Dalvik Virtual Machine, and the well-known Linux discretionary access control model). Although each security mechanism has been extensively tested and proved to be effective in isolation, their combination may suffer from unexpected security flaws. We show that this is actually the case by presenting a severe vulnerability in Android related to the application launching flow. This vulnerability is based on a security flaw affecting a kernel-level socket (namely, the Zygote socket). We also present an exploit of the vulnerability that allows a malicious application to mount a severe Denial-of-Service attack that makes the Android devices become totally unresponsive. Besides explaining the vulnerability (which affects all versions of Android up to version 4.0.3) we propose two fixes. One of the two fixes has been adopted in the official release of Android, starting with version 4.1. We empirically assess the impact of the vulnerability as well as the efficacy of the countermeasures on the end user. We conclude by extending our security analysis to the whole set of sockets, showing that other sockets do not suffer from the same vulnerability as the Zygote one.


wireless network security | 2014

Enabling BYOD through secure meta-market

Alessandro Armando; Gabriele Costa; Alessio Merlo; Luca Verderame

Mobile security is a hot research topic. Yet most of the available techniques focus on securing individual applications and therefore cannot tackle security weaknesses stemming from the combined use of two or more applications (e.g. confused deputy attacks). Preventing these types of attacks is crucial in many important application scenarios. For instance, their prevention is a prerequisite for the widespread adoption of the BYOD paradigm in the corporate setting. To this aim, in this paper we propose a secure meta-market which supports the specification and enforcement of security policies spanning multiple applications. Moreover, the meta-market keeps track of the security state of devices and, through a functional combination of static analysis and code instrumentation techniques, supervises the installation of new applications, thereby ensuring the enforcement of the security policies. We also developed a prototype implementation of the secure meta-market and used it to validate a wide range of popular Android applications against a security policy drawn from the US Government BYOD Security Guidelines. Experimental results obtained by running the prototype confirm the effectiveness of the approach.


information security conference | 2013

An Empirical Evaluation of the Android Security Framework

Alessandro Armando; Alessio Merlo; Luca Verderame

The Android OS consists of a Java stack built on top of a native Linux kernel. A number of recently discovered vulnerabilities suggests that some security issues may be hidden in the interplay between the Java stack and the Linux kernel. We have conducted an empirical security evaluation of the interaction among layers. Our experiments indicate that the Android Security Framework (ASF) does not discriminate the caller of invocations targeted to the Linux kernel, thereby allowing Android applications to directly interact with the Linux kernel. We also show that this trait lets malicious applications adversely affect the user’s privacy as well as the usability of the device. Finally, we propose an enhancement in the ASF that allows for the detection and prevention of direct kernel invocations from applications.


Pervasive and Mobile Computing | 2016

Android vs. SEAndroid

Alessio Merlo; Gabriele Costa; Luca Verderame; Alessandro Armando

Android has a layered architecture that allows applications to leverage services provided by the underlying Linux kernel. However, Android does not prevent applications from directly triggering the kernel functionalities through system call invocations. As recently shown in the literature, this feature can be abused by malicious applications and thus lead to undesirable effects. The adoption of SEAndroid in the latest Android distributions may mitigate the problem. Yet, the effectiveness of SEAndroid to counter these threats is still to be ascertained. In this paper we present an empirical evaluation of the effectiveness of SEAndroid in detecting malicious interplays targeted to the underlying Linux kernel. This is done by extensively profiling the behavior of honest and malicious applications both in standard Android and SEAndroid-enabled distributions. Our analysis indicates that SEAndroid does not prevent direct, possibly malicious, interactions between applications and the Linux kernel, thus showing how it can be circumvented by suitably-crafted system calls. Therefore, we propose a runtime monitoring enforcement module (called Kernel Call Controller) which is compatible both with Android and SEAndroid and is able to enforce security policies on kernel call invocations. We experimentally assess both the efficacy and the performance of KCC on actual devices.


international conference on high performance computing and simulation | 2015

Trusted host-based card emulation

Alessandro Armando; Alessio Merlo; Luca Verderame

Near Field Communication (NFC) promises to boost mobile transactions and payments. Indeed, NFC-enabled devices can emulate smartcards, thus allowing payments, loyalty programs, card access, transit passes and other custom services through a mobile phone. Although many modern mobile devices mount an NFC transceiver, card emulation is still a rare feature. The main reason is that the two available card emulation frameworks, namely Card Emulation and Host-based Card Emulation, have known limitations in terms of usability and security (respectively). This paper proposes a novel approach to card emulation called Trusted Host-based Card Emulation (THCE). THCE relies on the Trusted Execution Environment, currently deployed on most CPUs for mobile devices, and implements a secure and usable card emulation framework. Through comparisons, we show that THCE overcomes the limitations of the existing solutions. Moreover, we formally verify that the initialization protocol, used to deploy access credentials on a THCE-enabled device, is not vulnerable to known exploits.


International Journal of Information Security | 2015

Formal modeling and automatic enforcement of Bring Your Own Device policies

Alessandro Armando; Gabriele Costa; Alessio Merlo; Luca Verderame

The emerging Bring Your Own Device (BYOD) paradigm is pushing the adoption of employees’ personal mobile devices (e.g., smartphones and tablets) inside organizations for professional usage. However, allowing private, general purpose devices to interact with proprietary, possibly critical infrastructures enables obvious threats. Unfortunately, current mobile OSes do not seem to provide adequate security support for dealing with them. In this paper, we present a formal modeling and assessment of the security of mobile applications. In particular, we propose a security framework for verifying and enforcing BYOD security policies on Android devices. Interestingly, our approach is non-invasive and only requires minor platform modifications at application level. Finally, we provide empirical evidence of the practical feasibility of the approach by means of a prototype which we used to validate a set of real Android applications.


International Journal of Critical Infrastructure Protection | 2014

Security considerations related to the use of mobile devices in the operation of critical infrastructures

Alessandro Armando; Alessio Merlo; Luca Verderame

An increasing number of attacks by mobile malware have begun to target critical infrastructure assets. Since malware attempts to defeat the security mechanisms provided by an operating system, it is of paramount importance to understand the strengths and weaknesses of the security frameworks of mobile device operating systems such as Android. Many recently discovered vulnerabilities suggest that security issues may be hidden in the cross-layer interplay between the Android layers and the underlying Linux kernel. This paper presents an empirical security evaluation of the interactions between Android layers. The experiments indicate that the Android Security Framework does not discriminate between callers of invocations to the Linux kernel, thereby enabling Android applications to directly interact with the kernel. This paper shows how this trait allows malware to adversely affect the security of mobile devices by exploiting previously unknown vulnerabilities unveiled by analyses of the Android interplay. The impact of the resulting attacks on critical infrastructures is discussed. Finally, an enhancement to the Android Security Framework is proposed for detecting and preventing direct kernel invocations by applications, thereby dramatically reducing the impact of malware.


Future Generation Computer Systems | 2018

Automatic security verification of mobile app configurations

Gabriele Costa; Alessio Merlo; Luca Verderame; Alessandro Armando

The swift and continuous evolution of mobile devices is encouraging both private and public organizations to adopt the Bring Your Own Device (BYOD) paradigm. As a matter of fact, the BYOD paradigm drastically reduces costs and increases productivity by allowing employees to carry out business tasks on their personal devices. However, it also increases the security concerns, since a compromised device could disruptively access the resources of the organization. The current mobile application distribution model based on application markets does not cope with this issue. In a previous work the concept of secure meta-market has been introduced as a means to distribute mobile applications that are always guaranteed to comply with any given BYOD policy. This is achieved through a suitable combination of static analysis (i.e. model checking) and code instrumentation techniques. Although crucial, enforcing security policies over individual applications is not sufficient in general. Indeed, several well documented threats arise from the malicious interaction among applications which are harmless if isolated. In this paper, a novel technique for the security verification of groups of mobile apps is proposed. The approach relies on partial model checking (PMC) to extend the existing security guarantees to groups of applications. The experimental results demonstrate the viability of the approach. Moreover, we show through a case study that even a fairly simple security policy can be violated by applications which are compliant if considered one by one.

Highlights: A practical approach to the validation of groups of mobile apps is presented. The approach relies on partial model checking for mitigating state explosion. Experiments on real applications show that the technique scales on real systems. The solution is integrated with a prototype of the Secure Meta-Market (SMM).


military communications and information systems conference | 2016

Developing a NATO BYOD security policy

Alessandro Armando; Gabriele Costa; Alessio Merlo; Luca Verderame; Konrad S. Wrona

Mobile devices have an important role to play in the private as well as the professional activities of working people. However, their use can pose a serious threat to the security of the working environment. Many organizations therefore establish a specific bring your own device (BYOD) policy. This paper presents a proposal for how to foster a secure, policy-aware BYOD work environment. Our solution involves enforcement of fine-grained security policies for personal devices while relieving owners of having to make critical decisions and take responsibility for the behavior of applications installed on their devices. We report our experience in developing and applying a security policy based on the existing guidelines of the NATO Communications and Information Agency (NCI Agency).
