Toshihiro Yamauchi

Access Control to Prevent Attacks Exploiting Vulnerabilities of WebView in Android OS

Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.

VMM-Based Log-Tampering and Loss Detection Scheme

Logging information about the activities that placed in a computer is essential for understanding its behavior. In Homeland Security, the reliability of the computers used in their activities is of paramount importance. However, attackers can delete logs to hide evidence of their activities. Additionally, various problems may result in logs being lost. These problems decrease the dependability of Homeland Security. To address these problems, we previously proposed a secure logging scheme using a virtual machine monitor (VMM). The scheme collects logs and isolates them from the monitored OS. However, the scheme cannot store them automatically. Thus, logs in memory are lost when the computer is shutdown. Further, if the logs are not stored, it is impossible to detect incidents of tampering by comparing the logs of the monitored OS with those of the logging OS. To address these additional problems, this paper proposes a log-storing module and a tamper detection scheme. The log-storing module automatically stores logs collected by the logging module, and tamper detection is realized by comparing these stored log files with those of the monitored OS. We implemented the log-storing module and realized the tamper detection scheme. Evaluations reveal the effectiveness of the tamper detection scheme.

SELinux Security Policy Configuration System with Higher Level Language

Security policy for SELinux is usually created by customizing a sample policy called refpolicy. However, describing and verifying security policy configurations is difficult because in refpolicy, there are more than 100,000 lines of configurations, thousands of elements such as permissions, macros and labels. The memory footprint of refpolicy which is around 5MB, is also a problem for resource constrained devices. We propose a security policy configuration system SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes label configurations. SPDL tools generate security policy configurations from access logs and tool users knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semiautomated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500KB.

CSDA: Rule-based complex sensor data aggregation system for M2M gateway

To reduce the server load and communication cost of machine-to-machine (M2M) systems, sensor data are aggregated in M2M gateways. The C language is typically used for programming the aggregation logic, and the program is embedded into the firmware. However, developing aggregation programs is difficult for M2M service providers because it requires gateway-specific knowledge, and consideration must be given to CPU and memory resources. In addition, modifying aggregation logic requires firmware updates, which are risky. We propose a rule-based sensor data aggregation system, called the complex sensor data aggregator (CSDA) for M2M gateways. Data aggregation is categorized into filtering, statistical calculation, and concatenation. The proposed CSDA supports this aggregation process in three steps: the input, data processing, and output steps. The behaviors of these steps are configured by an XML based rule. The CSDA also supports update modules, which download and overwrite aggregation rules from the server when the modification of data aggregation logic is required. In this case, firmware updates are not necessary. The proposed system is evaluated in an M2M gateway experimental environment. Results show that developing CSDA configurations is much easier than using C because the configuration amount decreases by 10%. In addition, the performance evaluation demonstrates the proposed systems ability to operate on M2M gateways. CPU usage was less than 10%, even with a heavy load, and memory consumption was 128 Kbytes.

Proposal of Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

Attacks on computer systems have become more frequent in recent years. Attacks using kernel root kits pose a particularly serious threat. When a computer system is infected with a kernel root kit, attack detection is difficult. Because of this, handling the attack will be delayed causing an increase in the amount of damage done to the computer system. This paper proposes a new method to detect kernel root kits by monitoring the branch records in kernel space using hardware features of commodity processors. Our method utilizes the fact that many kernel root kits make branches that differ from the usual branches. By introducing our method, it is possible to detect kernel root kits immediately and, thereby, reduce damages to a minimum.

Design and Evaluation of a Diffusion Tracing Function for Classified Information Among Multiple Computers

In recent years, the opportunity to deal with classified information in a computer has increased, so the cases of classified information leakage have also increased. We have developed a function called “diffusion tracing function for classified information” (tracing function), which has the ability to trace the diffusion of classified information in a computer and to manage which resources might contain classified information. The classified information exchanged among the processes in multiple computers should be traced. This paper proposes a method which traces the diffusion for classified information among multiple computers. Evaluation results show the effectiveness of the proposed methods.

DroidTrack: Tracking Information Diffusion and Preventing Information Leakage on Android

An app in Android can collaborate with other apps and control personal information by using the Intent or user’s allowing of permission. However, users cannot detect when they communicate. Therefore, users might not be aware information leakage if app is malware. This paper proposes DroidTrack, a method for tracking the diffusion of personal information and preventing its leakage on an Android device. DroidTrack alerts the user of the possibility of information leakage when an app uses APIs to communicate with outside. These alerts are triggered only if the app has already called APIs to collect personal information. Users are given the option to refuse the execution of the API if it is not appropriate. Further, by illustrating how their personal data is diffused, users can have the necessary information to help them decide whether the API use is appropriate.

VMBLS: virtual machine based logging scheme for prevention of tampering and loss

Logging information is necessary in order to understand a computers behavior. However, there is a possibility that attackers will delete logs to hide the evidence of their attacking and cheating. Moreover, various problems might cause the loss of logging information. In homeland security, the plans for counter terrorism are based on data. The reliability of the data is depends on that of data collector. Because the reliability of the data collector is ensured by logs, the protection of it is important problem. To address these issues, we propose a system to prevent tampering and loss of logging information using a virtual machine monitor (VMM). In this system, logging information generated by the operating system (OS) and application program (AP) working on the target virtual machine (VM) is gathered by the VMM without any modification of the OS. The security of the logging information is ensured by its isolation from the VM. In addition, the isolation and multiple copying of logs can help in the detection of tampering.

Evaluation of Performance of Secure OS Using Performance Evaluation Mechanism of LSM-Based LSMPMON

Security focused OS (Secure OS) is attracting attention as a method for minimizing damage caused by various intrusions. Secure OSes can restrict the damage due to an attack by using Mandatory Access Control (MAC). In some projects, secure OSes for Linux have been developed. In these OSes, different implementation methods have been adopted. However, there is no method for easily evaluating the performance of the secure OS in detail, and the relationship between the implementation method and the performance is not clear. The secure OS in Linux after version 2.6 has often been implemented by Linux Security Modules (LSM). Therefore, we determine the effect of introducing the secure OS on the performance of the OS, and a characteristic by the difference of the implementation method by using the overhead measurement tool, the LSM Performance Monitor (LSMPMON); the LSMPMON can be used to evaluate three different secure OSes.

HeapRevolver: Delaying and Randomizing Timing of Release of Freed Memory Area to Prevent Use-After-Free Attacks

Recently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attack-prevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small.