Yaoqi Jia

DroidVault: A Trusted Data Vault for Android Devices

Mobile OSes and applications form a large, complex and vulnerability-prone software stack. In such an environment, security techniques to strongly protect sensitive data in mobile devices are important and challenging. To address such challenges, we introduce the concept of the trusted data vault, a small trusted engine that securely manages the storage and usage of sensitive data in an untrusted mobile device. In this paper, we design and build Droid Vault - the first realization of a trusted data vault on the Android platform. Droid Vault establishes a secure channel between data owners and data users while allowing data owners to enforce strong control over the sensitive data with a minimal trusted computing base (TCB). We prototype Droid Vault via the novel use of hardware security features of ARM processors, i.e., Trust Zone. Our evaluation demonstrates its functionality for processing sensitive data and its practicality for adoption in the real world.

Web-to-Application Injection Attacks on Android: Characterization and Detection

Vulnerable Android applications (or apps) are traditionally exploited via malicious apps. In this paper, we study an underexplored class of Android attacks which do not require the user to install malicious apps, but merely to visit a malicious website in an Android browser. We call them web-to-app injection (or W2AI) attacks, and distinguish between different categories of W2AI side-effects. To estimate their prevalence, we present an automated W2AIScanner to find and confirm W2AI vulnerabilities. We analyze real apps from the official Google Play store and found 286 confirmed vulnerabilities in 134 distinct applications. This findings suggest that these attacks are pervasive and developers do not adequately protect apps against them. Our tool employs a novel combination of static analysis, symbolic execution and dynamic testing. We show experimentally that this design significantly enhances the detection accuracy compared with an existing state-of-the-art analysis.

Man-in-the-browser-cache

In this paper, we present a systematic study of browser cache poisoning (BCP) attacks, wherein a network attacker performs a one-time Man-In-The-Middle (MITM) attack on a users HTTPS session, and substitutes cached resources with malicious ones. We investigate the feasibility of such attacks on five mainstream desktop browsers and 16 popular mobile browsers. We find that browsers are highly inconsistent in their caching policies for loading resources over SSL connections with invalid certificates. In particular, the majority of desktop browsers (99% of the market share) and popular mobile browsers (over a billion user downloads) are affected by BCP attacks to a large extent. Existing solutions for safeguarding HTTPS sessions fail to provide comprehensive defense against this threat. We provide guidelines for users and browser vendors to defeat BCP attacks. Meanwhile, we propose defense techniques for website developers to mitigate an important subset of BCP attacks on existing browsers without cooperation of users and browser vendors. We have reported our findings to browser vendors and confirmed the vulnerabilities. For example, Google has acknowledged the vulnerability we reported in Chromes HTML5 AppCache and has fixed the problem according to our suggestion.

You Can't Be Me: Enabling Trusted Paths and User Sub-origins in Web Browsers

Once a web application authenticates a user, it loosely associates all resources owned by the user to the web session established. Consequently, any scripts injected into the victim web session attain unfettered access to user-owned resources, including scripts that commit malicious activities inside a web application. In this paper, we establish the first explicit notion of user sub-origins to defeat such attempts. Based on this notion, we propose a new solution called UserPath to establish an end-to-end trusted path between web application users and web servers. To evaluate our solution, we implement a prototype in Chromium, and retrofit it to 20 popular web applications. UserPath reduces the size of client-side TCB that has access to user-owned resources by 8x to 264x, with small developer effort.

Detecting injected behaviors in HTML5-based Android applications

HTML5-based mobile applications (or apps) are built by using standard web technologies such as HTML5, JavaScript and CSS. Due to their cross-platform support, HTML5-based mobile apps are getting more and more popular. However, similar to traditional web apps, they are often vulnerable to script-injection attacks. It results in new threats to code integrity and data privacy. Compared to traditional web apps, HTML5-based mobile apps have more possible channels to inject code, e.g., contacts, SMS, files, NFC, and cameras. Even worse, the injected scripts may gain much more powerful privileges from the mobile apps than those in the traditional web apps. In this paper, we propose an approach to detect injected behaviors in HTML5-based Android apps. Our approach monitors the execution of apps, and generates behavior state machines to describe the apps’ runtime behaviors based on the execution contexts of apps. Once code injection happens, the injected behaviors will be detected based on deviation from the behavior state machine of the original app. We prototyped our approach and evaluated its effectiveness using existing code injection examples. The result demonstrates that the proposed method is effective in code injection detection for real-world HTML5-based Android apps.

Anonymity in Peer-assisted CDNs: Inference Attacks and Mitigation

Abstract The peer-assisted CDN is a new content distribution paradigm supported by CDNs (e.g., Akamai), which enables clients to cache and distribute web content on behalf of a website. Peer-assisted CDNs bring significant bandwidth savings to website operators and reduce network latency for users. In this work, we show that the current designs of peer-assisted CDNs expose clients to privacy-invasive attacks, enabling one client to infer the set of browsed resources of another client. To alleviate this, we propose an anonymous peer-assisted CDN (APAC), which employs content delivery while providing initiator anonymity (i.e., hiding who sends the resource request) and responder anonymity (i.e., hiding who responds to the request) for peers. APAC can be a web service, compatible with current browsers and requiring no client-side changes. Our anonymity analysis shows that our APAC design can preserve a higher level of anonymity than state-of-the-art peer-assisted CDNs. In addition, our evaluation demonstrates that APAC can achieve desired performance gains.

Toward Exposing Timing-Based Probing Attacks in Web Applications

Timing attacks in web applications have been known for over a decade. Recently, new attacks have been reported to exploit timing techniques to probe sensitive information from web applications. In this paper, we present a tool to detect timing-based probing attacks in web applications. The main idea of our approach is to monitor the browser behaviors and identify anomalous timing behaviors. We prototyped our approach in the Google Chrome browser, and demonstrated its effectiveness.