ppt - Cyber-Physical Systems by yantingting

TAINTDROID: AN INFORMATION-FLOW TRACKING SYSTEM FOR REALTIME PRIVACY MONITORING ON SMARTPHONES

         20123743 HYOUNG HO CHOI
         20123239 SEOK HYEON MUN
TABLE OF CONTENTS
1. INTRODUCTION
2. CHALLENGE
3. GOAL
4. TAINT TRACKING
5. TAINTDROID
6. PERFORMANCE
7. FINDINGS
8. CONCLUSION
INTRODUCTION
On smartphones, we use third-party applications such as
       - Google Maps, Angry Birds, etc.

More than 10 billion apps
Because they’re useful.

But can you trust that they don’t use your private data?
Phone number, location …
CHALLENGE
• General challenge: balance the fun and utility of apps with privacy.

For this purpose, we can look inside applications to watch
how they use privacy-sensitive data.
- locations, phone identifiers, microphone…

To overcome these challenges, let’s clearly define our goal.
GOAL
• General goal: monitor application behavior to determine
  when privacy-sensitive information leaves the phone.
  - MONITOR SENSITIVE INFORMATION

• Solution: track data with taint marking.
  This is called taint tracking.
TAINT TRACKING
• Scenario
  - You are a cowboy. You have many cows, but some of
    them are sick and you want to trace the sick cows.
  - How can you trace sick cows in the lumberyard?

• Simple Solution
  - Attach a tag/ring/sensor to each cow to be traced
  - Raise an alarm when a sick cow leaves the lumberyard.
TAINT TRACKING
• Mark (TAG) particular data (COW) and trace it.
• HOW IT WORKS
1. To track privacy-sensitive data (phone number, etc.),
   we attach something to the data.
   That something is called a TAG.
   The place where the attachment occurs is the TAINT SOURCE.
2. After attachment, the tracking system traces the data,
   so we can know when the data moves off our smartphone.
3. When privacy-sensitive data moves outside the smartphone,
   the taint tracking system raises an event.
   The place where the event happens is called the TAINT SINK.
TAINT TRACKING
[Figure: inside the <Application>, privacy data gets a taint tag attached (Data + Tag); when the tagged privacy data heads to the network, an EVENT (message) is raised.]
* Data = Cow
* Taint Tag = TAG
* Smartphone = lumberyard
We should implement this in the smartphone.
TAINT TRACKING CHALLENGES
Monitoring network disclosure of privacy-sensitive information
on smartphones presents several challenges.

1.   Smartphones are resource constrained.
     - Small overhead is needed.
2.   Third-party applications are entrusted with several types of
     privacy-sensitive information.
     - Taint sources in various places correspond to the several types.
     - Place “taint sources” in multiple places
3.   Context-based privacy-sensitive information is dynamic and
     can be difficult to identify.
     - We must consider context to define sensitive data.
4.   Applications can share information.
     - Track data while information is shared
TAINTDROID
TaintDroid is a system-wide integration of taint tracking into the
Android platform
    •   Variable tracking throughout the Dalvik VM environment
    •   Patches state after native method invocation
    •   Extends tracking between applications and to storage

TaintDroid is a firmware modification, not an app
VM VARIABLE-LEVEL TRACKING
One taint tag per variable
   • Where to store taint tags

Tracking the variable propagation
   • D = S + 1 (need to propagate the taint tag from S to D)
   • How to propagate taint tags along with variables

Modifies the Dalvik VM interpreter to store and propagate
taint tags on variables.
WHERE TO STORE TAINT TAGS
Store taint tags adjacent to variables in memory, providing
spatial locality

Local variables and args
    •  Taint tags stored adjacent to variables on the
       internal execution stack
Class fields
    •  Similar to locals, but inside static and
       instance field heap objects
Arrays
    •  One taint tag per array to minimize overhead

Need more room for variables
HOW TO PROPAGATE TAINT TAGS
Need to track taint tag propagation.

    D = S        move vD, vS

[Figure: D with its TAG, S with its TAG]

Modifies the move instruction so that it also copies the tag.
DEX PROPAGATION LOGIC
Data flow: propagate taint tags from the source registers to the destination register
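The storage and propagation rules from the last three slides, as an added C example that is not part of the original slides or TaintDroid's own code: a toy register interpreter keeps each tag next to its value and copies it on move and on D = S + 1. It goes beyond the slides by also clearing the tag on a constant load and taking the union of tags on a two-register add; the tag bits, opcode names and sample programs are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical tag bits; names and values are assumptions for this example. */
enum { TAINT_CLEAR = 0, TAINT_LOCATION = 1, TAINT_IMEI = 2 };
/* The tag is stored next to the value it describes (spatial locality). */
typedef struct { int32_t val; uint32_t tag; } slot_t;
typedef enum { OP_CONST, OP_SOURCE, OP_MOVE, OP_ADD_LIT, OP_ADD, OP_SINK } op_t;
typedef struct { op_t op; int a, b, c; } insn_t;

/* Runs a toy register program; returns the union of tags seen at any sink. */
uint32_t run(const insn_t *code, size_t n)
{
    slot_t r[4] = {{0, 0}};
    uint32_t leaked = TAINT_CLEAR;
    for (size_t i = 0; i < n; i++) {
        const insn_t *in = &code[i];
        switch (in->op) {
        case OP_CONST:   r[in->a] = (slot_t){ in->b, TAINT_CLEAR }; break;     /* vA = b, no taint */
        case OP_SOURCE:  r[in->a] = (slot_t){ in->b, (uint32_t)in->c }; break; /* taint source, tag c */
        case OP_MOVE:    r[in->a] = r[in->b]; break;                           /* move vA, vB */
        case OP_ADD_LIT: r[in->a] = (slot_t){ r[in->b].val + in->c, r[in->b].tag }; break; /* D = S + 1 */
        case OP_ADD:     r[in->a] = (slot_t){ r[in->b].val + r[in->c].val,
                                              r[in->b].tag | r[in->c].tag }; break;
        case OP_SINK:    leaked |= r[in->a].tag; break;                        /* taint sink */
        }
    }
    return leaked;
}

/* Constructed program: v0 = location; v1 = v0 + 1; v2 = v1; send(v2). */
static const insn_t LEAKY[] = { {OP_SOURCE, 0, 47, TAINT_LOCATION}, {OP_ADD_LIT, 1, 0, 1},
                                {OP_MOVE, 2, 1, 0}, {OP_SINK, 2, 0, 0} };
/* Constructed program: the tagged register is overwritten by a constant. */
static const insn_t CLEAN[] = { {OP_SOURCE, 0, 47, TAINT_LOCATION}, {OP_CONST, 0, 7, 0}, {OP_SINK, 0, 0, 0} };
/* Constructed program: v2 = v0 + v1 mixes a location value with an IMEI value. */
static const insn_t MIXED[] = { {OP_SOURCE, 0, 47, TAINT_LOCATION}, {OP_SOURCE, 1, 99, TAINT_IMEI},
                                {OP_ADD, 2, 0, 1}, {OP_SINK, 2, 0, 0} };

uint32_t run_leaky(void) { return run(LEAKY, sizeof LEAKY / sizeof LEAKY[0]); }
uint32_t run_clean(void) { return run(CLEAN, sizeof CLEAN / sizeof CLEAN[0]); }
uint32_t run_mixed(void) { return run(MIXED, sizeof MIXED / sizeof MIXED[0]); }

int main(void)
{
    printf("leaky=%u clean=%u mixed=%u\n", (unsigned)run_leaky(), (unsigned)run_clean(), (unsigned)run_mixed());
    return 0;
}
```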
METHOD-LEVEL TRACKING
Applications execute native methods through the Java Native
Interface (JNI).
      • Is it possible to modify instructions as in the Dalvik VM?
      • How can you track sensitive data passed from the VM?

Modifies some native methods
      • To copy the taint tag when copying the contents of sensitive
        data to another location

Original native method:

    #include <string.h>

    void copy(void *dst, void *src, int len)
    {
        /* … */
        memcpy(dst, src, len);
        /* … */
    }

Modified to carry the taint tag:

    void copy(void *dst, int *dtag, void *src, int stag, int len)
    {
        /* … */
        memcpy(dst, src, len);
        *dtag = stag;   /* destination takes the source's taint tag */
        /* … */
    }
METHOD-LEVEL TRACKING
Find these methods using a combination of heuristics and
method profiles


Applications are restricted to only invoking native methods
in system-provided libraries.
IPC AND FILE-LEVEL TRACKING
Why is it necessary to track messages and files?
    •   Persistent

One taint tag per message/file, as with arrays
    •   To minimize overhead
             var1    tag1   var2   tag2   var3   tag3

                     var1   var2   var3   tag3

What’s the problem with this approach?
    •   More false positives
    •   One of several variables may not be sensitive data.
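The false-positive problem above, as an added C example (not from the original slides or TaintDroid's code): a message keeps one tag for all of its values, so clean values come back tainted on the receiving side. msg_t, var_t, the tag bits and the sample messages are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum { TAINT_CLEAR = 0, TAINT_IMEI = 2 };   /* hypothetical tag bits */
enum { MSG_MAX = 8 };
typedef struct { int32_t val; uint32_t tag; } var_t;   /* per-variable tag */

/* Hypothetical IPC message: values packed together, one tag for all of them. */
typedef struct { int32_t vals[MSG_MAX]; int count; uint32_t tag; } msg_t;

/* Sender side: each variable's tag is folded into the single message tag. */
int msg_write(msg_t *m, var_t v)
{
    if (m->count >= MSG_MAX) return -1;
    m->vals[m->count++] = v.val;
    m->tag |= v.tag;
    return 0;
}

/* Receiver side: every value read back inherits the message tag. */
int msg_read(const msg_t *m, int i, var_t *out)
{
    if (i < 0 || i >= m->count) return -1;
    *out = (var_t){ m->vals[i], m->tag };
    return 0;
}

/* Counts values that were clean when sent but arrive tainted; -1 on error. */
int count_false_positives(const var_t *sent, int n)
{
    msg_t m = { {0}, 0, TAINT_CLEAR };
    var_t got;
    int fp = 0;
    for (int i = 0; i < n; i++)
        if (msg_write(&m, sent[i]) != 0) return -1;
    for (int i = 0; i < n; i++) {
        if (msg_read(&m, i, &got) != 0) return -1;
        if (sent[i].tag == TAINT_CLEAR && got.tag != TAINT_CLEAR) fp++;
    }
    return fp;
}

/* Constructed input: only the second value of MIXED_MSG is sensitive. */
static const var_t MIXED_MSG[] = { {10, TAINT_CLEAR}, {99, TAINT_IMEI}, {30, TAINT_CLEAR} };
static const var_t CLEAN_MSG[] = { {10, TAINT_CLEAR}, {30, TAINT_CLEAR} };

int fp_mixed(void) { return count_false_positives(MIXED_MSG, 3); }
int fp_clean(void) { return count_false_positives(CLEAN_MSG, 2); }

int main(void) { printf("mixed=%d clean=%d\n", fp_mixed(), fp_clean()); return 0; }
```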
DEMO
PERFORMANCE
    •   Memory overhead: 4.4%
    •   IPC overhead: 27%
    •   Macro-benchmark:
        •   App load: 3% (2 ms)
        •   Address book: 5.5% create, 18% read (< 20 ms)
        •   Phone call: 10% (10 ms)
        •   Take picture: 29% (0.5 s)
APPLICATION STUDY
Selected 30 applications, biased toward popularity and access to
the Internet, location, microphone, and camera

Of 105 flagged connections, only 37 were clearly legitimate
FINDINGS: PHONE IDENTIFIERS
7 applications sent the IMEI and 2 apps sent phone info (phone number,
IMSI, ICC-ID) to a remote server without informing the user.

One app sent phone information every time the phone booted.
   • This app also transmitted phone data immediately after
     install, before first use.

Appeared to be sent to app developers.
FINDINGS: LOCATION
15 of the 30 applications shared physical location with an ad
server
   • admob.com, ad.qwapi.com, ads.mobclix.com,
     data.flurry.com

Most traffic was plaintext (e.g., AdMob HTTP GET):

   ...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85B717D9195A6722A9&d%5Bcoord%5D=47.661227890000006%2C-122.31589477&...

In no case was the sharing obvious to the user or stated in the EULA
CONCLUSIONS
TaintDroid provides efficient, system-wide, dynamic taint
tracking and analysis for Android


TaintDroid integrates four granularities of taint
propagation (variable-level, message-level, method-level, and
file-level) to achieve a 14% performance overhead.


20 of the 30 studied applications share information in a way
that was not expected.
QnA