Self-Protection of Android Systems from Inter-Component Communication Attacks
Android is widely used for the development and deployment of autonomous and smart systems, including software targeted for IoT and mobile devices. Security of such systems is an increasingly important concern. Although Android is the predominant mobile platform, it is also the most targeted platform by malware authors resulting in millions of malicious apps distributed in numerous app stores. Android relies on a permission model to secure the system's resources and apps. In Android, since the permissions are granted at the granularity of apps, and all components in an app inherit those permissions, an app's components are over-privileged, i.e., components are granted more privileges than they actually need. Systematic violation of least-privilege principle in Android is the root cause of many types of Inter-Component Communication (ICC) attacks that can lead to serious security and privacy risks.
Due to the increasing use of code obfuscation in Android apps, the current security mechanisms for Android apps, both static and dynamic analysis approaches, are insufficient for detection and prevention of the increasingly dynamic and sophisticated security attacks.
Static analysis approaches suffer from false positives whereas dynamic analysis approaches suffer from false negatives. Moreover, they all lack the ability to efficiently analyze systems with incremental changes---such as adding/removing apps, granting/revoking permissions, and dynamic components' communications. Each time the system changes, the entire analysis needs to be repeated, making the existing approaches inefficient for practical use.
To mitigate these issues, this dissertation presents a novel self-protecting Android software system that automatically determines and continuously maintains the least-privilege architecture of an Android system, incrementally and efficiently analyzes its security posture, and dynamically enforces the maintained least-privilege architecture at runtime. The approach, entitled SALMA, protects the system against ICC attacks at all times in spite of changes at runtime.
The least-privilege architecture limits the privileges granted to apps without the need to modify them or breaking their functionalities. Static program analysis techniques have been utilized to extract the exact privileges each component needs for providing its functionality.
A Multiple-Domain Matrix representation of the system's least-privilege architecture is then kept in sync with the running system to reason about it at runtime. Every time the system changes, SALMA determines (1) the impacted part of the system, and (2) the subset of the security analyses that need to be performed, thereby greatly improving the performance and the scalability of the approach.
All conducted experiments on hundreds of real-world apps corroborate the scalability and efficiency of the proposed approach in reducing the attack surface of Android systems as well as its ability to detect and prevent security attacks at runtime with minimal disruption.