DOI: 10.1145/3052973.3052991

SPOKE: Scalable Knowledge Collection and Attack Surface Analysis of Access Control Policy for Security Enhanced Android

Published: 02 April 2017

Abstract

SEAndroid is a mandatory access control (MAC) framework that can confine faulty applications on Android. Nevertheless, the effectiveness of SEAndroid enforcement depends on the employed policy. The growing complexity of Android makes it difficult for policy engineers to have complete domain knowledge of every system functionality. As a result, policy engineers sometimes craft over-permissive and ineffective policy rules, which unfortunately increase the attack surface of the Android system and have allowed multiple real-world privilege escalation attacks. We propose SPOKE, an SEAndroid Policy Knowledge Engine, that systematically extracts domain knowledge from rich-semantic functional tests and further uses that knowledge to characterize the attack surface of SEAndroid policy rules. Our attack surface analysis proceeds in two steps: 1) it reveals policy rules that cannot be justified by the collected domain knowledge; 2) it identifies potentially over-permissive access patterns allowed by those unjustified rules as the attack surface.
We evaluate SPOKE using 665 functional tests targeting 28 different categories of functionality developed by the Samsung Android Team. SPOKE successfully collected 12,491 access patterns for the 28 categories as domain knowledge, and used that knowledge to reveal 320 unjustified policy rules and 210 over-permissive access patterns defined by those rules, including one related to the notorious libstagefright vulnerability. These findings have been confirmed by policy engineers.
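As an added illustration of the two-step analysis the abstract describes (not code from the paper or from SPOKE itself), the following Python sketch parses a constructed fragment of SEAndroid allow rules, treats a constructed set of test-observed access patterns as the collected domain knowledge, flags rules that no observed pattern justifies, and expands those rules into candidate over-permissive patterns. The type names, the policy fragment and the justification criterion (a rule counts as justified if at least one pattern it grants was exercised by a test) are assumptions made for this example.

```python
import re
from dataclasses import dataclass
# Constructed policy fragment in SEAndroid allow-rule syntax (sample, not from the paper).
POLICY = """
allow mediaserver audio_device:chr_file { read write ioctl open };
allow mediaserver system_data_file:dir { read search open };
allow mediaserver shell_data_file:file { read write open };
allow untrusted_app app_data_file:file { read write create unlink open };
"""

# Constructed domain knowledge: (source type, target type, class, permission)
# patterns observed while functional tests ran. Sample values only.
OBSERVED = {
    ("mediaserver", "audio_device", "chr_file", "open"),
    ("mediaserver", "audio_device", "chr_file", "ioctl"),
    ("mediaserver", "system_data_file", "dir", "search"),
    ("untrusted_app", "app_data_file", "file", "read"),
    ("untrusted_app", "app_data_file", "file", "write"),
}

# Matches "allow src tgt:class { p1 p2 };" as well as "allow src tgt:class p;".
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;")

@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset

    def patterns(self):
        """Expand the rule into the individual access patterns it grants."""
        return {(self.source, self.target, self.tclass, p) for p in self.perms}

def parse_policy(text):
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset(braced.split()) if braced is not None else frozenset([single])
        rules.append(AllowRule(src, tgt, cls, perms))
    return rules

def unjustified_rules(rules, observed):
    # Step 1: a rule is justified if any pattern it grants was exercised by a test.
    return [r for r in rules if not (r.patterns() & observed)]

def attack_surface(rules, observed):
    # Step 2: every pattern granted by an unjustified rule is reported as the surface.
    return set().union(*(r.patterns() for r in unjustified_rules(rules, observed)))
```

With the sample above, only the mediaserver rule on shell_data_file lacks any observed justification, so its three granted patterns form the reported surface.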


Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. android
  2. mandatory access control
  3. seandroid
  4. selinux

Qualifiers

  • Research-article

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 paper acceptance rate: 67 of 359 submissions, 19%
Overall acceptance rate: 418 of 2,322 submissions, 18%
