Topics: Access control, Android, Android Market Pages: 53 (14924 words) Published: January 8, 2013
¨ Technische Universitat Darmstadt
Center for Advanced Security Research Darmstadt

Technical Report TR-2011-04

XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, Ahmad-Reza Sadeghi

System Security Lab Technische Universit¨t Darmstadt, Germany a

Technische Universit¨t Darmstadt a Center for Advanced Security Research Darmstadt D-64293 Darmstadt, Germany

TR-2011-04 First Revision: April 30, 2011 Last Update: June 30, 2011

XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks Sven Bugiel

Lucas Davi

Alexandra Dmitrienko

Thomas Fischer

Ahmad-Reza Sadeghi

System Security Lab Center for Advanced Security Research Darmstadt (CASED) Germany

Google Android has become a popular mobile operating system which is increasingly deployed by mobile device manufactures for various platforms. Recent attacks show that Android’s permission framework is vulnerable to applicationlevel privilege escalation attacks, i.e., an application may indirectly gain privileges to perform unauthorized actions. The existing proposals for security extensions to Android’s middleware (e.g., Kirin, Saint, TaintDroid, or QUIRE) cannot fully and adequately mitigate these attacks or detect Trojans such as Soundcomber that exploit covert channels in the Android system. In this paper we present the design and implementation of XManDroid (eXtended Monitoring on Android), a security framework that extends the monitoring mechanism of Android to detect and prevent application-level privilege escalation attacks at runtime based on a systemcentric system policy. Our implementation dynamically analyzes applications’ transitive permission usage while inducing a minimal performance overhead unnoticeable for the user. Depending on system policy our system representation allows for an effective detection of (covert) channels established through the Android system services and content providers while simultaneously optimizing the rate of false positives. We evaluate the effectiveness of XManDroid on our test suite that simulates known application-level privilege escalation attacks (including Soundcomber), and demonstrate successful detection of attacks that use Android’s inter-component communication (ICC) framework (standard for most attacks). We also performed a usability test to evaluate the impact of XManDroid on the user-experience with third party applications. Moreover, we analyze sources of false positives and discuss how this rate can be further significantly reduced.

to control access to (sensitive) resources. The standard Android permission system limits access to sensitive data (SMS, contacts, etc.), resources (battery or log files) and to system interfaces (Internet connection, GPS, GSM). Once granted (by the end-user) the assigned permissions cannot be changed afterwards, and they are checked by the Android’s reference monitor at runtime. This approach restricts the potential damage imposed by compromised applications. However, Android’s security framework exhibits serious shortcomings: On the one hand, the burden of approving application permissions is delegated to the end-user who in general does not have the appropriate skills. Hence, malware and Trojans can be installed on end-user devices as shown by very recent Android Trojans: such as unauthorized sending of text messages [25], malicious game updates [21], or location tracking and leaking of sensitive data in the background of running games [27]. On the other hand, Android’s security framework is vulnerable to privilege escalation attacks at the application-level which are the main focus of this paper.

Application-level privilege escalation attacks.
The recent privilege escalation attacks [13, 8, 26, 37] show that in contrast to the...
Continue Reading

Please join StudyMode to read the full document

Become a StudyMode Member

Sign Up - It's Free