Towards Taming Privilege-Escalation Attacks on Android 论文

摘要

Android’s security framework has been an appealing sub-ject of research in the last few years. Android has been shown to be vulnerable to application-level privilege esca-lation attacks, such as confused deputy attacks, and more recently, attacks by colluding applications. While most of the proposed approaches aim at solving confused deputy at-tacks, there is still no solution that simultaneously addresses collusion attacks. In this paper, we investigate the problem of designing and implementing a practical security framework for Android to protect against confused deputy and collusion attacks. We realize that defeating collusion attacks calls for a rather system-centric solution as opposed to application-dependent policy enforcement. To support our design decisions, we conduct a heuristic analysis of Android’s system behavior (with popular apps) to identify attack patterns, classify dif-ferent adversary models, and point out the challenges to be tackled. Then we propose a solution for a system-centric and policy-driven runtime monitoring of communication chan-nels between applications at multiple layers: 1) at the mid-dleware we control IPCs between applications and indirect communication via Android system components. Moreover, inspired by the approach in QUIRE, we establish semantic links between IPCs and enable the reference monitor to ver-ify the call-chain; 2) at the kernel level we realize mandatory access control on the file system (including Unix domain sockets) and local Internet sockets. To allow for runtime, dynamic low-level policy enforcement, we provide a callback channel between the kernel and the middleware. Finally, we evaluate the efficiency and effectiveness of our framework on known confused deputy and collusion attacks, and discuss future directions. 1.