【 摘 要 】

Android is an open source platform derived from Linux OS. It utilizes aplethora of resources both local and external. Most of its local resources(e.g procfs nodes) were inherited from Linux with some of them being even-tually removed, while new ones were added to meet the requirements of amobile multi-purpose platform. Moreover, such a platform compels the in-troduction of external resources which can be used in tandem with a varietyof sensors (e.g Bluetooth and NFC) that the device is equipped with. Thisthesis demonstrates the subtlety involved in this adaptation which, if notperformed correctly, can lead to severe information leaks stemming from un-protected local and external resources. It also presents new defense solutionsand mitigation strategies that successfully tackle the found vulnerabilities.In particular, this thesis unearths three new side channels on Android OS.Prior to this work, these side channels were considered to be innocuous buthere we illustrate that they can be used maliciously by an adversary to infera user’s identity, geo-location, disease condition she is interested in, invest-ment information and her driving route. These information leaks, stem fromlocal resources shared among all installed apps on Android: per-app data-usage statistics; ARP (Address Resolution Protocol) information;and speaker status (on or off). While harmless on a different setting, thesepublic local resources can evidently disclose private information on a mobileplatform and thus we maintain that they should not be freely available to allthird-party apps installed on the system. To this end, we present mitigationstrategies which strike a balance between the utility of apps that legitimatelyneed to access such information and the privacy leakage risk involved.Unfortunately the design assumptions made while adapting Linux to cre-ate Android is not the only flaw of the latter. Specifically this work is alsoconcerned with the security and privacy implications of using external to theOS resources. Such resources generate dynamic, hard to mediate channelsof communication between the OS and an external source through usually awireless protocol. We explore such implications in connecting smartphoneswith external Bluetooth devices. This thesis posits that Android falls short inproviding secure Bluetooth connections with external devices; ergo its appli-cation in privacy critical domains is at the very least premature. We presenta new threat, defined as external-device mis-bonding or DMB for short.To demonstrate the severity of the threat, we perform realistic attacks onpopular medical Bluetooth devices. These attacks delineate how an unau-thorized app can capture private data from Bluetooth external devices andhow it can help an adversary spoof those devices and feed erroneous datato legitimate applications. Furthermore, we designed an OS-level defensemechanism dubbed Dabinder, that addresses the system’s shortcomings,by guaranteeing that a Bluetooth connection is established only between alegitimate app and its respective accessory.Nevertheless, Bluetooth is not the only inadequately protected externalresource with grave privacy ramifications. We have also studied NFC, Au-dio and SMS as potential channels of communication with alarmingly lowconfidentiality guarantees. We show with real world attacks, that Android’spermission model is too coarse-grained to safeguard such channels while pre-serving the utility of the apps. To better understand the prevalence of theproblem we perform a measurement study on the Android ecosystem anddiscuss our findings.Finally this work presents SEACAT, a novel defense strategy, enhancingAndroid with flexible security capabilities. SEACAT is a scalable, effectiveand efficient solution, built on top of SELinux on Android, that enables theprotection of channels used to communicate with external to Android re-sources. It achieves both MAC and DAC protection through straightforwardand SELinux-compatible policies as the policy language and structure used,is in accordance with the current policy specifications. The system’s designencompasses mirror caching on both the kernel and the middleware layerwhich facilitates rapid policy enforcement through appropriate and carefullypositioned hooks in the system.

【 预 览 】

附件列表

Files	Size	Format	View
Android at risk: current threats stemming from unprotected local and external resources	2934KB	PDF	download