Mitigation of Privilege Escalation Attacks on Android
Google Android has become one of the most popular operating systems for mobile platforms with a growing market share. Concerning security and privacy aspects, Android deploys enhanced security mechanisms including application sandboxing to isolate applications from each other and from system resources and a permission framework to limit application privileges.
It has been shown that the Android permission framework is subject to application-level privilege escalation attacks. Prominent examples are confused deputy and collusion attacks. Confused deputy attacks concern scenarios where a malicious application exploits the vulnerable interfaces of another privileged (but confused) application. These attacks range from unauthorized phone calls and text message sending to unauthorized toggling of the WiFi or GPS service state. In contrast, collusion attacks concern malicious applications that collude to combine their permissions, allowing them to perform actions beyond their individual privileges. Colluding applications can communicate directly, or exploit covert or overt channels in the Android core system components, as the Soundcomber Trojan does.
Previous work such as QUIRE and IPC Inspection addresses the problem of confused deputy attacks. The TaintDroid framework (developed for the detection of privacy leaks) can be applied to a subclass of collusion attacks, namely those that result in data leakage. However, none of the existing approaches satisfactorily addresses all classes of application-level privilege escalation attacks at once. Moreover, existing solutions have drawbacks such as incompatibility with legacy applications (IPC Inspection), application-driven policy enforcement that relies on potential confused deputies to make security decisions (QUIRE), or significant overhead (TaintDroid).
The project goal is to investigate the problem of application-level privilege escalation attacks on Android and to propose a general solution against all classes of application-level privilege escalation attacks, including confused deputy attacks and attacks by colluding applications. We aim at a solution which is legacy compliant, system-centric rather than application-driven, and efficient.
We propose the design and implementation of XManDroid (eXtended Monitoring on Android), a security framework that extends the Android operating system at different abstraction layers to detect and prevent privilege escalation attacks at runtime based on a system-centric security policy.
XManDroid architecture. The architecture of XManDroid is depicted in Figure 1. The framework extends Android’s middleware and deploys mandatory access control (MAC) on the kernel level to enforce access control to the file system (files, Unix domain sockets) and Internet sockets. Our framework relies on a system-centric policy enforcement and uses an appropriate high-level policy language at the middleware layer. At the kernel level, we have adopted TOMOYO Linux to enforce MAC. We provide a callback channel between the kernel and middleware to dynamically map the policies of the middleware to low-level TOMOYO policies.
XManDroid system representation. XManDroid represents the state of the Android system as a graph (as depicted in Figure 2). Graph vertices represent entities such as application sandboxes, Android system components, files and Internet sockets. Edges represent inter-process communication (IPC) calls among applications and access links (e.g., access to Internet sockets and files). A new edge can be added to the system graph if and only if the resulting system state is compliant with the system-centric security policy. The security policy consists of security rules, where each rule expresses a high-level security goal in the form of attack states. Our policy language is inspired by VALID, a formal security assurance language developed for virtualized infrastructure topologies.
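As an added example that is not XManDroid's own code, the following constructed Python model shows the edge-admission check described above: an IPC link is added only if the combined permissions of the applications it would connect do not match a rule's attack state. The vertex names, the permission strings, and the treatment of IPC links as undirected (arguments flow one way, return values the other) are assumptions of the example.

```python
from collections import deque
from typing import Dict, FrozenSet, Set, Tuple

# Constructed model (not XManDroid's code) of the system graph: vertices are
# application sandboxes labelled with their granted permissions, edges are
# established IPC links. A policy rule is an attack state: a permission
# combination that must not become reachable through a chain of IPC links
# unless one application on that chain already holds the whole combination
# itself (it was granted at install time, so no collusion is involved).
# Assumption: IPC carries data both ways, so links are treated as undirected.

class SystemGraph:
    def __init__(self, rules: Tuple[FrozenSet[str], ...]) -> None:
        self.perms: Dict[str, Set[str]] = {}   # vertex -> granted permissions
        self.ipc: Dict[str, Set[str]] = {}     # vertex -> IPC neighbours
        self.rules = rules

    def add_app(self, name: str, perms: Set[str]) -> None:
        self.perms[name] = set(perms)
        self.ipc.setdefault(name, set())

    def component(self, start: str, trial: Tuple[str, str]) -> Set[str]:
        """Vertices connected to start, with the trial edge added transiently."""
        seen, queue = {start}, deque([start])
        while queue:
            v = queue.popleft()
            nbrs = set(self.ipc[v])
            if v in trial:                     # the edge under evaluation
                nbrs |= set(trial)
            for n in nbrs - seen:
                seen.add(n)
                queue.append(n)
        return seen

    def violates(self, a: str, b: str) -> bool:
        """Would linking a and b reach the attack state of any rule?"""
        comp = self.component(a, (a, b))
        combined = set().union(*(self.perms[v] for v in comp))
        for rule in self.rules:
            if rule <= combined and not any(rule <= self.perms[v] for v in comp):
                return True
        return False

    def request_ipc(self, caller: str, callee: str) -> bool:
        """Add the edge iff the resulting system state is policy compliant."""
        if self.violates(caller, callee):
            return False
        self.ipc[caller].add(callee)
        self.ipc[callee].add(caller)
        return True
```

A direct call from an app lacking a permission to one holding it (the confused deputy case) and a chain through an unprivileged relay (the collusion case) are both caught by the same rule, while an app that legitimately holds the whole combination is not blocked.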
Our reference implementation of XManDroid is based on the Android 2.2.1 sources. It is legacy compliant and imposes only minimal performance overhead.
Sven Bugiel, Alexandra Dmitrienko