SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications
作者: Daoyuan Wu , Yao Cheng , Debin Gao , Yingjiu Li , Robert H Deng
DOI:
关键词:
摘要: Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, threat called component hijacking also introduced. By vulnerable in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand mitigate this issue, but no defense being deployed wild, largely due deployment difficulties performance concerns. In paper we present SCLib, secure library that performs in-app mandatory access control behalf of components. It does not require firmware modification or repackaging previous works. The library-based nature makes SCLib more accessible developers, enables them produce components first place over fragmented Android devices. As proof concept, design six policies overcome unique implementation challenges attacks originated from both system weaknesses common developer mistakes. Our evaluation using ten high-profile open source apps shows protect their 35 risky with negligible code footprint (less than 0.3% stub code) nearly slowdown normal intra-app communications. worst-case overhead stop about 5%.
harvard.edu
arxiv.org参考文章(40)
Sven Bugiel, Ahmad-Reza Sadeghi, Stephan Heuser, Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies usenix security symposium. pp. 131- 146 ,(2013)
Philipp Von Styp-Rekowsky, Oliver Schranz, Sven Bugiel, Christian Hammer, Michael Backes, Boxify: full-fledged app sandboxing for stock android usenix security symposium. pp. 691- 706 ,(2015)
Ross Anderson, Hassen Saïdi, Rubin Xu, Aurasium: practical policy enforcement for Android applications usenix security symposium. pp. 27- 27 ,(2012)
Damien Octeau, Yves Le Traon, Eric Bodden, Alexandre Bartel, Patrick McDaniel, Jacques Klein, Somesh Jha, Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis usenix security symposium. pp. 543- 558 ,(2013)
William Enck, Ahmad-Reza Sadeghi, Adwait Nadkarni, Stephan Heuser, ASM: a programmable interface for extending android security usenix security symposium. pp. 1005- 1019 ,(2014)
Daoyuan Wu, Rocky K. C. Chang, Analyzing Android Browser Apps for file:// Vulnerabilities international conference on information security. pp. 345- 363 ,(2014) , 10.1007/978-3-319-13257-0_20
Alexander Moshchuk, Adrienne Porter Felt, Helen J. Wang, Erika Chin, Steven Hanna, Permission re-delegation: attacks and defenses usenix security symposium. pp. 22- 22 ,(2011)
Michael Backes, Sven Bugiel, Sebastian Gerling, Philipp von Styp-Rekowsky, Android security framework: extensible multi-layered access control on Android annual computer security applications conference. pp. 46- 55 ,(2014) , 10.1145/2664243.2664265
Wu Zhou, Yajin Zhou, Xuxian Jiang, Peng Ning, Detecting repackaged smartphone applications in third-party android marketplaces Proceedings of the second ACM conference on Data and Application Security and Privacy - CODASKY '12. pp. 317- 326 ,(2012) , 10.1145/2133601.2133640
Michael Backes, Sven Bugiel, Sebastian Gerling, Scippa: system-centric IPC provenance on Android annual computer security applications conference. pp. 36- 45 ,(2014) , 10.1145/2664243.2664264