
Chapter 5 Evaluation

5.2 Self-programmed C and Java

We program C applications that share a tainted data array between processes and transmit the tainted data to the Internet through HTTP POST and HTTP GET requests. The HTTP POST request is the usual way malware transmits sensitive information to a specific remote server. We also program Java applications that access sensitive information (IMEI, IMSI, ICC-ID and GPS) and transmit it to the Internet through HTTP requests. These two experiments help us test our DroidTracking system. The taint source subsystem records sensitive-information reading events when the applications access sensitive information.

For the tested applications, DroidTracking analyzes instructions to record system-wide information flow. Taint tags in the taint metadata (both memory metadata and register metadata) are also propagated by DroidTracking, so we can track the system-wide behavior of the tested applications. When tainted memory is sent out by an HTTP POST or HTTP GET request, the taint sink subsystem records a sensitive-information stealing event. From our process identification log, we can identify the process that steals the sensitive information.

The self-programmed C and Java tests help us verify the correctness of information propagation through the sophisticated instruction analysis. Our DroidTracking system detects the sensitive-information stealing correctly.


To illustrate our evaluation precisely, we take Bowling Time as an example. Table 5.4 shows the memory working set for the Bowling Time evaluation. First, we start our emulator-based DroidTracking. Sensitive information such as IMEI, IMSI and GPS is read into memory by the Android OS during boot. Second, we use the Android emulator normally: the browser is opened to browse many web pages. Because the browser does not access sensitive information, the share of sensitive information in memory does not change much.

In the following steps, we run Bowling Time and check the memory working set. In our finding, the share of GPS-tagged bytes in memory is about two thousand times what it was before. In fact, Bowling Time logs GPS frequently. However, no GPS is sent out by Bowling Time. Next, the events listed in Table 5.4 occur. At almost the same time, an advertisement is downloaded and taint sink events occur. The share of IMEI-tagged bytes in memory is about twelve times what it was before. In fact, Bowling Time accesses the IMEI frequently. Table 5.3 shows part of this process.

DroidTracking logs process identifications, program counters, instructions, destination operands, source operands and status changes for instruction analysis. This is the evidence that the IMEI is accessed by Bowling Time. The behavior of Bowling Time changes the memory status and the register status in the taint metadata. After all, DroidTracking finds that many bytes carrying the IMEI taint tag are sent to a remote server.

Therefore, DroidTracking finds IMEI stealing in this evaluation.
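As an added illustration of the mechanism described in Section 5.2 and in the Bowling Time walk-through above (this is example code written for this page, not DroidTracking's own code), the following Python model shows a toy byte machine with taint metadata beside every memory byte and register: a taint source tags the IMEI and GPS bytes the OS reads into memory, each instruction propagates the tag from source operand to destination operand and is logged with pid, program counter, instruction and operands, a memory working set snapshot counts the bytes carrying each tag, and a taint sink reports tainted bytes handed to a network send together with the sending process's pid. The four-register instruction set, all pids and addresses, and the sample IMEI and GPS values are constructed assumptions.

```python
"""Toy instruction-level taint tracker (constructed example, not the thesis's emulator)."""

IMEI, IMSI, GPS = 1, 2, 4                      # tags as bit flags; a byte may carry several
TAG_NAMES = {IMEI: "IMEI", IMSI: "IMSI", GPS: "GPS"}


def tag_names(tags):
    """Decode a tag bitmask into the list of source names it carries."""
    return [name for bit, name in TAG_NAMES.items() if tags & bit]


class TaintMachine:
    def __init__(self, mem_size=64):
        self.mem = bytearray(mem_size)
        self.mem_taint = [0] * mem_size         # memory metadata: one tag per byte
        self.regs = {f"r{i}": 0 for i in range(4)}
        self.reg_taint = {f"r{i}": 0 for i in range(4)}   # register metadata
        self.log = []                           # instruction-analysis log
        self.sink_events = []                   # taint-sink log

    def source_read(self, pid, addr, data, tag):
        """Taint source: pid reads a sensitive value into memory; tag every byte."""
        self.mem[addr:addr + len(data)] = data
        for i in range(len(data)):
            self.mem_taint[addr + i] = tag
        self.log.append({"pid": pid, "event": "source", "tag": TAG_NAMES[tag],
                         "addr": addr, "bytes": len(data)})

    def execute(self, pid, pc, op, dst, src):
        """Run one instruction, propagate taint to the destination, log the status change."""
        if op == "ldrb":        # register dst <- mem[src]
            self.regs[dst] = self.mem[src]
            self.reg_taint[dst] = self.mem_taint[src]
            taint = self.reg_taint[dst]
        elif op == "strb":      # mem[dst] <- low byte of register src
            self.mem[dst] = self.regs[src] & 0xFF
            self.mem_taint[dst] = self.reg_taint[src]
            taint = self.mem_taint[dst]
        elif op == "mov":       # register copy carries the tag unchanged
            self.regs[dst] = self.regs[src]
            self.reg_taint[dst] = self.reg_taint[src]
            taint = self.reg_taint[dst]
        elif op == "add":       # result depends on both operands: union of their tags
            self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFF
            self.reg_taint[dst] |= self.reg_taint[src]
            taint = self.reg_taint[dst]
        elif op == "eor":       # eor rX, rX zeroes rX, so the result carries no tag
            if dst == src:
                self.regs[dst], self.reg_taint[dst] = 0, 0
            else:
                self.regs[dst] ^= self.regs[src]
                self.reg_taint[dst] |= self.reg_taint[src]
            taint = self.reg_taint[dst]
        else:
            raise ValueError(f"unknown op {op}")
        self.log.append({"pid": pid, "pc": pc, "instr": op, "dst": dst,
                         "src": src, "taint": taint})

    def send(self, pid, addr, length):
        """Taint sink: a socket send of mem[addr:addr+length]; returns the union of tags leaving."""
        tags, tainted = 0, 0
        for i in range(addr, addr + length):
            tags |= self.mem_taint[i]
            tainted += self.mem_taint[i] != 0
        if tags:
            self.sink_events.append({"pid": pid, "addr": addr, "tainted_bytes": tainted,
                                     "tags": tag_names(tags)})
        return tags

    def working_set(self):
        """Bytes of memory carrying each tag, like one memory-working-set snapshot."""
        return {name: sum(1 for t in self.mem_taint if t & bit)
                for bit, name in TAG_NAMES.items()}


def run_scenario():
    """Two processes share a buffer: one copies the IMEI in, the other sends it out."""
    m = TaintMachine()
    OS, APP, NET = 1, 2001, 2002                         # constructed pids
    m.source_read(OS, 0, b"123456789012345", IMEI)       # constructed sample IMEI
    m.source_read(OS, 16, b"25.0,121.5", GPS)            # constructed sample GPS fix
    before = m.working_set()
    # APP copies the IMEI byte by byte into a shared buffer at 32 (ldrb/strb loop).
    for i in range(15):
        m.execute(APP, 0x1000 + 8 * i, "ldrb", "r0", i)
        m.execute(APP, 0x1004 + 8 * i, "strb", 32 + i, "r0")
    # APP also writes a clean 4-byte header at 48 from a zeroed register.
    m.execute(APP, 0x1100, "eor", "r1", "r1")
    for i in range(4):
        m.execute(APP, 0x1104 + 4 * i, "strb", 48 + i, "r1")
    after = m.working_set()
    # NET sends the clean header, then the shared buffer holding the IMEI.
    clean = m.send(NET, 48, 4)
    leaked = m.send(NET, 32, 15)
    return {"before": before, "after": after, "clean": clean,
            "leaked": tag_names(leaked), "events": m.sink_events,
            "log_entries": len(m.log)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_scenario(), indent=1))
```

Running it prints the before and after working sets (the IMEI byte count doubles once the application copies the identifier into the shared buffer) and one sink event attributed to the sending process rather than the copying one, which is the system-wide attribution that a process identification log provides. The `eor rX, rX` case matters: a zeroing idiom must clear the tag, otherwise every byte later written from that register would be reported as a false leak.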

Table 5.3: Instruction Analysis – Bowlingtime

Table 5.4: Memory Working Set – Bowlingtime


Figure 5.1: Bowling Time

To understand DroidDream further, we also evaluate most of the applications listed in Table 5.2. In our findings, sensitive information such as IMEI, IMSI and GPS is accessed by these applications. As DroidTracking analyzes them, the behaviors of stealing sensitive information are revealed. According to the process identification log, the malicious application is confirmed and identified by the system.

In our findings, DroidTracking analyzes DroidDream even though DroidDream has root capability.

Detailed system-wide information is listed for the analyst by the system. DroidTracking keeps analyzing correctly even if the malware downloads new applications and infects the Android OS. Because our analysis system is emulator-based, it cannot be circumvented by the malware. Our findings demonstrate the effectiveness of emulator-based analysis tools such as DroidTracking.


Chapter 6 Conclusion

DroidDream and other malware can obtain root access in the Android OS even if the Android OS has beforehand denied the application permission to have root access.

An OS-based analysis system fails to protect against or detect behaviors of stealing sensitive information. Our primary goals are to prevent DroidTracking from being attacked and to provide accurate analysis results. To achieve this, we present DroidTracking, a fine-grained, system-wide information flow tracking system that can reveal behaviors of stealing sensitive information (GPS, IMEI, IMSI, ICC-ID and other sensitive information to be added in the future). A key design concept of DroidTracking is that we equip the Android emulator with information flow tracking capability and byte-granularity system object tracking capability.

We run many Android applications injected with DroidDream in an Android emulator equipped with DroidTracking. DroidDream accesses sensitive information while an advertisement is downloaded by DroidDream. There is a sequence of information flow through the whole memory space and the registers. In the course of program execution, several packets containing sensitive information are transmitted to the Internet. DroidTracking keeps track of the memory space sent by the malware, the sensitive information, the process of information flow and the malware's process ID for malware analysis. Our findings demonstrate that the Android analysis platform monitors the whole Android OS and prevents the system from being attacked.
