Mobile OS Security Tools

Mobile OS Security

Smartphones—phones that allow users to download and install third-party applications from the Internet—present new security and privacy risks to users and network providers. My research has investigated the limitations of current security in smartphones and how to improve the state of the art. My efforts have been directed at the Android platform, as it is representative of the functionality available in popular smartphone operating systems, and it is open source, which allows the creation of proof-of-concept prototypes for evaluation and experimentation.

Kirin: The Kirin project provides lightweight certification of applications at the time of install by looking at configuration metadata such as requested permissions, which accompanies Android applications. From this metadata, Kirin infers potential functionality and compares it against a ruleset of potentially dangerous properties. If any rule fails, the application is not installed. A set of Kirin security rules was created using security requirements engineering and evaluated against over 300 popular applications. The results indicate Kirin can provide a practical security enhancement to Android, with minimal cases where user override is necessary. [Download Kirin]
TaintDroid: The TaintDroid project provides realtime analysis to watch how applications use different types of privacy sensitive information. TaintDroid uses dynamic taint analysis to track taint markings assigned to data when it is accessed from application programming interfaces. When information leaves the phone's network interface, TaintDroid records any present taint markings. To provide realtime analysis on smartphones, TaintDroid has a carefully designed architecture, trading tracking granularity for performance. We used TaintDroid to study the behavior of 30 popular Android applications. Of the 30 applications, 15 shared location information with advertisement servers, and 7 shared device and phone identifiers with remote servers without the user's knowledge. These results indicate that smartphone applications do not always behave as we expect, and that users should be more vigilant when installing new applications. [Download TaintDroid]
ded: Smartphone applications are frequently incompletely vetted, poorly isolated, and installed by users without restraint. Such behavior is fraught with peril: applications containing malicious logic or critical vulnerabilities are likely to be identified only after substantial damage has already occurred. Unfortunately, the limitations of application markets make them a poor agent for certifying that applications are secure. ded is a project which aims at decompiling Android applications. The ded tool retargets Android applications in .dex format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications. We used ded to perform a large scale analysis of Android applications. We decompiled the 1,100 most popular applications using ded. We then analyzed the source code of the applications using a battery of custom program analysis tests designed to identify both vulnerabilities and malicious behavior. While this analysis did not reveal any malware, we found that phone identifiers and other personally identifiable information were widely used by Android applications. We also found that many applications insecurely use Android APIs. [Download ded]
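
The install-time check described for Kirin above, sketched as an added example (not Kirin's code): it reads the requested permissions from a manifest and rejects the app if any rule's full permission combination is present. The three rules, the helper names and the sample manifests are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Illustrative rules, assumed for this example (not Kirin's published ruleset).
# A rule fails when an app requests every permission in the set.
RULES = {
    "record-audio-and-upload": {P + "RECORD_AUDIO", P + "READ_PHONE_STATE", P + "INTERNET"},
    "track-location-from-boot": {P + "ACCESS_FINE_LOCATION", P + "INTERNET",
                                 P + "RECEIVE_BOOT_COMPLETED"},
    "intercept-and-rewrite-sms": {P + "RECEIVE_SMS", P + "WRITE_SMS"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def certify(manifest_xml, rules=RULES):
    """Return (install_allowed, failed_rule_names) for one manifest."""
    perms = requested_permissions(manifest_xml)
    failed = sorted(name for name, combo in rules.items() if combo <= perms)
    return (not failed, failed)


def make_manifest(package, perms):
    """Build a constructed, text-form AndroidManifest.xml for the demo."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}</manifest>')


# Constructed sample apps (package names are placeholders).
WEATHER = make_manifest("com.example.weather", ["ACCESS_FINE_LOCATION", "INTERNET"])
RECORDER = make_manifest("com.example.recorder",
                         ["RECORD_AUDIO", "READ_PHONE_STATE", "INTERNET"])

if __name__ == "__main__":
    for name, manifest in (("weather", WEATHER), ("recorder", RECORDER)):
        allowed, failed = certify(manifest)
        print(name, "install" if allowed else "reject", failed)
```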
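
A minimal model of the taint tracking described for TaintDroid above, added here as an illustration and not TaintDroid's code: sources attach tag bits, string operations carry them along, and the network sink records whatever tags reach it. The source functions, tag bits, sample values and host names are assumptions; keeping one tag per whole string is a simplification chosen to show the granularity trade-off.

```python
from dataclasses import dataclass

# One bit per source type, combined into a single integer tag (a bit vector).
TAINT_LOCATION, TAINT_IMEI, TAINT_PHONE_NUMBER = 0x1, 0x2, 0x4
TAG_NAMES = {TAINT_LOCATION: "location", TAINT_IMEI: "imei",
             TAINT_PHONE_NUMBER: "phone_number"}


@dataclass(frozen=True)
class Tainted:
    """A string plus ONE tag for the whole value (coarse granularity)."""
    value: str
    tag: int = 0

    def __add__(self, other):
        other = other if isinstance(other, Tainted) else Tainted(str(other))
        # Propagation rule: the result carries the union of both operands' tags.
        return Tainted(self.value + other.value, self.tag | other.tag)

    def __radd__(self, other):
        return Tainted(str(other)) + self

    def prefix(self, n):
        # Per-string tagging cannot tell which characters were sensitive,
        # so a slice keeps the full tag even if it holds only clean bytes.
        return Tainted(self.value[:n], self.tag)


# Taint sources (hypothetical API wrappers; the values are constructed).
def get_location():
    return Tainted("0.0000,0.0000", TAINT_LOCATION)


def get_device_id():
    return Tainted("000000000000000", TAINT_IMEI)


SINK_LOG = []  # (host, [tag names]) for every tainted send


def network_send(host, payload):
    """Taint sink: record the tags present on data leaving the device."""
    payload = payload if isinstance(payload, Tainted) else Tainted(str(payload))
    tags = [name for bit, name in TAG_NAMES.items() if payload.tag & bit]
    if tags:
        SINK_LOG.append((host, tags))
    return tags


if __name__ == "__main__":
    request = "q=" + get_location() + "&id=" + get_device_id()
    print(network_send("ads.example.invalid", request))            # both tags
    print(network_send("cdn.example.invalid", "GET /index.html"))  # untainted
    print(network_send("ads.example.invalid", request.prefix(2)))  # over-taint
```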

Related Publications

William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. A Study of Android Application Security, Proceedings of the 20th USENIX Security Symposium, August, 2011. San Francisco, CA.
(acceptance rate=17.2%) [pdf]
Patrick McDaniel and William Enck, Not So Great Expectations: Why Application Markets Haven't Failed Security. IEEE Security & Privacy Magazine, 8(5):76--78, September/October, 2010. (Secure Systems issue column).
William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2010. Vancouver, BC.
(acceptance rate=16.1%) [pdf]
Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. Semantically Rich Application-Centric Security in Android. Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC), December 2009. Honolulu, HI. (best paper).
(acceptance rate=19.0%) [pdf]
William Enck, Machigar Ongtang, and Patrick McDaniel. On Lightweight Mobile Phone Application Certification. Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), November 2009. Chicago, IL.
(acceptance rate=18.4%) [pdf]
William Enck, Machigar Ongtang, and Patrick McDaniel, Understanding Android Security. IEEE Security & Privacy Magazine, 7(1):10--17, January, 2009.
William Enck, Machigar Ongtang, and Patrick McDaniel, Mitigating Android Software Misuse Before It Happens. Technical Report NAS-TR-0094-2008, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA, USA, September 2008. Updated November 2008. [pdf]

PinUP

Users commonly download, patch, and use applications such as email clients, office applications, and media-players from the Internet. Such applications are run with the user's full permissions. Because system protections do not differentiate applications from each other, any malcode present in the downloaded software can compromise or otherwise leak all user data. Interestingly, our investigations show that inter-application sharing is well-defined, following recognizable workflows. The degenerate and most frequent workflow exists when files are only accessed by the application that creates them; however, more complex workflows can be modeled as stages in the lifetime of data (e.g., writing, compiling, linking, and executing an application). We have also found that inter-user sharing, commonly done between systems, follows predictable patterns. This reality represents an opportunity for new protection schemes. We propose the PinUP access control overlay system that "pins" files to specific applications. More information can be found on the SIIS Lab PinUP Page along with source code for our implementation.

Related Publications

William Enck, Patrick McDaniel, and Trent Jaeger. PinUP: Pinning User Files to Known Applications. Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC), December 2008. Anaheim, CA.
(acceptance rate=24.3%) [pdf]
William Enck, Sandra Rueda, Yogesh Sreenivasan, Joshua Schiffman, Luke St. Clair, Trent Jaeger, and Patrick McDaniel. Protecting Users from "Themselves". Proceedings of the 1st ACM Computer Security Architectures Workshop, November 2007. Alexandria, VA.
(acceptance rate=30%) [pdf]

Telecommunications Security

Securing national infrastructure such as the telecommunications network is of utmost importance. We discovered vulnerabilities in the cellular phone network that allow a careful attacker to deny voice service to metropolitan areas the size of Manhattan with little more than a cable modem by sending SMS messages from the Internet. We extended our original analysis by building a detailed GSM simulator. Through a combination of simulation and mathematical modeling, we derived a deeper understanding of the necessary preconditions for an attack, as well as an array of mitigation techniques. This work was the primary focus of my Master's thesis.

Related Publications

Patrick Traynor, William Enck, Patrick McDaniel, and Tom La Porta, Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks. IEEE/ACM Transactions on Networking (TON). (to appear).
(extends teml06)
Patrick Traynor, William Enck, Patrick McDaniel, and Tom La Porta, Exploiting Open Functionality in SMS-Capable Cellular Networks. Journal of Computer Security, 16(6), December, 2008.
(extends etml05)
Patrick Traynor, William Enck, Patrick McDaniel, and Tom La Porta. Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks. Proceedings of the Twelfth Annual International Conference on Mobile Computing and Networking (MobiCom), September 2006. Los Angeles, CA.
(acceptance rate=11.7%) [pdf]
William Enck, Patrick Traynor, Patrick McDaniel, and Tom La Porta. Exploiting Open Functionality in SMS-Capable Cellular Networks. Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), pages 393--404, November 2005. Alexandria, VA.
(acceptance rate=15.0%) [pdf]

Secure Non-Volatile Main Memory

Non-volatile memories provide energy efficiency, tolerance against power failure, and "instant-on" power-up. These memories are likely to replace traditional volatile memory in next-generation laptops and desktops. However, the move to non-volatile memory introduces new vulnerabilities; sensitive data such as passwords and keys residing in main memory persists across reboots and can be probed during hardware suspension.
We propose a Memory Encryption Control Unit (MECU) to address the vulnerabilities introduced by non-volatile memories. The MECU encrypts all memory transfers between the level 2 cache and main memory. The keys used to encrypt memory blocks are derived from secret information present on removable authentication tokens, e.g., smart card, or other similar secure storage devices. This provides protection against physical attacks in the absence of the token.
We evaluated a MECU-enhanced architecture using the SimpleScalar hardware simulation framework on several hardware benchmarks. The performance analysis shows that we can secure non-volatile memories with minimal overhead: the majority of memory accesses are delayed by less than 1 ns, with limited degradation subsiding within 670 milliseconds of a system resume. In effect, we provide zero-cost steady state confidentiality for main memory.
