TU Darmstadt / ULB / TUbiblio

DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android

Heuser, Stephan ; Negro, Marco ; Pendyala, Praveen Kumar ; Sadeghi, Ahmad-Reza (2016)
DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android.
Report, Bibliographie

Kurzbeschreibung (Abstract)

Smart mobile devices process and store a vast amount of security- and privacy sensitive data. To protect this data from mali- cious applications mobile operating systems, such as Android, adopt fine- grained access control architectures. However, related work has shown that these access control architectures are susceptible to application- layer privilege escalation attacks. Both automated static and dynamic program analysis promise to proactively detect such attacks. Though while state-of-the-art static analysis frameworks cannot adequately ad- dress native and highly obfuscated code, dynamic analysis is vulnerable to malicious applications using logic bombs to avoid early detection. In contrast, the long-term observation of application behavior could help users and security analysts better understand malicious apps. In this pa- per we present the design and implementation of DroidAuditor, which observes application behavior on real Android devices and generates a graph-based representation. It visualizes this behavior graph, which en- ables users to develop an intuitive understanding of application inter- nals. Our solution further allows security analysts to query the behavior graph for malicious patterns. We present the design of the DroidAudi- tor framework and instantiate it using the Android Security Modules (ASM) access control architecture. We evaluate its capability to detect application-layer privilege escalation attacks, such as confused deputy and collusion attacks. In addition, we demonstrate how our architecture can be used to analyze malicious spyware applications.

Typ des Eintrags: Report
Erschienen: 2016
Autor(en): Heuser, Stephan ; Negro, Marco ; Pendyala, Praveen Kumar ; Sadeghi, Ahmad-Reza
Art des Eintrags: Bibliographie
Titel: DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android
Sprache: Englisch
Publikationsjahr: 28 Januar 2016
Ort: Darmstadt
Verlag: Technische Universität
Reihe: Technical Report
Zugehörige Links:
Kurzbeschreibung (Abstract):

Smart mobile devices process and store a vast amount of security- and privacy sensitive data. To protect this data from mali- cious applications mobile operating systems, such as Android, adopt fine- grained access control architectures. However, related work has shown that these access control architectures are susceptible to application- layer privilege escalation attacks. Both automated static and dynamic program analysis promise to proactively detect such attacks. Though while state-of-the-art static analysis frameworks cannot adequately ad- dress native and highly obfuscated code, dynamic analysis is vulnerable to malicious applications using logic bombs to avoid early detection. In contrast, the long-term observation of application behavior could help users and security analysts better understand malicious apps. In this pa- per we present the design and implementation of DroidAuditor, which observes application behavior on real Android devices and generates a graph-based representation. It visualizes this behavior graph, which en- ables users to develop an intuitive understanding of application inter- nals. Our solution further allows security analysts to query the behavior graph for malicious patterns. We present the design of the DroidAudi- tor framework and instantiate it using the Android Security Modules (ASM) access control architecture. We evaluate its capability to detect application-layer privilege escalation attacks, such as confused deputy and collusion attacks. In addition, we demonstrate how our architecture can be used to analyze malicious spyware applications.

Freie Schlagworte: ICRI-SC, Secure Things
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Systemsicherheit
Profilbereiche
Profilbereiche > Cybersicherheit (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
Hinterlegungsdatum: 04 Aug 2016 10:13
Letzte Änderung: 15 Aug 2023 13:04
PPN:
Zugehörige Links:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen