PolyScope: Multi-Policy Access Control Analysis to Triage Android Systems

Android filesystem access control provides a foundation for Android system integrity. Android utilizes a combination of mandatory (e.g., SEAndroid) and discretionary (e.g., UNIX permissions) access control, both to protect the Android platform from Android/OEM services and to protect Android/OEM services from third-party apps. However, OEMs often create vulnerabilities when they introduce market-differentiating features because they err when re-configuring this complex combination of Android policies. In this paper, we propose the PolyScope tool to triage the combination of Android filesystem access control policies to vet releases for vulnerabilities. The PolyScope approach leverages two main insights: (1) adversaries may exploit the coarse granularity of mandatory policies and the flexibility of discretionary policies to increase the permissions available to launch attacks, which we call permission expansion, and (2) system configurations may limit the ways adversaries may use their permissions to launch attacks, motivating computation of attack operations. We apply PolyScope to three Google and five OEM Android releases to compute the attack operations accurately to vet these releases for vulnerabilities, finding that permission expansion increases the permissions available to launch attacks, sometimes by more than 10X, but a significant fraction of these permissions (about 15-20%) are not convertible into attack operations. Using PolyScope, we find two previously unknown vulnerabilities, showing how PolyScope helps OEMs triage the complex combination of access control policies down to attack operations worthy of testing.

[1]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[2]  Tomer Hertz,et al.  Portably Solving File TOCTTOU Races with Hardness Amplification , 2008, FAST.

[3]  Eugene Tsyrklevich,et al.  Dynamic Detection and Prevention of Race Conditions in File Accesses , 2003, USENIX Security Symposium.

[4]  Ravi S. Sandhu The typed access matrix model , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[5]  Amir Rahmati,et al.  ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem , 2018, USENIX Security Symposium.

[6]  Matt Bishop,et al.  Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[7]  Shai Halevi,et al.  Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation , 2010, NDSS.

[8]  Xiao Zhang,et al.  Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References , 2015, CCS.

[9]  Trent Jaeger,et al.  JIGSAW: Protecting Resource Access by Inferring Programmer Expectations , 2014, USENIX Security Symposium.

[10]  Stephen Smalley,et al.  Security Enhanced (SE) Android: Bringing Flexible MAC to Android , 2013, NDSS.

[11]  Ahmad-Reza Sadeghi,et al.  Towards Taming Privilege-Escalation Attacks on Android , 2012, NDSS.

[12]  Trent Jaeger,et al.  Integrity walls: finding attack surfaces from mandatory access control policies , 2012, ASIACCS '12.

[13]  Antonio Ken Iannillo,et al.  Chizpurfle: A Gray-Box Android Fuzzer for Vendor Service Customizations , 2017, 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE).

[14]  Trent Jaeger,et al.  Analyzing Integrity Protection in the SELinux Example Policy , 2003, USENIX Security Symposium.

[15]  Peng Ning,et al.  EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning , 2015, USENIX Security Symposium.

[16]  Hong Chen,et al.  Analyzing and Comparing the Protection Quality of Security Enhanced Operating Systems , 2009, NDSS.

[17]  James P Anderson Computer Security Technology Planning Study. Volume 2 , 1972 .

[18]  Richard J. Lipton,et al.  A Linear time algorithm for deciding security , 1976, 17th Annual Symposium on Foundations of Computer Science (sfcs 1976).

[19]  Narseo Vallina-Rodriguez,et al.  An Analysis of Pre-installed Android Software , 2019, 2020 IEEE Symposium on Security and Privacy (SP).

[20]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[21]  Xiang Cai,et al.  Exploiting Unix File-System Races via Algorithmic Complexity Attacks , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[22]  Trent Jaeger,et al.  Managing access control policies using access control spaces , 2002, SACMAT '02.

[23]  Jongwoon Park,et al.  RPS: An Extension of Reference Monitor to Prevent Race-Attacks , 2004, PCM.

[24]  Sencun Zhu,et al.  Designing System-Level Defenses against Cellphone Malware , 2009, 2009 28th IEEE International Symposium on Reliable Distributed Systems.

[25]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[26]  Calton Pu,et al.  Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems , 2010, Comput. Secur..

[27]  Ninghui Li,et al.  SPOKE: Scalable Knowledge Collection and Attack Surface Analysis of Access Control Policy for Security Enhanced Android , 2017, AsiaCCS.

[28]  Norman Hardy,et al.  The Confused Deputy: (or why capabilities might have been invented) , 1988, OPSR.

[29]  Trent Jaeger,et al.  Process firewalls: protecting processes during resource access , 2013, EuroSys '13.

[30]  Arnab Ray,et al.  Preventing race condition attacks on file-systems , 2005, SAC '05.

[31]  William S. McPhee Operating System Integrity in OS/VS2 , 1974, IBM Syst. J..

[32]  Ninghui Li,et al.  Analysis of SEAndroid Policies: Combining MAC and DAC in Android , 2017, ACSAC.

[33]  PuCalton,et al.  Modeling and preventing TOCTTOU vulnerabilities in Unix-style file systems , 2010 .

[34]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[35]  Trent Jaeger,et al.  Toward Automated Information-Flow Integrity Verification for Security-Critical Applications , 2006, NDSS.

[36]  Trent Jaeger,et al.  An access control model for simplifying constraint expression , 2000, CCS.

[37]  Stephen Smalley,et al.  The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments , 2000 .

[38]  Alan J. Hu,et al.  Fixing Races for Fun and Profit: How to Use access(2) , 2004, USENIX Security Symposium.

[39]  Kevin R. B. Butler,et al.  BigMAC: Fine-Grained Policy Analysis of Android Firmware , 2020, USENIX Security Symposium.

[40]  Trent Jaeger,et al.  STING: Finding Name Resolution Vulnerabilities in Programs , 2012, USENIX Security Symposium.

[41]  Olga Gadyatskaya,et al.  Small Changes, Big Changes: An Updated View on the Android Permission System , 2016, RAID.

[42]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[43]  Crispin Cowan,et al.  RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities , 2001, USENIX Security Symposium.

[44]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].