Non-invasive Privilege Escalation through Mobile and IoT System Interface: Threats and Mitigation

摘要

With the proliferation of mobile and IoT devices, malicious application developers seize the opportunity to spread malicious applications threatening the security and privacy of users' information assets. In this dissertation, we work towards understanding and mitigating a unique type of threat, non-invasive privilege escalation attacks, posed by malicious applications to vulnerable mobile and IoT system interfaces. Unlike more invasive attacks that usually gain elevated access through altering the memory or files belonging to the system or other applications, a non-invasive attack leverages legitimate yet vulnerable system interfaces to gain access to system resources, other application resources or to infer sensitive user information, which is usually difficult to detect without in-depth understanding of the vulnerable systems.;In particular, this dissertation reports a systematic study on this understudied type of threat, from the hidden weaknesses inside the operating system, to the risks introduced by the mobile ecosystem and to a new user-computing interfaces. Specifically, we studied a runtime-information-gathering (RIG) threat which exploits design weaknesses of the operating system, e.g., shared communication channels such as Bluetooth, and side channels such as memory and network-data usages, on Android and Android-based IoT devices. To defend against this new category of attacks, we propose a novel approach, App Guardian, that changes neither the operating system nor the target apps, and provides immediate protection as soon as an ordinary app is installed. Our experimental studies show that this new technique defeated all known RIG attacks, with small impacts on the utility of legitimate apps and the performance of the operating system.;Then we discover hanging attribute references (Hares), a type of vulnerabilities never investigated before, which often have serious security implications: when an attribute is used on a device but the party defining it has been removed during vendor customization, a malicious app can fill the gap to acquire critical system capabilities, by simply disguising as the owner of the attribute. We further design and implement Harehunter , a new tool for automatic detection of Hares. By using it, we discover 21,557 likely Hare flaws on the factory images of 97 most popular Android devices, demonstrating the significant impacts of the problem.;Finally, we conduct the first security analysis on Voice Personal Assistant (VPA) ecosystems and related popular IoT devices, which leads to the discovery of serious security weaknesses in their Voice User Interfaces (VUIs) and skill vetting. We present two new attacks, voice squatting and voice masquerading, both of which are demonstrated to pose realistic threats to a large number of VPA users from remote and both have serious security and privacy implications. We also design and implement new techniques that make the first step towards protecting VPA users from these voice-based attacks.