ABSTRACT
SEAndroid is now widely deployed on Android devices to enforce security policies and provide flexible mandatory access control (MAC), with the aim of narrowing attack surfaces and restricting risky operations. The original SEAndroid security policy rules are carefully and strictly written and maintained by the Android community. In practice, however, mobile device manufacturers usually have to customize these policy rules and add new rules of their own to support their functionality extensions, which breaks the integrity of SEAndroid and causes serious security issues. Identifying these security issues remains a challenging task because of the large and ever-increasing number of policy rules and the complexity of policy semantics.
To investigate the status quo of SEAndroid policy customization, we propose SEPAL, a universal tool that automatically retrieves and examines customized policy rules. SEPAL applies NLP techniques and trains a wide & deep model to quickly and precisely predict whether a rule is unregulated. Our evaluation shows that SEPAL is effective, practical and scalable. We verify that SEPAL outperforms the state-of-the-art approach (i.e., EASEAndroid) by 15% in accuracy on average. In our experiments, SEPAL successfully identifies 7,111 unregulated policy rules with a low false positive rate from 595,236 customized rules (extracted from 774 Android firmware images of 72 manufacturers). We further discover that the policy customization problem is getting worse in newer Android versions (e.g., around 8% for Android 7 and nearly 20% for Android 9), even though more and more effort is being made. We then conduct a deep study and discuss why the unregulated rules are introduced and how they can compromise user devices. Lastly, we reported some unregulated rules to seven vendors, and so far four of them have confirmed our findings.
SEPAL: Towards a Large-scale Analysis of SEAndroid Policy Customization