VSPMiner: Detecting Security Hazards in SEAndroid Vendor Customizations via Large-Scale Supervised Machine Learning

Presented at Black Hat Asia 2018, March 23, 2018, 10:15 a.m. (60 minutes)

Starting from Android 4.3, Android employs SEAndroid (SELinux on Android) to enforce mandatory access control (MAC) over all processes, and so can strengthen Android security by confining privileged processes. However, the effectiveness of SEAndroid enforcement depends on the policies it is given.

Unfortunately, policy development is error prone and requires lengthy refinement using audit logs from deployed systems. So, in practice, policy engineers always craft over-permissive rules, which significantly increase the attack surface and have even led to real-world privilege escalation attacks.

In this talk, we present a new policy analysis tool, VSPMiner, to detect vulnerable SEAndroid policies in the wild through supervised machine learning. In particular, we construct the training set via differential analysis and optimize VSPMiner's classification by combining several basic classifiers, i.e., GBDT, XGBoost and random forests. Cross validation on the training set shows that VSPMiner is very promising: the mean F1-score and the mean AUC are above 0.98 and 0.99 respectively.

We evaluate VSPMiner on the policy rules of more than 2,000 images with distinct (brand, model, Android version) tuples, covering the 22 most popular vendors. As a result, we find as many as 132,702 "vulnerable" policy rules, among which 2,832 problematic access patterns (object, permission) are revealed for the first time. Beyond exposing new attack surfaces, we also demonstrate how the vulnerable policy rules can be abused to facilitate Android rooting.
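To make the two ingredients above concrete, the differential analysis that seeds the training set and the (object, permission) access patterns the abstract counts, here is an added example that is not VSPMiner's code and not part of the talk. It parses allow rules written in SEAndroid `.te` syntax, expands them into one tuple per permission, diffs a vendor policy against a reference policy, extracts the access patterns the vendor policy introduces, and turns each rule into sparse features a GBDT/XGBoost/random-forest model could consume. The policies, the feature names and the weak labelling rule (a rule is labelled 1 when it grants an access pattern the reference policy never grants) are assumptions of the example, not the talk's methodology.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample policies in SEAndroid allow-rule syntax. They are
# illustrations for this example only, not rules from AOSP or any vendor image.
REFERENCE_POLICY = """
allow untrusted_app app_data_file:file { read write getattr open };
allow system_server system_data_file:dir { read search };
allow init kmsg_device:chr_file { write open };
"""

VENDOR_POLICY = """
allow untrusted_app app_data_file:file { read write getattr open };
allow system_server system_data_file:dir { read search };
allow init kmsg_device:chr_file { write open };
# constructed vendor additions
allow untrusted_app system_data_file:dir { read write search };
allow vendor_app kmem_device:chr_file { read write open };
allow vendor_app vendor_data_file:file read;
"""

# Matches `allow <source> <target>:<class> { perm ... };` or a single bare permission.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[A-Za-z_]+))\s*;",
    re.MULTILINE,
)

Rule = Tuple[str, str, str, str]   # (source, target, class, permission)
AccessPattern = Tuple[str, str]    # (object, permission) with object = "target:class"


def parse_allow_rules(policy_text: str) -> Set[Rule]:
    """Expand every allow statement into one tuple per granted permission."""
    rules: Set[Rule] = set()
    for m in ALLOW_RE.finditer(policy_text):
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        for perm in perms:
            rules.add((m.group("src"), m.group("tgt"), m.group("cls"), perm))
    return rules


def access_pattern(rule: Rule) -> AccessPattern:
    _, tgt, cls, perm = rule
    return (f"{tgt}:{cls}", perm)


def vendor_only_rules(vendor: Set[Rule], reference: Set[Rule]) -> Set[Rule]:
    """Differential analysis: rules the vendor added on top of the reference policy."""
    return vendor - reference


def new_access_patterns(vendor: Set[Rule], reference: Set[Rule]) -> Set[AccessPattern]:
    """(object, permission) pairs that no rule in the reference policy grants to any domain."""
    known = {access_pattern(r) for r in reference}
    return {access_pattern(r) for r in vendor_only_rules(vendor, reference)} - known


def featurize(rule: Rule) -> Dict[str, int]:
    """Sparse one-hot features for a tree-based classifier (feature names are this
    example's own choice, not VSPMiner's)."""
    src, tgt, cls, perm = rule
    return {f"src={src}": 1, f"tgt={tgt}": 1, f"cls={cls}": 1, f"perm={perm}": 1,
            f"obj={tgt}:{cls}|perm={perm}": 1}


def build_training_set(vendor: Set[Rule], reference: Set[Rule]) -> List[Tuple[Dict[str, int], int]]:
    """Weakly labelled rows: label 1 if the rule grants an access pattern unknown to
    the reference policy, else 0. The labelling heuristic is an assumption here."""
    novel = new_access_patterns(vendor, reference)
    return [(featurize(r), int(access_pattern(r) in novel)) for r in sorted(vendor)]


if __name__ == "__main__":
    ref = parse_allow_rules(REFERENCE_POLICY)
    ven = parse_allow_rules(VENDOR_POLICY)
    print(f"reference rules: {len(ref)}, vendor rules: {len(ven)}, "
          f"vendor-only: {len(vendor_only_rules(ven, ref))}")
    for obj, perm in sorted(new_access_patterns(ven, ref)):
        print(f"new access pattern: object={obj} permission={perm}")
```

Each `allow` statement is expanded per permission so that the diff and the access-pattern set operate on the same granularity the abstract counts; on real images the reference would be the AOSP policy for the matching Android version, and the labels would come from the talk's differential analysis rather than this heuristic.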

Presenters:

  • Yi Zhang - Senior Engineer, Pandora Lab of Ali Security, Alibaba Group
    Yi Zhang obtained his master's degree in software engineering from South China University of Technology in 2014. After graduation, he joined Alibaba as a senior engineer in the Pandora Lab of Ali Security. He has a deep understanding of Android, and he currently focuses on designing the architecture of, and developing, mobile security products.
  • Yang Song - Senior Security Specialist, Pandora Lab of Ali Security, Alibaba Group
    Yang Song received his Ph.D. degree in Computer Science from the University of Chinese Academy of Sciences. He is a security researcher in the Pandora Lab of Ali Security, focusing on mobile vulnerability hunting and exploitation, and he has reported several vulnerabilities in Android.
  • Xiangyu Liu - Security Engineer, Alibaba Inc.
    Xiangyu Liu is a senior security engineer at Alibaba Security. He received his Ph.D. degree in information engineering from the Chinese University of Hong Kong in 2016. His current research focuses on applying AI techniques to problems in cyber security, and he is also very interested in mobile security. He has published several top-tier papers at both academic and industry conferences, including IEEE S&P, ACM CCS and DEF CON.
