An Attack-Defense Model for the Binder on the Android Kernel Level

  • Majid Salehi, Sharif University of Technology, Tehran, Iran
  • Mohammad Hesam Tadayon, Iran Telecommunication Research Center (ITRC), Tehran, Iran
  • Farid Daryabar, Iran Telecommunication Research Center (ITRC), Tehran, Iran
Keywords: smartphone security, android security, android penetration testing, binder component, kernel level attack

Abstract

In this paper, we seek vulnerabilities in, and conduct possible attacks on, the crucial parts of the Android OS architecture, namely the framework and the Android kernel layers. To that end, we first explain the Binder component of Android from a security point of view. We then demonstrate how to penetrate the Binder and take control of the data exchange mechanism in Android by proposing a kernel-level attack model based on the hooking method. In addition, we provide a method for detecting these kinds of attacks at the Android framework and kernel layers. By implementing the attack model, we show that Android processes are observable and that data can be extracted from any process and from system calls. Conversely, by applying our proposed detection method, the possibility of using this attack approach in applications installed on Android smartphones is sharply decreased.

Author Biographies

Majid Salehi, Sharif University of Technology Tehran, Iran

Majid Salehi received his B.Sc. degree in computer engineering from Isfahan University, Isfahan, Iran in 2010, and his M.Sc. degree in computer engineering from Sharif University of Technology, Tehran, Iran in 2016. He is currently a researcher with the DNS Laboratory at Sharif University of Technology. His research interests include Malware detection, OS security, and information forensics.

Mohammad Hesam Tadayon, Iran Telecommunication Research Center (ITRC) Tehran, Iran

Mohammad Hesam Tadayon received his M.Sc. degree in mathematics from the University of Tarbiat Modares, Tehran, Iran, in 1997, and his Ph.D. degree in applied mathematics (coding and cryptography) from the University of Tarbiat Moallem of Tehran (Kharazmi), Tehran, Iran, in 2008. He has held an Assistant Professor position with the Iran Telecommunication Research Center (ITRC) since 2008. He is a member of national councils in the Iranian Ministry of Science and Technology and has served in many research and industrial projects. His research interests include information theory, error-control coding, and data security.

Farid Daryabar, Iran Telecommunication Research Center (ITRC) Tehran, Iran

Farid Daryabar is a cybersecurity researcher and developer with the Iran Telecommunication Research Center. He graduated from Universiti Putra Malaysia with a Master of Science (Cybersecurity/Forensics). He has (co)authored several publications in the cybersecurity area. Farid has been awarded a silver and two bronze medals in R&D Invention/Innovation (PRPI12 and MTE13), and holds the CEH and CHFI certifications.

Published
2017-06-30
How to Cite
Salehi, M., Tadayon, M. H., & Daryabar, F. (2017, June 30). An Attack-Defense Model for the Binder on the Android Kernel Level. International Journal of Information & Communication Technology Research, 9(2), 11-17. Retrieved from http://journal.itrc.ac.ir/index.php/ijictr/article/view/2
Section
Information Technology