QRCloud: Android Vulnerability Query and Push Services Based on QR Code in Cloud Computing

Transcription

1 Journal of Computational Information Systems 11: 11 (2015) Available at QRCloud: Android Vulnerability Query and Push Services Based on QR Code in Cloud Computing Jingzheng WU 1,2,, Yanjun WU 1,2, Mutian YANG 1, Zhifei WU 1, Tianyue LUO 1, Yongji WANG 1,2 1 Institute of Software, Chinese Academy of Sciences, Beijing , China 2 State Key Laboratory of Computer Sciences, Beijing , China Abstract The highest market share makes Android a target for attacking by exploiting vulnerabilities. However, because of the complexity and specialization of the vulnerabilities, only a few users can relate them to their phones. In this paper, we propose QRCloud, which is a private cloud providing Android vulnerability query and push services based on QR code. We first construct an Android vulnerability database by referring the public repositories and vulnerability detection, and automatically generate a QR code for each item. And then, an Android application is developed and scans the QR code to query whether the phone is injured. On the other hand, the identical information of the Android phone is sent to the cloud, and the vulnerabilities tips are pushed back to the application. Finally, the vulnerabilities are fixed following the patches, update suggestion or further URLs packed in the pushed tips. The experiment shows that it is convenient for users to query Android vulnerabilities and get pushed information. It is also believed that after small extension, other smartphone operating systems will be serviced in the cloud. Keywords: Android Vulnerability; Cloud Computing; QR Code; Query; Push 1 Introduction Android is the most successful operating system, which is being widely used in daily life, working, learning, communicating, and amusing. However, the highest market share makes Android system a target for secure attacking by exploiting vulnerabilities [1, 2]. Android vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that can be exploited by one or more threats. The ultimate purposes of the exploits are user privacy, sniffing, denial of service, and overbilling. Android vulnerabilities can be found in the public repositories, and they fall into one of a set of categories: buffer overflows, unvalidated input, race conditions, access-control problems, Project supported by the National Nature Science Foundation of China (No and No ). Corresponding author. address: jingzheng08@iscas.ac.cn (Jingzheng WU) / Copyright 2015 Binary Information Press DOI: /jcis14033 June 1, 2015

2 3876 J. Wu et al. /Journal of Computational Information Systems 11: 11 (2015) weaknesses in authentication, authorization, or cryptographic practices, etc. Unfortunately, only a few users can relate the vulnerabilities to their own smartphones because of the complexity and specialization. In this paper, we build a private cloud, which provides Android vulnerability query and push services based on QR code (Quick Response Code). The distinguished contributions made in this paper are as follows: Complete Vulnerabilities. The sources of Android vulnerabilities database in QRCloud are from both the public repositories and the detected results, and each item includes the properties of patches, update suggestion and detail descriptions. Query and push services. Whether an Android phone is injured can be queried by scanning the QR code of the vulnerability, and the relative vulnerabilities can be pushed back to the phone as customized service. Scalability. The vulnerability storage, the query and push processes are executed in cloud, where the computing resources can be realtime rescheduled as needed. 2 Background Android is an operating system designed for smartphones providing execution environment for mobile applications. Android consists of Linux kernel, native libraries, Android runtime, application framework and applications. The customized embedded Linux system drives the phone hardwares, and the native libraries provide APIs for application framework. Each application is executed within a sandbox environment implemented as Dalvik Virtual Machine [3]. The basic security policies of Android are permission and sanbox model, but the incorrect permission and privilege may cause potential vulnerabilities and privacy leaks [2, 4]. PScout is designed to extract the permission specification from the Android source code using static analysis and determine whether it is redundant [5]. Stowaway is a tool to detects over privilege in applications by mapping the called API to permissions [6]. DroidChecker searches capabilities transitive vulnerability by using control flow graph searching and static taint checking to detect exploitable data paths in an Android application [7]. 2.1 Vulnerabilities of Android Although the sandbox provides separating mechanism between applications, Android is not immune to the attacks caused by vulnerabilities. Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that can be exploited by one or more threats. These exploits will result in a security breach or violation of the system s security policy causing information leakage or economic losses. Android system is as vulnerable as traditional computers to virus, worm, Trojan, rootkits, and botnet. Some of the vulnerabilities are exploited as malwares to collect confidential data stealthily, send a large number of malicious SMS, deny of application services, and deny of network services. Until Dec , 272 vulnerabilities have been presented in NVD (National Vulnerability Database). The vulnerability numbers are 2, 10, 20, 60, 180 posted during the year , which obviously increase year by year [8].

3 J. Wu et al. /Journal of Computational Information Systems 11: 11 (2015) Vulnerability detection Most of the prior works on Android vulnerability detection have focused on the application layer detection using static and dynamic methods [9, 10]. For example, CHEX is a static analysis method to automatically vet Android applications for component hijacking vulnerabilities [11]. CHEX analyzes the applications and detects possible hijack-enabling flows by conducting reachability tests on system dependence graphs modeled from a data-flow analysis perspective of the vulnerabilities. CHEX found 254 potential component hijacking vulnerabilities from 5,486 real Android application. RiskRanker is a proactive scheme to spot zero-day Android malware by assessing potential security risks and analyzeing whether a particular application exhibits dangerous behavior [12]. Although many static analysis and dynamic analysis methods have been presented, vulnerability detection is always a difficult task. Static analysis is to detect vulnerabilities in computer software by evaluating its source code without actually executing it [13, 14]. Some static analysis methods have been implemented as automated tools such as Flawfinder [15], ITS4 [16], Checkmarx, etc., which can detect different vulnerability categories including buffer overflow, cross-site scripting and SQL injection. However, static analysis tools produce numerous false positives meaning the reported vulnerabilities not really exist. To identify the real vulnerabilities, the output results should be audited manually, which is time consuming and knowledge intensive. Unlike static analysis, dynamic analysis detects vulnerabilities by observing the executing behavior of the computer softwares [17]. When the tested program is running under certain configuration and environment, some code slices of the program cannot be covered. So, dynamic analysis is susceptible to false negatives meaning some real vulnerabilities are missed in detection. The output results are low false positive, and they are potential vulnerabilities that should be taken further analysis. It is believed that static and dynamic analysis complement each other s disadvantages. If the static results are tested by dynamic analysis, some vulnerabilities may appear in running. But, a single execution may not trigger the appearance because of the inadequate coverage. The ideal scheme is enlarge the test cases for a certain potential code slice, and runs all the cases to trigger the vulnerabilities. 3 Design of QRCloud QRCloud is a cloud computing based architecture designed to service vulnerability query and push. Its design is to deal with the following challenges: complete vulnerability database, customized services and scalability. 3.1 Overview of QRCloud Fig. 1 shows the overview of QRCloud, which includes two parts: the Android vulnerability database in cloud and the Android application in smartphone. In the cloud part, QRCloud first initializes the database by referring the public data from the NVD (National Vulnerability Database) [18], CVE (Common Vulnerabilities and Exposures),

4 3878 J. Wu et al. /Journal of Computational Information Systems 11: 11 (2015) Fig. 1: High-level overview of QRCloud CNNVD (China National Vulnerability Database of Information Security). And then, the Android system is statically, dynamically and fuzzing analyzed, and the detected results are added to the database after determining. In the smartphone part, the QRCloud application scans a QR code of a vulnerability, which tells the phone is whether injured or not. If an Android phone has registered in QRCloud, the relative vulnerabilities information will be pushed back to it timely. Then, the users browse the detail pushed information, and decide to adopt the recommend schemes to fix the vulnerabilities. 3.2 Android vulnerability database in QRCloud Each vulnerability collected from the public repositories includes the properties: name, number, description, threat level, type, infected version, patch info, detail URL, fix methods, etc. On the other hand, vulnerability detection methods have been adopted in QRCloud. For example, static analysis tools such as Flawfinder, ITS4, RATS, Checkmarx, Canalyze are used to detect buffer overflow, cross-site scripting and SQL injection. Dynamic analysis tools such as Kmemcheck, Kmemleak, Valgrind are used to realtime monitor execution and catch the exceptions and crashes. Fuzzing is also used to automatically test invalid, unexpected, or random cases as application input to detect the vulnerabilities. When all these vulnerabilities have been stored in database, QR code is generated for each item and displayed on web page. QR code is a type of matrix barcode, and the maximum storage characters of Alphanumeric is 4,296. Because of the space limit only the vulnerability name, infected version, patch info, detail URL and fix method URL are encoded into the QR code as follows, QR vul = encode(φnameφverionφpatchφdetailφfixφ). where the final vulnerability QR code QR vul is expressed as a two-dimensional digital image.

5 J. Wu et al. /Journal of Computational Information Systems 11: 11 (2015) Query service in QRCloud The QRCloud application scans a QR code displayed on the web page, and decodes the QR code to get the vulnerability information. And then, the information is matched with the Android system and all the applications to determine whether the Android is injured, expressed as res = match(decode(qr vul ), (system, app)). If res is true, the detail information and the fix methods are recommended to the users. 3.4 Push service in QRCloud To get customized service, information of Android system and the applications is collected and sent to QRCloud, id = [φnameϕhash(version)ϕhash(patch)] +. where hash() hashes version and patch, and the final id consists of one or more hashed applications. If the system changes, the id will be recomputed and sent again timely. The QRCloud stores id for each customer, and matches it in cloud. If a vulnerability is matched, the corresponding information will be pushed to the customer. When a new vulnerability is added, the match process executes again. 4 Implementation and Evaluation The prototype of QRCloud is implemented in servers with 2 physical Intel Xeon X Hz CPU, 16GB main memory and 320GB hard disk, and the resources are dynamically rescheduled as needed. 290 Android vulnerabilities collected from NVD are stored in QRCloud as shown in Table 1, and more types will be stored to support other systems [8]. QRCloud application have also been implemented in Android system. Fig. 2(a) shows the query result of a vulnerability, where the details information is displayed. Fig. 2(b) shows the QRCloud push service, where the vulnerable applications are identified. Fig. 2(c) shows the recommended information for a certain vulnerability, which includes a list of URL. Following the URLs, the vulnerability can be fixed. 5 Conclusion In this paper, QRCloud is proposed as a a private cloud providing Android vulnerability query and push services based on QR code. The QRCloud application is developed to query and get pushed information by referring the Android vulnerability database. It is convenient for users to determine their Android phone whether injured and fix the vulnerabilities. The computing resources can be realtime rescheduled in QRCloud, and it will server other smartphone operating systems after small extension.

6 3880 J. Wu et al. /Journal of Computational Information Systems 11: 11 (2015) Table 1: Top-10 categories of Android vulnerabilities Vulnerability Types Number 1 Buffer Errors 79 2 Insufficient Information 66 3 Permissions, Privileges, and Access Control 38 4 Information Leak / Disclosure 23 5 Input Validation 21 6 Numeric Errors 17 7 Cross-Site Scripting 6 8 Code Injection 6 9 Cryptographic Issues 4 10 Resource Management Errors 3 (a) Query (b) Push (c) Recommend Fig. 2: Query and push services in cloud computing Acknowledgements This work is supported by the National Natural Science Foundation of China No , No , and the National Science and Technology Major Project No. 2012ZX References [1] W. Z. X. J. Yajin Zhou, Zhi Wang, Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets, in NDSS, [2] M. Grace, Y. Zhou, Z. Wang, and X. Jiang, Systematic detection of capability leaks in stock

7 J. Wu et al. /Journal of Computational Information Systems 11: 11 (2015) android smartphones, in Proceedings of the 19th Annual Symposium on Network and Distributed System Security, [3] A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev, and C. Glezer, Google android: A comprehensive security assessment, Security Privacy, IEEE, vol. 8, no. 2, pp , march-april [4] C. Mann and A. Starostin, A framework for static detection of privacy leaks in android applications, in Proceedings of the 27th Annual ACM Symposium on Applied Computing, ser. SAC 12. ACM, 2012, pp [5] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie, Pscout: analyzing the android permission specification, in Proceedings of the 2012 ACM conference on Computer and communications security, ser. CCS 12. New York, NY, USA: ACM, 2012, pp [6] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, Android permissions demystified, in Proceedings of the 18th ACM conference on Computer and communications security, ser. CCS 11. New York, NY, USA: ACM, 2011, pp [7] P. P. Chan, L. C. Hui, and S. M. Yiu, Droidchecker: analyzing android applications for capability leak, in Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, ser. WISEC 12. New York, NY, USA: ACM, 2012, pp [8] R. Scandariato and J. Walden, Predicting vulnerable classes in an android application, in Proceedings of the 4th international workshop on Security measurements and metrics, ser. MetriSec 12. ACM, 2012, pp [9] M. La Polla, F. Martinelli, and D. Sgandurra, A survey on security for mobile devices, Communications Surveys Tutorials, IEEE, vol. PP, no. 99, pp. 1 26, [10] T.-E. Wei, C.-H. Mao, A. B. Jeng, H.-M. Lee, H.-T. Wang, and D.-J. Wu, Android malware detection via a latent network behavior analysis, in TrustCom, 2012, pp [11] L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang, Chex: statically vetting android apps for component hijacking vulnerabilities, in Proceedings of the 2012 ACM conference on Computer and communications security, ser. CCS 12. ACM, 2012, pp [12] M. C. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang, Riskranker: scalable and accurate zero-day android malware detection, in MobiSys, 2012, pp [13] J. Walden and M. Doyle, Savi: Static-analysis vulnerability indicator, Security Privacy, IEEE, vol. 10, no. 3, pp , may-june [14] J. Wu, L. Ding, Y. Wang, and W. Han, Identification and evaluation of sharing memory covert timing channel in Xen virtual machines, in IEEE CLOUD, Washington DC, USA, 2011, pp [15] C. Cowan, Software security for open-source systems, Security Privacy, IEEE, vol. 1, no. 1, pp , jan.-feb [16] J. Viega, J. Bloch, Y. Kohno, and G. McGraw, Its4: a static vulnerability scanner for c and c++ code, in Computer Security Applications, ACSAC th Annual Conference, dec 2000, pp [17] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones, in Proceedings of the 9th USENIX conference on Operating systems design and implementation, ser. OSDI 10. Berkeley, CA, USA: USENIX Association, 2010, pp [18] National Vulnerability Database, 2013,