Understanding and Improving Security of the Android Operating System
Syracuse University
SURFACE
Dissertations - ALL
SURFACE
December 2016

Understanding and Improving Security of the Android Operating System
Edward Paul Ratazzi
Syracuse University

Follow this and additional works at: https://surface.syr.edu/etd
Part of the Engineering Commons

Recommended Citation
Ratazzi, Edward Paul, "Understanding and Improving Security of the Android Operating System" (2016). Dissertations - ALL. 592. https://surface.syr.edu/etd/592

This Dissertation is brought to you for free and open access by the SURFACE at SURFACE. It has been accepted for inclusion in Dissertations - ALL by an authorized administrator of SURFACE. For more information, please contact [email protected].

ABSTRACT

Successful realization of practical computer security improvements requires an understanding and insight into the system’s security architecture, combined with a consideration of end-users’ needs as well as the system’s design tenets. In the case of Android, a system with an open, modular architecture that emphasizes usability and performance, acquiring this knowledge and insight can be particularly challenging for several reasons. In spite of Android’s open source philosophy, the system is extremely large and complex, documentation and reference materials are scarce, and the codebase is rapidly evolving with new features and fixes. To make matters worse, the vast majority of Android devices in use do not run the open source code, but rather proprietary versions that have been heavily customized by vendors for product differentiation.
Proposing security improvements or making customizations without sufficient insight into the system typically leads to less-practical, less-efficient, or even vulnerable results. Point solutions to specific problems risk leaving other similar problems in the distributed security architecture unsolved. Far-reaching general-purpose approaches may further complicate an already complex system, and force end-users to endure significant performance and usability degradations regardless of their specific security and privacy needs. In the case of vendor customization, uninformed changes can introduce access control inconsistencies and new vulnerabilities. Hence, the lack of methodologies and resources available for gaining insight about Android security is hindering the development of practical security solutions, sound vendor customizations, and end-user awareness of the proprietary devices they are using.

Addressing this deficiency is the subject of this dissertation. New approaches for analyzing, evaluating and understanding Android access controls are introduced and used to create an interactive database for use by security researchers as well as system designers and end-user product evaluators. Case studies using the new techniques are described, with results uncovering problems in Android’s multiuser framework and vendor-customized System Services. Finally, the new insights are used to develop and implement a novel virtualization-based security architecture that protects sensitive resources while preserving Android’s open architecture and expected levels of performance and usability.

UNDERSTANDING AND IMPROVING SECURITY OF THE ANDROID OPERATING SYSTEM
by
Edward Paul Ratazzi
B.S., Rensselaer Polytechnic Institute, 1987
M.S., Syracuse University, 1992
M.S., Rensselaer Polytechnic Institute, 2006

DISSERTATION
Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical & Computer Engineering

Syracuse University
December 2016

This is a work of the U.S. Government and is not subject to copyright protection in the United States. Foreign copyrights may apply.
DISCLAIMER

The views expressed in this dissertation are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government.

Dedicated to my grandfather, Edward Ratazzi, Sr.
Dedicated to my grandpop, Henry Paul, Jr.

Acknowledgments

My deepest gratitude goes to those around me who made completing this dissertation possible.

First, to my advisor, Prof. Wenliang Du. Even though I met you with a career’s worth of experience already behind me, your insights about conducting research, distilling problems and critical thinking have changed my professional life. I will consider myself a great success if I can pass along to others even a fraction of what I learned from you. I am especially thankful for your patience, approachability, friendly style, and understanding of my outside commitments to work and family.

To my defense committee, Prof. Joon Park, Prof. Shiu-Kai Chin, Prof. Jian Tang, Prof. Yuzhe Tang, and Prof. Heng Yin, for taking time out of your busy schedules to read this dissertation, provide valuable feedback and serve on my committee.

To the Information Directorate of the Air Force Research Laboratory for its commitment to career-long learning and professional development. To my past and present colleagues there, including Dr. Warren Debany, Jr., Dr. Kamal Jabbour, Dr. Davy Belk, Joe Camera, Lt. Col. David Bibighaus, Dr. Dan Pease, and Dr. Lok Yan. You supported and guided my return to graduate school, and provided much-needed encouragement along the way. I am particularly indebted to my supervisor and friend, Jim Perretta. For the last four years you have sheltered me from many day-to-day distractions so that I could focus on conducting and documenting my in-house research. Now that I am done, I hope to rise to the new challenges and opportunities your leadership brings to me.
To the current and former students of the Computer Security Research Group at Syracuse, especially Amit Ahlawat, Francis Akowuah, Ashok Bommisetti, Nian Ji, Dr. Yousra Aafer, Dr. Xiao Zhang, Jiaming Liu, Kailiang Ying, Yifei Wang, Hao Hao, Haichao Zhang, and Lusha Wang. I am in awe of your technical skills and grateful for the countless hours of discussions we’ve had, both in group meetings and one-on-one. I wish you all the best and hope we can collaborate again in the future.

To everyone at the Griffiss Institute, especially Bill Wolf, Regan Johnson, Tracy DiMeo, Dr. Josh White, and Jim Hanna. You provided a comfortable, quiet and well-connected environment in which to study, research, collaborate, and write. Without your support, completing this dissertation would have been tremendously more difficult and lengthy.

To my parents, Randa and Ed Ratazzi. By example, you taught me the value of education, the need for perseverance, and the importance of optimism, all ingredients I found to be essential for completing my studies.

Finally and most importantly, to my wife Shirley and children Emily and Nicholas. You encouraged me when things were tough, cheered my successes, and made countless sacrifices along the way. Your love and confidence are the cornerstone of this and all other accomplishments of mine.

Syracuse, New York
December 2016

Contents

Abstract
List of Figures
List of Tables
1 Introduction
  1.1 Security enhancements proposed by the scientific literature
  1.2 Security enhancements available to end-users
  1.3 Thesis and Contributions
  1.4 Dissertation organization
2 Background
  2.1 Uniqueness of Mobile Devices
  2.2 Tutorial on Android Security
    2.2.1 Development
    2.2.2 Download
    2.2.3 Installation
    2.2.4 Run-time
    2.2.5 Removal
3 Android Access Control Evaluation Methodology
  3.1 Introduction
    3.1.1 Threat Model