Mobile Netw Appl
DOI 10.1007/s11036-013-0482-7
Quantifying and Classifying Covert Communications on Android
Raquel Hill · Michael Hann · Veer Singh
© Springer Science+Business Media New York 2013
Abstract By exploiting known covert channels, Android applications today are able to bypass the built-in permission system and share data in a potentially untraceable manner. The channels have sufficient bandwidth to transmit sensitive information, such as GPS locations, in real-time to collaborating applications with Internet access. In this paper, we extend previous work involving an application layer covert communications detector. We measure the stability of the volume and vibration channels on the Android emulator, HTC G1, and Motorola Droid. In addition, we quantify the effect that our detector has on channel capacities for stealthy malicious applications using a theoretical model. Lastly, we introduce a new classification of covert and overt communication for the Android platform.
Keywords Covert communication · Android smartphones · Security

R. Hill (✉) · M. Hann · V. Singh
Indiana University, Bloomington, US
e-mail: ralhill@indiana.edu

1 Introduction

Android-based smartphones are ubiquitous today, making them a salient target for malware authors. Through the Google Play store, users can download and install applications from developers around the world. Despite having a strong built-in permissions system, malicious applications on Android can use covert channels to share data in a potentially untraceable manner. Covert channels use system events to conceal the transfer of data between processes [14, 15]. The channels are easy to exploit, and may allow malicious applications to transmit sensitive information (e.g., credit card numbers, social-security numbers, GPS coordinates, etc.). As shown in previous work [12], the vibration and volume channels alone are able to sustain transfer rates of at least 80-100 bits per second with virtually no data loss. While not enough to transfer videos or photos, the bandwidths are sufficient for streaming GPS coordinates (64 bits per coordinate) or browsing history URLs (hundreds of bits per URL) in real-time to a malicious collaborator. If the collaborator has Internet access, this sensitive information can then be sent to a server, even in the presence of smartphone security systems like Kirin [10] and TaintDroid [9].
Schlegel et al. [19] developed an Android application that extracts credit card information from the tones that are emitted by a phone dialer, and they demonstrated that the credit card data could be sent via covert channels. In prior work, we designed and implemented an application-layer covert communications detector for Android smartphones that detected Schlegel's application and any application that used volume, vibration and wakelock settings [12]. Our detector used a simple thresholding algorithm to determine when system settings are being changed in an anomalous manner. Our limiting assumption for the detector is that the OS is not compromised and that it properly reports all changes to system settings.
Since our detector resides at the application layer, it is able to detect and disrupt covert communications, but unable to prevent malicious applications from trying to establish covert channels. Therefore, the goal of this paper is to determine how our detector can be used to reduce the capacity of a channel, thereby making it less attractive for transferring data. To this end, in this paper, we define a theoretical model that allows us to change the parameters of our thresholding algorithm and quantify how the changes affect channel capacity. We also introduce a software stack-based classification of covert and overt channels for the Android platform. This categorization denotes where in the software stack an efficient detection mechanism would need to reside (e.g., application layer, OS kernel, virtual machine). Finally, we measure the stability of the vibration and volume channels across several platforms, and demonstrate the effects of background noise on channel capacity.

Fig. 1 Using a covert channel, applications can subvert the reference monitor and communicate regardless of permissions
2 Background and related work

2.1 Android operating system
The Android OS was designed to address the problems of traditional malware. First, processes run within their virtual machine environment, thereby limiting how they may impact other applications. Inter-application communication is achieved through an intermediary component known as the reference monitor. Applications must explicitly request permission from the user at install time to access each dangerous component.¹ Process isolation and permissions alone do not prevent malicious applications from using covert channels to bypass the reference monitor (Fig. 1).
Users should carefully consider an application's permission requests to avoid obvious malware, such as a "game" that wants to record audio from the microphone during phone calls as well as access the Internet. Ongtang et al. have developed a security system on top of Android that automatically identifies dangerous permission combinations, allowing for the pre-installation blocking of potentially malicious software [18].
As an example of two colluding applications, consider a calendar that requests access to your phone's contacts and an online newspaper reader that requests access to the Internet. Individually, it makes perfect sense to grant the permissions. If the two applications are malicious, however, they could collude and transfer the names, phone numbers, and e-mail addresses of everyone in your contacts list out to a malware server. If this communication were done overtly through a content provider, the file system, or some other inter-process communication (IPC) mechanism, it would be possible to use preventative measures and block the transmission of this sensitive information. No such measures exist for covert channels, which by definition are unintended methods of communication. Using our thresholding algorithm (see Section 4.1), we can limit the transmission rate of easily exploitable covert channels, making them an impractical target for stealthy malware that requires transmission rates above a few bits per second.

¹ For more details on Android security, see Enck et al. [10].
2.2 Related work
Covert channels have been classified historically as either storage or timing channels. Timing channels require synchronization with a shared clock, while storage channels do not. A new method for classifying covert channels is presented by Wang and Lee [21]. They show that a covert channel may exist if a sender is either able to invoke a change that is visible by the receiver or change an object based on whether the receiver has observed the object. The four classes of covert channels they present are value-based spatial and temporal channels, and transition-based spatial and temporal channels. Value-based spatial channels and transition-based temporal channels are similar to the storage and timing channels described by Lampson [16]. The transition-based spatial channel demonstrates that a covert storage channel can be created without the sender having the ability to control the value of the object. With value-based temporal channels, the sender predicts or learns the value of an object, and is able to control when the receiver reads the object.
Holloway and Beyah introduce a new medium for a covert timing channel with a high level of accuracy and speed [13]. They use the IEEE 802.11 carrier sense multiple access and collision avoidance (CSMA/CA) mechanism to transmit data. CSMA/CA uses a random back-off to avoid multiple collisions, and Holloway and Beyah are able to modulate this back-off data. Both the sender and receiver maintain a pre-defined code-book which includes a code for each possible back-off time. Their method had 99% accuracy when the throughput was 5000 bps or less.
To prevent communication on traditional covert channels, Wray [22] uses "fuzzy time". This method introduces random variations into the visible timing of events, making precise measurement of event time impossible. A similar method could be applied in Android at the operating system level. This would make changes to system settings visible only after some random delay; imperceptible to the user, but destructive to malicious applications that rely on event timing. Gianvecchio and Wang [11] present an approach for detecting covert timing channels inside a network using entropy. They claim a change in the entropy of a process is key in determining that a covert timing channel has been created or exists. They show that their process is more effective than previous methods for detecting covert timing channels. We are interested in detecting covert storage channels on Android, since the channels are usually based on a system-wide setting and event (which do not depend on precise timing). However, entropy-based measures may be useful for future work in detecting unusual communication patterns over storage channels.
In prior work [12], we use event counting and thresholding to detect covert communications that use system settings to construct a channel. We define a set of sliding windows and compare the counts to their corresponding thresholds. A count value that exceeds its threshold indicates covert communication. See Sections 4.1 and 4.2 for a detailed description of the algorithm.
Ongtang et al. present Saint, a framework for run-time enforcement of security policies [18]. Saint mediates communication between an application and the Android reference monitor. This allows the application to add more specific requirements, such as being connected to a trusted Wi-Fi network. Such requirements must be met before another application can communicate with it or use its resources. This method would not prevent covert or overt communication between two malicious applications. Some of the concepts presented in the run-time enforcement policy, however, could be used in a covert channel detection scheme to determine the likelihood of covert communication between two applications (e.g., by considering the state of the phone).
Introduced by Enck et al., Kirin is an install-time policy system for blocking the installation of potentially malicious applications [10]. It provides a lightweight mechanism for certifying an application at install-time based on its requested permissions. This certification is done using a set of rules that are meant to detect questionable configurations of permissions which the user might otherwise overlook (e.g., microphone and Internet access). Kirin would not be effective, though, if two different applications with "normal" permissions decided to communicate covertly or overtly. As long as both applications had a permission set that was successfully certified by Kirin, nothing would prevent them from communicating and acting together as a single malicious program.
Enck et al. have also created an information-flow tracking system called TaintDroid that is capable of detecting sensitive information leaks [9]. By using "dynamic taint analysis", the authors are able to track sensitive data at the virtual machine instruction level. This approach would be very useful for ensuring that applications are not communicating sensitive information, even overtly (see Section 5). TaintDroid could serve as a foundation for a detector of language/runtime channels by tracking data as it flows through a content provider and out to other applications. Since TaintDroid does not propagate taint labels into native code, however, covert channels over system settings will remove the labels.² Even with native code label propagation, TaintDroid alone is not sufficient to detect covert channels due to the high chance of false positives from data sent over system-wide events.
Mulliner et al. observe that wireless devices, such as smartphones, combine many different wireless technologies like IEEE 802.11, cell networks, Bluetooth and GPS [17]. Since it is possible for the services to interact, an attacker can leverage their interaction for a special class of attacks that may end up costing the user money. They create a cross-service attack to demonstrate how this can be done, and demonstrate how to combat such exploits with a mechanism that labels processes and system resources. Labels are divided into 3 categories: interfaces, processes and resources. Whenever a process attempts to access an interface or use a resource, the existing policy is examined to determine if the interaction should be granted. In evaluating their approach they show that a process that creates a socket for Wi-Fi communication is unable to then establish a GSM connection, which is not allowed in the policy they use. They point out however that their approach fails in situations where two services may be in use at the same time (e.g., using a Bluetooth headset during a cellular call). Such an approach would not be helpful for us as it deals solely with what a single process can access. The approach will not affect how two processes interact.
XManDroid (eXtended Monitoring on Android) is a security framework developed by Bugiel et al. that extends the Android reference monitor to prevent privilege escalation attacks [5]. By analyzing the transitive permission usage of applications at runtime and applying system policies, XManDroid can detect attacks that use Android's ICC (inter-component communication) framework. However, many of the covert channels we describe are based on Android system settings. It would be very difficult to define a policy that successfully restricts malicious communication over the channels while allowing legitimate applications to monitor necessary settings.
Developed by Dietz et al., Quire is a provenance system for the Android OS that provides a mechanism for processes to verify data that was received [7]. Quire is able to provide authentication and verification for two untrusting applications to communicate, and also aids an application in defending against confused deputy attacks. This method provides a system that will primarily benefit application developers seeking to have verification of the information received from other applications. Such a system is not useful when two applications want to act together as a malicious entity.

² Many settings live in native code drivers, such as the media volume and vibration settings.
Several initiatives [1, 6, 8, 20] developed machine learning based intrusion detection schemes that profile how users interact with smartphones and use specific applications. The profiles are then used to either authenticate a user, limit access to the device and its applications, or detect malicious activity on the devices. In addition, other more generic intrusion detection schemes used dynamic and static code analysis techniques to detect malicious software at the OS and virtual machine layer [4, 23]. The latter schemes could be used to detect the presence of instructions that change system-wide settings in an abnormal manner.
Zhou et al. [24] provide a mechanism for the user to set a policy regarding sensitive information like call logs, contacts, etc. This policy is used to determine whether applications that have been given access to this data should be allowed to access the data. If the policy says no, then fake data may be sent to the requesting application. This work helps the problem of information leakage because it enables the user to restrict access to sensitive information. The work complements our detector scheme, but it doesn't address the problem of an application that has access and wants to share the data via a covert channel.
3 Covert channels on Android
A malicious Android application can create a covert channel by using a ContentObserver to listen for changes in a variety of system settings [2].³ Schlegel et al. used the vibration, volume, and wake-lock settings, as well as file locks to create covert channels on Android [19].
Of the three settings-based channels, vibration and volume do not require any explicit permission from the user at install time to exploit. Wake-lock requires an additional permission from the user (WAKE_LOCK), so we do not consider it to be as stealthy or severe as the other two channels. In addition, this channel depends on a latency in the electronics of the device, and therefore may become unusable on future hardware without this latency [19]. Regardless, our detection algorithm (Section 4.1) and proof-of-concept detector (Section 4.2) accurately identify covert communications on the vibration, volume and wake-lock channels. By using a ContentObserver that monitors all system settings, our prototype can be extended to detect and disrupt many other covert channels.

³ Our preliminary investigation found that virtually none of the settings were changed by popular applications in the Android Market. Thus, malicious applications would not have to worry about overcrowded channels.
The file-lock channel is the most severe in terms of bandwidth alone. Schlegel reported that more than 685 bits per second could be transmitted on a G1 phone. However, this channel requires that both colluding applications have access to external storage. By default, Android applications cannot access each other's files and are unable to modify external storage (e.g., the SD card) without prompting the user for permission at install time.⁴ Since the lock state of every file on the external storage device would need to be continuously monitored, detecting the use of the file-lock channel from outside the OS would not be practical or foolproof. While one possible solution is to use our simple event-counting algorithm inside the OS itself (see Section 4.1), we believe the danger presented by this channel is caused by the coarse nature of the current external storage permission (applications get read or write access to the entire file system). Indeed, applications from a wide variety of domains request write access to external storage [3], perhaps indicating the need to refine the permission by only granting access to specific directories. If colluding applications had to request write access to a particular set of files or a directory on external storage to covertly communicate via the file-lock channel, it could make the task of identifying them easier. Malware detectors could then flag applications from largely different domains that request access to the same external directory. The file-lock channel is difficult to detect outside of the Android OS, and we believe that much of its severity is due to the permission set being too coarse. Therefore, we do not consider the file-lock channel further in this paper.
The vibration and volume channels can be classified as either storage or timing channels depending on what we define as a "clock" [22]. Since it uses a system-wide notification event, we classify the vibration channel as storage. In contrast, no specific event exists for the volume channel, making it highly dependent on the system clock and thus a timing channel. This categorization has practical implications, since system noise from the user or other applications will impact storage and timing channels differently. For storage channels that are based on a notification event (vibration, wake-lock), data loss is possible only if a new event overwrites a previous one before the receiver has a chance to inspect it. Android does not appear to maintain event history, so data loss is always possible without additional synchronization (e.g., receiver acknowledgement over a secondary channel). Timing channels (like volume) are not only vulnerable to data loss from noise, but also race conditions where the sender and receiver get out of sync. As with storage channels, additional synchronization mechanisms can help mitigate the problems at the expense of channel bandwidth. A secondary channel may also be used, at the risk of making the application more vulnerable to detection.

⁴ Applications are currently able to mark their own files on internal storage as world readable/writable, which we see as a potential security hole.

Fig. 2 Vibration channel (left) and volume channel (right) receive time for all platforms and loads (L = 100 events). Standard error is reported for N = 10 trials

3.1 Channel evaluation
In previous work, we implemented a pair of applications called CovertSender and CovertReceiver to communicate a fixed-length message over the vibration and volume channels of an HTC G1, a Motorola Droid, and the Android emulator [12]. Figure 2 compares the performance of the vibration and volume channels. We tested the effect of noise on communication performance under the following conditions:

1. Idle – The device was idle during communication (CovertSender in foreground or background).
2. Video – We played a standard definition video (480x352, H.264, MPEG-4).
3. Download – We downloaded a large file (≈50 MB) over the phone's Wi-Fi connection.
Fig. 3 Settings screen for Android 2.3.3 vibration (left) and volume (right)
4 Managing covert channels

4.1 Threshold detection
Detecting covert communication requires categorizing the use of a channel as malicious or as expected within some margin of error. Once malicious use is detected, we must decide on an appropriate response, such as blocking or disrupting communication, alerting the user, or taking steps to unmask the malicious applications.
We use event counting and thresholding to detect covert communications that use the vibration, volume, wake-lock and any settings with similar structure. For vibration and volume settings changes, we maintain a history of events. Using a sliding window, we simply count the number of events within our window and compare this to a threshold (called the "burst" threshold b). A count value that is greater than or equal to b indicates covert communication. To detect applications that try to consistently communicate below b, we use a lower threshold s, called the "sustained" threshold. Each time the event count inside a window exceeds s, we mark the window as "bad" and report when a set number of consecutive time windows are bad. The two thresholds are meant to capture two kinds of malicious behavior: (b) a large burst of communication over a short period of time, and (s) sustained communication below b.
The vibration setting on Android phones, for example, is normally set by the user through the Settings application (Fig. 3). Changing this setting requires several steps on recent versions (e.g., Android 2.3.3). In our tests, it was virtually impossible to alter this setting more than three times a second on the Android emulator and the Motorola Droid. The volume setting could be changed at most 18 times per second via the Droid's external buttons, which is less than half the number of events that our test application was able to generate through software.
4.2 Detector implementation
Our detector application monitors the vibration and volume channels using the thresholding algorithm described above. On the main screen (Fig. 4), the user can set the threshold parameters for either channel independently as well as the combined vibration+volume channel (see details below). For testing purposes, the sliding time window is fixed at one second, although this could easily be exposed as a setting to the user.
The vibration channel detector is a BroadcastReceiver registered to listen for the appropriate event from the built-in AudioManager. The volume channel detector polls the STREAM_NOTIFICATION setting from the AudioManager continuously and counts an event whenever the setting changes. In addition to monitoring the individual channels, we sum the event counts of both channels and consider the combined vibration+volume channel as a separate channel with distinct parameters. This is done to prevent stealthy applications from splitting up communication over multiple independent channels, each kept below the burst and sustained thresholds.
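The burst and sustained rules of Section 4.1, together with the combined vibration+volume channel described here, as an added example written for this edit in Python; it is not the authors' Android detector. The event timestamps are constructed (integer milliseconds, so no floating-point boundary issues), and three details the page leaves open are assumptions: the burst rule uses a sliding w-second window, the sustained rule uses consecutive one-second windows, and a run of n bad windows is what triggers the sustained report. The thresholds b=5, s=2, n=3 are illustrative, not the paper's settings.

```python
from bisect import bisect_right

# Constructed sample input (not measurements from the paper): timestamps in
# milliseconds of settings-change events. A real detector would receive these from
# the OS (the vibration BroadcastReceiver, or the polled STREAM_NOTIFICATION value).
USER_EVENTS = [500, 3000, 7200]                       # a person toggling a setting by hand
BURST_EVENTS = [2000, 2100, 2200, 2300, 2400, 2500, 2600, 2700]   # sender at full rate
STEALTHY_EVENTS = [100, 300, 500, 700, 1100, 1300, 1500, 1700,
                   2100, 2300, 2500, 2700, 3100, 3300, 3500, 3700]  # 4 events/s, under b
SPLIT_CHANNELS = {"vibration": [100, 300, 500],       # traffic split across two channels
                  "volume": [200, 400, 600]}


def burst_alert(timestamps, b, w=1000):
    """Burst rule: alert as soon as any sliding w-ms window (t - w, t] holds at
    least b events. Returns the time of the event that trips it, or None."""
    ts = sorted(timestamps)
    for i, t in enumerate(ts):
        oldest = bisect_right(ts, t - w)   # index of the first event newer than t - w
        if i - oldest + 1 >= b:
            return t
    return None


def sustained_alert(timestamps, s, n, w=1000):
    """Sustained rule: consecutive windows [k*w, (k+1)*w); a window with more than
    s events is 'bad'; n consecutive bad windows raise an alert. Returns the index
    of the window that completes the bad run, or None."""
    if not timestamps:
        return None
    ts = sorted(timestamps)
    run = 0
    for k in range(ts[-1] // w + 1):
        count = sum(1 for t in ts if k * w <= t < (k + 1) * w)
        run = run + 1 if count > s else 0
        if run >= n:
            return k
    return None


def analyze(channels, b, s, n, w=1000, combined=None):
    """Apply both rules to each channel and to the merged stream of all channels.
    `combined` is an optional (b, s) pair for the merged channel, which the paper
    gives its own parameters; it defaults to the per-channel thresholds."""
    cb, cs = combined if combined else (b, s)
    report = {}
    for name, ts in channels.items():
        report[name] = (burst_alert(ts, b, w), sustained_alert(ts, s, n, w))
    merged = [t for ts in channels.values() for t in ts]
    report["combined"] = (burst_alert(merged, cb, w), sustained_alert(merged, cs, n, w))
    return report


def demo(b=5, s=2, n=3):
    """Run the constructed scenarios: normal use, a full-rate burst, a sender that
    stays under b in every window, and a sender that splits traffic across channels."""
    return {
        "user": analyze({"vibration": USER_EVENTS}, b, s, n),
        "burst": analyze({"vibration": BURST_EVENTS}, b, s, n),
        "stealthy": analyze({"volume": STEALTHY_EVENTS}, b, s, n),
        "split": analyze(SPLIT_CHANNELS, b, s, n),
    }


if __name__ == "__main__":
    for scenario, report in demo().items():
        print(scenario, report)
```

Each report entry is a pair (burst alert time, sustained alert window). The split scenario is the point of the combined channel: three events on vibration and three on volume never reach b=5 individually, but the merged stream reaches five events at t=500 ms and trips the burst rule; the stealthy scenario shows the sustained rule catching a sender that keeps every window at four events, below b but above s.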
We included two possible responses to covert communication:

– The "Alert" response posts a notification message for the user with the appropriate details, such as time of detection and channel name (Fig. 4). The names of all currently running processes on the system are recorded and stored in a database. Ideally, this list would be filtered to remove known system processes and compared to past lists in order to identify culprits.
– The "Inject Noise" response randomly changes the settings for the identified channel, attempting to disrupt communication.
To evaluate our approach, we used our detector application to monitor and expose covert communication between two proof-of-concept Sender and Receiver applications. The applications were designed to pass a test message from sender to receiver over a single covert channel as quickly as possible (i.e., using the maximum channel capacity).
We were able to detect covert communication between our proof-of-concept applications 100 percent of the time over the vibration and volume channels. There were no false positives because the applications send data in bursts that exceed the rate at which a real user would change the settings. Our detector was able to disrupt communication by purposely changing the setting values and injecting noise into the channel. In Section 3.1 we evaluated how noise from regular system use affects the robustness and throughput of the vibration and volume channels.
4.3 Theoretical model
When a covert application transmits at channel capacity, our prototype quickly detects the communication. In an actual malicious application whose author is trying to be stealthy, the application would limit its throughput to try and stay below the thresholds. We can model the average capacity of the channel from the perspective of a stealthy malicious application as follows.
Let w be the length of our detector's time window in seconds, and n be the number of past time windows that we will consider (including the current window). Let b be the burst threshold (number of events counted in w at which we alert), s be the sustained threshold (number of events counted in w at which we mark the current window as "bad"), and q be the number of bits that can be transmitted per event (1.6 for the
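The paper's own capacity expression does not survive on this page beyond the definitions above. The following Python is an added example, the editor's derivation under those definitions and not the authors' model, of how a defender can estimate what the thresholds leave to a sender that never trips either rule. It assumes one specific sender strategy: n - 1 windows at b - 1 events (just under the burst threshold), then one window at s events so the run of "bad" windows resets before it reaches n; under that assumption the average rate is ((n-1)(b-1) + s) · q / (n · w) bits per second. The value q = 1.6 bits per event is the figure the page quotes before the text breaks off; the other parameter values are illustrative.

```python
def stealthy_schedule(b, s, n):
    """Events per window over one period of the sender strategy assumed in the
    lead-in (editor's assumption, not the page's model): n - 1 windows at b - 1
    events, then one window at s events. If b - 1 <= s, no window is ever 'bad'
    and the sender can stay at b - 1 throughout."""
    if b - 1 <= s:
        return [b - 1] * n
    return [b - 1] * (n - 1) + [s]


def stealthy_capacity(w, n, b, s, q):
    """Average bits per second of that schedule: events per period times q bits
    per event, divided by the period length n * w seconds."""
    return sum(stealthy_schedule(b, s, n)) * q / (n * w)


def evades_detector(schedule, b, s, n):
    """Check a periodic per-window event schedule against both rules of Section
    4.1: no window may reach b events, and no n consecutive windows may exceed s.
    The schedule is repeated twice so bad runs that wrap around the period are
    caught too."""
    if any(c >= b for c in schedule):
        return False
    run = 0
    for c in schedule * 2:
        run = run + 1 if c > s else 0
        if run >= n:
            return False
    return True


def capacity_table(w, q, settings):
    """Capacity (bits/s, two decimals) for several (n, b, s) detector settings,
    to compare which parameter reduces a stealthy sender's rate the most."""
    return {(n, b, s): round(stealthy_capacity(w, n, b, s, q), 2)
            for (n, b, s) in settings}


if __name__ == "__main__":
    # w = 1 s matches the detector's fixed window (Section 4.2); q = 1.6 from the page.
    for key, bps in capacity_table(1.0, 1.6, [(5, 20, 5), (5, 10, 5),
                                              (10, 20, 5), (5, 20, 2)]).items():
        print("n=%d b=%d s=%d -> %.2f bits/s" % (key + (bps,)))
```

With w = 1 s and q = 1.6, the schedule for (n, b, s) = (5, 20, 5) carries 81 events per 5-second period, about 25.9 bits/s, well under the 80-100 bits/s the channels sustain unconstrained. Halving b to 10 cuts that to about 13.1 bits/s, whereas doubling n to 10 slightly raises it (more windows at b - 1 before a reset is needed) and lowering s to 2 barely moves it: under this strategy the burst threshold is the knob that matters, which is the kind of comparison the page's model is meant to support.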