Android Access Control System Test and Evaluation

Source: Internet
Author: User

5.1 Tutorial Scheme

The preceding sections showed that malware on the current Android platform is dominated by "privacy theft" and "malicious fee deduction", and the objective of this study is to prevent both. This experiment therefore selects benign software and malware, and tests and analyzes the behaviors of dialing, sending text messages, connecting to the Internet, accessing the SD card, accessing the address book, and viewing text messages. The test cases are Baidu Address Book, 360 Address Book, Cool Dog Music, and DroidDream. The experiment environment is Ubuntu 10.04, the Android 4.0 emulator, and the corresponding goldfish kernel.

5.2 Experiment Process

1. Test 360 Address Book

360 Address Book can make calls and send text messages. The "game" role is therefore assigned to 360 Address Book. Because the "game" role cannot call or send text messages, the result is as expected if none of these functions is available when you open 360 Address Book. The test is as follows:

Figure 5.1 360 Address Book test 1: text messages and the address book cannot be viewed

2. Test Baidu Address Book

The function of Baidu Address Book is similar to that of 360 Address Book. In this case, the "Contact" role is assigned to Baidu Address Book. If it can call and send text messages, the result is as expected. The test is as follows:

3. Test Codoy Music

Codoy Music plays music by reading music files from the SD card. It is therefore assigned the "mediaplayer" role, but the role is not allowed to read or write SD card files. If it cannot play the music files on the SD card, the result is as expected. The test is as follows:

4. Test DroidDream: Advanced File Manager and Super Ringtone Maker

DroidDream [18] is a well-known piece of malware on the Android platform. One of its most prominent features is that it connects to the network in the background, which exposes user privacy. Advanced File Manager and Super Ringtone Maker are two pieces of malware in the DroidDream series. They provide file management, SD card access, ringtone production, and Internet access. Create a new role "malware" and grant it only one permission, camera access. Assign the role "malware" to Advanced File Manager and Super Ringtone Maker. The test is as follows:

5.3 Experiment Analysis

1. Test and analysis of 360 Address Book

Because the "game" role is assigned to 360 Address Book, the Smack rules associated with this role prevent an app that assumes the "game" role from making phone calls, sending text messages, and accessing the address book. You therefore cannot use 360 Address Book to view the address book, text messages, and other content. Use "adb shell" to view the contents of /smack/load:

Figure 5.8 Smack rules in /smack/load after the Android emulator is started

The UID of 360 Address Book is 10034. The Smack rule "10034 1001 -" disables communication with the radio process, so 360 Address Book cannot send text messages. If you try to send a text message with 360 Address Book, it shows the message "failed to send", and the Android logcat displays the following information:

As we can see, the Smack label is "10034". The 360 Address Book process cannot communicate with radio in the binder driver, so it cannot send text messages.

When the user enters a number that is not in the address book on the keypad, the dialing screen is still displayed. Because this work enables access control for radio, calls and text messages to phone numbers that are not in the address book are blocked. The dialing interface is displayed when a call is made because, although the rule "10034 1001 -" is written to /smack/load, the dialing activity runs in the process with UID 1001. If you use the smackload tool to write the Smack rule "1001 _ -" to /smack/load, the second read operation on the dialing interface is terminated and the call cannot be made. This is because access control has been added to IPC, and placing a call means communicating with the rild process through binder; the security label of the rild (Radio Interface Layer Daemon) process is "_". Therefore, when a rule such as "1001 _ -" does not allow communication between radio and rild, the dialing process is terminated. If the user does not give the "game" role the call permission, 360 Address Book still cannot make calls. This is because the RBAC mechanism at the framework layer takes effect: before the dialing activity is started, it checks the UID and the permissions requested for the activity. If this component has no call permission, the dialing activity does not appear.

2. Test and analysis of Baidu Address Book

The UID of Baidu Address Book is 10037, and the UID of the address book process is 10000. Because /smack/load contains the rule "10037 10000 rwxa", the address book is visible in Baidu Address Book. Because 181 is not a number in the address book, sending a text message to it with Baidu Address Book fails. Because 666 is a number in the address book, sending a text message to it with Baidu Address Book succeeds.
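
The two-layer decision described in items 1 and 2 (framework RBAC first, then the Smack rule lookup), sketched as an added example that is not the system's own code. Assumptions: the rule dump is constructed from the two rules quoted above, the permission sets per role and UID 10050 are made up for illustration, and only explicit rules with the r/w/x/a modes are modelled (Smack's built-in handling of special labels is not).

```python
# Added example (not the system's code): framework RBAC check, then Smack rule check.
# Constructed dump in the "subject object access" form quoted from /smack/load.
SMACK_LOAD = """\
10034 1001 -
10037 10000 rwxa
"""
# Role names and UIDs 10034/10037 come from the page; the permission sets and
# UID 10050 are assumptions chosen so that both layers are exercised.
ROLES = {
    "game": {"SEND_SMS"},
    "Contact": {"CALL_PHONE", "SEND_SMS", "READ_CONTACTS"},
    "malware": {"CAMERA"},
}
ASSIGNMENTS = {"10034": "game", "10037": "Contact", "10050": "malware"}


def parse_rules(text):
    """Return {(subject, object): access letters}; a later line replaces an earlier one."""
    rules = {}
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {n}: expected 'subject object access'")
        subj, obj, access = fields
        modes = set(access.lower()) - {"-"}
        if not modes <= set("rwxa"):
            raise ValueError(f"line {n}: unknown access mode {access!r}")
        rules[(subj, obj)] = modes
    return rules


def smack_allows(rules, subj, obj, want):
    """Explicit rules only: equal labels pass, a missing rule denies."""
    return subj == obj or set(want) <= rules.get((subj, obj), set())


def decide(rules, uid, permission, obj, want):
    """Deny at the framework layer first, then at the kernel layer."""
    role = ASSIGNMENTS.get(uid)
    if permission not in ROLES.get(role, set()):
        return "denied by RBAC"
    if not smack_allows(rules, uid, obj, want):
        return "denied by Smack"
    return "allowed"


RULES = parse_rules(SMACK_LOAD)
```

With these inputs, a text message from UID 10034 passes the role check but is stopped by the "10034 1001 -" rule, while a call from the same UID is already refused at the framework layer because the role lacks the call permission.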

3. Test and analysis of Codoy Music

Because the files on the SD card carry the "sdcard" security label and Codoy Music is not assigned a role that can read or write the SD card, Codoy Music cannot open the music on the SD card.

4. Test and analysis of DroidDream

Because the "malware" role has only one permission, camera access, an app that assumes the "malware" role cannot use any permission other than the camera. The test results show that the file length on the SD card is reported as 0 B in File Manager, which indicates that File Manager cannot access the SD card. Similarly, one function of Super Ringtone Maker is to search the Internet, and this function cannot be used. The RBAC at the framework layer has denied the corresponding permissions. The content in "adb logcat" is as follows:

System Evaluation

1. Function Evaluation

The above experiments show that the system can not only restrict permissions through custom roles but also use Smack rules to implement mandatory access control for kernel processes. The system can therefore protect users' private data and prevent "malicious fee deduction" and similar behaviors. The following table compares typical foreign achievements in Android security reinforcement technology with the functions of this system:

 

 

Table 5.1 Comparison of foreign technical achievements with the functions of the system

System        Customizable        Restrict      Kernel          Context   Block Elevation of
              security policies   Permissions   reinforcement   support   Privilege attacks
CRePE         Yes                 Yes           No              Yes       No
Apex          Yes                 Yes           No              Yes       No
SEAndroid     Yes                 Yes           Yes             No        Yes
This system   Yes                 Yes           Yes             No        No

CRePE and Apex both build their security mechanisms on the Android permission check mechanism. Malware can therefore bypass them directly by exploiting Android system vulnerabilities or by using Linux system calls. This work not only implements RBAC based on Android permissions but also uses the Smack module to control Linux processes, so the system has higher security than CRePE and Apex. SEAndroid is a "heavyweight" Android security enhancement system that requires a high smartphone configuration and is not suitable for ordinary Android phone users. This system uses the lightweight access control module Smack as the access control mechanism of the Android kernel. Because Smack causes little performance loss on Android, the system performs better than SEAndroid. Despite these advantages, the system also has some defects:

First, some of the access control policies in this system are based on the zygote module, but zygote does not fork a process with the same UID again. As a result, when you customize security policies, the system's mandatory access control may not take effect promptly. For example, once an app has been started its process stays alive rather than being forked again by zygote, so the Smack rules of this app are not updated. Only restarting the emulator makes the zygote process reload the Smack security policy;

Second, the system does not take the context into account. When a user defines a security policy, the only outcome is "allow or deny". The next step for the system is therefore to take the context into account;

Third, the system's access control is ineffective against privileged processes. Because the Smack security module cannot block all actions of Linux superusers or their processes, the system's access control becomes invalid once the Android phone is rooted;

Fourth, the system does not consider auditing. Auditing is an important means of ensuring the security of a computer system, and Smack itself provides an audit function in the kernel. If an intrusion detection module is designed on this basis, the security of the Android system will be further enhanced.
