PRIV: a Permission Re-delegation vulnerability detection framework

Event date: Thursday, 4 May, 2017 - 16:00
Biniam Fisseha Demissie
Abstract: Previously, I presented a work in progress on a permission re-delegation vulnerability detection framework. In this seminar, I will talk about the complete work and the results we obtained. Permission re-delegation is a kind of privilege escalation where one software component performs a privileged action on behalf of another component that does not hold the required permission. Static analysis is the de facto technique used to identify this kind of vulnerability by extracting execution paths from entry points to sensitive sinks. However, not all execution paths represent vulnerabilities. That is, most of the reports might represent legitimate re-delegation intended by the developer or paths that are infeasible. In this work, we present a fully automated framework to identify permission re-delegation vulnerabilities (in Android apps) that complements the state-of-the-art detection techniques by introducing the Oracle. Moreover, for reported vulnerabilities, the framework provides test inputs (proof of concept) that execute the (sensitive) privileged sink. We tested the framework on 187 open-source apps. We found 3 true positives, 1 true negative and 2 false positives. We then compare the results with FlowDroid, a state-of-the-art static analysis tool for Android apps.
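A first-pass manifest check for the exposure the abstract describes, as an added example that is not part of PRIV or of the original page: it lists exported components of a permission-holding app that declare no permission guard. The manifest, package and component names are constructed, and the result is only a candidate list, since a reachable entry point is not necessarily a vulnerability.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".SmsRelayService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="android.permission.SEND_SMS"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="com.example.demo.PING"/></intent-filter>
    </receiver>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies
    exported (the platform default before Android 12)."""
    flag = component.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return component.find("intent-filter") is not None


def candidate_entry_points(manifest_xml):
    """Return (permissions the app holds, exported components with no guard)."""
    root = ET.fromstring(manifest_xml)
    held = sorted(p.get(ANDROID + "name") for p in root.findall("uses-permission"))
    app = root.find("application")
    if app is None or not held:
        return held, []  # nothing to re-delegate, or no components declared
    app_guard = app.get(ANDROID + "permission")  # default guard for all components
    candidates = []
    for tag in ("activity", "service", "receiver"):
        for comp in app.findall(tag):
            guard = comp.get(ANDROID + "permission") or app_guard
            if is_exported(comp) and guard is None:
                candidates.append(comp.get(ANDROID + "name"))
    return held, candidates


if __name__ == "__main__":
    held, found = candidate_entry_points(SAMPLE_MANIFEST)
    print("held permissions:", held)
    print("unguarded exported components:", found)
```

Whether any listed component actually reaches a sensitive sink, and whether that re-delegation is intended, still has to be established by path analysis and review.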
