Research On Detection Of Covert Channel Attacks In Android

Covert channels are information channels that exist in network environment or operating systems, and they are not designed for the transmission of information. Covert channels can be exploited by malicious applications to implement the covert data transmission, which threatens the safety of the system. In the smartphone operating system Android, covert channels widely exist in multiple levels of the OS. The malicious applications can leverage covert channels to bypass the system's security mechanism, leak users' sensitive data to applications which don't have relative permissions, thus compromise security of users' data. Covert channel attacks are good for concealment, thus they are difficult to be identified and contained by common security programs in Android.Since covert channel attacks usually achieve data transmission by tuning properties of system shared resources, we propose a framework which audits the status of system shared resources in real time in Android. It can effectively detect and suppress attacks from known covert channels. At the application level, the framework intercepts API calls which access system shared resources while at the kernel level the framework uses auditd to monitor system calls so as to get the identities of target objects, the pid of related process, the process privileges, the timestamp and other information of each API call or system call. Then audit the records of those operations which have accessed system shared resources, and assesses the amount of data transmitted between applications which have different permissions to access sensitive data. When covert channel attacks are found, the framework will delay the executions of related operations or inject noise into the status of shared resources in order to undermine the data transmission capabilities of covert channels.Test results show that the covert channel attack detection framework can effectively inhibit covert channel attacks from Android application layer and system layer. The additional memory overhead for each third-party application caused by the framework is negligible.