  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

A study on Android games : 3G energy consumption, CPU-utilization and system calls

Almquist, Mathias, Almquist, Viktor January 2015
The popularity of mobile games has increased drastically in recent years and many people use them as their main source of entertainment. Mobile games communicate with other devices over the network, which consumes a lot of energy, especially when connected to cellular networks (e.g., 3G). This high energy expense can feel unjustified to the player since always-on network connectivity is not required in order to play most games. Furthermore, the number of malware-infected applications in official application stores has increased significantly in recent years. These malware-infected applications can gain unrestricted access to and control of users' phones, which can be a threat to security. Information about the behaviour characteristics of games can be used to develop or improve systems for detecting malware applications. In this thesis, 20 popular Android games are analysed with a focus on the data communication, CPU utilization and system call behaviour. The main subject of the data communication study is the 3G communication energy consumed by games. The system call study aims at quantifying the number and type of calls used by games. This may be useful in a further study of harmful behaviour by apps. The profiling results presented in this report show that the communication energy varies drastically among games. Games with a very similar gameplay can consume very different amounts of energy, which indicates that there is room for improvements in many of the games. Ad-free games consume significantly less energy than games that use in-app advertisements. The results show that improving the advertisement fetching policy could reduce the energy consumption of these games. The majority of the games can be played without network connectivity and therefore the communication energy consumed could be completely avoided. The thesis also shows that games use a wide variety of system calls and that many of the system calls are common among the games.
2

Nástroj pro vyvolávání chyb založený na infrastrukuře Systemtap / A Fault Injection Bug Hunting Tool Based on Systemtap

Zelinka, Martin January 2011
This work describes different methods of fault injection, the principles of system calls in the Linux operating system, and the Systemtap tool. The main aim of the thesis is the design and implementation of an application that works on the principle of fault injection into system calls using the Systemtap tool. The implemented application automatically identifies the existing system calls together with their error return values, which then replace the original system calls' return values.
3

Design and Implementation of the VirtuOS Operating System

Nikolaev, Ruslan 21 January 2014
Most operating systems provide protection and isolation to user processes, but not to critical system components such as device drivers or other systems code. Consequently, failures in these components often lead to system failures. VirtuOS is an operating system that exploits a new method of decomposition to protect against such failures. VirtuOS exploits virtualization to isolate and protect vertical slices of existing OS kernels in separate service domains. Each service domain represents a partition of an existing kernel, which implements a subset of that kernel's functionality. Service domains directly service system calls from user processes. VirtuOS exploits an exceptionless model, avoiding the cost of a system call trap in many cases. We illustrate how to apply exceptionless system calls across virtualized domains. To demonstrate the viability of VirtuOS's approach, we implemented a prototype based on the Linux kernel and Xen hypervisor. We created and evaluated a network and a storage service domain. Our prototype retains compatibility with existing applications, can survive the failure of individual service domains while outperforming alternative approaches such as isolated driver domains and even exceeding the performance of native Linux for some multithreaded workloads. The evaluation of VirtuOS revealed costs due to decomposition, memory management, and communication, which necessitated a fine-grained analysis to understand their impact on the system's performance. The interaction of virtual machines with multiple underlying software and hardware layers in a virtualized environment makes this task difficult. Moreover, performance analysis tools commonly used in native environments were not available in virtualized environments. Our work addresses this problem to enable an in-depth performance analysis of VirtuOS. Our Perfctr-Xen framework provides capabilities for per-thread analysis with both accumulative event counts and interrupt-driven event sampling.
Perfctr-Xen is a flexible and generic tool, supports different modes of virtualization, and can be used for many applications outside of VirtuOS. / Ph. D.
4

One kernel to rule them all : An experimental study inspecting the Meltdown patch effects on the costs of system calls in systemd-nspawn containers / En kärna att härska över dem alla : En experimental studie som inspekterar effekterna av Meltdown uppdateringen i samband med systemd-nspawn containers

Kooijman, Ben January 2018
Context. The paradigm of virtualization is rapidly changing due to hardware optimization and capabilities, and also due to the rapid development and deployment strategies used in the modern-day IT industry. Just like the positive changes, negative effects are necessary to occur in order to improve modern-day technologies. This final year project takes a look at both the positives and the negatives by exploring how containers are relevant to modern-day computing and how they are affected, in terms of performance, by the patch that mitigates the Meltdown CPU vulnerabilities discovered in mid-2017. It looks at the trade-off between information security and performance by taking an in-depth look at the core functionalities of the Linux kernel. This paper succeeded in identifying system call costs that differ between a secure and a non-secure Linux kernel in the context of a containerized environment. Objectives. This study examines the effects of the KAISER security patch aimed at mitigating microprocessor vulnerabilities related to Meltdown. The investigated effect is performance, measured as the cost of system calls under a non-KAISER and a KAISER-enabled Linux kernel. The intent is to increase the transparency of how a major security patch such as KAISER affects the system. Methods. A quantitative experimental study is conducted. One single Debian Stretch node is used with two different treatments. First, micro-benchmarks are run without a KAISER-enabled kernel; the results are later compared with those of a KAISER-enabled kernel. The measuring point is the time one single system call takes in a sequence of 1 000 000 system calls. Results. First, macro-benchmarks were conducted to see what a performance loss would look like on an application level. This proved to introduce many superfluous factors, which made it difficult to use system calls as a measuring point. In the end a comparison between the two kernels was done.
This indicated that the cost per system call differed by roughly 29% in time. Conclusions. The results indicate that a large performance loss is identified. However, this does not indicate that all activities on a computer will suffer from this loss. The performance loss the end-user will experience depends entirely on the number of system calls generated from one single set of instructions. The performance loss can be neglected if these instructions generate a low number of system calls. These results should not be used as evidence to favor performance over information security in real-life applications and implementations, but rather as a motivation to meet the two aspects. / Context. The use of virtualization is changing rapidly thanks to better hardware optimizations and capabilities. At the same time, many deployment strategies for computing resources are changing in the modern IT industry. As with all positive changes, effects with negative consequences are also introduced. This is a degree project that aims to explore both these positive and negative effects, by looking at how the popular virtualization technique consisting of containers is affected by the update intended to resolve the vulnerabilities in modern processors known as Meltdown. The effects are defined in terms of performance, which allows a deeper inspection of the fundamental functions of the Linux kernel, where system calls can be used as a measuring point. The method and results of this degree project have successfully found a cost difference per system call between an insecure and a secure Linux kernel in an environment consisting of containers. Objectives. The degree project looks at the effects of the update intended to address the vulnerabilities in modern microprocessors related to Meltdown. The investigated effects are defined as performance, where the cost of system calls is used as the measuring point.
The purpose of this degree project is to increase the transparency of what a major security update does to a modern computer system. Methods. A quantitative experimental study is conducted in which one Debian Stretch node is used to observe two different treatments. First, "micro-benchmarks" are run with an insecure Linux kernel. This is then followed up with a secure Linux kernel. Finally, the results are compared with each other to identify how much one system call costs in a sequence of 10'000'000 system calls. Results. As a pilot study, a series of tests using many different tools was carried out to see whether a performance loss could be identified at the application level. Carrying out tests of that kind made it clear that superfluous factors prevented an outcome that was considered sufficient. In the end, the right type of tool was found to produce an outcome showing that a performance difference of ~29% existed between an insecure and a secure Linux kernel. Conclusions. The result indicates that a performance loss exists. However, general performance is not necessarily affected. The performance loss an end user will experience depends entirely on how many system calls are generated during the sequence of the activity being performed. The result presented in this degree project should not be used as motivation to prioritize performance over information security in production environments, but rather as motivation to be able to meet both aspects.
5

Intrusion Detection System for Android : Linux Kernel System Calls Analysis

Borek, Martin January 2017
Smartphones provide access to a plethora of private information potentially leading to financial and personal hardship, hence they need to be well protected. With new Android malware obfuscation and evasion techniques, including encrypted and downloaded malicious code, current protection approaches using static analysis are becoming less effective. A dynamic solution is needed that protects Android phones in real time. System calls have previously been researched as an effective method for Android dynamic analysis. However, these previous studies concentrated on analysing system calls captured in emulated sandboxed environments, which does not prove the suitability of this approach for real-time analysis on the actual device. This thesis focuses on analysis of Linux kernel system calls on the ARMv8 architecture. Given the limitations of Android phones it is necessary to minimise the resources required for the analyses, therefore we focused on the sequencing of system calls. With this approach, we sought a method that could be employed for real-time malware detection directly on Android phones. We also experimented with different data representation feature vectors: histogram, n-gram and co-occurrence matrix. All data collection was carried out on a real Android device as existing Android emulators proved to be unsuitable for emulating a system with the ARMv8 architecture. Moreover, data were collected on a human-controlled device since reviewed Android event generators and crawlers did not accurately simulate real human interactions. The results show that Linux kernel sequencing carries enough information to detect malicious behaviour of malicious applications on the ARMv8 architecture. All feature vectors performed well. In particular, n-gram and co-occurrence matrix achieved excellent results. To reduce the computational complexity of the analysis, we experimented with including only the most commonly occurring system calls.
While the accuracy degraded slightly, it was a worthwhile trade-off as the computational complexity was substantially reduced. / Smartphones provide access to a plethora of private information that can potentially lead to financial and personal hardship. They must therefore be well protected. A dynamic solution is needed that protects Android phones in real time. System calls have previously been investigated as an effective method for dynamic analysis of Android. However, these previous studies focused on system calls in an emulated sandbox environment, which does not show the suitability of this approach for real-time analysis on the device itself. This work focuses on the analysis of Linux kernel system calls on the ARMv8 architecture. Given the limitations of Android phones, it is essential to minimise the resources required for the analyses. We therefore focused on the sequencing of system calls. With this approach, we sought a method that could be used for real-time detection of malicious programs directly on Android phones. We also experimented with different feature vectors to represent the data: histogram, n-gram and co-occurrence matrices. All data were collected from a real Android device, as the existing Android emulators proved unsuitable for emulating a system with the ARMv8 architecture. The results show that the Linux kernel's sequencing carries enough information to detect malicious behaviour of malicious applications on the ARMv8 architecture. All feature vectors performed well. The n-gram and co-occurrence matrices even achieved excellent results. To reduce the computational complexity of the analysis, we experimented with using only the most common system calls. Although the accuracy decreased slightly, it was worth the sacrifice since the computational complexity was noticeably reduced.
6

Practical Exploit Mitigation Design Against Code Re-Use and System Call Abuse Attacks

Jelesnianski, Christopher Stanislaw 09 January 2023
Over the years, many defense techniques have been proposed by the security community. Even so, few have been adopted by the general public and deployed in production. This limited defense deployment and weak security has serious consequences, as large scale cyber-attacks are now a common occurrence in society. One major obstacle that stands in the way is practicality, the quality of being designed for actual use or having usefulness or convenience. For example, an exploit mitigation design may be considered not practical to deploy if it imposes high performance overhead, despite offering excellent and robust security guarantees. This is because achieving hallmarks of practical design, such as minimizing adverse side-effects like performance degradation or memory monopolization, is difficult in practice, especially when trying to provide a high level of security for users. Secure and practical exploit mitigation design must successfully navigate several challenges. To illustrate, modern-day attacks, especially code re-use attacks, understand that rudimentary defenses such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) will be deployed moving forward. These attacks have therefore evolved and diversified their angles of attack to become capable of leveraging a multitude of different code components. Accordingly, the security community has uncovered these threats and maintained progress in providing possible resolutions with new exploit mitigation designs. More specifically though, defenses have had to correspondingly extend their capabilities to protect more aspects of code, leading to defense techniques becoming increasingly complex. Trouble then arises as supporting such fine-grained defenses brings inherent disadvantages such as significant hardware resource utilization that could be otherwise used for useful work. This complexity has made performance, security, and scalability all competing ideals in practical system design. 
At the same time, other recent efforts have implemented mechanisms with negligible performance impact, but do so at the risk of weaker security guarantees. This dissertation first formalizes the challenges in modern exploit mitigation design. To illustrate these challenges, this dissertation presents a survey from the perspective of both attacker and defender to provide an overview of this current security landscape. This includes defining an informal taxonomy of exploit mitigation strategies, explaining prominent attack vectors that are faced by security experts today, and identifying and defining code components that are generally abused by code re-use. This dissertation then presents two practical design solutions. Both defense system designs uphold goals of achieving realistic performance, providing strong security guarantees, being robust for modern application code-bases, and being able to scale across the system at large. The first practical exploit mitigation design this dissertation presents is MARDU. MARDU is a novel re-randomization approach that utilizes on-demand randomization and the concept of code trampolines to support sharing of code transparently system-wide. To the best of my knowledge, MARDU is the first presented re-randomization technique capable of runtime code sharing for re-randomized code system-wide. Moreover, MARDU is one of the very few re-randomization mechanisms capable of performing seamless live thread migration to newly randomized code without pausing application execution. This dissertation describes the full design, implementation, and evaluation of MARDU to demonstrate its merits and show that careful design can uphold all practical design goals. 
For instance, scalability is a major challenge for randomization strategies, especially because traditional OS design expects code to be placed in known locations so that it can be reached by multiple processes, while randomization is purposefully trying to achieve the opposite, being completely unpredictable. This clash in expectations between system and defense design breaks a few very important assumptions for an application's runtime environment. This forces most randomization mechanisms to abandon the hope of upholding memory deduplication. MARDU resolves this challenge by applying trampolines to securely reach functions protected under secure memory. Even with this new calling convention in place, MARDU shows re-randomization degradation can be significantly reduced without sacrificing randomization entropy. Moreover, MARDU shows it is capable of defeating prominent code re-use variants with this practical design. This dissertation then presents its second practical exploit mitigation solution, BASTION. BASTION is a fine-grained system call filtering mechanism aimed at significantly strengthening the security surrounding system calls. Like MARDU, BASTION upholds the principles of this dissertation and was implemented with practicality in mind. BASTION's design is based on empirical observation of what a legitimate system call invocation consists of. BASTION introduces System Call Integrity to enforce the correct and intended use of system calls within a program. In order to enforce this novel security policy, BASTION proposes three new specialized contexts for the effective enforcement of legitimate system call usage. Namely, these contexts enforce that: system calls are only invoked with the correct calling convention, system calls are reached through legitimate control-flow paths, and all system call arguments are free from attacker corruption. 
By enforcing System Call Integrity with the previously mentioned contexts, this dissertation adds further evidence that context-sensitive defense strategies are superior to context-insensitive ones. BASTION is able to prevent over 32 real-world and synthesized exploits in its security evaluation and incurs negligible performance overhead (0.60%-2.01%). BASTION demonstrates that narrow and specialized exploit mitigation designs can be effective on more than one front, to the point that BASTION not only prevents code re-use, but is capable of defending against any attack class that requires the utilization of system calls. / Doctor of Philosophy / Limited security defense deployment and weak security has serious consequences, as large scale cyber-attacks are now a common occurrence. This may be surprising since many defense techniques have been proposed; yet in reality, few have been adopted by the general public. To elaborate, designing an ideal defense that is strong security-wise but does not use any computer resources is challenging. In practice, there is no free lunch, and therefore a design must consider how to best balance security with performance in an effort to be practical for users to deploy their defense. Common tradeoffs include adverse side-effects such as slowing down user applications or imposing significant memory usage. Therefore, practical and strong defense design is important to promote integration into the next generation of computer hardware and software. By sustaining practical design, the needed jump between a proof-of-concept and implementing it on commodity computer chips is substantially smaller. A practical defense should foremost guarantee strong levels of security and should not slow down a user's applications. Ideally, a practical defense is implemented to the point it seems invisible to the user and they don't even notice it. However, balancing practicality with strong security is hard to achieve in practice.
This dissertation first reviews the current security landscape; specifically, two important attack strategies are examined. First, code re-use attacks are exactly what they sound like; they essentially reuse various bits and pieces of program code to create an attack. Second, system call abuse. System calls are essential functions that ordinarily allow a user program to talk with a computer's operating system; they enable operations such as a program asking for more memory or reading and writing files. When system calls are maliciously abused, they can cause a computer to use up all its free memory or even launch an attacker-written program. This dissertation goes over how these attacks work and correspondingly explains popular defense strategies that have been proposed by the security community so far. This dissertation then presents two defense system solutions that demonstrate how a practical defense system could be made. To that end, the full design, implementation, and evaluation of each defense system, named MARDU and BASTION, is presented. This dissertation leverages attack insights as well as compiler techniques to achieve its goal. A compiler is an essential developer tool that converts human-written code into a computer program. Moreover, compilers can be used to apply additional optimizations and security hardening techniques to make a program more secure. This dissertation's first defense solution, MARDU, is a runtime randomization defense. MARDU protects programs by randomizing the location of code chunks throughout execution so that attackers cannot find the code pieces they need to create an attack. Notably, MARDU is the first randomization defense that is able to be seamlessly deployed system-wide and is backwards compatible with programs not outfitted with MARDU. This dissertation's second defense solution, BASTION, is a defense system that strictly focuses on protection of system calls in a program.
As mentioned earlier, system calls are security-critical functions that allow a program to talk with a computer's operating system. BASTION protects the entire computer by ensuring that every time a system call is called by a user program, it was rightfully requested by the program and not maliciously by an attacker. BASTION verifies this request is legitimate by confirming that the current program state meets a certain set of criteria.
