Clearscope: Full Stack Provenance Graph Generation for Transparent Computing on Mobile Devices

Abstract

The ClearScope project associates a provenance history graph with each value of an Android application via a custom build of the Android operating system. Provenance provides a history of the sensitive sources and sinks that influenced a value, including the temporal order of the operations and details of the operations (e.g., file names, IP addresses, data values, the calling program and user). This information can be employed to improve the accuracy and efficiency of malware and APT detection, forensics, and policy enforcement. The ClearScope project combines multiple instrumentation systems to provide unprecedented coverage for an Android system at low overhead. Performance experiments with the Caffeine Mark benchmarks demonstrate 14% overhead. Additionally, we demonstrate only a 1% overhead for Firefox browser benchmarks. For the TC engagements, we captured all in-bounds malicious actions performed by TA4 (the red team). For TC, we are the only system to track and report fine-grained and value-precise data provenance. We have robust ClearScope builds for Android 5, 6, 7, and 8 for multiple devices. We also published our work in major conferences and technical reports.

Document Details

Document Type
Technical Report
Publication Date
Jul 08, 2020
Accession Number
AD1103275

Entities

People

  • Anthony Eden
  • Henny Sipma
  • Jeffrey Perkins
  • Jordan Eikenberry
  • Malavika Samak
  • Martin Rinard
  • Michael Gordon

Organizations

  • Massachusetts Institute of Technology

Tags

Communities of Interest

  • C4I
  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Abstracts
  • Air Force
  • Air Force Research Laboratories
  • Application Software
  • Classification
  • Command And Control
  • Compilers
  • Computer Program Documentation
  • Computer Programming
  • Computer Programs
  • Computers
  • Debugging
  • Governments
  • Instruction Set Architecture
  • Instrumentation
  • Mobile Devices
  • Mobile Operating Systems
  • Mobile Phones
  • Object Code
  • Operating Systems
  • Programming Languages
  • Translations
  • United States

Fields of Study

  • Computer science

Readers

  • Atmospheric Science/Meteorology
  • Cybersecurity
  • Distributed Systems and Data Platform Development

Technology Areas

  • Cyber