Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks.We design and implement AuDroid, an extension to the SELinux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.
翻译:语音控制是操作移动设备的一种流行方式,使用户能够将请求告知其设备。然而,对手可以利用语音控制来操纵移动设备,将手机控制用于执行泄露秘密或修改关键信息的命令。当代移动操作系统无法防止此类袭击,因为他们根本无法控制对发言者的访问,而且当不信任的应用程序可能使用麦克风时也无法控制这些袭击,使授权应用程序能够创建可开发的通信渠道。在本文件中,我们提议一个安全机制,明确跟踪音频通信频道的创建,并控制这些频道的信息流动,以防止多种类型的袭击。我们设计和实施AUDroid,将SELinux参考监视器纳入安卓操作系统,以针对系统音频资源的动态变化使用实施拉蒂安全政策。为了增强灵活性,在发现信息流动错误时,设备所有人、系统应用程序和服务将有机会使用已知的方法解决信息流错误,使AUDroid能够安全运行许多配置。我们评价了17个广泛使用麦克风和扬声器的应用程序的做法,我们发现AUDroid防止六类袭击情景在不使用音频轨道上有效运行,同时允许所有AVAVAA公司运行。