Clearscope: Full Stack Provenance Graph Generation for Transparent Computing on Mobile Devices

Michael Gordon, Jordan Eikenberry, Anthony Eden, Jeffrey Perkins, Malavika Samak, Henny Sipma, Martin Rinard


The ClearScope project associates a provenance history graph with each value of an Android application via a custom build of the Android operating system. Provenance provides a history of the sensitive sources and sinks that influenced a value, including the temporal order of the operations and details of the operations, e.g., file names, IP addresses, data values, the calling program and user, etc. This information can be employed to improve the accuracy and efficiency of malware and APT detection, forensics, and policy enforcement. The ClearScope project combines multiple instrumentation systems to provide unprecedented coverage for an Android system at low overhead. Performance experiments with the Caffeine Mark benchmarks demonstrate 14 overhead. Additionally, we demonstrate only a 1 overhead for Firefox browser benchmarks. For the TC engagements, we captured all in-bounds malicious actions performed by TA4, the red team. For TC, we are the only system to track and report fine-grained and value-precise data provenance. We have robust ClearScope builds for Android 5, 6, 7, and 8 for multiple devices. We also published our work in major conferences and technical reports.