ClearScope is a robust system for precise and comprehensive provenance tracking of sensitive information that flows through Android devices (for example, location, PII, call data, text data). In contrast to previous systems, ClearScope tracks the complete path that data takes through the device, from its initial entry into the device through to its exit point, including the applications, files, and IPC that the data traverses along this path. It tracks flows in both the Dalvik Android Runtime (ART) and code executing outside of the runtime (native code). ClearScope can also track up to 2^32 combinations of information sources and intermediate information traversal points. Previous systems, in contrast, can track only a small fixed number of information sources. The information that ClearScope delivers has unprecedented precision, including the time of data traversal events, the precise location in the application where data traversal events take place, and the initial source or sources of relevant data at the level of individual bytes. ClearScope combines static instrumentation and dynamic monitoring to achieve low overhead and precise tracking on real-world applications on real devices.

 

The ClearScope project delivered modified Android ROMs that were installable on real devices. The modified OS includes instrumentation that records the provenance and usage of sensitive information across all userspace applications. Our entire system is open-source, available upon request, and also employed by Aarno Labs for consulting investigations of the behaviors of untrusted applications. For example, the DoD asked Aarno to investigate a malware implant loaded on devices available to consumers. Compared to a multi-month investigation performed using common tools, our investigation took 5 days and uncovered more behaviors (with higher-fidelity reporting). ClearScope has been delivered to multiple agencies in the DoD and intelligence communities.

Papers

Funding Source

Sub to MIT CSAIL for DARPA: Transparent Computing (TC)

Program Dates

Start: February, 2016
End: November, 2019