2 lecture embedded system security a.-r. sadeghi, @tu ... · pdf file2 lecture embedded system...
TRANSCRIPT
2 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
3
Android Runtime
Dalvik VM
Native libs (C/C++) Core libs
Application layer
Middleware layer
Kernel layer
Process Manager
Drivers File
System Network
Linux
Package Manager
Application Framework
Default (core) apps Third party apps
Browser Contacts Facebook Skype
Activity Manager Ref Monitor App Installer
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Provides developers API to basic functionalities and services (e.g., set alarms, access location information, set up a phone call)
Activity Manager Includes a Reference Monitor which mediates access requests to security-critical services (e.g.,
SMS, Contacts, Location) based on permissions (later more details) Responsible for starting applications
Package Manager Installation of new Apps Management of Permissions and Apps
4 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Android Runtime
Dalvik VM
Native libs (C/C++) Core libs
Package Manager
Application Framework
Activity Manager Ref Monitor App Installer
Dalvik Virtual Machine (DVM) Virtual Machine optimized for embedded environments Runs optimized file format “.dex” and Dalvik bytecode generated from Java
.class/.jar files at build time Relies on underlying Linux kernel for threading and low-level memory
management
Core Libraries Provide most of the functionality available in the core libraries of Java Provides core APIs of Java (familiar programming environment)
5 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Android Runtime
Dalvik VM
Native libs (C/C++) Core libs
Package Manager
Application Framework
Activity Manager Ref Monitor App Installer
C/C++ system libraries
Exposed to developers through the Android application framework
Core libraries include: Libc (Bionic), media libraries, Surface Manager, 3D libraries, SQLite, SSL
6 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Android Runtime
Dalvik VM
Native libs (C/C++) Core libs
Package Manager
Application Framework
Activity Manager Ref Monitor App Installer
Android Application
Apps are written in Java (type safe language) Each app is executed within its own Dalvik VM instance Apps also include native code via Java Native Interface (JNI) Android Apps consist of components
Activities (user interfaces) Services (background processes) Broadcast receivers (application mailboxes) Content providers (SQL-like databases)
7 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Dalvik VM
Activities Services
Content Providers
Broadcast Receivers
JNI C/C++ libs
7
8 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Inter-process communication (IPC)
Intents (message-based )
Remote Procedure Calls (establishing permanent connections)
File system (files, Unix domain sockets)
Network sockets
9
Application layer
Middleware layer
Kernel layer
App B
IPC MAC
File System DAC
Network Sockets
DAC
App A
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
MAC – Mandatory Access Control DAC – Discretionary Access Control
10 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Application isolation VMs and sandboxing Apps are written in Java (but native code can be used)
Application Access Control Permission framework at middleware layer Discretionary access control to file system at Linux level
Code Integrity System code is signed by Google Applications are signed by developers
It is easy to obtain a developer key, just 25 USD fee
App Distribution Apps do not go through vetting process, but directly published at
Google App market or other 3rd party markets
11 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 11
12
General Idea
The application sandbox specifies which system resources the application is allowed to access
An attacker can only perform actions defined in the sandbox
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 12
Each application is isolated in own sandbox Applications can access only own resources Access to sensitive resources depends on the application’s capabilities (“permissions”)
Sandboxing is enforced by Linux Each App is assigned a unique UserID and runs in separate process Each App has a private data folder
13 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 13
Application are assigned permissions Permissions are needed to control access
System resources (logs, battery, etc.) Sensitive data (SMS, contacts, e-mails, etc.) System interfaces (Internet, send SMS, etc.)
Application (developers) can also define own permissions to protect application interfaces
Permissions are either Simply associated strings (most permissions) Mapped to Linux GIDs (few: Internet, Bluetooth, ext. storage,…)
14 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 14
Android Middleware
Installer
Perm. P1
App B
Perm. P2 Perm. P3
Reference Monitor
App A
Dalvik VM
Permission Database
15 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 15
Android Middleware
Installer
App B
Reference Monitor
App A
Application Manifest
P3 App A Application
Manifest P1 P2
Dalvik VM
Permission Database
16 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 16
App A is allowed to send SMS (P1)
App A also posses permission P2 (e.g., access location)
App B has two interfaces protected by permission P2 and P3
App B
App A
Perm. P1 Perm. P2
Perm. P2 Perm. P3
17 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 17
Android Market
User
Install Requested
permissions are reasonable
Permissions
Movie Player
Download App
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 18
Android Market
User
Why Movie Player requests permission
to send SMS?
Permissions
Malicious Movie Player
Download app
Deny install
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 19
Android
Browser
Phone
Download Provider
Core Application with many interfaces
Required Permission: CALL_PHONE
Granted Permission: CALL_PHONE
20 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
21 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Enforced by Linux Discretionary Access Control (DAC) Processes are owned by users Files are assigned access rules for user, group and everyone
Each app is assigned a unique user id (uid) System resources are owned by a user “root” or “system” Each app has a private data folder Apps may share one sandbox (when signed with the same key)
App Sandbox, uid = xx
Private folder of uid = yy
File System
Sandbox System, uid = yy
Private folder of uid = xx
Application B
C/C
++
libs
Java VM
JNI
Application A
C/C
++
libs
Java VM
JNI
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 22
Only system sandbox can access sensitive phone functionality (GSM, GPS, …)
System sandbox exposes this functionality to other apps via APIs protected with system permissions (p1 … pn)
Applications can declare own permissions to protect sensitive interfaces (e.g., enabling access to application data)
23
Sensitive driver
Sandbox System, uid = yy
Application A
App Sandbox, uid = xx
Private folder of uid = xx
pn
p1
p2
…
Declared permissions: p1 … pn
Pn +1
Declared permissions: pn+1
Linux / File System
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 23
Applications must be granted corresponding permissions to be able to access protected interfaces
Permission assignments are monitored by middleware reference monitor Some exceptional cases: INTERNET and EXTERNAL_STORAGE permissions
Enforced by Linux kernel rather than middleware These permissions are mapped to Linux groups (e.g., each app granted Internet
permission is a member of a group which is allowed to access Internet driver)
24
Sensitive driver
Sandbox System, uid = yy
Application A
App Sandbox, uid = xx
Private folder of uid = xx
pn
p1
p2
…
Declared permissions: p1 … pn
Linux / File System
Middleware
Granted permissions: p1
INTERNET
,
INTERNET Socket
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 24
Security Weaknesses of Android Permission Framework
25 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 25
26
Confused deputy attacks
Attacks by colluding
applications
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 26
Linux kernel
Do not have a right permission? Ask your neighbor! Invoke browser to download malicious files (Lineberry et al., BlackHat 2010)
27
Middleware
Networking
Malware
Sandbox Granted permissions:
none
Browser Sandbox Granted permissions:
INTERNET
Browser
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Linux kernel
Do not have a right permission? Ask your neighbor! Invoke browser to download malicious files (Lineberry et al., BlackHat 2010) Invoke Phone app to perform a phone call (Enck et al., TechReport 2008)
28
Middleware
Malware
Sandbox Granted permissions:
none
Phone Sandbox Granted permissions:
p1
Phone app
API to make phone calls
API to send SMS
System Sandbox
p1 p2
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Linux kernel
Do not have a right permission? Ask your neighbor! Invoke browser to download malicious files (Lineberry et al., BlackHat
2010) Invoke Phone app to perform a phone call (Enck et al., TechReport 2008) Invoke Android Scripting Environment (ASE) to send SMS messages (Davi
et al.,ISC 2010)
29
Middleware
Malware
Sandbox Granted permissions:
INTERNET API to make phone calls
API to send SMS
System Sandbox
p1 p2
ASE Sandbox Granted permissions:
INTERNET, p2
ASE app
Networking
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Divide necessary permissions among two (or more) apps 1st app has access to user location; 2nd is granted Internet access
Apps communicate directly
30
API to access location
Sandbox B Granted permissions:
p3
System Sandbox
Middleware
Malware B
Malware A
Sandbox A Granted permissions:
INTERNET
Networking
Linux kernel
API to change volume settings
p3 -
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Divide necessary permissions among two (or more) apps 1st app has access to user location; 2nd is granted Internet access
Apps communicate directly
Apps communicate via overt/covert channels in a System Sandbox (e.g., write/read data to system databases, or write-read system settings) (Soundcomber, NDSS`2011)
31
API to access location
Sandbox B Granted permissions:
p3
System Sandbox
Middleware
Malware B
Malware A
Sandbox A Granted permissions:
INTERNET
Networking
Linux kernel
API to change volume settings
p3 -
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture
Divide necessary permissions among two (or more) apps 1st app has access to user location; 2nd is granted Internet access
Apps communicate directly Apps communicate via overt/covert channels in a System Sandbox (e.g., write/read data to
system databases, or write-read system settings) (Soundcomber, NDSS`2011) Apps communicate via file sharing
32
API to access location
Sandbox B Granted permissions:
p3
System Sandbox
Middleware
Malware B
Malware A
Sandbox A Granted permissions:
INTERNET
Linux kernel
API to change volume settings
File System
p3 -
Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture