2 lecture embedded system security a.-r. sadeghi, @tu ... · pdf file2 lecture embedded system...

2 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture

3

Android Runtime

Dalvik VM

Native libs (C/C++) Core libs

Application layer

Middleware layer

Kernel layer

Process Manager

Drivers File

System Network

Linux

Package Manager

Application Framework

Default (core) apps Third party apps

Browser Contacts Facebook Skype

Activity Manager Ref Monitor App Installer

Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture

Provides developers API to basic functionalities and services (e.g., set alarms, access location information, set up a phone call)

Activity Manager Includes a Reference Monitor which mediates access requests to security-critical services (e.g.,

SMS, Contacts, Location) based on permissions (later more details) Responsible for starting applications

Package Manager Installation of new Apps Management of Permissions and Apps


Android Runtime

Dalvik VM


Package Manager



Dalvik Virtual Machine (DVM) Virtual Machine optimized for embedded environments Runs optimized file format “.dex” and Dalvik bytecode generated from Java

.class/.jar files at build time Relies on underlying Linux kernel for threading and low-level memory

management

Core Libraries Provide most of the functionality available in the core libraries of Java Provides core APIs of Java (familiar programming environment)


Android Runtime

Dalvik VM


Package Manager



C/C++ system libraries

Exposed to developers through the Android application framework

Core libraries include: Libc (Bionic), media libraries, Surface Manager, 3D libraries, SQLite, SSL


Android Runtime

Dalvik VM


Package Manager



Android Application

Apps are written in Java (type safe language) Each app is executed within its own Dalvik VM instance Apps also include native code via Java Native Interface (JNI) Android Apps consist of components

Activities (user interfaces) Services (background processes) Broadcast receivers (application mailboxes) Content providers (SQL-like databases)


Dalvik VM

Activities Services

Content Providers

Broadcast Receivers

JNI C/C++ libs

7

Inter-process communication (IPC)

Intents (message-based )

Remote Procedure Calls (establishing permanent connections)

File system (files, Unix domain sockets)

Network sockets

9

Application layer

Middleware layer

Kernel layer

App B

IPC MAC

File System DAC

Network Sockets

DAC

App A


MAC – Mandatory Access Control DAC – Discretionary Access Control

Application isolation VMs and sandboxing Apps are written in Java (but native code can be used)

Application Access Control Permission framework at middleware layer Discretionary access control to file system at Linux level

Code Integrity System code is signed by Google Applications are signed by developers

It is easy to obtain a developer key, just 25 USD fee

App Distribution Apps do not go through vetting process, but directly published at

Google App market or other 3rd party markets

11 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 11

12

General Idea

The application sandbox specifies which system resources the application is allowed to access

An attacker can only perform actions defined in the sandbox

Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2012 Android Security Architecture 12

Each application is isolated in own sandbox Applications can access only own resources Access to sensitive resources depends on the application’s capabilities (“permissions”)

Sandboxing is enforced by Linux Each App is assigned a unique UserID and runs in separate process Each App has a private data folder


Application are assigned permissions Permissions are needed to control access

System resources (logs, battery, etc.) Sensitive data (SMS, contacts, e-mails, etc.) System interfaces (Internet, send SMS, etc.)

Application (developers) can also define own permissions to protect application interfaces

Permissions are either Simply associated strings (most permissions) Mapped to Linux GIDs (few: Internet, Bluetooth, ext. storage,…)


Android Middleware

Installer

Perm. P1

App B

Perm. P2 Perm. P3

Reference Monitor

App A

Dalvik VM

Permission Database


Android Middleware

Installer

App B

Reference Monitor

App A

Application Manifest

P3 App A Application

Manifest P1 P2

Dalvik VM

Permission Database


App A is allowed to send SMS (P1)

App A also posses permission P2 (e.g., access location)

App B has two interfaces protected by permission P2 and P3

App B

App A

Perm. P1 Perm. P2

Perm. P2 Perm. P3


Android Market

User

Install Requested

permissions are reasonable

Permissions

Movie Player

Download App


Android Market

User

Why Movie Player requests permission

to send SMS?

Permissions

Malicious Movie Player

Download app

Deny install


Android

Browser

Phone

Download Provider

Core Application with many interfaces

Required Permission: CALL_PHONE

Granted Permission: CALL_PHONE


Enforced by Linux Discretionary Access Control (DAC) Processes are owned by users Files are assigned access rules for user, group and everyone

Each app is assigned a unique user id (uid) System resources are owned by a user “root” or “system” Each app has a private data folder Apps may share one sandbox (when signed with the same key)

App Sandbox, uid = xx

Private folder of uid = yy

File System

Sandbox System, uid = yy

Private folder of uid = xx

Application B

C/C

++

libs

Java VM

JNI

Application A

C/C

++

libs

Java VM

JNI


Only system sandbox can access sensitive phone functionality (GSM, GPS, …)

System sandbox exposes this functionality to other apps via APIs protected with system permissions (p1 … pn)

Applications can declare own permissions to protect sensitive interfaces (e.g., enabling access to application data)

23

Sensitive driver


Application A



pn

p1

p2

…

Declared permissions: p1 … pn

Pn +1

Declared permissions: pn+1

Linux / File System


Applications must be granted corresponding permissions to be able to access protected interfaces

Permission assignments are monitored by middleware reference monitor Some exceptional cases: INTERNET and EXTERNAL_STORAGE permissions

Enforced by Linux kernel rather than middleware These permissions are mapped to Linux groups (e.g., each app granted Internet

permission is a member of a group which is allowed to access Internet driver)

24

Sensitive driver


Application A



pn

p1

p2

…

Declared permissions: p1 … pn

Linux / File System

Middleware

Granted permissions: p1

INTERNET

,

INTERNET Socket


Security Weaknesses of Android Permission Framework


26

Confused deputy attacks

Attacks by colluding

applications


Linux kernel

Do not have a right permission? Ask your neighbor! Invoke browser to download malicious files (Lineberry et al., BlackHat 2010)

27

Middleware

Networking

Malware

Sandbox Granted permissions:

none

Browser Sandbox Granted permissions:

INTERNET

Browser


Linux kernel

Do not have a right permission? Ask your neighbor! Invoke browser to download malicious files (Lineberry et al., BlackHat 2010) Invoke Phone app to perform a phone call (Enck et al., TechReport 2008)

28

Middleware

Malware


none

Phone Sandbox Granted permissions:

p1

Phone app

API to make phone calls

API to send SMS

System Sandbox

p1 p2


Linux kernel

Do not have a right permission? Ask your neighbor! Invoke browser to download malicious files (Lineberry et al., BlackHat

2010) Invoke Phone app to perform a phone call (Enck et al., TechReport 2008) Invoke Android Scripting Environment (ASE) to send SMS messages (Davi

et al.,ISC 2010)

29

Middleware

Malware


INTERNET API to make phone calls

API to send SMS

System Sandbox

p1 p2

ASE Sandbox Granted permissions:

INTERNET, p2

ASE app

Networking


Divide necessary permissions among two (or more) apps 1st app has access to user location; 2nd is granted Internet access

Apps communicate directly

30

API to access location

Sandbox B Granted permissions:

p3

System Sandbox

Middleware

Malware B

Malware A

Sandbox A Granted permissions:

INTERNET

Networking

Linux kernel

API to change volume settings

p3 -



Apps communicate directly

Apps communicate via overt/covert channels in a System Sandbox (e.g., write/read data to system databases, or write-read system settings) (Soundcomber, NDSS`2011)

31



p3

System Sandbox

Middleware

Malware B

Malware A


INTERNET

Networking

Linux kernel


p3 -



Apps communicate directly Apps communicate via overt/covert channels in a System Sandbox (e.g., write/read data to

system databases, or write-read system settings) (Soundcomber, NDSS`2011) Apps communicate via file sharing

32



p3

System Sandbox

Middleware

Malware B

Malware A


INTERNET

Linux kernel


File System

p3 -


2 lecture embedded system security a.-r. sadeghi, @tu ... · pdf file2 lecture embedded system...

Documents