BE PARANOID OR NOT TO BE?
Alizée PENEL
Linux and Android System Developer
Dev Team Member
Agenda
01 Internet Permission in Marshmallow
02 Network Sockets in Android OS
03 Security Aspects
INTERNET PERMISSION IN MARSHMALLOW
INTERNET PERMISSION DECLARATION
AndroidManifest.xml
https://github.com/vx/connectbot from VX Solutions
INTERNET PERMISSION DEFINITION
frameworks/base/core/AndroidManifest.xml
MARSHMALLOW PERMISSIONS
Permissions are automatically granted at install time
- UI shows the permission details
- UI from Google Play, not from the system
Dangerous permissions are granted at runtime
INTERNET PERMISSION INTERNALS
On device: /system/etc/permissions/platform.xml
system/core/include/private/android_filesystem_config.h
root@genymotion:/ cat /data/system/packages.list
MAPPING GID / PROCESS
That's all?
Is anything checked at runtime?
NETWORK SOCKETS IN ANDROID OS
THE BASICS
JAVA.NET.SOCKET CLASS
Any application can directly instantiate this class
Even the framework uses it
Packed in the Android Java core library: core-libart.jar
Source file: libcore/luni/src/main/java/net/Socket.java
ANY PERMISSION CHECKED!?
![Page 16: BE PARANOID OR NOT TO BE€¦ · INTERNET PERMISSION INTERNALS On device : ... In net/ipv4/af_inet.c & net/ipv6/af_inet6.c, the process group is checked before creating the socket](https://reader034.vdocument.in/reader034/viewer/2022050500/5f92f2c4069b9b45bb08a5ab/html5/thumbnails/16.jpg)
SOCKET SYSCALL IN BIONIC
bionic/libc/bionic/socket.cpp
The connect and accept syscalls are declared the same way
NetdClientDispatch: a C structure of 4 function pointers, 3 of them pointing to syscalls (__socket, __connect, __accept4) and 1 to a function (fallBackNetIdForResolv)
![Page 17: BE PARANOID OR NOT TO BE€¦ · INTERNET PERMISSION INTERNALS On device : ... In net/ipv4/af_inet.c & net/ipv6/af_inet6.c, the process group is checked before creating the socket](https://reader034.vdocument.in/reader034/viewer/2022050500/5f92f2c4069b9b45bb08a5ab/html5/thumbnails/17.jpg)
WHAT IS HAPPENING IN BIONIC?
As soon as bionic is loaded, the dynamic linker calls the function __libc_preinit()
__libc_preinit() calls the netdClientInit() function
netdClientInit() loads the libnetd_client.so library with dlopen()
![Page 18: BE PARANOID OR NOT TO BE€¦ · INTERNET PERMISSION INTERNALS On device : ... In net/ipv4/af_inet.c & net/ipv6/af_inet6.c, the process group is checked before creating the socket](https://reader034.vdocument.in/reader034/viewer/2022050500/5f92f2c4069b9b45bb08a5ab/html5/thumbnails/18.jpg)
WHAT IS HAPPENING IN BIONIC?
From the libnetd_client.so library, bionic retrieves 4 function symbols:
- netdClientInitSocket()
- netdClientInitConnect()
- netdClientInitAccept4()
- netdClientInitNetIdForResolv()
It then calls them one by one, each with its respective syscall as the parameter.
![Page 19: BE PARANOID OR NOT TO BE€¦ · INTERNET PERMISSION INTERNALS On device : ... In net/ipv4/af_inet.c & net/ipv6/af_inet6.c, the process group is checked before creating the socket](https://reader034.vdocument.in/reader034/viewer/2022050500/5f92f2c4069b9b45bb08a5ab/html5/thumbnails/19.jpg)
NETDCLIENT LIBRARY
IMPACTS ON NETDCLIENTDISPATCH STRUCTURE
After this initialisation, the NetdClientDispatch structure no longer points to the syscalls
It points to the libnetd_client library functions instead:
- netdClientSocket()
- netdClientConnect()
- netdClientAccept4()
- getNetworkForResolv()
WHAT!?
ANDROID KERNEL
Android kernels carry many modifications
Every Android kernel has one networking option enabled: Paranoid
PARANOID KERNEL OPTION
It restricts access to some networking features depending on the group of the calling process
include/linux/android_aids.h
SOCKET CREATION IN THE KERNEL
In net/ipv4/af_inet.c and net/ipv6/af_inet6.c, the group of the calling process is checked before the socket is created
If it is not allowed, the kernel returns EACCES
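As an added illustration (not the slides' code and not kernel code), the check described above re-implemented in user space: a model of current_has_network() from net/ipv4/af_inet.c under CONFIG_ANDROID_PARANOID_NETWORK, with the AID values from android_filesystem_config.h and the upstream CAP_NET_RAW requirement for raw sockets included. The group arrays and the is_root flag standing in for capable() are constructed assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

/* GIDs from android_filesystem_config.h; "inet" is the group that the
 * INTERNET permission maps to in platform.xml. */
#define AID_INET    3003
#define AID_NET_RAW 3004

/* Analogue of the kernel's in_egroup_p(): is gid one of the caller's groups? */
static bool in_egroup(const unsigned *groups, size_t n, unsigned gid)
{
    for (size_t i = 0; i < n; i++)
        if (groups[i] == gid)
            return true;
    return false;
}

/* Models inet_create() for AF_INET/AF_INET6. Returns 0 when the socket may
 * be created, otherwise a negative errno as the kernel would. is_root stands
 * in for capable(CAP_NET_RAW); the paranoid hook also grants that capability
 * to members of AID_NET_RAW. (model, not kernel code) */
int paranoid_inet_create(const unsigned *groups, size_t n, int type, bool is_root)
{
    bool cap_net_raw = is_root || in_egroup(groups, n, AID_NET_RAW);

    /* current_has_network(): inet group membership or CAP_NET_RAW */
    if (!in_egroup(groups, n, AID_INET) && !cap_net_raw)
        return -EACCES;

    /* Upstream Linux check: raw sockets always need CAP_NET_RAW */
    if (type == SOCK_RAW && !cap_net_raw)
        return -EPERM;

    return 0;
}

int main(void)
{
    unsigned with_inet[] = { 10012, AID_INET };  /* constructed: app gid + inet */
    unsigned no_inet[]   = { 10013 };            /* constructed: no INTERNET permission */

    printf("inet group, TCP: %d\n", paranoid_inet_create(with_inet, 2, SOCK_STREAM, false));
    printf("no inet,    TCP: %d\n", paranoid_inet_create(no_inet, 1, SOCK_STREAM, false));
    printf("inet group, RAW: %d\n", paranoid_inet_create(with_inet, 2, SOCK_RAW, false));
    return 0;
}
```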
SUMMARY
WHY THE NETDCLIENT LIBRARY AND THE BIONIC TRICK?
Firewall marks in netd
Network packets are flagged through a fwmark client/server mechanism
This lets packets be matched by the iptables rules set by the OS
In the "system case", the fwmark server also checks the permission of the process
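The bionic hooking sequence from the "What is happening in bionic" and "Impacts on NetdClientDispatch" slides, together with the fwmark step from this slide, as one added example in C (not bionic or netd code): the dispatch table starts on the raw syscall, libnetd_client's init hook saves that entry and swaps in its wrapper, and the wrapper tags each AF_INET/AF_INET6 socket after creation. Assumptions: the dlopen()/dlsym() lookup is replaced by a direct call, libc's socket() stands in for the __socket syscall wrapper, and the fwmark server round-trip is modelled as a counter.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Model of bionic's dispatch table; only the socket slot is shown (bionic also
 * holds connect, accept4 and netIdForResolv). */
struct NetdClientDispatch {
    int (*socket)(int, int, int);
};

/* Stand-in for bionic's __socket, the bare syscall wrapper. (assumption) */
static int raw_socket_syscall(int d, int t, int p) { return socket(d, t, p); }

/* Before netdClientInit() runs, the table points straight at the syscall. */
struct NetdClientDispatch netdClientDispatch = { raw_socket_syscall };

/* ---- side provided by libnetd_client.so ---- */
typedef int (*SocketFunctionType)(int, int, int);
static SocketFunctionType libcSocket;  /* original entry, saved by the init hook */
static unsigned fwmarked = 0;          /* constructed stand-in for fwmark state */

static int netdClientSocket(int domain, int type, int protocol) {
    int fd = libcSocket(domain, type, protocol);
    /* Real code hands fd to netd's fwmark server, which sets the mark that
     * the OS iptables rules match on. Modelled here as a counter. */
    if (fd >= 0 && (domain == AF_INET || domain == AF_INET6))
        fwmarked++;
    return fd;
}

/* bionic calls this with &netdClientDispatch.socket: save the original entry
 * and swap the wrapper in. */
void netdClientInitSocket(SocketFunctionType *function) {
    if (function && *function) {
        libcSocket = *function;
        *function = netdClientSocket;
    }
}

/* What bionic's netdClientInit() does once libnetd_client.so is loaded. */
void netdClientInit(void) { netdClientInitSocket(&netdClientDispatch.socket); }

/* The socket() every app and the framework end up calling. */
int app_socket(int d, int t, int p) { return netdClientDispatch.socket(d, t, p); }

unsigned fwmarked_count(void) { return fwmarked; }

int main(void) {
    int a = app_socket(AF_INET, SOCK_STREAM, 0);  /* before init: not marked */
    netdClientInit();
    int b = app_socket(AF_INET, SOCK_STREAM, 0);  /* after init: marked */
    printf("marked sockets: %u\n", fwmarked_count());
    close(a); close(b);
    return 0;
}
```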
SECURITY ASPECTS
DISCLAIMER
I am NOT a Security developer
Consider just the architectural aspect of the implementation
HOW TO BREAK THE SYSTEM?
Internet permission
Paranoid option
Rooted devices
HOW TO BREAK THE SYSTEM?
sharedUserId
- A way to share permissions between packages
- Permission state is propagated to all packages upon changes
Other applications
QUESTIONS?