Teaching Android Mobile Security · people.rennes.inria.fr/jean-francois.lalande/talks/...
TRANSCRIPT
Introduction Labs Evaluation Conclusion
Teaching Android Mobile Security
Jean-François Lalande, Valérie Viet Triem Tong, Pierre Graux, Guillaume Hiet, Wojciech Mazurczyk, Habiba Chaoui, Pascal Berthomé
SIGCSE’19
Minneapolis, February 28th 2019
2 / 30
Android security?
Research:
- Attacks: design, models
- Counter-measures: protect, detect
- Experiment, visualize
Teaching:
- Malware?
- Permissions?
- Develop apps?
Android complexity
Thesis: working on security requires a deep understanding of Android
Bloom’s taxonomy
We used the levels of the cognitive process:
- Remember (you know about security?)
- Understand
- Apply
- Analyze
- (Evaluate)
- (Create) (student project, possibly linked with research)
Designing security labs with Bloom's taxonomy
Rows: software components. Columns: cognitive process (Remember, Understand, Apply, Analyze, Eval., Create).
Applications: DEV (app development), MAL (malware reverse), PROJ (student project)
AOSP classes: BANK (banking app reverse), COV (covert channels), CLASS (vulnerable class loader)
DVM & ART: PACK (reverse packers)
AOSP internals: INST (compile, flash), MEM (memory forensic)
Kernel: KERN (ROP programming)
TO DESIGN
Outline
1 Introduction
2 Labs
3 Evaluation
4 Conclusion
DEV Lab: Android Development
Classical Android development labs.
- Basic graphical interfaces
- Messaging components
- Concurrency, synchronization, sensors
- Security, Wear OS, Firebase Cloud Messaging
Learning outcomes: architecture of an app, REST communications
INST Lab - Compiling, Modifying, Flashing
Using a real device for:
- Developing, testing
- Flashing, customizing ROMs
We use these smartphones: Nexus 5, Nexus 5X, Sony Xperia X (premium series)
Kernel debugging on a Nexus 5X
Learning outcomes: Customize Android, compile and install.
MAL Lab - Malware Reverse Engineering
Reverse engineering activities (2 examples from 6):
- Ransomware: programming an antidote (bytecode editing)
- Spyware: capturing and sniffing HTTP requests for a dead remote server
Tools:
- Reverse: Bytecode Viewer, Jadx
- Soot: parsing Java bytecode
- Network tunneling: Ngrok
Learning outcomes:Security analysts adapt their methodology to the nature of the threat.
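The spyware exercise works because the sample's real server is dead: the analyst stands up a replacement that accepts whatever the app sends and routes the device's traffic to it. The following is an added example, not material from the slides or the lab repository: a minimal HTTP sink that records method, path, headers and body of every request and answers 200 so the sample keeps beaconing. The beacon function is a constructed stand-in for the spyware (its payload, path and User-Agent are invented); in the lab the device reaches the sink through the Ngrok tunnel, which this snippet does not set up.

```python
"""Capture what a sample sends to its (now dead) remote server.

Added example, not material from the slides or the lab repository. In the
lab the device's traffic is routed to the analyst's machine (e.g. through
an Ngrok tunnel); here a constructed stand-in for the spyware posts to the
sink in the same process so the whole exchange runs offline.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CaptureHandler(BaseHTTPRequestHandler):
    """Records every request and answers 200 so the sample keeps talking."""
    captured = []                 # shared by all requests
    lock = threading.Lock()

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        record = {
            "method": self.command,
            "path": self.path,
            # header names lower-cased: clients differ in capitalisation
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "body": body.decode("utf-8", errors="replace"),
        }
        with self.lock:
            self.captured.append(record)
        # Reply like a live server would; many samples stop on a non-200 answer.
        reply = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    do_GET = _record
    do_POST = _record
    do_PUT = _record

    def log_message(self, fmt, *args):
        pass                      # keep the console free for our own output


def start_sink(host="127.0.0.1", port=0):
    """Start the sink in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_spyware_beacon(port):
    """Constructed stand-in for the sample: uploads 'collected' data."""
    exfil = {"imei": "000000000000000", "contacts": ["Alice", "Bob"]}
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/api/upload?id=42",
        data=json.dumps(exfil).encode(),
        headers={"User-Agent": "Dalvik/2.1.0 (constructed)",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def capture_beacon():
    """Run one full exchange and return the records the sink collected."""
    CaptureHandler.captured.clear()
    server, port = start_sink()
    try:
        simulate_spyware_beacon(port)
    finally:
        server.shutdown()
        server.server_close()
    return list(CaptureHandler.captured)


if __name__ == "__main__":
    for rec in capture_beacon():
        print(rec["method"], rec["path"])
        print(json.dumps(json.loads(rec["body"]), indent=2))
```

With a real sample, replace the beacon with the device: point the tunnel at the sink's port and redirect the dead hostname to it (hosts file on a rooted device, or DNS on the lab network). The recorded body is the exfiltrated data; the headers usually reveal the HTTP library the sample was built with.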
BANK Lab - Banking Application Reverse
- Reverse engineering banking apps
- Stealing credentials
Tools: Jadx, Burp, Andbug
Learning outcomes: Comprehend the countermeasures of regular apps. Try to bypass countermeasures.
COV Lab - Developing Covert Channels
- Exfiltrate data using a covert channel
- Exploit operating system flaws
- Discuss countermeasures
Tools: Android Studio
Learning outcomes: Comprehend covert channels. Bypass security policies.
MEM Lab - Memory Dump Forensic
- Forensic of a memory dump
- Recover credentials
Tools: Volatility
Learning outcomes: Comprehend the leaks induced by the memory management. Simple forensic of memory dumps.
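Once Volatility has produced the process memory, recovering credentials is mostly pattern carving: the runtime does not zero freed buffers, so request bodies, HTTP headers and Java strings survive long after the login screen is gone. The following is an added example, not the lab's own material. The dump bytes are constructed inline to mimic what a login activity's heap can still contain (a form-encoded body with a URL-encoded password, a Basic auth header, and a UTF-16LE Java string), and the set of key names it searches for is an assumption.

```python
"""Carve credential-looking strings from a raw memory dump.

Added example, not the lab's own material: Volatility gets you the process
memory, this is the kind of pass an analyst then runs over it. SAMPLE_DUMP
is constructed in-line; the key names in KEY_RE are an assumption.
"""
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample: heap pages of a login activity after the user logged in.
# Freed buffers are not zeroed, so the request body, the HTTP Authorization
# header and a Java string (UTF-16LE char[]) are still there between filler.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"username=alice&password=Tr0ub4dor%263&remember=1\x00"
    + b"\x00" * 32
    + "password".encode("utf-16-le") + b"\x00\x00"         # a label, not a value
    + b"\xff" * 16
    + b"Authorization: Basic YWxpY2U6VHIwdWI0ZG9yJjM=\r\n"  # alice:Tr0ub4dor&3
    + b"\x00" * 48
    + "password=hunter2".encode("utf-16-le")
)

# key=value pairs as sent in form bodies or query strings (assumed key names)
KEY_RE = re.compile(rb"(pass(?:word|wd)?|pwd|secret|token)=([^&\s\x00]{1,128})",
                    re.IGNORECASE)
# HTTP Basic credentials: base64("user:password")
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{4,})",
                      re.IGNORECASE)
# runs of printable ASCII stored as UTF-16LE (what a Java char[] looks like)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def _form_hits(blob, kind):
    """key=value matches in one byte blob, values URL-decoded."""
    hits = []
    for m in KEY_RE.finditer(blob):
        hits.append({
            "offset": m.start(),
            "kind": kind,
            "key": m.group(1).decode().lower(),
            "value": unquote(m.group(2).decode("ascii", errors="replace")),
        })
    return hits


def carve_credentials(dump):
    """Return credential findings sorted by offset in the dump."""
    findings = _form_hits(dump, "form")

    for m in BASIC_RE.finditer(dump):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue            # looked like base64 but was not
        if ":" not in decoded:
            continue            # Basic auth is always user:password
        findings.append({"offset": m.start(), "kind": "basic-auth",
                         "key": "authorization", "value": decoded})

    # UTF-16LE text: decode each run, scan it, map offsets back (2 bytes/char)
    for m in UTF16_RE.finditer(dump):
        text = m.group().decode("utf-16-le").encode("ascii")
        for hit in _form_hits(text, "form-utf16"):
            hit["offset"] = m.start() + 2 * hit["offset"]
            findings.append(hit)

    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in carve_credentials(SAMPLE_DUMP):
        print(f"0x{f['offset']:06x} {f['kind']:<11} {f['key']}={f['value']}")
```

On a real dump, read the file into bytes and pass it to carve_credentials. The regexes are deliberately loose, so expect false positives; the offsets let you go back to the dump and check what surrounds each hit, and they also show which allocation leaked it (a still-mapped request buffer versus a freed String that was never overwritten).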
CLASS Lab - Vulnerable Class Loader
Attack study: a vulnerable class loader
Tools: Android Studio, Jadx
Learning outcomes: Conduct an investigation. Find vulnerabilities.
PACK Lab - Packers
Reversing: why are method bodies empty?
- Obfuscated code
- Native code packer unpacking the bytecode at runtime
Tools: IDA Pro, radare2
Learning outcomes: Analyze a packer. Combine static and dynamic analysis.
KERN Lab - Kernel ROP Attacks
We provide a vulnerable kernel driver.
Exploiting this vulnerability:
- Use ROP to put a payload in memory
- Overcome the R and X memory exclusion
⇒ One of the most technically difficult labs!
Learning outcomes: Learn the security internals of Android. Design attacks against the system.
Online material
Goal: reuse these labs for your own needs!
gitlab.inria.fr/jlalande/teaching-android-mobile-security/
Full text of 4 labs (2 more to come!)
Evaluation survey
87 answers over 200 students
88% followed the labs a few months before
6 labs evaluated
France: CentraleSupélec, INSA CVL
Poland: Warsaw University of Technology
Morocco: Ibn Tofail University
Global quality of the labs
Students are happy with our labs :)
Labs provided me a fine understanding of Android security
Students do not overestimate their security skills...
Labs evaluation
Each lab was separately evaluated with this ranking [Campbell et al., SIGCSE'15]:
1. Unknown (no trace in my memory);
2. Discovering (I recall some of the content);
3. Intermediate (I understood most of the content);
4. Good knowledge (I am able to do the lab again, without a supervisor and with the help of documents);
5. Advanced (I can reuse my knowledge in another use case).
Goal: evaluate a knowledge increment δ and a raw skill level m for each lab.
Labs evaluation results
Increment δ: +1.85, shifting from "Discovering" to "Good knowledge"
Raw self-evaluation m of skills: 3.31 (= "Intermediate")
[Chart: per-lab self-evaluation for INST, MAL, MEM, COV, CLASS and DEV on the 1-5 scale: 1 Unknown, 2 Discovering, 3 Intermediate, 4 Good knowledge, 5 Advanced]
Conclusion
- A full set of labs for mobile security
- From application level to kernel attacks
- With Bloom's taxonomy in mind
- Material available online
Perspectives:
- Play all the labs for the same students
- Submit to Clark.center?