Smartphone Security pr. Sven Bugiel

Transcription

1 Smartphone Security pr Sven Bugiel

2 Organizational: Teams 2-3 Students per team Register your team by to me Names, Student IDs, and addresses of all team members Preferred and backup topic Deadline: Wednesday, October 31 st Confirmation of the topic on the same (or next) day, depending on number of conflicts, RNG seed, and your discipline to adhere to the deadline Maximum of two teams per topic 2

3 Organizational: Dates Midterm report Progress report by each team Short (4-6 pages) Deadline: Friday, December 14 th!!! Final report and code submission pages report + zipped code ( or diff file) Clearly stating for which part which team members were responsible Deadline: Friday, February 15th Concluding meeting and presentations Short presentation (10-15 min) of each team s results Every team member has to speak Date: TBA 3

4 Today s Agenda Introduction Android Software Stack Android Security Mechanisms Selected Attacks Projects Proposals 4

5 Smartphones Applications Today Mobile Phone Features Interfaces GPS, WiFi, Bluetooth, Infrared, NFC Call, SMS, MP3, Video Online Services Browsing, , E-Shopping, Social Networking Location Services Navigation, Recommendation 5

6 Smartphones as Target of Attacks

7 Threat Classification Attacks on Privacy Location, , Contacts Runtime Attacks Code Injection, Return-Oriented Programming Attack Vectors Hardware Attacks GSM Module, Base Station Malware Trojans, Viruses, Worms 7

8 Android

9 Big Picture (Android Anatomy and Physiology, Patrick Brady) 9

10 Linux Kernel Standard Linux kernel ( for Android 2.2.x Froyo ; for Android 4.1.x Jelly Beans ) Patches for Android (e.g., aggressive Power Management, Logger, Binder) Binder: High-performance, shared memory based IPC Synchronous calls between processes Per-process thread pool for processing requests Android Interface Definition Language (AIDL) 10

11 Native Libraries C/C++ libraries Exposed to developers through the Android application framework Core libraries include: Libc (Bionic) Media libraries Surface Manager 3D libraries SQLite SSL 11

12 Android Runtime Dalvik Virtual Machine VM optimized for embedded environments Runs optimized file format.dex and Dalvik bytecode generated from Java.class/.jar files at build time Relies on underlying Linux kernel for threading and low-level memory management Core Libraries Provide most of the functionality available in the core libraries of Java Provides core APIs of Java (familiar programming environment) 12

13 Application Framework Provides developers API to basic functionalities and services (e.g., set alarms, access location information, take advantage of device HW, ) App Service (App. Framework) lib App Service (App. Framework) Native Service lib App Service (App. Framework) Native Daemon lib APIs are the same as for the core applications (e.g., Phone, Contacts, ) Activity Manager Enforces permissions on IPC ( Reference Monitor ) Responsible for starting applications Package Manager Management of Permissions and Applications 13

14 App Runtime Service lib 14

15 App Runtime Service lib 15

16 App Runtime Service Native Service lib 16

17 App Runtime Service Native Service lib 17

18 App Runtime Service Native Daemon lib 18

19 App Runtime Service Native Daemon lib 19

20 Applications Third party applications (e.g., Android Market) A number of core ( system ) applications (cannot be uninstalled) Contacts Settings Browser Components of applications Activity: User interface Service: Background service Content Provider: SQL-like database Broadcast receiver: Mailbox for broadcasted messages Applications can contain native code (C/C++ shared libraries) For simplicity, Binder-based IPC between components often called Inter- Component Communication Binder usually not exposed to native code in applications 20

21 Android Security Mechanisms

22 Sandboxing General Idea The application sandbox specifies which system resources the application is allowed to access An attacker can only perform actions defined in the sandbox 22

23 Application Isolation by Sandboxing Each application is isolated in own sandbox Applications can access only own resources Access to sensitive resources depends on the application s capabilities ( permissions ) Sandboxing is enforced by Linux Each App is assigned a unique UserID and runs in separate process Each App has a private data folder 23

24 Android Installer: Installation of a Benign App Android Market Movie Player Download App Permissions Requested permissions are reasonable User Install 24

25 Android Installer: Installation of a Security-Critical App Android Market Malicious Movie Player Download app Permissions Why does this app requests permission to send SMS? User Deny install 25

26 Android Permission System Applications (UIDs) are assigned permissions Permissions are needed to control access to System resources (logs, battery, etc.) Sensitive data (SMS, contacts, s, etc.) System interfaces (Internet, send SMS, etc.) Application (developers) can also define own permissions to protect application interfaces Permissions are either Simply associated strings (most permissions) Mapped to Linux GIDs (few: Internet, Bluetooth, ext. storage, ) 26

27 Android Permissions: Example App A is allowed to send SMS (P 1 ) App A also holds permission P 2 (e.g., access location) App B has two interfaces protected by permission P 2 and P 3 App A Perm. P 1 Perm. P 2 Perm. P 2 Perm. P 3 App B 27

28 Permission Enforcement Binder provides certain information to the callee of IPC getuid(): returns caller s UID getpid(): returns caller s PID System enforces permission check upon IPC call checkpermission(string Perm): checks if caller has been granted the permission Perm Can also be called by applications themselves 28

29 Android InSecurity

30 Do you understand Permissions? 30

31 Requesting dangerous permissions android.permission.internet android.permission.access_coarse_location android.permission.read_phone_state android.permission.vibrate Geinimi Trojan 2010 User has to confirm requested permissions android.permission.internet android.permission.access_coarse_location android.permission.read_phone_state android.permission.vibrate com.android.launcher.permission.install_shortcut android.permission.access_fine_location android.permission.call_phone android.permission.mount_unmount_filesystems android.permission.read_contacts android.permission.read_sms android.permission.send_sms android.permission.set_wallpaper android.permission.write_contacts android.permission.write_external_storage com.android.browser.permission.read_history_bookmarks com.android.browser.permission.write_history_bookmarks android.permission.access_gps android.permission.access_location android.permission.restart_packages android.permission.receive_sms android.permission.write_sms 31

32 Good news everyone: The really dangerous permissions are reserved for the System Components / Apps Bad news: Android s Security Framework is prone to privilege escalation attacks 32

33 Application-level Privilege Escalation Attacks Confused deputy attacks Attacks by colluding applications 33

34 Application-level Privilege Escalation Attacks Scenario 1: Confused deputy attack Unprivileged App A Privilege P1 App B A privileged program is fooled into misusing its privileges on behave of another (malicious) unprivileged program. Android Middleware Examples: 1) Invoke browser to download malicious files (Lineberry et al., BlackHat 2010) 2) Unauthorized phone call (Enck et al., TechReport 2008) 34

35 Google Android: Communication with web servers without possessing INTERNET Permission 0 Permissions Malicious App 1) Ask Browser for data transfer from a remote server 2) Browser forwards request 3) Files are transmitted to SD card Android Web Browser INTERNET Permission 35

36 Scenario 2: Collusion attack Application-level Privilege Escalation Attacks Privilege P1 App A Android Core Privilege P2 App B Malicious apps collude in order to merge their respective permissions Android Middleware 1) Apps communicate directly 2) Apps communicate via covert (e.g., volume settings) or overt (e.g., content providers) channels in AndroidCore Example: Soundcomber (Schlegel et al., NDSS 2011) 36

37 Google Android: Soundcomber: A stealthy and context-aware sound Trojan APP_B Permission: Internet APP_A Permission: Record Audio 1) Call Credit Institute 2) Credit Card Number is extracted from the speech 37

38 Soundcomber Internals Exploiting Covert Channels in Android APP_B Permission: Internet Read Android Core Application APP_A Permission: Record Audio Write Volume Setting 38

39 Application-level Privilege Escalation Attacks Scenario 3: Breaking out of the sandbox a) IPC / RPC / Sockets (Example: Davi et al., 2010) Reference Monitor a) Root exploit (Example: DroidDream Trojan 2011) 39

40 Malware Evolution

41 Update attack [Zhou et al., Oakland 2012] 1. Install App 2. App triggers Update 3. Deploy malicious update 4. Load update (dynamically) 5. Perform malicious action 8/23/

42 Rootkit Example: Interposing communication with GSM Modem Phone / SMS App Middleware Kernel System Call Table sys_open sys_reboot sys_read List of modules List of processes List network connections Hardware GSM Modem 8/23/

43 TapLogger / TouchLogger Infer user s input to virtual keyboard by measuring the accelerometer and gyroscope during typing [Xu et al., WiSec 2012; Cai et al., HotSec 2011] S A F E 8/23/

44 Projects Proposals in a Nutshell (see course material for details)

45 Confused Deputy Finder Develop a tool to detect whether a 3 rd party app unintentionally leaks security/privacy sensitive data. Preferred implementation based on blackbox testing Alternative approach: Using static analysis frameworks. 45

46 Data Shadowing Extend the query interface of 1-2 selected system ContentProviders (e.g., Contacts and SMS), such that a very fine-grained data filtering is possible: Per-row: Is access to an entire contact/sms allowed, e.g., because he belongs to a certain group like work? Per-column: Should certain information of a contact/sms (e.g., phone number) not be returned? Per-cell: Combination of the both above 46

47 Data Exfiltration Use the TaintDroid framework to prevent security/privacy sensitive data from being exfiltrated. Very similar to AppFence architecture, so difference should be made clear (NO PLAGIATISM!) 47

48 SEAndroid Multi-Level Security Extend the Mandatory Access Control of SEAndroid from the kernel into the middleware level by extending strategically important API with policy enforcement hooks and adding the corresponding security types to SEAndroid s default definitions. 48

49 KeyChain Extension and Integration KeyChain is a central credential storage on Android 4.X Extend this service with 1. Support for new crypto credentials and a functionality to encrypt/sign data without the need to reveal the key ( crypto service ) 2. Use this new functionality by integrating the KeyChain into Contacts (i.e., connect a contact with a key for its ID) and SMS (i.e., use the stored key of the recipient to encrypt the SMS and hence enable encrypted SMS) 49

50 Enhanced Installer Extend the Android default installer with new security features to check whether an installation is allowed 1. Based on static properties of apps (e.g., developer signature and requested permissions) 2. Based on dynamic properties of the system (e.g., which permissions inherits the new app due to a shared UID) 3. Based on a very simple virus scan to detect if the App s native code contains, e.g., a root exploit, etc. 50

51 Blue Pill / KeyLogger Develop malicious versions of the default Launcher and Keyboard app which are able to hide/re-link installed apps or log the user s input, respectively Consider how security mechanisms like the Home button can be prevented or the user be tricked into taking this blue pill 51

52 Rootkit Develop a rootkit which can interpose on the communication with high-value low-level targets such as rild in order to compromise the system security and which is able to communicate with a control server Consider how the rootkit could be made persistent 52

53 References Android tutorials by MarakanaTech on Youtube Books: Manning: Android in Action Hashimi: Android