Windows Phone 7 Internals and Exploitability



Similar documents
Bypassing Memory Protections: The Future of Exploitation

Bypassing Browser Memory Protections in Windows Vista

Adobe Flash Player and Adobe AIR security

Virtualization System Security

Why should I care about PDF application security?

Windows Operating Systems. Basic Security

Creating a More Secure Device with Windows Embedded Compact 7. Douglas Boling Boling Consulting Inc.

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Seven for 7: Best practices for implementing Windows 7

Web application security: automated scanning versus manual penetration testing.

POACHER TURNED GATEKEEPER: LESSONS LEARNED FROM EIGHT YEARS OF BREAKING HYPERVISORS. Rafal Wojtczuk

Implementation of Web Application Firewall

Windows Phone 8 Security Overview

Windows Phone 8 Security deep dive

CPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT

MWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March Contents

Patch and Vulnerability Management Program

What is Web Security? Motivation

Management (CSM) Capability

Topic 5a Operating System Fundamentals

Using Palo Alto Networks to Protect Microsoft SharePoint Deployments

SSA : Multiple Vulnerabilities in WinCC flexible and WinCC V11 (TIA Portal)

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

Windows 8: Redmond s Safest Operating System Ever?

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Learning objectives for today s session

Windows Remote Access

Smartphone Spying Tools Mylonas Alexios

Penetration Testing Report Client: Business Solutions June 15 th 2015

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Penetration Testing Corporate Collaboration Portals. Giorgio Fedon, Co-Founder at Minded Security

The Leader in Cloud Security SECURITY ADVISORY

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Detecting the One Percent: Advanced Targeted Malware Detection

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

V ISA SECURITY ALERT 13 November 2015

BYPASSING THE ios GATEKEEPER

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Advanced Endpoint Protection Overview

Discovering passwords in the memory

CPA SECURITY CHARACTERISTIC ENTERPRISE MANAGEMENT OF DATA AT REST ENCRYPTION

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Enterprise Apps: Bypassing the Gatekeeper

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

SENSE Security overview 2014

Vulnerability management lifecycle: defining vulnerability management

Microsoft Security Bulletin MS Important

Safety measures in Linux

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Penetration Test Report

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011

Egress Switch Best Practice Security Guide V4.x

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

OWASP Mobile Top Ten 2014 Meet the New Addition

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Adobe Systems Incorporated

Anti-exploit tools: The next wave of enterprise security

Host-based Protection for ATM's

SECURITY ASPECTS OF OPEN SOURCE

Turn the Page: Why now is the time to migrate off Windows Server 2003

California Department of Technology, Office of Technology Services WINDOWS SERVER GUIDELINE

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Service Manager and the Heartbleed Vulnerability (CVE )

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Security Testing. How security testing is different Types of security attacks Threat modelling

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Security challenges for internet technologies on mobile devices

Web Application Vulnerability Testing with Nessus

USB Portable Storage Device: Security Problem Definition Summary

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

An Analysis of Address Space Layout Randomization on Windows Vista

Pass-the-Hash. Solution Brief

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Building A Secure Microsoft Exchange Continuity Appliance

MCAFEE FOUNDSTONE FSL UPDATE

8070.S000 Application Security

Modern Binary Exploitation Course Syllabus

Enterprise Application Security Workshop Series

UNCLASSIFIED Version 1.0 May 2012

BlackBerry 10.3 Work and Personal Corporate

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

Defense in Depth: Protecting Against Zero-Day Attacks

How To Protect Your Computer From Being Hacked By A Hacker (For A Fee)

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation

Transcription:

Windows Phone 7 Internals and Exploitability (abridged white paper) Tsukasa Oi Research Engineer

目 次 1. Abstract... 3 2. Introduction: Windows Phone 7 and Analysis... 3 3. Security Analysis Windows Phone 7... 3 3.1. Application Model... 3 3.2. Process Memory and ASLR... 4 3.3. Memory uses in.net... 4 3.4. Application Security System... 4 4. Security Analysis OEM customizations... 4 5. Conclusions... 5 2

1. Abstract Windows Phone 7 is a modern mobile operating system developed by Microsoft. This operating system based on Windows Embedded CE 6 protects the system and the user by modern sandbox and secure application model. We have analyzed the internals of this operating system to evaluate security of the Windows Phone 7 operating system. We also focused on customizations by third-party vendors. Windows Phone 7-based devices by some vendors have special interfaces for OEM use but some of those makes subverting sandbox and chamber model easier because of various design/implementation issues such as directory traversal and improper open privileged operations. 2. Introduction: Windows Phone 7 and Analysis Windows Phone 7 is based by Windows Embedded CE 6.0R3 and some features (including security loader) are ported from Windows Embedded Compact 7. However, many components in this operating system are veiled and this is why we decided to analyze security in Windows Phone 7 operating system. We used native code access and reverse engineering to unveil operating system components and analyzed some components and mechanisms to evaluate its security. 3. Security Analysis Windows Phone 7 3.1. Application Model Windows Phone 7 only allows Windows Phone Marketplace applications which are signed by Microsoft. Almost all applications are written in.net (except some OEM applications and applications from selected vendors) and minimize attack surface. 3

3.2. Process Memory and ASLR Address Space Layout Randomization (ASLR) is one of the exploit mitigation features which make executing arbitrary code harder by randomizing memory addresses and layout in the process. If randomization is not enough, it could make attackers to estimate memory addresses easier and could lead to arbitrary code execution. We analyzed randomness of ASLR using native code access and most of memory areas are randomized well (estimated entropy is approximately 10-bits). However, we found the fact that only base addresses are randomized. This makes heap spraying or similar techniques easier and more reliable. 3.3. Memory uses in.net We also found insecure memory uses which is related to dynamic string allocation in.net. More specifically, dynamic Unicode strings are allocated in executable (RWX) memory. This could be used by attackers to spray executable code in the memory. 3.4. Application Security System In Windows Phone 7 operating system, each application is isolated and sandboxed. This seems to be well-designed and conforming principle of least privilege. Execution domain is separated by chambers which make elevating privileges much harder. We analyzed the Policy Engine and base policy data and we could not find any design flaw. 4. Security Analysis OEM customizations Windows Phone 7 can be customized by OEMs. OEMs can install their original drivers and applications. However, OEMs code is relatively vulnerable and some of OEM customizations (driver interfaces) make possible to break Windows Phone 7 s strong sandbox. Here are some details. Some OEMs and non-oems applications declare undocumented capability ID_CAP_INTEROPSERVICES which allows native code and Interop Services access. If 4

these applications are vulnerable, the attacker can exploit vulnerabilities and access OEMs driver interfaces. For example, HTCFileUtility.dll driver allows some file system access. If this driver is used by the attacker, he/she can steal critical and sensitive information from the device, including their e-mails. HTC has recently modified the driver to restrict accessible paths but this modification was not enough. We found latest version of this DLL has directory traversal vulnerability and the attacker is still possible to access almost every file in the system. Some of those device drivers seem to be unconcerned about security and this might be a big difference between device drivers for Android, which are relatively well-designed. 5. Conclusions Windows Phone 7 s sandbox is very strong and conforming principle of least privilege. But some insufficient memory protection features and OEM driver interfaces might threaten users and devices. We think ID_CAP_INTEROPSERVICES is a design flaw in this operating system. Microsoft and OEMs will need to make Interop Services access more granularized. We hope these issues to be fixed in Windows Phone 8 and we guess... they will. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information