Lecture Embedded System Security

Transcription

1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Summer Term 2011

2 Overview Introduction Android Software Stack Android Security Mechanisms Recent Attacks Security Extensions 2

3 Overview Introduction Android Software Stack Android Security Mechanisms Recent Attacks Security Extensions 3

4 Summary Smartphones and their applications have become an integral part of information society Security and privacy-protection technology is an enabler for innovative business models Recent research on mobile phone security (main focus on Android) 4

5 Trust Model Different & more complicated than PC world Mutual mistrust, resource constraints, Users Enterprises Network Providers Device Manufacturer Service Providers 5

6 Smartphones Applications Today Mobile Phone Features Interfaces GPS, WiFi, Bluetooth, Infrared Call, SMS, MP3, Video Online Services Browsing, , E-Shopping, Social Networking Location Services Navigation, Recommendation 6

7 And in Near Future: Context-Based Policies & Applications Bluetooth Discovery Bluetooth interface should only be discovered at home Requires location recognition Lend Phone Access control to sensitive data (e.g., SMS) when lending to others Requires user recognition Application Restriction in Company A company restricts the set of applications which can be used while the employee is working Requires policy enforcement by trusted third parties 7

8 Worldwide Smartphone Sales to End Users by Operating System Sold Units Q1/ Android Symbian ios Research In Motion Microsoft Other OS 0 1Q/2011 Based on Gartner Statistics (May 2011) 8

9 9

10 Threat Classification Attacks on Privacy Location, , Contacts Runtime Attacks Code Injection, Return-Oriented Programming Attack Vectors Hardware Attacks GSM Module, Base Station Malware Trojans, Viruses, Worms 10

11 11

12 Overview of selected smartphones Closed Source Sandboxing Code Signing Code Inspection Non-Executable Memory Open Source Strict Sandboxing Java Dalvik Virtual Machine Java Apps Lightweight Code Signing Permission Framework Open Source Security Framework based on Role- Based Access Control Detailed information not yet published Closed Source Apps and main part of the OS in Java End-to-End Encryption Code signing and digital certificates 12

13 Overview Introduction Android Software Stack Android Security Mechanisms Recent Attacks Security Extensions 13

14 Big Picture (Android Anatomy and Physiology, Patrick Brady) 14

15 Linux Kernel Standard Linux kernel ( for Android Froyo ) Patches for Android (e.g., aggressive Power Management, Logger, Binder) Binder: High-performance, shared memory based IPC Synchronous calls between processes Per-process thread pool for processing requests Android Interface Definition Language (AIDL) 15

16 Native Libraries C/C++ libraries Exposed to developers through the Android application framework Core libraries include: Libc (Bionic) Media libraries Surface Manager 3D libraries SQLite SSL 16

17 Android Runtime Dalvik Virtual Machine VM optimized for embedded environments Runs optimized file format.dex and Dalvik bytecode generated from Java.class/.jar files at build time Relies on underlying Linux kernel for threading and low-level memory management Core Libraries Provide most of the functionality available in the core libraries of Java Provides core APIs of Java (familiar programming environment) 17

18 Application Framework Provides developers API to basic functionalities and services (e.g., set alarms, access location information, take advantage of device HW, ) App Service (App. Framework) lib App Service (App. Framework) Native Service lib App Service (App. Framework) Native Daemon lib APIs are the same as for the core applications (e.g., Phone, Contacts, ) Activity Manager Enforces permissions on IPC ( Reference Monitor ) Responsible for starting applications Package Manager Management of Permissions and Applications 18

19 Applications Third party applications (e.g., Android Market) A number for core ( system ) applications (cannot be uninstalled) Contacts Settings Browser Components of applications Activity: User interface Service: Background service Content Provider: SQL-like database Broadcast receiver: Mailbox for broadcasted messages Applications can contain native code (C/C++ shared libraries) For simplicity, Binder-based IPC between components often called Inter- Component Communication Binder usually not exposed to native code in applications 19

20 Overview Introduction Android Software Stack Android Security Mechanisms Recent Attacks Security Extensions 20

21 Sandboxing General Idea The application sandbox specifies which system resources the application is allowed to access An attacker can only perform actions defined in the sandbox 21

22 Application Isolation by Sandboxing Each application is isolated in own sandbox Applications can access only own resources Access to sensitive resources depends on the application s capabilities ( permissions ) Sandboxing is enforced by Linux Each App is assigned a unique UserID and runs in separate process Each App has a private data folder 22

23 Android Installer: Installation of a Benign App Android Market Movie Player Download App Permissions Requested permissions are reasonable User Install 23

24 Android Installer: Installation of a Security-Critical App Android Market Malicious Movie Player Download app Permissions Why Movie Player requests permission to send SMS? User Deny install 24

25 Android Permission System Application are assigned permissions Permissions are needed to control access System resources (logs, battery, etc.) Sensitive data (SMS, contacts, s, etc.) System interfaces (Internet, send SMS, etc.) Application (developers) can also define own permissions to protect application interfaces Permissions are either Simply associated strings (most permissions) Mapped to Linux GIDs (few: Internet, Bluetooth, ext. storage, ) 25

26 The Manifest File Application App A Manifest P 1 P 2 Application Manifest P 3 App B Perm. P 2 Perm. P 3 Perm. P 1 Installer Permission Database Reference Monitor Dalvik VM Android Middleware 26

27 Permission System: Example App A is allowed to send SMS (P 1 ) App A also posses permission P 2 (e.g., access location) App B has two interfaces protected by permission P 2 and P 3 App A Perm. P 1 Perm. P 2 Perm. P 2 Perm. P 3 App B 27

28 Permission Enforcement Binder provides certain information to the callee of IPC getuid(): returns caller s UID getpid(): returns caller s PID System enforces permission check upon IPC call checkpermission(string Perm): checks if caller has been granted the permission Perm Can also be called from applications themselves 28

29 Android Permission Graph Phone Granted Permission: CALL_PHONE Core Application with many interfaces Browser Required Permission: CALL_PHONE Android Download Provider 29

30 Overview Introduction Android Software Stack Android Security Mechanisms Recent Attacks Security Extensions 30

31 31

32 Requesting dangerous permissions android.permission.internet android.permission.access_coarse_location android.permission.read_phone_state android.permission.vibrate Geinimi Trojan 2010 User has to confirm Requested permissions android.permission.internet android.permission.access_coarse_location android.permission.read_phone_state android.permission.vibrate com.android.launcher.permission.install_shortcut android.permission.access_fine_location android.permission.call_phone android.permission.mount_unmount_filesystems android.permission.read_contacts android.permission.read_sms android.permission.send_sms android.permission.set_wallpaper android.permission.write_contacts android.permission.write_external_storage com.android.browser.permission.read_history_bookmarks com.android.browser.permission.write_history_bookmarks android.permission.access_gps android.permission.access_location android.permission.restart_packages android.permission.receive_sms android.permission.write_sms 32

33 Problem Android Permission Framework is vulnerable to Application-level Privilege Escalation Attacks 33

34 Application-level Privilege Escalation Attacks Scenario 1: Confused deputy attack Unprivileged App A Privilege P1 App B A privileged program is fooled into misusing its privileges on behave of another (malicious) unprivileged program. Android Middleware Examples: 1) Invoke browser to download malicious files (Lineberry et al., BlackHat 2010) 2) Unauthorized phone call (Enck et al., TechReport 2008) 34

35 Scenario 2: Collusion attack Application-level Privilege Escalation Attacks Privilege P1 Privilege P2 App A Android Core App B Android Middleware 1) Apps communicate directly 2) Apps communicate via covert (e.g., volume settings) or overt (e.g., content providers) channels in AndroidCore Example: Soundcomber (Schlegel et al., NDSS 2011) 35

36 Breaking out of the sandbox a) IPC / RPC / Sockets (Example: Davi et al., 2010) Access control a) Kernel exploit (Example: DroidDream Trojan 2011) 36

37 Privilege Escalation on Google Android NO Permission to send SMS Java Application Native Code Exploit Bug Escalate Privileges Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Marcel Winandy Information Security Conference (ISC 2010) 37

38 Google Android: Communication with web servers without possesing INTERNET Permission 0 Permissions Malicious App 1) Ask Browser for data transfer from a remote server 2) Browser forwards request 3) Files are transmitted to SD card Android Web Browser INTERNET Permission 38

39 Google Android: Install arbitrary applications without the users knowledge Android Web Browser Permission: INSTALL_PACKAGES 1) Exploit Bug in web Browser 2) Enforce the installation of various apps 39

40 Google Android: Soundcomber: A stealthy and context-aware sound Trojan APP_B Permission: Internet APP_A Permission: Record Audio 1) Call Credit Institute 2) Credit Card Number is extracted from the speech 40

41 Soundcomber Internals Exploiting Covert Channels in Android APP_B Permission: Internet Read Android Core Application APP_A Permission: Record Audio Write Volume Setting 41

42 Application Installation What user perceives: (Jon Oberheide, 42

43 Application Installation (cont.) What actually happens: Android Device 1 Market App Install Request 2 Market Servers Google Vending 6 5 GTtalk Service INSTALL_ASSET 4 3 C2DM Service APK Hosting APK Download 43

44 Application Installation (cont.) What is the consequence: Malicious software could impersonate Market app and fake the INSTALL_ASSET Further apps could be installed without ever prompting the user to approve the Installation of new packages Permissions requested by these new packages 44

45 Overview Introduction Android Software Stack Android Security Mechanisms Recent Attacks Security Extensions 45

46 46

47 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 Dalvik VM TaintDroid Porscha Mediator Reference Monitor Saint Apex CRePE XManDroid QUIRE IPC Inspection Installer Kirin Saint Apex QUIRE Android Middleware Linux Kernel Hardware SELinux 47

48 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 Kirin [2009] Reference Installer Prevents the Monitor installation of Kirin malicious applications Identifies security-critical combinations of permissions at install-time Android Middleware Linux Kernel Hardware 48

49 Kirin William Enck, Machigar Ongtang, and Patrick McDaniel. On Lightweight Mobile Phone Application Certification. ACM CCS 2009 Goal Lightweight certification of applications to mitigate malware Solution Check the set of permissions requested by an application at installtime against a policy database The database contains security-critical combinations of permissions E.g., an application requesting RECORD_AUDIO, INTERNET, and CALL_PHONE indicates a voice recorder In case of a policy match Kirin denies the installation Conclusion Can be easily integrated in Android s installer and prevents most of existing malware Open Problems Policy deployment, collusion attacks, cannot catch dynamic behavior of applications, a lot of false positive (usability) 49

50 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 Saint [2009] Reference Installer Apps can define Monitor flexible access Kirin control policies Saint for own Saint interfaces Privileged apps can be protected from being misused by malicious apps Android Middleware Linux Kernel Hardware 50

51 Saint Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. Semantically Rich Application-Centric Security in Android. ACSAC 2009 Goal Provide a framework which allows applications and their interfaces from being misused Solution Saint (Secure Application INTeraction) extends Android s installer and reference monitor to meet this goal Saint allows the assignment of signature-and configuration-based policies at install-time At runtime, Saint enforces fine-grained permission checks Context Policies: State of the device (e.g., location, time, battery, etc.) Configuration: Application version of the caller and callee (e.g., only version 2.1 and higher are allowed to access an application interface) Conclusion Saint provides a sophisticated framework which allow developer to protect their applications from being exploited and misused Open Problem The developer (likely not to be interested in security) is himself responsible for deploying Saint policies 51

52 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 Apex [2010] Reference Installer Android Permission Monitor Extension Kirin Fine-grained Saint permission model Saint allowing users Apex to deny certain Apex permissions Allows to specifiy runtime constraints: Maximum number of SMS per day Android Middleware Linux Kernel Hardware 52

53 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 CRePE [2010] Reference Installer Context-Related Monitor Policy Enforcement Kirin for Android Saint Saint See Slide Applications Apex of Context- Apex Based Policies CRePE for application examples Android Middleware Linux Kernel Hardware 53

54 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 To: App A Porscha [2010] Reference Installer Security-sensitive Monitor data (SMS, E-Kirin Mail, Documents) Saint are tagged Saint with a DRM-compliant Apex security Apex Porscha CRePE Mediator policy Only applications complying to the policy are allowed to read data Android Middleware Linux Kernel Hardware 54

55 Security Extensions for Android App A Perm. P Location 1 Data App B Perm. P 2 Perm. P 3 TaintDroid [2010] Dalvik VM Reference Installer Monitor TaintDroid Deploys dynamic taint analysis in Kirin Saint Saint order to detect unauthorized Apex Apex Porscha leakage of sensitive data CRePE Mediator Applied to real apps in Android Market, showed many of them leak sensitive data Android Middleware Linux Kernel Hardware 55

56 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 SELinux for Android Dalvik VM Reference Installer Monitor TaintDroid Kirin [2010] Saint Saint Mitigates privilege Apex escalation Apex Porscha attacks at the CRePE kernel level Mediator Android Middleware Linux Kernel SELinux Hardware 56

57 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 Dalvik VM Reference Installer Monitor TaintDroid Kirin Saint Saint XManDroid [2011] Apex Apex Porscha extended Monitoring on Android CRePE Mediator Prevents privilege XManDroid escalation attacks (in particular, confused deputy and collusion attacks) on the application level by monitoring IPC messages Detects also covert and overt channel attacks on Android the ICC Middleware level (e.g., Soundcomber) Linux Kernel SELinux Hardware 57

58 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 Dalvik VM Reference Installer Monitor TaintDroid Kirin Saint Saint QUIRE Apex [2011] Apex Porscha Prevents confused deputy CRePE attacks by tracking the IPC Mediator call chain XManDroid Based on the IPC call QUIRE chain, applications themselves decide if the request should be processed or denied for the case the originator lacks permissions QUIRE enables secure in-payment services (PayPal, Google Checkout) Android Middleware However, QUIRE does not address collusion attacks QUIRE and is developer-centric Linux Kernel SELinux Hardware 58

59 Security Extensions for Android App A Perm. P 1 App B Perm. P 2 Perm. P 3 Dalvik VM Reference Installer Monitor TaintDroid IPC Inspection [2011] Kirin Demonstrates several Saint severe privilege Saint Apex Apex Porscha escalation attacks against Android CRePE Mediator system applications XManDroid Prevents confused deputy attacks by QUIRE permission IPC reduction: Inspection The receiving application of an ICC communication reduces its permissions to the caller s permissions Android Middleware QUIRE Linux Kernel Hardware SELinux 59

60 60