Securing a mobile platform from the ground up
Rich Cannings <[email protected]>, Alex Stamos <[email protected]>
PacSec talk slides, Android security

  • Securing a mobile platform from the ground up

    Rich Cannings Alex Stamos

  • Overview
    Why care about mobile security?
    What is Android?
    How do I develop on Android?
    Android Market
    What about Security?
    Cornerstones of Android security: Prevention, Minimization, Detection, Reaction

  • Some Statistics
    6.77 billion people [1]
    1.48 billion Internet enabled PCs [2]
    4.10 billion mobile phones [1]
    Mobile phone replacement rate: 12-18 month average [3]
    1.1 billion mobile phones are purchased per year [4]
    13.5% of mobile phone sales are smartphones [5]
    The number of smartphones will soon compare with the number of Internet enabled PCs

    [1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
    [2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
    [3][4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
    [5] http://www.gartner.com/it/page.jsp?id=985912

  • Mobile Security is Getting Interesting
    Techniques for desktop analysis are more useful to smart phones
    Mobile networks can now be easily manipulated
      From phones: Miller, Lackey, Miras at BlackHat 2009
      From false base stations: http://openbts.sourceforge.net/

  • Mobile Security Matures
    We are now seeing attacks against all layers of mobile infrastructure:
    Applications, Platform, OS, Baseband, Network

    Mobile devices must be treated as fully fledged computers.

    Do not assume they are "special".

  • The Android Platform
    Free, open source mobile platform
    Source code at http://source.android.com
    Any handset manufacturer or hobbyist can install
    Any developer can use
    SDK at http://developer.android.com
    Empower users and developers

  • The Android Technology Stack
    Linux kernel
    Relies upon 90+ open source libraries
      Integrated WebKit based browser
      SQLite for structured data storage
      OpenSSL
      BouncyCastle
      libc based on OpenBSD
      Apache Harmony
      Apache HttpClient
      Supports common sound, video and image codecs
    API support for handset I/O
      Bluetooth, EDGE, 3G, wifi
      Camera, Video, GPS, compass, accelerometer, sound, vibrator

  • Android Development
    Java applications are composed of:
    Activities: visual user interface for one focused endeavor
    Services: run in the background for an indefinite period of time
    Intents: asynchronous messaging
      URL dispatching on steroids
      Glues many Activities and Services together to make an application
      Provides interactivity between applications

  • Example Email Application

  • Application Lifecycle
    Designed to protect battery life
    Activities live on a stack
    Background activities can be killed at any moment
    The platform makes it easy for developers to code applications that are killed at any moment without losing state
    Helps with DoS issues

  • Android Market
    Connects developers with users
    Darwinian environment: good applications excel, bad applications forgotten
    ~10,000 applications on Market
    Balance of openness and security
      Not the only way to install apps
      Not a walled garden
    Developers self-sign applications
      For updating
      Uses Java's keytool and jarsigner

  • Application Signing
    Why self signing?
      Market ties identity to developer account
      CAs have had major problems with fidelity in the past
      No applications are trusted. No "magic key"
    What does signing determine?
      Shared UID for shared keys
      Self-updates

  • Security Philosophy
    Finite time and resources
    Humans have difficulty understanding risk
    Safer to assume that
      Most developers do not understand security
      Most users do not understand security

    Security philosophy cornerstones
      Need to prevent security breaches from occurring
      Need to minimize the impact of a security breach
      Need to detect vulnerabilities and security breaches
      Need to react to vulnerabilities and security breaches swiftly

  • Prevent
    5 million new lines of code
    Uses almost 100 open source libraries
    Android is open source: can't rely on obscurity
    Teamed up with security experts from
      Google Security Team
      iSEC Partners
      n.runs
    Concentrated on high risk areas
      Remote attacks
      Media codecs
      New/custom security features
    Low-effort/high-benefit features
      ProPolice stack overflow protection
      Heap protection in dlmalloc

  • dlmalloc
    Heap consolidation attack
      Allocation meta-data is stored in band
      Heap overflow can perform 2 arbitrary pointer overwrites
    To fix, check:
      b->fd->bk == b
      b->bk->fd == b
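An added illustration of the unlink check named on the slide, written for this page rather than taken from the slides or from Android's bionic/dlmalloc source: the chunk layout, the sentinel bin and the function names (`bin_init`, `insert_free`, `unlink_checked`) are assumptions chosen to keep the list small, and the corrupted-chunk case is constructed by hand.

```c
#include <stddef.h>
/* Simplified free-chunk header with in-band metadata, as in dlmalloc: the
   fd/bk links sit beside user data, so an overflow from the neighbouring
   chunk can overwrite them (assumed layout, not bionic's exact one). */
typedef struct chunk {
    size_t size;
    struct chunk *fd;   /* next chunk in the free list */
    struct chunk *bk;   /* previous chunk in the free list */
} chunk;

/* Circular doubly-linked free list anchored at a sentinel bin head. */
static void bin_init(chunk *bin) { bin->fd = bin; bin->bk = bin; }

static void insert_free(chunk *bin, chunk *b) {
    b->fd = bin->fd;
    b->bk = bin;
    bin->fd->bk = b;
    bin->fd = b;
}

/* Hardened unlink: the two pointer writes only happen if both neighbours
   still point back at b. Returns 1 if unlinked, 0 if corruption was found. */
static int unlink_checked(chunk *b) {
    if (b->fd->bk != b || b->bk->fd != b)
        return 0;   /* inconsistent list: refuse rather than write through it */
    b->fd->bk = b->bk;
    b->bk->fd = b->fd;
    return 1;
}

/* Intact list: unlink succeeds and the neighbours are re-linked. */
static int healthy_unlink_succeeds(void) {
    chunk bin, a, b;
    bin_init(&bin);
    insert_free(&bin, &a);
    insert_free(&bin, &b);   /* list is now bin <-> b <-> a <-> bin */
    if (!unlink_checked(&b)) return 0;
    return bin.fd == &a && a.bk == &bin;
}

/* Constructed corruption: b's links no longer point into the list. */
static int corrupted_unlink_is_rejected(void) {
    chunk bin, a, b, bogus = {0, NULL, NULL};
    bin_init(&bin);
    insert_free(&bin, &a);
    insert_free(&bin, &b);
    b.fd = b.bk = &bogus;   /* stands in for values left behind by a heap overflow */
    return unlink_checked(&b) == 0;
}
```

The check costs two pointer reads per unlink and turns a silent metadata overwrite into a detectable failure that the allocator can abort on.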

  • WebKit Heap Overflow

  • Minimize
    We cannot rely on prevention alone
      Vulnerabilities happen
      Users will install malware
      Code will be buggy
    How can we minimize the impact of a security issue?
    My webmail cannot access my banking web app: same origin policy
    Why can malware access my browser? my banking info?
    Extend the web security model to the OS

  • Minimize
    Traditional operating system security
      Host based
      User separation
    Mobile OSes are for single users
      User separation is like a "same user policy"
      Running each application in its own UID is like a "same application policy"
    Privilege separation
      Make privilege separation relatively transparent to the developer

  • Application Sandbox
    Each application runs within its own UID and VM
    Default privilege separation model
    Instant security features
      Resource sharing: CPU, memory
      Data protection: FS permissions
      Authenticated IPC: Unix domain sockets
    Place access controls close to the resource, not in the VM

  • Application Sandbox
    Place access controls close to the resource
      Smaller perimeter, easier to protect
    Default Linux applications have too much power
      Lock down user access for a "default" application
    Fully locked down applications limit innovation
    Relying on users making correct security decisions is tricky

  • Permissions
    Whitelist model
      Allow minimal access by default
      Allow for user accepted access to resources
    Ask users fewer questions
    Make questions more understandable
    194 permissions
      More granularity
      Less understandability

  • More Privilege Separation
    Media codecs are very complex, very insecure
    Won't find all the issues in media libraries
    Banish OpenCore media library to a lesser privileged process: mediaserver
    Immediately paid off
      Charlie Miller reported a vulnerability in our MP3 parsing: oCERT-2009-002

  • Detect
    A lesser-impact security issue is still a security issue
    Internal detection processes
      Developer education
      Code audits
      Fuzzing
      Honeypot
    Everyone wants security: allow everyone to detect issues
      Users
      Developers
      Security researchers

  • External Reports
    Patrick McDaniel, William Enck, Machigar Ongtang: applied formal methods to access SMS and Dialer
    Charlie Miller, John Hering: outdated WebKit library with PCRE issue
    XDA Developers: safe mode lock screen bypass
    Charlie Miller, Collin Mulliner: MP3, SMS fuzzing results
    Panasonic, Chris Palmer: permission regression bugs

    If you find a security issue, please email [email protected]

  • User Reporting

  • A User Report
    MemoryUp: mobile RAM optimizer
    faster, more stable, more responsive, less waiting time
    not quite

  • React
    Autoupdaters are the best security tool since Diffie-Hellman
    Every modern operating system should be responsible for:
      Automatically updating itself
      Providing a central update system for third-party applications
    Android's Over-The-Air update system (OTA)
      User interaction is optional
      No additional computer or cable is required
      Very high update rate

  • Shared UID Regression
    Shared UID feature
      Malware does not hurt computers, malware authors do
      Two applications signed with the same key can share UIDs
      More interactivity
    Panasonic reported that shared UID was broken
      If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
      Breaks Application Sandbox

  • Update Process
    2009-05-14
      Panasonic reported the issue
      Patched the issue, wrote regression tests
    2009-05-15
      Kicked off internal audit
      Built and tested every flavour of Android
      Coordinated a public response with the reporter, carriers, PR and oCERT
    2009-05-21
      Received critical-mass approval
    2009-05-22
      OTAed users, rolled out patches to factories, SDK, and open source
      Released advisory (oCERT-2009-006)

  • Not over yet!
    2009-07-06
      Completed audit and tests
      Coordinated a public response with carriers, PR and oCERT
    2009-07-15
      Received critical-mass approval
    2009-07-16
      OTAed users, rolled out patches to factories, SDK, and open source
      Released advisory (oCERT-2009-011)

  • Conclusion
    Security: an ongoing process, not a checkbox
    Process: Prevent, Minimize, Detect, React

  • Questions?
    Find a security issue? Email [email protected]
    Want to contribute code? Visit http://source.android.com and add me as a code reviewer!
    Want to write an Android application? Visit http://developer.android.com
    Want to email us? Email [email protected] or [email protected]
    We are both hiring