BE PARANOID OR NOT TO BE ? Alizée PENEL, Linux and Android System Developer


  1. BE PARANOID OR NOT TO BE ?

  2. Alizée PENEL Linux and Android System Developer Dev Team Member

  3. Agenda 01 Internet Permission in Marshmallow 02 Network socket in Android OS 03 Security Aspects

  4. INTERNET PERMISSION IN MARSHMALLOW

  5. INTERNET PERMISSION DECLARATION AndroidManifest.xml https://github.com/vx/connectbot from VX Solutions

  6. INTERNET PERMISSION DEFINITION frameworks/base/core/AndroidManifest.xml

  7. MARSHMALLOW PERMISSIONS Permissions are automatically granted at install time - UI shows permissions details - UI from Google Play, not from the system. Dangerous permissions are granted at runtime

  8. INTERNET PERMISSION INTERNALS On device : /system/etc/permissions/platform.xml system/core/include/private/android_filesystem_config.h root@genymotion:/ cat /data/system/packages.list

  9. MAPPING GID PROCESS

  10. That’s all ? Is anything checked at runtime ?

  11. NETWORK SOCKETS IN ANDROID OS

  12. THE BASICS

  13. JAVA.NET.SOCKET CLASS Any application can directly instantiate this class. Even the framework uses it. Packed in Android Java core library : core-libart.jar Source file : libcore/luni/src/main/java/net/Socket.java

  14. ANY PERMISSION CHECKED !?

  15. SOCKET SYSCALL IN BIONIC bionic/libc/bionic/socket.cpp Same type of declaration for connect and accept syscalls. NetdClientDispatch, C structure of 4 function pointers on 3 syscalls (__socket, __connect, __accept4) & 1 function (fallBackNetIdForResolv)

  16. WHAT'S HAPPENING IN BIONIC ? As soon as bionic is loaded, the function __libc_preinit() is called by the dynamic linker. __libc_preinit() calls the netdClientInit() function. The libnetd_client.so library is loaded by dlopen()

  17. WHAT'S HAPPENING IN BIONIC ? From the libnetd_client.so library, bionic retrieves 4 function symbols : netdClientInitSocket(), netdClientInitConnect(), netdClientInitAccept4(), netdClientInitNetIdForResolv(). It calls them, one by one, with their respective syscall as a parameter.

  18. NETDCLIENT LIBRARY

  19. IMPACTS ON NETDCLIENTDISPATCH STRUCTURE The NetdClientDispatch structure does not contain the syscalls anymore. It points to libnetd_client library functions : netdClientSocket(), netdClientConnect(), netdClientAccept4(), getNetworkForResolv()

  20. WHAT !?

  21. ANDROID KERNEL Android kernels have many modifications. Every Android kernel has a network option activated : Paranoid

  22. PARANOID KERNEL OPTION It restricts access to some networking features depending on the group of the calling process include/linux/android_aids.h

  23. SOCKET CREATION IN THE KERNEL In net/ipv4/af_inet.c & net/ipv6/af_inet6.c, the process group is checked before creating the socket. If not allowed, return EACCES

  24. SUMMARY

  25. INTEREST OF NETDCLIENT LIBRARY AND BIONIC TRICK Firewall marks in netd. Network packets are flagged through a fwmark client/server mechanism. Allows packets to go through iptables rules set by the OS. In a “system case”, the fwmark server also checks the permission of the process

  26. SECURITY ASPECTS

  27. DISCLAIMER I am NOT a Security developer. Consider just the architectural aspect of the implementation

  28. HOW TO BREAK THE SYSTEM ? Internet permission, Paranoid option, Rooted devices

  29. HOW TO BREAK THE SYSTEM ? sharedUserId - A way to share permissions between packages - Permissions state is propagated to all packages upon changes. Other applications

  30. Thanks for your attention ! PENEL Alizée apenel@genymobile.com www.genymobile.com

  31. QUESTIONS ?
