finding third party risks
play

Finding Third - party Risks Fourteenforty Research Institute, Inc. - PowerPoint PPT Presentation

Mar 08, 2024 •269 likes •644 views

Fourteenforty Research Institute, Inc. Kyoto, 2012 FIRST Technical Colloquium Sma martphone tphone Securi ecurity ty and Finding Third - party Risks Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Tsukasa Oi

  1. Fourteenforty Research Institute, Inc. Kyoto, 2012 – FIRST Technical Colloquium Sma martphone tphone Securi ecurity ty and Finding “Third - party” Risks Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Tsukasa Oi – Research Engineer 1

  2. Fourteenforty Research Institute, Inc. Self lf Introdu duct ction ion • Fourteenforty Research Institute, Inc. (FFRI) – Tokyo, Japan – R&D in the field of computer security • Tsukasa Oi : Research Engineer at FFRI – Currently focusing on mobile security – Recent Talks at: • PacSec 2011 “How Security Broken?” • Black Hat Abu Dhabi 2011 “Yet Another Android Rootkit /protecting/system/is/not/enough/ ” • Black Hat USA 2012 “Windows Phone 7 Internals and Exploitability” 2

  3. Fourteenforty Research Institute, Inc. Back ckgr ground nd • Modern mobile operating systems – Sandbox to protect system and applications – Some kind of MAC (Mandatory Access Control) – Integrated application distribution (App Stores) • Modifications by Third-party Vendors – Android – Windows Phone (7.x) 3

  4. Fourteenforty Research Institute, Inc. Age genda da • Security Design – Android – Windows Phone 7 • Risks and Vulnerabilities – What we find • Third-Party Risks and Vulnerabilities – Remote DoS – Privilege Escalation – Access Control Vulnerability • Finding Vulnerabilities 4

  5. Fourteenforty Research Institute, Inc. Caution ion! We cannot disclose many of vulnerabilities we’ve found 5

  6. Fourteenforty Research Institute, Inc. It looks pretty good. But is it enough then? SECUR URIT ITY Y DE DESIG IGN 6

  7. Fourteenforty Research Institute, Inc. Andr droid oid : Permissio mission • Restrict access to specific resources – Need declaration to use specific features • Sensor data / Camera • Location • Access to system resources – Special GID or software checks – Some permissions are restricted for system apps (like INSTALL_PACKAGE; allows unattended installation) • Checks by package location / signature 7

  8. Fourteenforty Research Institute, Inc. Andr droid oid : Permissio mission n Check cks s (1) Caller Application Application Metadata IPC (through Binder) Activity Manager System Service Package Manager • Service Manager (or important method) checks callers permission – Achieve good isolation (IPC glue is automatically-generated) 8

  9. Fourteenforty Research Institute, Inc. Andr droid oid : Permissio mission n Check cks s (2) Normal Case “Internet” Case android.permission.READ_LOGS android.permission.INTERNET GID: 1007 GID: 3003 (log) (inet) Application Application Kernel Specific checks POSIX permissions for Android * • Some permissions are associated with specific GIDs – Use POSIX permission checks except “Internet” permission * Linux kernel for Android is modified to restrict Internet sockets to processes which have GID 3003 (inet). 9

  10. Fourteenforty Research Institute, Inc. Andr droid oid : Iso solati ation on • One UID for One App – Unless apps by same developer declare to share UID – No apps can access other apps data unless its permission is world-accessible • Vulnerability in Skype for Android (CVE-2011-1717) • Read-only access to some system resources – e.g. Data in SD card (will require READ_EXTERNAL_STORAGE permission in the future) – e.g. /data/system/packages.list (which enables to access package list without permission) 10

  11. Fourteenforty Research Institute, Inc. Andr droid oid : Add dditiona onal l Secu curity rity by by Vendo dor • Some vendors add security layer to avoid issues – NAND protection protect system partition of flash will not be overwritten – LSM (Linux Security Modules); except SEAndroid prohibit dangerous operations from being performed – Better security controls (e.g. 3LM Security) • Some of them can be effectively broken – “Yet Another Android Rootkit /protecting/system/is/not/enough/ ” Black Hat Abu Dhabi 2011 11

  12. Fourteenforty Research Institute, Inc. Windo dows ws Phone ne 7 : Capa pabi bilit lity • Restrict access like Android’s permission system – Fewer (and simple) capabilities • Specific SID for capability • Special Capabilities for limited apps – Some capabilities are not allowed for distribution (without explicit permission by Microsoft) – Use OEM’s interop service (ID_CAP_INTEROPSERVICES) 12

  13. Fourteenforty Research Institute, Inc. Windo dows ws Phone ne 7 : Iso solati ation on • One Chamber for One App – Windows Phone 7 creates “chamber” to isolate application data and program • Almost no access to system resources – Normal developers can run only managed (.NET) code • Only few developers are allowed to run native code (with WPInteropManifest.xml in the package) – Almost no apps can access other apps data 13

  14. Fourteenforty Research Institute, Inc. Windo dows ws Phone ne 7 : Iso solati ation on Detaile iled Launch App Package Manager Shell (telshell.exe) Apps (TaskHost.exe) (pacman*.dll) Query Apps Check if App Allowed Kernel Policy Engine Security Loader (PolicyEngine.dll) (lvmod.dll) Access Control Prevent untrusted Running applications (sandbox) files to be loaded (related components) • Executable modules and resources are restricted 14

  15. Fourteenforty Research Institute, Inc. Concl clus usion ion • Although there are some small “flaws”, these OS protect system from being compromised 15

  16. Fourteenforty Research Institute, Inc. In other words : what we always find RIS ISKS KS AN AND V D VULNE NERABI RABILI LITI TIES ES 16

  17. Fourteenforty Research Institute, Inc. What we fi find d : Acc ccess ss Contro trol l Vulner nerabil abilit ity • Access to resources which is not allowed (normally) – The risk of vulnerability will vary on the resource we can access using exploits – Critical one may lead to privilege escalation 17

  18. Fourteenforty Research Institute, Inc. What we fi find d : Privil vileg ege e Esc scalation ion • Make malicious program to run on higher privileges – Normal users to System user • “system” user in Android is allowed to use almost all system privileges and resources • This may lead to complete compromise – System user to Administrative user • Gaining “root” privilege – Keep admin privileges • Modify and infect the system permanently • This is complete compromise 18

  19. Fourteenforty Research Institute, Inc. What kind of vulnerability third-party made? TH THIR IRD-PA PARTY TY RIS ISKS KS 19

  20. Fourteenforty Research Institute, Inc. Andr droid oid : Re Remo mote te DoS Vulner nerabil abilit ity • “Data Wipe” vulnerability in Samsung and HTC devices – Clicking “ tel :…” URL triggers “data wipe” feature – Special phone numbers (which trigger specific event) are not handled correctly • Demonstrated by IMEI display (“*#06#” from remote) • Denial of Service (force-to-reboot) vulnerability in various Android devices (Sharp, Fujitsu-Toshiba, NEC- Casio…) – Similar example on a Japanese smartphone we’ve found – Clicking specific URL (more specifically, calling read system call for special location) triggers kernel panic and forces device to reboot Reference: http://www.guardian.co.uk/technology/2012/sep/27/samsung-htc-phones-remote-wipe 20

  21. Fourteenforty Research Institute, Inc. Andr droid oid : Privil vileg ege e Esc scalation ion Vulner nerabil abilit ity • ACER Iconia Tab / Motorola Xoom OS Command Injection – “/system/bin/ cmdclient ” setuid (and world-executable) program – Ability to run any command in root privilege Reference: http://forum.xda-developers.com/showthread.php?t=1138228 (ACER Iconia Tab A500) http://www.xoomforums.com/forum/motorola-xoom-development/12997-rooting-family- edition.html (Motorola Xoom FE) 21

  22. Fourteenforty Research Institute, Inc. Andr droid oid : Acc ccess ss Contro trol l Vulnerab nerabili ility • ZTE Root Shell Vulnerability – “/system/bin/ sync_agent ” setuid (and world-executable) program – Ability to run a root shell with a hard coded password Reference: http://blog.mobiledefense.com/2012/05/zte-root-shell-vulnerability/ 22

  23. Fourteenforty Research Institute, Inc. Windo dows ws Phone ne 7 : Vulne lnera rabi bilit lity • Heap overflow vulnerability in [not disclosed yet] – CVE-2005-2096 (vulnerability in zlib -1.2.2) – This showed us Windows Phone 7 apps are not vuln-free (such native vulnerabilities can be found) • Risks of Exploitation – If a vulnerable native app has “Interop Services” capability, it can cause disaster (ID_CAP_INTEROPSERVICES) – Otherwise it’s not much help for bypassing sandbox • Just taking control may be not enough for system compromise (because of strong isolation) • Fortunately, [not disclosed] didn’t have one 23

Recommend

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done Party!!!!!! Party!!!!!! Curling Orientation Party!!!!!! Party!!!!!! Party!!!!!! National day parade Airport picking-uping Party!!!!!!

1.18k views • 69 slides
SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive

SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive

SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive Efficiencies and Build Market Trust? IIA/ISACA Chicago Hacking Conference October 28, 2019 BDO USA, LLP, a Delaware limited liability partnership, is the U.S.

153 views • 13 slides
GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS

GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS

GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - - - - What should the Asian market worry about? Dr. Paul Fisher, LBMA Chairman Asia Pacific Precious Metals Conference,

517 views • 9 slides
FCPA Compliance: Third-Party Due Diligence Minimizing Corruption Risks When Using Foreign Agents,

FCPA Compliance: Third-Party Due Diligence Minimizing Corruption Risks When Using Foreign Agents,

Presenting a live 90-minute webinar with interactive Q&A FCPA Compliance: Third-Party Due Diligence Minimizing Corruption Risks When Using Foreign Agents, Distributors and Other Intermediaries WEDNESDAY, JANUARY 16, 2013 1pm Eastern |

720 views • 59 slides
Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction,

620 views • 34 slides
Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction,

627 views • 46 slides
Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your way in a graph = station One loop = junction A system of interconnected loops L L What is the best way to go from L to ? L L L 1 ? L

2.13k views • 166 slides
Dynamic Interpretation of Emerging Risks in the Financial Sector, by Kathleen Weiss Hanley

Dynamic Interpretation of Emerging Risks in the Financial Sector, by Kathleen Weiss Hanley

Discussion of Dynamic Interpretation of Emerging Risks in the Financial Sector, by Kathleen Weiss Hanley and Gerard Hoberg PRESENTER Paul Glasserman, Columbia Business School Key Finding Commonality in the risks disclosed by banks

386 views • 10 slides
EGUS CDE Agreement Terminology/Updates Agreement Types : AB (2 Party) Party A,

EGUS CDE Agreement Terminology/Updates Agreement Types : AB (2 Party) Party A,

EGUS CDE Agreement Terminology/Updates Agreement Types : AB (2 Party) Party A, Party B ABA (3 Party) Party A, Party B, Party A Clearing Member ABB (3 Party) Party A, Party B, Party B Clearing Member

404 views • 21 slides
KIDS PARTIES Take the hassle away and party the Mundo Mana way. 1 Contents Party rooms 4

KIDS PARTIES Take the hassle away and party the Mundo Mana way. 1 Contents Party rooms 4

KIDS PARTIES Take the hassle away and party the Mundo Mana way. 1 Contents Party rooms 4 Toddler packages (1-3 years) 6 Childrens packages (4+ years) 8 Package Overview 10 Party Extras | Birthday cakes 12 Bespoke party room

476 views • 14 slides
KIDS PARTIES Take the hassle away and party the Mundo Mana way. Contents Party rooms 4

KIDS PARTIES Take the hassle away and party the Mundo Mana way. Contents Party rooms 4

KIDS PARTIES Take the hassle away and party the Mundo Mana way. Contents Party rooms 4 Toddler packages (1-3 years) 6 Childrens packages (3+ years) 8 Package Overview 10 Party Extras | Birthday cakes 11 Bespoke party room

357 views • 24 slides
VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018

VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018

VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018 Todays Presentation ! Definitions ! Why do we need Vendor Risk Management ! Risks Posed by Third Party / Vendor Relationships ! Vendor Risk

346 views • 24 slides
STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11 LICENSED 148 PENDING 27 WITHDRAWN 32 TOTAL 239 ADUs reviewed as Special Exceptions Pre 2013 ZTA 12-11 Allows ADUs as

741 views • 14 slides
Third-Party Legal Opinions in Corporate Transactions Defining Scope, Limitations and Key Terms;

Third-Party Legal Opinions in Corporate Transactions Defining Scope, Limitations and Key Terms;

Presenting a live 90-minute webinar with interactive Q&A Third-Party Legal Opinions in Corporate Transactions Defining Scope, Limitations and Key Terms; Minimizing Liability Risks for Opinion Giver THURS DAY, MARCH 27, 2014 1pm East ern

652 views • 48 slides
Presenting a live 90-minute webinar with interactive Q&A Third-Party Risk: Tailoring Contract

Presenting a live 90-minute webinar with interactive Q&A Third-Party Risk: Tailoring Contract

Presenting a live 90-minute webinar with interactive Q&A Third-Party Risk: Tailoring Contract Clauses, Covenants, and Certifications to Enhance Compliance in a Global Market Minimizing FCPA and Related Anti-Corruption Risks and Maximizing

552 views • 39 slides
ESA and non-ESA missions (Third Party Missions TPM) 4 types of activities with Third Party

ESA and non-ESA missions (Third Party Missions TPM) 4 types of activities with Third Party

Clement Albinet - ESA / Ground Segment and Mission Management Department 18 th November 2019 ESA UNCLASSIFIED - For Official Use ESA and non-ESA missions (Third Party Missions TPM) 4 types of activities with Third Party Missions (TPM) New

629 views • 24 slides
Rendering Third-Party Legal Opinions on LLC Status, Power, Action, Enforceability and Membership

Rendering Third-Party Legal Opinions on LLC Status, Power, Action, Enforceability and Membership

Presenting a live 90-minute webinar with interactive Q&A Rendering Third-Party Legal Opinions on LLC Status, Power, Action, Enforceability and Membership Interests Drafting Defensible Opinions and Minimizing Preparer Liability Risks

875 views • 62 slides
A competitive advantage for your company through Third Party Monitoring ODIS THIRD PARTY

A competitive advantage for your company through Third Party Monitoring ODIS THIRD PARTY

A competitive advantage for your company through Third Party Monitoring ODIS THIRD PARTY (CONTRACT) MANAGEMENT (TPM) Index Introduction Complexity, governance and risk Past, Present and Future, where are you in the evolution?

295 views • 15 slides
EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain

EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain

EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain efficiencies Reach new members Provide more products and services RISKS Reputation Risk Operational Risk Transaction Risk

361 views • 19 slides
AFJROTC More Than Just a Class ! Why Join AFJROTC? CORPS PARTY PARTY PARTY! FIELD TRIPS LAST

AFJROTC More Than Just a Class ! Why Join AFJROTC? CORPS PARTY PARTY PARTY! FIELD TRIPS LAST

AFJROTC More Than Just a Class ! Why Join AFJROTC? CORPS PARTY PARTY PARTY! FIELD TRIPS LAST THREE YEARS . Field Trip to State Fair / College Football Field Trip to the Perot Museum San Antonio Field Trip 2018 Competing Teams . Teams

631 views • 19 slides
ACH and Third Party Payment Processors Definition of Third-Party Relationship Entity with

ACH and Third Party Payment Processors Definition of Third-Party Relationship Entity with

ACH and Third Party Payment Processors Definition of Third-Party Relationship Entity with which financial institution has entered into a business relationship Facilitate customer access to bank services or products Perform functions

369 views • 26 slides
NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need

NEEDFINDING IN HUMAN CENTERED DESIGN What is need finding? What is need finding? What is need finding? Needfinding is the process of uncovering User needs Opportunities for improvement Design Insights by learning about their goals

418 views • 14 slides
Immigration in the Party Political Agenda: A Comparative Analysis of Party Manifestos in Six

Immigration in the Party Political Agenda: A Comparative Analysis of Party Manifestos in Six

Immigration in the Party Political Agenda: A Comparative Analysis of Party Manifestos in Six European Countries Didier Ruedin, Laura Morales, Jean-Benoit Pilet, Peter Thomas ECPR Annual Conference , Bordeaux, 6 September 2013 Politicization of

163 views • 12 slides
Economic Outlook: Growth, Risks, and Sustainability John McHale Whitaker Institute, NUI Galway

Economic Outlook: Growth, Risks, and Sustainability John McHale Whitaker Institute, NUI Galway

Economic Outlook: Growth, Risks, and Sustainability John McHale Whitaker Institute, NUI Galway Irish Fiscal Advisory Council September 14, 2015 Presentation to the Fianna Fil Parliamentary Party, Marine Hotel, Sutton Overview Recent

543 views • 42 slides

More recommend