the firewall android deserves a context aware kernel
play

The Firewall Android Deserves: A Context-aware Kernel Message - PowerPoint PPT Presentation

May 24, 2023 •107 likes •631 views

The Firewall Android Deserves: A Context-aware Kernel Message Filter and Modifier David Wu Agenda Overview of project Android security background Binder IPC BinderFilter Logging and analysis tools Picky Demos

  1. The Firewall Android Deserves: A Context-aware Kernel Message Filter and Modifier David Wu

  2. Agenda Overview of project ● Android security background ● Binder IPC ● BinderFilter ● Logging and analysis tools ● Picky ● Demos ● Discussion & future work ● Questions ● Slides: https://goo.gl/2SlB40 ●

  3. Who am I? Graduated June 2016, Dartmouth College ● OpenSSH and Android security research with ● Sergey Bratus Web analysis automation and Android ● security research at Ionic Security Particle physics simulations at Brookhaven ● National Lab

  4. Motivation Dynamic (run-time) blocking of all ● inter-app communication Context informed policy decisions ● Binder message parser and hook ●

  7. Previous Research rovo89. Xposed. 2016 ● Stephan Heuser, Adwait Nadkarni, William Enck, Ahmad-Reza Sadegi. Boxify. ● 2015 Nitay Artenstein and Idan Revivo. Man in the Binder. 2014 ● Xueqiang Wang, Kun Sun, Yuewu Wang, Jiwu Jing. DeepDroid. 2015 ● Mauro Conti, Vu Thein Nguyen, Bruno Crispo. CRePE. 2011 ● Android Marshmallow. Google. 2015 ●

  8. Project Overview Inter-application message firewall and Binder hooking framework ● Linux kernel driver, C ○ Binder IPC message parser and formatter ● Script, Python ○ User policy generation ● Android application, Java & C (JNI, NDK) ○ ● https://github.com/dxwu/AndroidBinder ● https://github.com/dxwu/Picky

  9. Features Complete mediation ● Everything is done in the kernel Binder IPC system ○ Dynamic permission blocking for all applications ● Blocking of custom, user-specified messages at runtime ● Contextual blocking ● ○ Wifi state, Wifi SSID, Bluetooth state, Apps running Modification of message data ● Camera, Location ○ Usable interface for setting policy ●

  10. Permissions android.permission.CAMERA android.permission.READ_SMS android.permission.RECORD_AUDIO android.permission.RECEIVE_MMS android.permission.READ_CONTACTS android.permission.RECEIVE_WAP_PUSH android.permission.WRITE_CONTACTS android.permission.READ_CALENDAR android.permission.GET_ACCOUNTS android.permission.WRITE_CALENDAR android.permission.ACCESS_FINE_LOCATION android.permission.BODY_SENSORS android.permission.ACCESS_COARSE_LOCATION android.permission.ACCESS_NETWORK_STATE android.permission.READ_EXTERNAL_STORAGE android.permission.CHANGE_NETWORK_STATE android.permission.WRITE_EXTERNAL_STORAGE android.permission.ACCESS_WIFI_STATE com.android.vending. android.permission.CHANGE_WIFI_STATE INTENT_PACKAGE_INSTALL_COMMIT android.permission.BATTERY_STATS android.permission.INTERNET android.permission.BLUETOOTH android.permission.SYSTEM_ALERT_WINDOW android.permission.BLUETOOTH_ADMIN android.permission.WRITE_SETTINGS android.permission.NFC android.permission.READ_PHONE_STATE android.permission.FLASHLIGHT android.permission.CALL_PHONE com.android.browser.permission.READ_HISTORY_BOOKMARKS android.permission.READ_CALL_LOG android.permission.TRANSMIT_IR android.permission.WRITE_CALL_LOG android.permission.USE_SIP android.permission.SEND_SMS android.permission.RECEIVE_SMS

  11. Installation methods Android versions 4.3+ have disabled loadable kernel modules ● Kernel make config does not set CONFIG_MODULES=y ○ To place a hook in Binder, which is a statically compiled kernel driver, we have to ● recompile the kernel sources with our modifications Flash new kernel image onto Android with fastboot ● ○ This preserves user information, apps, and state! Requirements: ● Linux build env (Include headers don’t work on OSX) ○ adb, fastboot, abootimg ○ Unlocked bootloader, root access ○

  12. Android Security Concepts Permissions ● Android 6.0 introduced dynamic permissions for certain messages ○ 7.5% of users have Android M [1] ■ Sandboxing enforced by UID ○ (each application is a different Linux user) ○ ● Intents ○ Async messages passed between applications requesting data or to start an activity ● Built on Linux ○ SELinux, file permissions, system calls

  13. ART https://upload.wikimedia.org/wikipedia/commons/thumb/a/af/Android-System-Architecture.svg/2000px-Android- System-Architecture.svg.png

  14. http://4.bp.blogspot.com/-uT2NBaV8WG8/UJuO0syJhnI/AAAAAAAADgI/0CkrBvjyNDY/s1600/Android+Boot+Squence.png

  15. http://image.slidesharecdn.com/jlstomoyotutorial-091023181710-phpapp02/95/learning-analyzing-and-protecting-android-with-tomoyo-linux-jls2009-10-728.jpg?cb=1256436625

  16. Linux Kernel Linux process Dalvik Virtual Machine Android Application https://flexguruin.files.wordpress.com/2010/09/android_dalvik_vm.gif

  17. myCustomCameraApp.java getSystemService() Camera.java native takePicture() JNI android_hardware_Camera.cpp takePicture() Camera.cpp takePicture() ICamera.cpp transact(TAKE_PICTURE, …) syscall binder.c

  18. Binder Android’s IPC system (Linux IPC wasn’t good enough) ● Supports tokens, death notifications, (local) RPC ● Every inter-application message (intent) goes through Binder ● Enables a client-server architecture with applications ● Implemented as a linux kernel driver (/dev/binder) ● /drivers/staging/android/binder.{c,h} ○ Userland applications call into the driver using ioctl() ● Binder driver copies data from process A to process B ● Intents, Messengers, and ContentProviders are built on Binder ●

  19. Linux process (UID 10098) Linux process (UID 10099) Client Application Service Binder Proxy Binder Stub Android Binder IPC IBinder: IBinder : onTransact() { transact() ... } Linux driver (/dev/binder)

  20. Service Binder Client Await requests (BC_REGISTER_LOOPER) Request from client (BC_TRANSACTION) Service thread sleeps Request from client (BC_TRANSACTION) Wait for response callback Reply to client (BC_REPLY) Reply to client (BC_REPLY)

  21. Applications MyApp.java Intent batteryStatus = Context. registerReceiver (null, new IntentFilter( Intent. ACTION_BATTERY_CHANGED);

  22. Application Framework ContextImpl.java registerReceiver() -> registerReceiverInternal()-> ActivityManagerNative.registerReceiver () ActivityManagerNative.java Parcel data = Parcel.obtain() data.writeString(packageName) filter.writeToParcel(data) IBinder.transact(data, reply) BinderProxy.java (implements IBinder) transact() -> native transactNative() //JNI

  23. Core Libraries android_util_Binder.cpp android_os_BinderProxy_transact() -> IBinder.transact() BpBinder : IBinder IPCThreadState::self()->transact()

  24. Core Libraries IPCThreadState.cpp fd=open(“/dev/binder”) ProcessState.cpp transact() -> Parcel.cpp waitForResponse() - mParcel.write > // copies Java (data) talkWithDriver() parcel to this thread’s memory region ioctl(fd, BINDER_WRITE_READ, Linux Kernel mParcel) binder.c

  25. struct binder_transaction_data { /* The first two are only used for bcTRANSACTION and brTRANSACTION, identifying struct binder_write_read { the target and contents of the transaction. signed long write_size; */ signed long write_consumed; union { unsigned long write_buffer; size_thandle; signed long read_size; void *ptr; signed long read_consumed; } target; unsigned long read_buffer; }; void *cookie; unsigned intcode; struct flat_binder_object { unsigned intflags; /* 8 bytes for large_flat_header. */ unsigned long type; /* General information about the transaction. */ unsigned long flags; pid_t sender_pid; uid_t sender_euid; /* 8 bytes of data. */ size_t data_size; union { size_t offsets_size; void *binder; // local obj signed long handle; // remote obj union { }; struct { /* transaction data */ /* extra data associated with local object */ const void *buffer; void *cookie; const void *offsets; }; } ptr; uint8_t buf[8]; } data; };

  26. binder.c (kernel driver) 1. device_initcall(binder_init); // called when kernel boots 2. binder_init() a. misc_register(&binder_miscdev) // register driver name and file operations 3. binder_ioctl() // entry point from userland a. wait_event_interruptable() // block caller until a response b. copy_from_user() // copy struct binder_write_read from userland c. binder_thread_write() or binder_thread_read() // depends on client or server request 4. binder_thread_write() // Called by client making a request a. Checks userland command // i.e. BC_TRANSACTION b. binder_transaction() c. copy_from_user(data) // copy struct binder_transaction_data from userland (buffer contents) d. list_add_tail(data, target) // add work to the target thread’s queue e. wake_up_interruptable(target) // wake up the sleeping server thread 5. binder_thread_read() // Called by service thread waiting to handle requests a. while (1) { if (BINDER_LOOPER_NEED_DATA) goto retry; } b. data = list_first_entry() // get request data c. copy_to_user(data) // copy the data to service

  27. Separate process address spaces enforced by kernel Process A Process B data data readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver data

  28. Separate process address spaces enforced by kernel Process A Process B data data readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver data data

Recommend

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus Overview Understanding

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus Overview Understanding

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus Overview Understanding Binder and how its used Intercepting and modifying data with BinderFilter Demos! @davidwuuuuuuuu @sergeybratus Undergraduate at

1.1k views • 51 slides
Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P Presented by Mary Salinas t d b M S li What problem are they trying to solve? l ? Context-aware applications are great for Context aware

164 views • 13 slides
Android Customization: From the Kernel to the Apps Hi, I am Cdric, I work for Genymobile as a

Android Customization: From the Kernel to the Apps Hi, I am Cdric, I work for Genymobile as a

Android Customization: From the Kernel to the Apps Hi, I am Cdric, I work for Genymobile as a System Engineer Genymobile is a company specialized in Android. We are based in France (Paris and Lyon) and SF. We develop and customize android

514 views • 40 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad

Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad

Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad Hoc Networks* Rutgers-Helsinki Ph.D. Student Workshop on Spontaneous Networking 8-12th May 2006 Oriana Riva University of Helsinki, Dep. of

361 views • 15 slides
everyone deserves a garden Plantui vision Everyone deserves a garden. We believe that in the

everyone deserves a garden Plantui vision Everyone deserves a garden. We believe that in the

everyone deserves a garden Plantui vision Everyone deserves a garden. We believe that in the future greens will be grown near where they are consumed. From large production units to neighbourhood, homes and restaurants. Plantui is a design

494 views • 27 slides
From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

FlowDroid Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware T aint Analysis for Android Apps From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric Bodden, Steven Artz, Siegfried

620 views • 45 slides
Lab 1 Introduction to Android & Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android & Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android & Hello World Example KUAN-TING LAI 2018/9/10 Android History Code Version Linux kernel Initial release API version [1] name number date level (No codename) [2] 1.0 ? September 23, 2008 1 Petit

1.4k views • 40 slides
Discrete Event Simulation And Discrete Event Simulation And Evaluation Of A Firewall Aware

Discrete Event Simulation And Discrete Event Simulation And Evaluation Of A Firewall Aware

Discrete Event Simulation And Discrete Event Simulation And Evaluation Of A Firewall Aware Evaluation Of A Firewall Aware Architecture For Mobile IP Architecture For Mobile IP Artur Hecker Artur Hecker Supervisors: Supervisors: Prof. Dr.

260 views • 22 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Component- -based, Context based, Context- -aware aware Component Software Systems Software

Component- -based, Context based, Context- -aware aware Component Software Systems Software

Component- -based, Context based, Context- -aware aware Component Software Systems Software Systems Workshop on Spontaneous Networking Rutgers University Michael Przybilski 1 10.05.2006 michael.przybilski@cs.helsinki.fi Outline

593 views • 19 slides
FastTrack: Foreground App-Aware I/O Management for Improving User Experience of Android

FastTrack: Foreground App-Aware I/O Management for Improving User Experience of Android

FastTrack: Foreground App-Aware I/O Management for Improving User Experience of Android Smartphones Jihong Kim Seoul National University NVRAMOS 2018 October 25, 2018 Mobile Storage Optimization Research Why does my aging smartphone get

732 views • 36 slides
Citizenship in the context of immigration and emigration Hilary Term 2015 Week 8 - Who deserves

Citizenship in the context of immigration and emigration Hilary Term 2015 Week 8 - Who deserves

Citizenship in the context of immigration and emigration Hilary Term 2015 Week 8 - Who deserves to be a citizen? Investor and Olympic citizenship Evelyn Ersanilli 09 March 2015 Speaker name 1 Investor citizenship vs golden residence

290 views • 11 slides
Energy Aware Scheduling Byungchul Park LG Electronics System S/W Engineer Kernel Developer

Energy Aware Scheduling Byungchul Park LG Electronics System S/W Engineer Kernel Developer

Energy Aware Scheduling Byungchul Park LG Electronics System S/W Engineer Kernel Developer Computer Science Physics Dance Outline 2 Basic SMP Load Balancing Per-Entity Load Tracking Attempts for Power Saving Energy Aware

875 views • 76 slides
Android Internals Android Builders Summit April 13 th 2011 Karim Yaghmour

Android Internals Android Builders Summit April 13 th 2011 Karim Yaghmour

Android Internals Android Builders Summit April 13 th 2011 Karim Yaghmour karim.yaghmour@opersys.com @karimyaghmour About ... Author of: Introduced Linux Trace Toolkit in 1999 Originated Adeos and relayfs (kernel/relay.c) 1.

439 views • 39 slides
Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing

Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing

Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing Readings Context-Aware Computing Applications, by Bill Schilit, Norman Adams, and Roy Want Ask not for whom the cell phone tolls: Some problems

923 views • 27 slides
Automatic Debugging of Android Applications Pedro Machado Supervisors: Rui Maranho (PhD)

Automatic Debugging of Android Applications Pedro Machado Supervisors: Rui Maranho (PhD)

Automatic Debugging of Android Applications Pedro Machado Supervisors: Rui Maranho (PhD) Jos Campos (MSc) Context Context 3 Context 4 Context Source: Gartner 5 Software Development Process Design Implement Test Release

630 views • 45 slides
Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and

Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and

Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and Stephen Hines* October 18, 2017 *This was/is a really HUGE effort by many other people/teams/companies. We are just the messengers. :) Making large

565 views • 42 slides
A component-based approach for Context-Aware Systems specification Brahim Djoudi , Chafia

A component-based approach for Context-Aware Systems specification Brahim Djoudi , Chafia

Constantine 2 University LIRE laboratory Team Software Engineering and Distributed Systems A component-based approach for Context-Aware Systems specification Brahim Djoudi , Chafia Bouanaka, Nadia Zeghib Plan Introduction Context-Aware

477 views • 35 slides
Management Challenges of Context Management Challenges of Context- - Aware Services in

Management Challenges of Context Management Challenges of Context- - Aware Services in

DSOM 2003 DSOM 2003 Management Challenges of Context Management Challenges of Context- - Aware Services in Ubiquitous Aware Services in Ubiquitous Environments Environments Heinz-Gerd Hegering, Axel Kpper Claudia Linnhoff-Popien, Helmut

307 views • 6 slides
Context-aware recommendation Eirini Kolomvrezou, Hendrik Heuer Special Course in Computer and

Context-aware recommendation Eirini Kolomvrezou, Hendrik Heuer Special Course in Computer and

Context-aware recommendation Eirini Kolomvrezou, Hendrik Heuer Special Course in Computer and Information Science User Modelling & Recommender Systems Aalto University Context-aware recommendation 2 Recommendation Problem

479 views • 34 slides
The Magicians Assistant Kevin Tassini Carnegie Mellon University Context-Aware Technology

The Magicians Assistant Kevin Tassini Carnegie Mellon University Context-Aware Technology

The Magicians Assistant Kevin Tassini Carnegie Mellon University Context-Aware Technology Context-Aware Technology Collecting data to help systematically predict the users state (GPS, accelerometer, microphone, time). Providing

317 views • 28 slides
Extended Context Patterns A Visual Language for Context-Aware Applications Andrei

Extended Context Patterns A Visual Language for Context-Aware Applications Andrei

Extended Context Patterns A Visual Language for Context-Aware Applications Andrei Olaru and Adina Magda Florea cs@andreiolaru.ro AI-MAS Group, University Politehnica of Bucharest 10.10.2016 0 / 10 . Andrei

516 views • 26 slides
EECS Seminars Developing Android Location-aware Apps Victor Matos Cleveland State University

EECS Seminars Developing Android Location-aware Apps Victor Matos Cleveland State University

Lesson 24 EECS Seminars Developing Android Location-aware Apps Victor Matos Cleveland State University Portions of this presentation are reproduced from work created and shared by Google and used according to terms described in the Creative

462 views • 33 slides

More recommend