the real deal of android device security the third party
play

The Real Deal of Android Device Security: The Third Party Collin - PowerPoint PPT Presentation

Apr 01, 2024 •49 likes •949 views

The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide CanSecWest 2014 Introductions Collin Mulliner Jon Oberheide Mulliner and Oberheide, CSW 2014 #Cats4Fun Mulliner and Oberheide, CSW 2014

  1. The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide CanSecWest 2014

  2. Introductions ● Collin Mulliner ● Jon Oberheide Mulliner and Oberheide, CSW 2014

  3. #Cats4Fun Mulliner and Oberheide, CSW 2014

  4. Thanks, Mudge! Mulliner and Oberheide, CSW 2014

  5. Thanks, Mudge! Mulliner and Oberheide, CSW 2014

  6. Android Mulliner and Oberheide, CSW 2014

  7. Android Most popular smartphone platform about 1 billion devices today Mulliner and Oberheide, CSW 2014

  8. This dude is in trouble Mulliner and Oberheide, CSW 2014

  9. Lets patch him up! Mulliner and Oberheide, CSW 2014

  10. WTF are we doing here people ● Anti-malware ○ 99.9%* of Android malware is bullshit toll fraud ● MDM ○ “Manage” your way out of an insecure platform ○ HEY I CAN SEE ALL MY VULNERABLE DEVICES, YAY! ● Other features of mobile “security” products ○ Find my phone (G does it), backup (G does it), …? * I just made this up, kinda Mulliner and Oberheide, CSW 2014

  11. How about... ● Maybe we try to fix the underlying issues? ○ “Enumerating badness” always doomed to fail ○ Naw, that’s crazy talk! ● Underlying issues (in our not-so-humble opinion) ○ Lack of platform integrity ○ Privilege escalation vulns, large attack surface ○ Huge windows of vuln due to slow/non-existing patching practices Mulliner and Oberheide, CSW 2014

  12. Our research ● Investigated Android vulns and solutions ○ Vulns in native and managed code ○ More than privesc! ● Let’s show what can be done ○ Mostly PoC, but deployed to 100k’s of real-world devices vs. ○ If we can do this on the cheap, maybe Big Corp can do it for reals ● “Defensive” talk, booooooooo Mulliner and Oberheide, CSW 2014

  13. A tale of three projects ● Vulns exist ○ X-Ray ● How to get rid of them ○ PatchDroid ● How to brick a lot of people’s phones ;-) ○ ReKey Mulliner and Oberheide, CSW 2014

  14. Ideal mobile ecosystem...HA! ● In a perfect world… ● AOSP : Google ships a secure base platform. ● OEM : Samsung and third-party suppliers don’t introduce vulns in their handsets and customizations. ● Carrier : T-Mobile rolls out rapid OTA updates to keep users up to date and patched. Mulliner and Oberheide, CSW 2014

  15. Real-world mobile ecosystem ● In the real world… ● AOSP : Android improving mitigations, but slowly. ● OEM : Customizations by device OEMs are a primary source of vulnerabilities. ● Carrier : Updates are not made available for months and sometimes even years. Mulliner and Oberheide, CSW 2014

  16. Real-world mobile ecosystem ● In the real world… ● AOSP : Android improving mitigations, but slowly. All software has vulns, mobile or otherwise. ● OEM : Customizations by device OEMs are a primary source of vulnerabilities. Failing to deliver patches is the real issue. ● Carrier : Updates are not made available for months and sometimes even years. Mulliner and Oberheide, CSW 2014

  17. Disclosure & patching process Third-party providers weeks Google OEM Carrier months months days Researcher days days Public Attackers Mulliner and Oberheide, CSW 2014

  18. Challenges in patching ● Why is mobile patching challenging? ● Complicated software supply chain ● Testing, testing, testing ● Risk of bricking devices ● Inverted economic incentives ● Want to patch your device's vulnerabilities? ● Loadset controlled by carrier ● Can't patch the device (unless rooted) Mulliner and Oberheide, CSW 2014

  19. What the carriers say " Patches must be integrated and tested for different platforms to ensure the best possible user experience. Therefore, distribution varies by manufacturer and device. " - AT&T Mulliner and Oberheide, CSW 2014

  20. What the carriers say " Patches must be integrated and tested for different platforms to ensure the best possible user experience. Therefore, distribution varies by manufacturer and device. " - AT&T Mulliner and Oberheide, CSW 2014

  21. Privilege escalation vulnerabilities ● Android security model ● Permissions framework, “sandboxing” (Linux uid/gid) ● Compromise of browser (or other app) != full control of device ● Privilege escalation vulnerabilities ● Unprivileged code execution → Privileged code execution ● Publicly released to allow users to jailbreak their devices ● Public exploits reused by mobile malware to root victim's devices ● Ooooh, fancy mobile privesc, right??? Mulliner and Oberheide, CSW 2014

  22. Quick trivia ● What's wrong with the following code? /* Code intended to run with elevated privileges */ do_stuff_as_privileged(); /* Drop privileges to unprivileged user */ setuid(uid); /* Code intended to run with lower privileges */ do_stuff_as_unprivileged(); ● Assuming a uid/euid=0 process dropping privileges... Mulliner and Oberheide, CSW 2014

  23. Zimperlich vulnerability ● Return value not checked! setuid(2) can fail: EAGAIN The uid does not match the current uid and uid brings process over its RLIMIT_NPROC resource limit. ● Android's zygote does fail if setuid does: err = setuid(uid); if (err < 0) { LOGW("cannot setuid(%d): %s", uid, strerror(errno)); } ● Fork until limit, when setuid fails, app runs as uid 0! Mulliner and Oberheide, CSW 2014

  24. A sampling of privesc vulns ● ASHMEM : Android kernel mods, no mprotect check ● Exploid : no netlink source check, inherited from udev ● Exynos : third-party device driver, kmem read/write ● Gingerbreak : no netlink source check, GOT overwrite ● Levitator : My_First_Kernel_Module.ko, kmem read/write ● Mempodroid : inherited from upstream Linux kernel ● RageAgainstTheCage : no setuid retval check ● Wunderbar : inherited from upstream Linux kernel ● Zimperlich : no setuid retval check ● ZergRush : UAF in libsysutils Mulliner and Oberheide, CSW 2014

  25. X-Ray for Android ● How can we measure this problem? ● X-Ray for Android ● DARPA CFT funded ● Performing _actual_ vuln assessment on mobile ● Detects most common privescs ● Works without any special privileges or permissions http://xray.io Mulliner and Oberheide, CSW 2014

  26. Static probes ● Static probes ● Can identify vulnerabilities using static analysis ● Send up vulnerable component (eg. binary, library) to service ● Disassemble and look for patched/vulnerable code paths libdvm.so X-Ray Analyze! Service result Mulliner and Oberheide, CSW 2014

  27. Static probe example: Zimperlich Mulliner and Oberheide, CSW 2014

  28. Ok, what does it _really_ look like? ● l33t static analysis...aka ghetto objdump/python/grep ● Do we need to be that smart or perfect? Thankfully, no. Mulliner and Oberheide, CSW 2014

  29. Dynamic probes (aka psuedo-exploits) ● Dynamic probes ● Not all vulnerabilities are in software components we can access ● Example: kernel vulns, kernel image not accessible by X-Ray ● Probe locally for vulnerability presence! ● Basically sad, neutered, wacky half exploits :-( halp! X-Ray liblevitator_v1.so Service Execute! result Mulliner and Oberheide, CSW 2014

  30. Dynamic probe example: Levitator Mulliner and Oberheide, CSW 2014

  31. Dynamic probe example: Exploid Mulliner and Oberheide, CSW 2014

  32. Probe manifests in JSON Static probe: { "id": "webkit", "type": "static", Dynamic probe: "name": "WebKit (inactive)", "query_url": "/xray/webkit/query", { "probe_url": "/xray/webkit/probe", "id": "exynos", "static_payload": "/system/lib/libwebcore.so" "type": "dynamic", } "name": "Exynos", "result_url": "/xray/exynos/result", "dynamic_slot": "06", "dynamic_payload_armeabi": "/xray/static/exynos/armeabi/libexynos_v1.so", "dynamic_signature_armeabi": "vrX...", "dynamic_payload_armeabi-v7a": "/xray/static/exynos/armeabi-v7a/libexynos_v1.so", "dynamic_signature_armeabi-v7a": "mbe...", "dynamic_payload_mips": "/xray/static/exynos/mips/libexynos_v1.so", "dynamic_signature_mips": "F33...", "dynamic_payload_x86": "/xray/static/exynos/x86/libexynos_v1.so", "dynamic_signature_x86": "Lu7..." }, Mulliner and Oberheide, CSW 2014

  33. X-Ray distribution ● Not in Google Play*, but free for download at http://xray.io ● Results collected by us (and Five Eyes) from users who ran the X-Ray app on their Android device: 74,405 devices 4,312 models 190 countries * don’t ask Mulliner and Oberheide, CSW 2014

  34. Aside: Android exploitation challenges ● Android fragmentation is _real_ ○ Not for app dev, but for exploit dev ● X-Ray’s binary dataset ○ 3,124 unique libsysutils.so ○ 5,936 unique libdvm.so ○ 5,303 unique vold ● If only there was a way to collect all those binaries... Mulliner and Oberheide, CSW 2014

Recommend

Android Sensing Tutorial Hasan Faik Alan 9/8/2015 Android Device Fragmentation August 2014 -

Android Sensing Tutorial Hasan Faik Alan 9/8/2015 Android Device Fragmentation August 2014 -

Android Sensing Tutorial Hasan Faik Alan 9/8/2015 Android Device Fragmentation August 2014 - Over 18,000 Distinct Devices https://opensignal.com/reports/2014/android-fragmentation/ Example Android Device CPU : Quad-core 2.5 GHz Krait 400 GPU

573 views • 35 slides
Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

660 views • 15 slides
Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June 14, 2018 Mobile OSes rapidly expanding their device range and user base. Android: 2 billion monthly active users but

403 views • 15 slides
Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Multi-Persona Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile devices have multiple uses - - the device needs to reflect that. 2 Android Builders 2014 Security Use Case Personal Phone

874 views • 55 slides
Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5

Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5

Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5 GHz Krait 400 GPU : Adreno 330 Development - Getting Started http://developer.android.com/develop/ Development - Getting Started

581 views • 33 slides
Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Introduction Background information SNE Research Project 2 Kernel patching Evaluation Android patching from the MDM Proof of concept Android patching From a Mobile Device Management perspective Cedric Van Bockhaven cbockhaven@os3.nl

466 views • 20 slides
IP Log for DSDP/Device Debugging move of DSF, MI, and GDB components to CDT Third-Party Code CQ

IP Log for DSDP/Device Debugging move of DSF, MI, and GDB components to CDT Third-Party Code CQ

IP Log for DSDP/Device Debugging move of DSF, MI, and GDB components to CDT Third-Party Code CQ Third-Party Code License Use No pre-req dependencies Committers Past and Present Active Name Organization Francois Chouinard Ericsson AB Marc

354 views • 7 slides
REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic

REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic

REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic ranging application Current Work Paul: 2 device ranging using android devices + calculations in MATLAB Vitor: Device to device communication

273 views • 12 slides
Handheld Device Architectures: Are We Doing Enough? Manu Awasthi Ashoka University Handheld

Handheld Device Architectures: Are We Doing Enough? Manu Awasthi Ashoka University Handheld

Handheld Device Architectures: Are We Doing Enough? Manu Awasthi Ashoka University Handheld Devices Android Versions https://www.counterpointresearch.com/can-android-o- de-fragment-android/ Memory Usage

498 views • 28 slides
Android for the Enterprise Ge#ng from Here to There 1

Android for the Enterprise Ge#ng from Here to There 1

Android for the Enterprise Ge#ng from Here to There 1 Confiden)al Overview 3LM addresses enterprise needs: security and device management. 2 Confiden)al Overview m

281 views • 26 slides
Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments

Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments

Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments Open source Tape Otto Dagger ActionBarSherlock Android Design on every device. Lifecycle Install Apps Run Forever Uninstall

844 views • 82 slides
Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich Olga Gadyatskaya RAID 2016 Sensitive Resource Protection in Android Android is the most popular mobile OS: - ~ 2 billion of third-party apps

523 views • 24 slides
Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done Party!!!!!! Party!!!!!! Curling Orientation Party!!!!!! Party!!!!!! Party!!!!!! National day parade Airport picking-uping Party!!!!!!

1.18k views • 69 slides
Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by Appliances? appliance / pl ns/ Noun A device designed to perform a specific task, typically a domestic one. Digital Signage

1.04k views • 55 slides
Managing App Testing Device Clouds: Issues and Opportunities Mattia Fazzini Alessandro Orso

Managing App Testing Device Clouds: Issues and Opportunities Mattia Fazzini Alessandro Orso

Managing App Testing Device Clouds: Issues and Opportunities Mattia Fazzini Alessandro Orso Problem Description Study Methodology Android Mobile App Testing Devices and Tests Considered AWS Compatibility Device Farm Android Version

321 views • 5 slides
Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and Jan-Christoph K uster Background, what Android is Developed by Android Inc. (acquired by Google in 2005) Open Handset Alliance (founded in 2007)

161 views • 15 slides
Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

LECTURE IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE Program Runtime Attacks Wireless Security Side Channels CONNECTED DEVICES Thread Intelligence Secure Group Communication

1.04k views • 6 slides
The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab

The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab

The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab The Jungle Ecosystem Googles protection Threats Risks Survival Network Data protection (encryption) App/device

888 views • 45 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides

More recommend