A Component-based Environment for Android Apps (Alexander Senier, slide deck)



SLIDE 1

A Component-based Environment for Android Apps

Alexander Senier FOSDEM, Brussels, 2020-02-02

SLIDE 2

Smartphone Trust Challenges: Privilege Escalation

SLIDE 3

Media Frameworks are not getting simpler. How do we avoid such fatal errors?

SLIDE 4

Trustworthy Systems: Component-based Architectures

■ Can’t reimplement everything
■ Solution: software reuse
  ▪ Untrusted software (gray)
  ▪ Policy object (green)
  ▪ Client software (orange)
■ Policy object
  ▪ Establishes assumptions of client
  ▪ Sanitizes
  ▪ Enforces additional policies

Diagram: the untrusted Network Stack reaches the Web browser (client) only through a Protocol validator (e.g. Firewall), which is the policy object.

SLIDE 5

Information Flow / Correctness

SLIDE 6

Trustworthy Systems: Information Flow (Genode OS Framework)

■ Recursive system structure
  ▪ Root: Microkernel
  ▪ Parent: Responsibility + control
  ▪ Isolation is default
  ▪ Strict communication policy
■ Everything is a user-process
  ▪ Application
  ▪ File systems
  ▪ Drivers, Network stacks
■ Stay here for the next 2 talks for details (13:00)

Diagram: Hierarchical System Architecture

https://genode.org

SLIDE 7

Trustworthy Systems: Correctness (SPARK)

■ Programming Language
  ▪ Based on Ada
  ▪ Compilable with GCC and LLVM
  ▪ Customizable runtimes
  ▪ Contracts (preconditions, postconditions, invariants)
■ Verification Toolset
  ▪ Absence of runtime errors
  ▪ Functional correctness
■ Applications
  ▪ Avionics
  ▪ Defense
  ▪ Air Traffic Control
  ▪ Space
  ▪ Automotive
  ▪ Medical Devices
  ▪ Security

https://www.adacore.com/about-spark

SLIDE 8

Applying this Approach to Android Apps

SLIDE 9

GART Project Objectives

■ Unmodified Android Apps
■ On top of Genode OS Framework
■ Formally-verified policy objects

SLIDE 10

GART Project Elements

■ Build system
■ Android Runtime
■ Trusted Proxies
■ IPC

SLIDE 11

Build System Integration

SLIDE 12

Build System Integration: Android Build Files

■ Soong replaced the old make-based build system in Oreo (8.0)
■ JSON-like blueprint files
■ Purely declarative – no conditionals, no control flow
■ Complex cases are handled in a Go application
■ Manifests for the Ninja build system are generated

cc_binary {
    name: "gzip",
    srcs: ["src/test/minigzip.c"],
    shared_libs: ["libz"],
    stl: "none",
}

SLIDE 13

Build System Integration: Translating Android Build Files

$ gnoos -b android -i libnativehelper/Android.bp -o libnativehelper.mk -p LIBNATIVEHELPER_ \
    '/cc_library[@name=libnativehelper]'
$ cat libnativehelper.mk
LIBNATIVEHELPER_CFLAGS = -Werror -fvisibility=protected
LIBNATIVEHELPER_EXPORT_HEADER_LIB_HEADERS = jni_headers jni_platform_headers libnativehelper_header_only
LIBNATIVEHELPER_EXPORT_INCLUDE_DIRS = include
LIBNATIVEHELPER_HEADER_LIBS = jni_headers jni_platform_headers libnativehelper_header_only
LIBNATIVEHELPER_HOST_SUPPORTED = True
LIBNATIVEHELPER_NAME = libnativehelper
LIBNATIVEHELPER_SHARED_LIBS = liblog
LIBNATIVEHELPER_SRCS = JNIHelp.cpp JniConstants.cpp JniInvocation.cpp toStringArray.cpp

SLIDE 14

Build System Integration: Integrating Android Build Files (1)

■ Gnoos has been integrated into the Genode build system
■ Consistent with regular Genode applications
  ▪ Library build files are in lib/mk
  ▪ Library import files are in lib/import
  ▪ Applications have a target.mk

SLIDE 15

Build System Integration: Integrating Android Build Files (2)

■ Porting native Android applications is easy
■ With a run script, they can be run like every other Genode application
■ gart_gtest_main makes porting Android tests a one-liner

$ make -C build/arm_v8a run/test/libutils
...
[init -> libutils_test] Note: Google Test filter = -VectorTest.SetCapacity_Overflow:VectorTest._grow_OverflowSize
[init -> libutils_test] :VectorTest._grow_OverflowCapacrstr16EmptyTarget_bug:SystemClock.SystemClock
[init -> libutils_test] [==========] Running 61 tests from 9 test cases.
[init -> libutils_test] [----------] Global test environment set-up.
[init -> libutils_test] [----------] 3 tests from VectorTest
[init -> libutils_test] [ RUN      ] VectorTest.CopyOnWrite_CopyAndAddElements
[init -> libutils_test] [       OK ] VectorTest.CopyOnWrite_CopyAndAddElements (2 ms)
...
[init -> libutils_test] [  PASSED  ] 61 tests.
[init] child "libutils_test" exited with exit value 0
Run script execution successful.
make: Leaving directory 'build/arm_v8a'

SLIDE 16

Android Runtime

SLIDE 17

Android Runtime: Dependencies

Diagram: dependency graph of the Android Runtime, with the nodes art_runtime_tests, libart-gtest, libicui18n, libsigchain, libart-compiler-gtest, libicuuc, liblog, libartd-disassembler, libart-runtime-gtest, libicuuc_stubdata, libartd, libbacktrace, libdexfiled, libtombstoned_client, libnativeloader, liblz4, libmetricslogger, libartbased, libasync_safe, libdemangle, libziparchive, libbase, libcutils, libnativehelper, libnativebridge, libgtest_prod, libz, libutils, libdl, libvndksupport, ld-android, libvixld-arm, libvixld-arm64, libartd-compiler, libgtest, liblzma, art_runtime_compiler_tests, art_libdexfile_tests

SLIDE 18

Android Runtime: Components

■ dalvikvm
  ▪ Only ~200 LOC
  ▪ Linked with only a few libraries – libsigchain, libnativehelper, libc
  ▪ libsigchain: interception layer for signals
  ▪ libnativehelper: helpers for the Java/native interface
■ libart
  ▪ The actual Java Virtual Machine
  ▪ Loaded dynamically by dalvikvm
  ▪ > 50 dependencies that needed to be ported

SLIDE 19

Android Runtime: Current State

■ dalvikvm and libart ported to Genode
  ▪ The ~1000 test cases of the dependencies succeed
  ▪ Most of the ~500 ART test cases succeed
  ▪ Runtime fully initializes and starts a Java program on Genode/arm_v8a (and then crashes, see below ;)
■ Open issues
  ▪ Concurrency bugs due to missing futex implementation
  ▪ Probably some more due to differences between Genode's libc and Linux
  ▪ Runtime compiler basically ported, but still has issues

https://github.com/Componolit/gart

SLIDE 20

Trusted Proxies

SLIDE 21

Trusted Proxies: Component Environment

■ Downsized SPARK/Ada runtime
  ▪ Optimized for critical low-complexity components
  ▪ No allocators, no exception handlers, no implicit dynamic code, no tasking...
  ▪ Support for Genode, Muen and Linux
  ▪ Easy to customize and port to new (embedded) environments
■ Gneiss component library
  ▪ Fully asynchronous, event-driven and platform-independent
  ▪ Support for Genode, Muen and Linux
  ▪ Only constructs that are formally verifiable with the SPARK proof tools
  ▪ Generic interfaces: Log, timer, block device, message, shared memory
■ See the recording of the previous talk by Johannes Kliemann for details

https://github.com/Componolit/ada-runtime | https://github.com/Componolit/gneiss

SLIDE 22

Trusted Proxies: Verified Binary Parsers

■ RecordFlux
  ▪ DSL and toolset for formal specification of binary messages
  ▪ Model verification (absence of contradictions, reachability, ...)
  ▪ Generation of verifiable binary parsers
  ▪ Generation of message generators
■ See the recording of Tobias Reiher's talk for details (Saturday, 11:30, security devroom)

https://github.com/Componolit/RecordFlux | https://arxiv.org/abs/1910.02146

package TLV is
   type Tag is (Msg_Data => 1, Msg_Error => 3) with Size => 2;
   type Length is mod 2**14;
   type Message is
      message
         Tag : Tag
            then Length
               if Tag = Msg_Data,
            then null
               if Tag = Msg_Error;
         Length : Length
            then Value
               with Length => Length * 8;
         Value : Payload;
      end message;
end TLV;
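What the TLV specification above means at byte level, and what a policy object of the kind described on slide 4 has to check before handing such a message to a client, is easier to see in a hand-written parser. The following C is an added example, not code from the slides, from GART, or generated by RecordFlux (which would emit SPARK with proofs instead): the Tag occupies the top two bits of the first byte, the 14-bit Length follows only for Msg_Data, and the Value is exactly Length bytes (`Length * 8` bits), so a Msg_Error message is one byte long. Network (most-significant-bit-first) bit order is assumed, the function names and sample bytes are the example's own, and tag values 0 and 2 are rejected because the specification does not define them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Tag values from the TLV specification; 0 and 2 are undefined there. */
enum tlv_tag { TLV_MSG_DATA = 1, TLV_MSG_ERROR = 3 };

enum tlv_result { TLV_OK = 0, TLV_TRUNCATED, TLV_INVALID_TAG };

struct tlv_message {
    enum tlv_tag tag;
    uint16_t length;       /* Length field (14 bits); 0 for Msg_Error            */
    const uint8_t *value;  /* points into the caller's buffer; NULL for Msg_Error */
    size_t consumed;       /* bytes of input covered by this message             */
};

#define TLV_MAX_LENGTH ((1u << 14) - 1)   /* Length is "mod 2**14" */

/* Parse one message. Byte 0 bits 7..6 hold the Tag; for Msg_Data, bits 5..0 of
   byte 0 and all of byte 1 hold the 14-bit Length, followed by Length bytes of
   Value. A Msg_Error message ends after the Tag ("then null"), i.e. one byte. */
enum tlv_result tlv_parse(const uint8_t *buf, size_t len, struct tlv_message *out)
{
    if (len < 1)
        return TLV_TRUNCATED;
    switch (buf[0] >> 6) {
    case TLV_MSG_ERROR:
        out->tag = TLV_MSG_ERROR;
        out->length = 0;
        out->value = NULL;
        out->consumed = 1;
        return TLV_OK;
    case TLV_MSG_DATA: {
        if (len < 2)
            return TLV_TRUNCATED;
        uint16_t length = (uint16_t)(((buf[0] & 0x3fu) << 8) | buf[1]);
        /* The Value must lie entirely inside the input; len >= 2 here, so
           len - 2 cannot wrap. */
        if (len - 2 < length)
            return TLV_TRUNCATED;
        out->tag = TLV_MSG_DATA;
        out->length = length;
        out->value = buf + 2;
        out->consumed = 2 + (size_t)length;
        return TLV_OK;
    }
    default:
        return TLV_INVALID_TAG;
    }
}

/* Generator side: serialize a Msg_Data message. Returns bytes written, or 0
   when the Length does not fit 14 bits or the output buffer is too small. */
size_t tlv_serialize_data(const uint8_t *value, size_t length, uint8_t *out, size_t cap)
{
    if (length > TLV_MAX_LENGTH || cap < 2 + length)
        return 0;
    out[0] = (uint8_t)((TLV_MSG_DATA << 6) | (length >> 8));
    out[1] = (uint8_t)(length & 0xffu);
    memcpy(out + 2, value, length);
    return 2 + length;
}

/* Parsed Length of a Msg_Data message, or -1 if the input is not one. */
int tlv_data_length(const uint8_t *buf, size_t len)
{
    struct tlv_message m;
    if (tlv_parse(buf, len, &m) != TLV_OK || m.tag != TLV_MSG_DATA)
        return -1;
    return m.length;
}

/* Round trip on constructed input: serialize "abc", parse it back, and check
   that the wire bytes and the payload are what the spec implies. */
int tlv_roundtrip_ok(void)
{
    const uint8_t payload[3] = { 'a', 'b', 'c' };
    uint8_t wire[8];
    struct tlv_message m;
    size_t n = tlv_serialize_data(payload, sizeof payload, wire, sizeof wire);
    if (n != 5 || wire[0] != 0x40 || wire[1] != 0x03)
        return 0;
    if (tlv_parse(wire, n, &m) != TLV_OK || m.tag != TLV_MSG_DATA)
        return 0;
    return m.length == 3 && m.consumed == 5 && memcmp(m.value, payload, 3) == 0;
}
```

The two properties a verified parser proves for this format are the ones the hand-written code has to get right by inspection: the Length is only read when the Tag says it exists, and the Value pointer never extends past the input. A policy object would typically re-serialize the parsed message for the client rather than forward the original bytes, which is why the generator is part of the picture.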

SLIDE 23

Future Work / Next Up: Android IPC

SLIDE 24

SLIDE 25

Android IPC: Binder device

■ Linux device node /dev/[vnd|hw|]binder
  ▪ Interaction through ioctl() interface
  ▪ Blocking or non-blocking
  ▪ Send and/or receive phase
■ Data is passed via linked data structure
  ▪ Local/remote objects with reference counting
  ▪ Special objects
  ▪ File-descriptor passing
  ▪ Linux kernel copies between processes
  ▪ Name-service application (ServiceManager)

Diagram: the binder ioctl interface, as modelled on the slide

Binder devices: "/dev/binder", "/dev/hwbinder", "/dev/vndbinder"

open: int (Pathname: String; Flags: Int, open flags O_RDWR)
ioctl: int (FD: Int; Request: Unsigned_Long; Data: Pointer)

Binder requests
  ▪ BINDER_WRITE_READ: perform read/write operation
  ▪ BINDER_SET_MAX_THREADS: set maximum number of binder threads
  ▪ BINDER_SET_CONTEXT_MGR: become context manager
  ▪ BINDER_THREAD_EXIT: exit a binder thread
  ▪ BINDER_VERSION: retrieve binder version

Binder data
  ▪ binder_write_read (Request = BINDER_WRITE_READ): Write_Size: Signed_Long (bytes to write); Write_Consumed: Signed_Long (bytes consumed by kernel driver); Write_Buffer: Pointer (pointer to write buffer); Read_Size: Signed_Long (bytes to read); Read_Consumed: Signed_Long (bytes consumed by kernel driver); Read_Buffer: Pointer (pointer to read buffer)
  ▪ binder_set_max_threads (Request = BINDER_SET_MAX_THREADS): Unsigned_32 (maximum number of threads)
  ▪ binder_version (Request = BINDER_VERSION): Protocol_Version: Signed_32 (driver protocol version)
  ▪ void (Request = BINDER_THREAD_EXIT)
  ▪ void (Request = BINDER_SET_CONTEXT_MGR)

Binder transaction: Command: Unsigned_32, one of Binder_Driver_Command_Protocol (BC_TRANSACTION, BC_REPLY, BC_FREE_BUFFER, BC_INCREFS, BC_ACQUIRE, BC_RELEASE, BC_DECREFS, BC_INCREFS_DONE, BC_ACQUIRE_DONE, BC_REGISTER_LOOPER, BC_ENTER_LOOPER, BC_EXIT_LOOPER, BC_REQUEST_DEATH_NOTIFICATION, BC_CLEAR_DEATH_NOTIFICATION, BC_DEAD_BINDER_DONE, BC_TRANSACTION_SG, BC_REPLY_SG)
  ▪ binder_transaction_data (Command = BC_TRANSACTION ∨ Command = BC_REPLY): Handle: U32 (descriptor for remote objects); Ptr: Pointer (pointer to local objects); Cookie: Pointer (target object cookie); Code: U32 (remote method ID); Flags: U32 (flags); Sender_PID: Pid (sender process ID); Sender_EUID: Uid (effective user ID of sender); Data_Size: Size (number of bytes of data); Offsets_Size: Size (number of bytes of offsets); Buffer: Pointer (transaction data); Buf: U8(8) (inline data); Offsets: Pointer (offsets from buffer to flat_binder_objects, struct binder_uintptr_t)
  ▪ Command = BC_FREE_BUFFER: pointer to transaction data received on a read
  ▪ int (Command = BC_INCREFS ∨ BC_ACQUIRE ∨ BC_RELEASE ∨ BC_DECREFS): obtain/release a strong/weak reference
  ▪ binder_ptr_cookie (Command = BC_INCREFS_DONE ∨ BC_ACQUIRE_DONE): obtaining weak/strong reference done
  ▪ no parameters (Command = BC_REGISTER_LOOPER): register a spawned looper thread with the device
  ▪ no parameters (Command = BC_ENTER_LOOPER ∨ BC_EXIT_LOOPER): called when an application-level thread enters and exits the binder loop, respectively
  ▪ binder_handle_cookie (Command = BC_REQUEST_DEATH_NOTIFICATION ∨ BC_CLEAR_DEATH_NOTIFICATION): set up or clear a death notification for a handle
  ▪ binder_uintptr_t (Command = BC_DEAD_BINDER_DONE): death notification done
  ▪ binder_transaction_data_sg (Command = BC_TRANSACTION_SG ∨ BC_REPLY_SG): scatter-gather transaction; Transaction_Data: binder_transaction_data (transaction data); Buffer_Size: Size (buffer size)

Data buffer: flat objects (binder, weak_binder, handle, weak_handle, fd, fda, ptr) are embedded in the transaction data, and the Offsets array (Offset 1, Offset 2, ...) records where each one starts

Transaction flags
  ▪ TF_ONE_WAY: one-way call, asynchronous, no return
  ▪ TF_ROOT_OBJECT: contents are the component's root object
  ▪ TF_STATUS_CODE: contents are a 32-bit status code
  ▪ TF_ACCEPT_FDS: allow replies with file descriptors

Binder types: BINDER_TYPE_BINDER, BINDER_TYPE_WEAK_BINDER, BINDER_TYPE_HANDLE, BINDER_TYPE_WEAK_HANDLE, BINDER_TYPE_FD, BINDER_TYPE_FDA, BINDER_TYPE_PTR
SLIDE 26

Android IPC: User-level message broker (idea)

■ Verified broker component to handle binder transactions
  ▪ Android apps are clients of the broker, using message passing
  ▪ Clients share a memory region with the broker
  ▪ Broker implements the name service and copies between clients
■ Pros
  ▪ No additional complexity in the kernel
  ▪ Enables filter components / policies
■ Cons
  ▪ At least 3 copies per transaction (the Android kernel needs 1)
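The part of a binder transaction that a user-level broker (slide 26) must not trust is the Offsets array described on slide 25: it tells the receiver where the flat objects (handles, file descriptors, scatter-gather buffers) sit inside the data buffer, and the Linux driver has to validate it before translating handles and copying data between processes. The following C is an added example, not GART, Genode, or Linux code, of that validation as a broker would run it before copying anything. The BINDER_TYPE_* constants are reproduced from the Linux uapi header; the object sizes assume the 64-bit uapi layout (4-byte type header first, 8-byte offsets); the `allow_fds` parameter stands in for the receiver's accept_fds / TF_ACCEPT_FDS rule; function names and the sample buffer are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Object type tags as in the Linux uapi binder header, reproduced so the
   example builds without <linux/android/binder.h>. */
#define B_TYPE_LARGE 0x85u
#define B_PACK_CHARS(c1, c2, c3, c4) \
    (((uint32_t)(c1) << 24) | ((uint32_t)(c2) << 16) | ((uint32_t)(c3) << 8) | (uint32_t)(c4))
enum {
    BINDER_TYPE_BINDER      = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),
    BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),
    BINDER_TYPE_HANDLE      = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
    BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
    BINDER_TYPE_FD          = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
    BINDER_TYPE_FDA         = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
    BINDER_TYPE_PTR         = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
};
/* Byte sizes of the flat objects (assumption: 64-bit uapi layout). Every
   object starts with a 4-byte type header; offsets are 8-byte binder_size_t. */
enum { FLAT_BINDER_OBJECT_SIZE = 24, FD_OBJECT_SIZE = 24,
       FD_ARRAY_OBJECT_SIZE = 32, BUFFER_OBJECT_SIZE = 40, OFFSET_SIZE = 8 };

enum binder_check { CHECK_OK = 0, CHECK_OFFSETS_MISALIGNED, CHECK_OBJECT_OUT_OF_ORDER,
                    CHECK_OBJECT_OUT_OF_BOUNDS, CHECK_UNKNOWN_TYPE, CHECK_FD_NOT_ALLOWED };

/* Size of a flat object from its type; 0 means "unknown, reject". */
static size_t object_size(uint32_t type)
{
    switch (type) {
    case BINDER_TYPE_BINDER: case BINDER_TYPE_WEAK_BINDER:
    case BINDER_TYPE_HANDLE: case BINDER_TYPE_WEAK_HANDLE: return FLAT_BINDER_OBJECT_SIZE;
    case BINDER_TYPE_FD:  return FD_OBJECT_SIZE;
    case BINDER_TYPE_FDA: return FD_ARRAY_OBJECT_SIZE;
    case BINDER_TYPE_PTR: return BUFFER_OBJECT_SIZE;
    default:              return 0;
    }
}

/* Walk the Offsets array of one transaction (Data_Size / Offsets_Size of
   binder_transaction_data) and check every flat object before anything is
   translated or copied. Not covered here: FDA/PTR parent links and whether a
   handle really belongs to the sender. */
enum binder_check validate_transaction(const uint8_t *data, size_t data_size,
                                       const uint8_t *offsets, size_t offsets_size,
                                       bool allow_fds)
{
    size_t next_free = 0;                    /* first byte past the previous object */
    if (offsets_size % OFFSET_SIZE != 0)
        return CHECK_OFFSETS_MISALIGNED;
    for (size_t i = 0; i < offsets_size / OFFSET_SIZE; i++) {
        uint64_t off;
        uint32_t type;
        memcpy(&off, offsets + i * OFFSET_SIZE, sizeof off);  /* untrusted: copy, never cast */
        if (off % OFFSET_SIZE != 0)
            return CHECK_OFFSETS_MISALIGNED;
        if (off < next_free)                 /* descending or overlapping objects */
            return CHECK_OBJECT_OUT_OF_ORDER;
        if (off > data_size || data_size - off < sizeof type)
            return CHECK_OBJECT_OUT_OF_BOUNDS;
        memcpy(&type, data + off, sizeof type);
        size_t size = object_size(type);
        if (size == 0)
            return CHECK_UNKNOWN_TYPE;
        if (data_size - off < size)
            return CHECK_OBJECT_OUT_OF_BOUNDS;
        if ((type == BINDER_TYPE_FD || type == BINDER_TYPE_FDA) && !allow_fds)
            return CHECK_FD_NOT_ALLOWED;
        next_free = (size_t)off + size;
    }
    return CHECK_OK;
}

static void put_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }

/* Constructed sample: a 64-byte data buffer with a HANDLE object at offset 8
   (type header, flags, then the handle at +8) and an FD object at offset 32,
   which is exactly where the 24-byte HANDLE object ends. */
static void build_sample(uint8_t data[64], uint64_t offsets[2])
{
    memset(data, 0, 64);
    put_u32(data + 8, BINDER_TYPE_HANDLE);
    put_u32(data + 8 + 8, 7);               /* handle = 7 */
    put_u32(data + 32, BINDER_TYPE_FD);
    put_u32(data + 32 + 8, 3);              /* fd = 3 */
    offsets[0] = 8;
    offsets[1] = 32;
}

/* Run the check on the sample with the second offset and the claimed
   Data_Size varied; this is how each rejection is provoked. */
enum binder_check check_sample(bool allow_fds, uint64_t second_offset, size_t data_size)
{
    uint8_t data[64];
    uint64_t offsets[2];
    build_sample(data, offsets);
    offsets[1] = second_offset;
    return validate_transaction(data, data_size, (const uint8_t *)offsets,
                                sizeof offsets, allow_fds);
}
```

Three habits in the walk are what a SPARK version of the broker would carry as proof obligations: every read from the client-shared region goes through memcpy on a checked range rather than a pointer cast, the object size comes from a closed table so an unknown type is refused rather than guessed, and `next_free` forbids the overlapping or backwards offsets with which one object's payload could be reinterpreted as another object's header. A policy filter sits naturally on top: reject file descriptors for a given client by passing `allow_fds == false`, for example.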

SLIDE 27

Conclusions

■ Conclusions
  ▪ Rehosting the Android Runtime to Genode is feasible
  ▪ Easy porting due to the declarative nature of Android's build system
  ▪ Google's extensive test suite is extremely helpful
  ▪ An environment for trustworthy, formally verified filters exists
■ Future Work
  ▪ User-level binder IPC on Genode
  ▪ Porting or emulation of required Android services
  ▪ Integration into Genode's Nitpicker UI subsystem
  ▪ Trusted filters (e.g. encrypted / tagged calendar entries)
  ▪ Test complex, unmodified Android applications on Genode

SLIDE 28

Questions?

Alexander Senier senier@componolit.com

@Componolit · componolit.com · github.com/Componolit