application security
play

APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey - PowerPoint PPT Presentation

May 16, 2023 •309 likes •742 views

WINDOWS PHONE 8 APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey Chasovskikh About us Dmitriy D1g1 Evdokimov - Security researcher at ERPScan - Mobile security, RE, fuzzing, exploit dev etc. - Editor of Russian hacking

  1. WINDOWS PHONE 8 APPLICATION SECURITY HackInParis 2013 Dmitriy Evdokimov Andrey Chasovskikh

  2. About us Dmitriy ‘D1g1’ Evdokimov - Security researcher at ERPScan - Mobile security, RE, fuzzing, exploit dev etc. - Editor of Russian hacking magazine - DEFCON Russia (DCG #7812) co-organizer Andrey Chasovskikh - Software developer - Windows Phone addict 2 HackInParis 2013

  3. Agenda • Intro • Security model • First steps in Windows Phone 8 • Applications • Application security • Conclusion 3 HackInParis 2013

  4. INTRO

  5. Intro • 29 Oct 2012 – Windows Phone 8 released • Based on Windows 8 core – ARM architecture • Market share: 3,2% (Q1 2013, IDC) • 145 000+ applications in Windows Phone Store 5 HackInParis 2013

  6. SECURITY MODEL

  7. Chambers - Trusted Computing Base (TCB) Kernel, kernel-mode drivers - Least Privileged Chamber (LPC) All other software: services, pre-installed apps, application from WP store 7 HackInParis 2013

  8. Capabilities WMAppManifest.xml Developers OEM Developers System - Network - Cell API - Debug - Camera - Device management - SMS API - NFC Etc. - Live ID - SD card access - SIM API - Wallet Etc. - Speech recognition - Front camera Etc. Total 27 Total 350+ Total 39 8 HackInParis 2013

  9. Sandboxing • File system structure is hidden • Local folder URI, files • Former isolated storage Chamber Chamber • Limited app-to-app communication App1 App2 Local folder Local folder for App1 for App2 9 HackInParis 2013

  10. App-to-app communication • File types associations - LaunchFileAsync() - Reserved: xap, msi, bat, cmd, py, jar etc. • URI associations - LaunchUriAsync() - Reserved: http, tel, wallet, LDAP, rlogin, telnet etc. - Proximity communication using NFC 10 HackInParis 2013

  11. Local folder Physical File Storage Local Folder Settings Storage File Storage Files Directory Database 11 HackInParis 2013

  12. Application protection • All binaries are signed • Application file is signed – Kind of checksum file is put into applications • Certificate pinning for Store • XAP file has DRM key 12 HackInParis 2013

  13. The Microsoft PlayReady Ecosystem 13 HackInParis 2013

  14. XAP file protection • Before august 2012 – ZIP archive – Sign • After august 2012 – New file format – PlayReady Header – AESCTR algorithm 14 HackInParis 2013

  15. FIRST STEPS IN WINDOWS PHONE 8

  16. Windows 8 vs Windows Phone 8 • WP8 is migrating from the WinCE core to the WinNT core • Win8/emulator (x86) • WinRT/device (ARM) http://intrepidusgroup.com/insight/2012/12/windows-phone-8-and-windows-8-similarity/ 16 HackInParis 2013

  17. WP8 emulator • Hyper-V images – %ProgramFiles(x86)%\Microsoft SDKs\ Windows Phone\v8.0\Emulation\Images\ • Emulator vs. Device – x86 – Fake binaries • FakeLed.sys, Fakevibra.sys, FakeModem.dll etc. – Different user-agent – Prohibited to install apps from the Store 17 HackInParis 2013

  18. WP8 device • Windows Phone 8 has standardized bootloader – Full flash images are available • ImgMount tool – FFU Image file as a virtual hard drive 18 HackInParis 2013

  19. Reversing WP8 internals • No debug symbols • Tip: restore information from Event Tracing for Windows (ETW) • Use IDAPython *InstallerWorker.exe 19 HackInParis 2013

  20. Windows API calls • Full Windows API is not available by default • Originally posted on XDA for WindowsRT apps – Find kernerbase.dll address (“MZ”) -> Get “LoadLibraryA” and “GetProcAddress” functions -> call any function you want – http://bit.ly/Uw2Gk6 • Works for Windows Phone 8 20 HackInParis 2013

  21. APPLICATIONS

  22. .NET and CLR Applications Developer Platform (XAML, XNA, Device services) .NET Framework (CoreCLR) WP8 OS, Win8 based 22 HackInParis 2013

  23. Frameworks 23 HackInParis 2013

  24. Application kinds • Microsoft • OEM – XAP files are not encrypted (~ZIP) – C:\PROGRAMS\CommonFiles\Xaps\ • Windows Phone Store apps – C:\Data\Programs\{ProductID}\Install\ • Company applications – XAP files are not encrypted (~ZIP) – Company hubs • Developer applications – Need developer unlock 24 HackInParis 2013

  25. Application file structure • Application assemblies (in various formats) • Resources • AppManifest.xaml • WMAppManifest.xml 25 HackInParis 2013

  26. APPLICATION SECURITY

  27. Security?! “One of the goals of the Windows Phone app platform is to foster the creation of apps that are secure by design and secure by default . ” Security for Windows Phone 27 HackInParis 2013

  28. Application entry points • User input • Web • SD card • Bluetooth • Sockets • NFC • URI • Speech2Text Green – Windows Phone 7 White – Windows Phone 8 28 HackInParis 2013

  29. Vulnerabilities iOS Windows Phone 8 (Objective-C) (C#/VB/C/C++) Platform independent vulnerabilities Platform specific vulnerabilities Android (Java) Note: Main programming languages in brackets 29 HackInParis 2013

  30. Work with SD card • WP8 allows only read operations • Only registered file types • Files on SD cards are not encrypted OS Details iOS Work with SD card is absent Android READ/WRITE 30 HackInParis 2013

  31. Privacy • Device Unique ID – Requires ID_CAP_IDENTITY_DEVICE – DeviceExtendedProperties.GetValue(“DeviceUniqueId”) • Windows Live Anonymous ID – Requires ID_CAP_IDENTITY_USER – UserExtendedProperties.GetValue(“ANID2”) • Both identifiers are per-publisher OS Details iOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013) Android telephonyManager.getDeviceId() 31 HackInParis 2013

  32. Privacy, part 2 • Device name, manufacturer, firmware versions – Requires ID_CAP_IDENTITY_DEVICE – DeviceStatus class • Location tracking – ID_CAP_LOCATION – GeoCoordinateWatcher class OS Details iOS UDID (apps that use UDIDs are no longer accepted, from May 1, 2013) Android telephonyManager.getDeviceId() 32 HackInParis 2013

  33. Secure storage • Device can be encrypted (not for all countries) – BitLocker 2.0/TPM – Available only in business settings • Data Protection API (DPAPI) • System.Security.Cryptography • Algorithms: AES, HMACSHA1, HMACSHA256, Rfc2898DeriveBytes, RSA, SHA1, SHA256 OS Details iOS Keychain, /System/Library/Frameworks/Security.framework Android android.security.KeyChain (from 4.0) 33 HackInParis 2013

  34. Data leak • Keyboard cache is isolated per-application • Cache for applications that access internet – Controlled by OS OS Details iOS plist, Custom created documents, Preferences, Logs, Cache data, Keyboard cache, Pasteboard cache, Cookies Android shared_preference, logs, external storage, MODE_WORLD_READABLE or MODE_WORLD_WRITETABLE 34 HackInParis 2013

  35. Work with URI • Handling function: MapUri() • Filter user input • Exclude critical arguments from URI – Ex.: prgrm://command?request=data&role=admin OS Details iOS openURL(), handleOpenURL() Android android.net.Uri class 35 HackInParis 2013

  36. Cross-site scripting (XSS) • WebBrowser control (based on IE10) • JavaScript is disabled by default • To see if enabled: – WebBrowser.IsScriptEnabled = true – <WebBrowser IsScriptEnabled = “True” /> OS Details iOS UIWebView Class + stringByEvaluatingJavaScriptFromString() shouldStartLoadWithRequest() Android WebView.getSettings().setJavaScriptEnabled(); WebView.getSettings().setPluginsEnabled(); 36 HackInParis 2013

  37. Directory traversal • Local folder API accepts paths with traversal – IsolatedStorageFile class (WP7) – StorageFolder class • Win32 storage API OS Details iOS contentsAtPath, fileHandleForReadingAtPath, _fopen etc. Android ContentProvider + incorrect or missing rights, files functions 37 HackInParis 2013

  38. XML External Entity (XXE) • System.Xml namespace – Entity resolving is prohibited by default • Entities can be resolved by using custom XmlResolver for XmlDocument OS Details iOS libXML2 + _xmlParseMemory, NSXMLParser + setShouldResolveExternalEntities:YES Android setFeature(external-general-entities, True) 38 HackInParis 2013

  39. SQL injection • Bad: • Good: OS Details iOS sqlite3_exec() Android query(), rawQuery() 39 HackInParis 2013

  40. Memory corruption bugs • Developers can use native code • Format string, BoF, use-after-free etc. – С /C++ functions • Compilation flags: /sdl, /GS, /DYNAMICBASE, /NXCOMPAT OS Details iOS – fPIE, – fstack-protector-all, -fobjc-arc Android Only in native libs, -fstack-protector, -Wformat-security, NX, ASLR, PIE HackInParis 2013

  41. CONCLUSION

  42. Conclusion • Windows Phone 8 is pretty secure • Greater attack surface • Security-related API • More flexible than in iOS • More simple than in Android 42 HackInParis 2013

  43. Q&A Dmitry ‘D1g1’ Evdokimov d.evdokimov@erpscan.com @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha 43 HackInParis 2013

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application Security Management (ASM) Features and Benefits Performance Review Ordering Information About Application Security Management (ASM)

618 views • 7 slides
Application security Application security September 25, 2020 Administrative submittal

Application security Application security September 25, 2020 Administrative submittal

Application security Application security September 25, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab assignments questions in written report form, as a text, pdf, or Word

566 views • 37 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 -

Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 -

Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 - Barcelona Topics Short w3af introduction Whats new in w3af Automating Web application exploitation The problem and how other tools are

553 views • 54 slides
Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

540 views • 29 slides
OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

Agenda Application Security OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente Application Security Startup 04.04.2013 04.04.2013 2 OWASP Top 10 Agenda Application Security Was ist Application Security

234 views • 8 slides
The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

874 views • 34 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Network Monitoring Session Schema OGF20 Meeting - Manchester May 2007 Augusto Ciuffoletti -

Network Monitoring Session Schema OGF20 Meeting - Manchester May 2007 Augusto Ciuffoletti -

Network Monitoring Session Schema OGF20 Meeting - Manchester May 2007 Augusto Ciuffoletti - INFN Italy (joint work with M. Polychronakis Forth - Crete) Summary Describe a network monitoring framework Define a solution

901 views • 27 slides
Untangling the Strings Scaling Puppet with inotify Steven McDonald steven.mcdonald@anchor.net.au

Untangling the Strings Scaling Puppet with inotify Steven McDonald steven.mcdonald@anchor.net.au

Untangling the Strings Scaling Puppet with inotify Steven McDonald steven.mcdonald@anchor.net.au Anchor linux.conf.au 2015 Sysadmin miniconf Background Puppet is a centralised configuration management system. Background Puppet is a

658 views • 45 slides
Agent Languages Overview Requirements Java Tcl/Tk Telescript Evaluation Franz J. Kurfess

Agent Languages Overview Requirements Java Tcl/Tk Telescript Evaluation Franz J. Kurfess

Agent Languages Overview Requirements Java Tcl/Tk Telescript Evaluation Franz J. Kurfess CSC/CPE 580 Intelligent Agents Spring 2002 217 Requirements for agent Languages distributed programming large-scale (tens of thousands of

706 views • 34 slides
Swarm MPM Simulation Tools -- Breve and Swarm Anguo Dong Computer Science Department

Swarm MPM Simulation Tools -- Breve and Swarm Anguo Dong Computer Science Department

Swarm MPM Simulation Tools -- Breve and Swarm Anguo Dong Computer Science Department University of Calgary donga@cpsc.ucalgary.ca 1 2 What is Breve (I) What is Breve (II) Used for a wide variety of simulation A free simulation

301 views • 6 slides
Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2

Petros Papapanagiotou Automated Reasoning Lecture 9 What have you done so far? Done To Go 2 Learned new things!.. 3 ...and some (more) logic!.. 4 ...and practiced using Isabelle!.. 5 ...but why? 6 Where is the connection...

1.02k views • 66 slides
PKTLAB Edge Measurement Active measurement from end hosts where vantage point is an

PKTLAB Edge Measurement Active measurement from end hosts where vantage point is an

PacketLab: A Universal Measurement Endpoint Interface Kirill Levchenko with Amogh Dhamdhere, Bradley Huffaker, kc claffy, Mark Allman, Vern Paxson PKTLAB Edge Measurement Active measurement from end hosts where vantage point is an

2.67k views • 29 slides
VMware Backup &amp; Replication using Vembu VMBackup About Vembu Technologies Founded in 200 2

VMware Backup &amp; Replication using Vembu VMBackup About Vembu Technologies Founded in 200 2

VMware Backup &amp; Replication using Vembu VMBackup About Vembu Technologies Founded in 200 2 4000+ Channel Partners Private Company Reached more than 60,000 businesses Profitable since 2006 70 % of our customers are from North America, 20%

368 views • 13 slides
Kafka in Jail Running Kafka in container orchestrated clusters Sean Glover, Lightbend @seg1o

Kafka in Jail Running Kafka in container orchestrated clusters Sean Glover, Lightbend @seg1o

Kafka in Jail Running Kafka in container orchestrated clusters Sean Glover, Lightbend @seg1o Who am I? Im Sean Glover Senior Software Engineer at Lightbend Member of the Fast Data Platform team Contributor to various projects in

788 views • 60 slides

More recommend