SLIDE 1
BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System - - PowerPoint PPT Presentation
BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System - - PowerPoint PPT Presentation
BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member Agenda 02 03 01 Network Security Internet socket in Aspects Permission in Android OS Marshmallow INTERNET PERMISSION IN MARSHMALLOW
SLIDE 2
SLIDE 3
Agenda
01
Internet Permission in Marshmallow
02
Network socket in Android OS
03
Security Aspects
SLIDE 4
INTERNET PERMISSION IN MARSHMALLOW
SLIDE 5
INTERNET PERMISSION DECLARATION
AndroidManifest.xml
htups:/ /github.com/vx/connectbot from VX Solutjons
SLIDE 6
INTERNET PERMISSION DEFINITION
frameworks/base/core/AndroidManifest.xml
SLIDE 7
MARSHMALLOW PERMISSIONS
Permission are automatjcally granted at install tjme
- UI shows permissions details
- UI from Google Play, not from the system
Dangerous permissions are granted at runtjme
SLIDE 8
INTERNET PERMISSION INTERNALS
On device : /system/etc/permissions/platgorm.xml system/core/include/private/android_fjlesystem_confjg.h
root@genymotion:/ cat /data/system/packages.list
SLIDE 9
MAPPING GID PROCESS
SLIDE 10
That’s all ? Anything is checked at the runtjme ?
SLIDE 11
NETWORK SOCKETS IN ANDROID OS
SLIDE 12
THE BASICS
SLIDE 13
JAVA.NET.SOCKET CLASS
Any applicatjon can directly instantjate this class
Even the framework uses it
Packed in Android Java core library : core-libart.jar
Source fjle : libcore/luni/src/main/java/net/Socket.java
SLIDE 14
SLIDE 15
ANY PERMISSION CHECKED !?
SLIDE 16
SOCKET SYSCALL IN BIONIC
bionic/libc/bionic/socket.cpp Same type of declaratjon for connect and accept syscalls
NetdClientDispath, C structure of 4 functjon pointers on 3 syscalls ( __socket, __connect, __accept4) & 1 functjon (fallBackNetIdForResolv)
SLIDE 17
WHAT HAPPENING IN BIONIC ?
As soon as bionic is loaded, the functjon __libc_preinit() is called by the dynamic linker In __libc_preinit(), call to netdClientInit() functjon The libnetd_client.so library is loaded by dlopen()
SLIDE 18
WHAT HAPPENING IN BIONIC ?
From libnetd_client.so library, bionic retrieves 4 functjon symbols :
- netdClientInitSocket()
- netdClientInitConnect()
- netdClientInitAccept4()
- netdClientInitNetIdForResolv()
Call them, one by one, with their respectjve syscall as a parameter.
SLIDE 19
NETDCLIENT LIBRARY
SLIDE 20
IMPACTS ON NETDCLIENTDISPATCH STRUCTURE
NetdClientDispatch structure does not contain the syscalls
anymore It points on libnetd_client library functjons :
- netdClientSocket()
- netdClientConnect()
- netdClientAccept4()
- getNetworkForResolv()
SLIDE 21
SLIDE 22
WHAT !?
SLIDE 23
ANDROID KERNEL
Android kernels have many modifjcatjons Every Android kernel has a network optjon actjvated : Paranoid
SLIDE 24
PARANOID KERNEL OPTION
It restricts access to some networking features depending
- n the group of the calling process
include/linux/android_aids.h
SLIDE 25
SOCKET CREATION IN THE KERNEL
In net/ipv4/af_inet.c & net/ipv6/af_inet6.c, the process group is checked before creatjng the socket If not allowed, return EACCES
SLIDE 26
SUMMARY
SLIDE 27
INTEREST OF NETDCLIENT LIBRARY AND BIONIC TRICK
Firewall marks in netd Networks packets are fmagged through a fwmark client/server mechanism Allow packets going through iptable rules, set by the OS In a “system case”, fwmark server checks also the permission
- f the process
SLIDE 28
SECURITY ASPECTS
SLIDE 29
DISCLAIMER
I am NOT a Security developer Consider just the architectural aspect of the implementatjon
SLIDE 30
HOW TO BREAK THE SYSTEM ?
Internet permission Paranoid optjon Rooted devices
SLIDE 31
HOW TO BREAK THE SYSTEM ?
sharedUserId
- A way to share permissions between packages
- Permissions state is propagated to all packages upon changes
Other applicatjons
SLIDE 32
Thanks for your atuentjon !
PENEL Alizée apenel@genymobile.com www.genymobile.com
SLIDE 33