
Finding Third-party Risks – Fourteenforty Research Institute, Inc. – PowerPoint PPT Presentation



  1. Smartphone Security and Finding “Third-party” Risks
     Fourteenforty Research Institute, Inc. – http://www.fourteenforty.jp
     Tsukasa Oi – Research Engineer
     Kyoto, 2012 – FIRST Technical Colloquium

  2. Self Introduction
     • Fourteenforty Research Institute, Inc. (FFRI)
       – Tokyo, Japan
       – R&D in the field of computer security
     • Tsukasa Oi: Research Engineer at FFRI
       – Currently focusing on mobile security
       – Recent talks at:
         • PacSec 2011 “How Security Broken?”
         • Black Hat Abu Dhabi 2011 “Yet Another Android Rootkit /protecting/system/is/not/enough/”
         • Black Hat USA 2012 “Windows Phone 7 Internals and Exploitability”

  3. Background
     • Modern mobile operating systems
       – Sandbox to protect the system and applications
       – Some kind of MAC (Mandatory Access Control)
       – Integrated application distribution (app stores)
     • Modifications by third-party vendors
       – Android
       – Windows Phone (7.x)

  4. Agenda
     • Security Design
       – Android
       – Windows Phone 7
     • Risks and Vulnerabilities
       – What we find
     • Third-Party Risks and Vulnerabilities
       – Remote DoS
       – Privilege Escalation
       – Access Control Vulnerability
     • Finding Vulnerabilities

  5. Caution!
     We cannot disclose many of the vulnerabilities we’ve found.

  6. SECURITY DESIGN
     It looks pretty good. But is it enough?

  7. Android : Permission
     • Restrict access to specific resources
       – Need a declaration to use specific features
         • Sensor data / Camera
         • Location
     • Access to system resources
       – Special GID or software checks
       – Some permissions are restricted to system apps (like INSTALL_PACKAGE, which allows unattended installation)
         • Checks by package location / signature

  8. Android : Permission Checks (1)
     [Diagram: Caller Application → IPC (through Binder) → System Service (Activity Manager, Package Manager), which consults the Application Metadata]
     • The Service Manager (or an important method) checks the caller’s permission
       – Achieves good isolation (the IPC glue is automatically generated)

  9. Android : Permission Checks (2)
     [Diagram: Normal case – Application with android.permission.READ_LOGS → GID 1007 (log) → Kernel: POSIX permissions. “Internet” case – Application with android.permission.INTERNET → GID 3003 (inet) → Kernel: specific checks for Android *]
     • Some permissions are associated with specific GIDs
       – Use POSIX permission checks, except for the “Internet” permission
     * The Linux kernel for Android is modified to restrict Internet sockets to processes which have GID 3003 (inet).
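The permission-to-GID mapping described on this slide, as an added example (not code from the slides): it reads a constructed excerpt in the format of Android’s /system/etc/permissions/platform.xml and computes the supplementary GIDs an app process would receive; the numeric AIDs for “inet” and “log” are those from android_filesystem_config.h.

```python
# Added example: which permissions the kernel enforces by GID, and which are
# left to software checks in the system services.
import xml.etree.ElementTree as ET

# Constructed excerpt in the format of /system/etc/permissions/platform.xml.
PLATFORM_XML = """<permissions>
  <permission name="android.permission.INTERNET">
    <group gid="inet" />
  </permission>
  <permission name="android.permission.READ_LOGS">
    <group gid="log" />
  </permission>
  <permission name="android.permission.CAMERA" />
</permissions>"""

# Numeric AIDs from android_filesystem_config.h for the groups on the slide.
AID = {"inet": 3003, "log": 1007}


def parse_platform_xml(text):
    """Return {permission name: [group names]} from a platform.xml document."""
    mapping = {}
    for perm in ET.fromstring(text).iter("permission"):
        mapping[perm.get("name")] = [g.get("gid") for g in perm.findall("group")]
    return mapping


def supplementary_gids(declared, mapping, aid=AID):
    """Sorted GIDs granted to a process for its declared permissions.

    Permissions without a <group> (CAMERA here) yield no GID: they are
    checked by the system services over Binder, not by the kernel."""
    gids = set()
    for perm in declared:
        for group in mapping.get(perm, []):
            gids.add(aid[group])
    return sorted(gids)


def kernel_enforced(perm, mapping):
    """True when the permission is backed by a GID, i.e. enforced by POSIX
    permissions (or the Android inet socket check for GID 3003)."""
    return bool(mapping.get(perm))
```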

  10. Android : Isolation
     • One UID for one app
       – Unless apps by the same developer declare that they share a UID
       – No app can access another app’s data unless its permissions are world-accessible
         • Vulnerability in Skype for Android (CVE-2011-1717)
     • Read-only access to some system resources
       – e.g. data on the SD card (will require the READ_EXTERNAL_STORAGE permission in the future)
       – e.g. /data/system/packages.list (which gives access to the package list without any permission)

  11. Android : Additional Security by Vendor
     • Some vendors add a security layer to avoid issues
       – NAND protection: protects the system partition of the flash from being overwritten
       – LSM (Linux Security Modules; other than SEAndroid): prohibits dangerous operations from being performed
       – Better security controls (e.g. 3LM Security)
     • Some of them can be effectively broken
       – “Yet Another Android Rootkit /protecting/system/is/not/enough/”, Black Hat Abu Dhabi 2011

  12. Windows Phone 7 : Capability
     • Restricts access like Android’s permission system
       – Fewer (and simpler) capabilities
     • Specific SID for each capability
     • Special capabilities for limited apps
       – Some capabilities are not allowed for distribution (without explicit permission by Microsoft)
       – Use the OEM’s interop service (ID_CAP_INTEROPSERVICES)

  13. Windows Phone 7 : Isolation
     • One chamber for one app
       – Windows Phone 7 creates a “chamber” to isolate application data and program
     • Almost no access to system resources
       – Normal developers can run only managed (.NET) code
         • Only a few developers are allowed to run native code (with WPInteropManifest.xml in the package)
       – Almost no apps can access other apps’ data

  14. Windows Phone 7 : Isolation Detailed
     [Diagram: Launch App → Shell (telshell.exe) → Package Manager (pacman*.dll): Query Apps / Check if App Allowed → Policy Engine (PolicyEngine.dll); Kernel: Security Loader (lvmod.dll) prevents untrusted files from being loaded; Access Control; Running applications (sandbox) in TaskHost.exe; related components]
     • Executable modules and resources are restricted

  15. Conclusion
     • Although there are some small “flaws”, these OSes protect the system from being compromised

  16. RISKS AND VULNERABILITIES
     In other words: what we always find

  17. What we find : Access Control Vulnerability
     • Access to resources which is (normally) not allowed
       – The risk of the vulnerability varies with the resource that can be accessed using an exploit
       – A critical one may lead to privilege escalation

  18. What we find : Privilege Escalation
     • Make a malicious program run with higher privileges
       – Normal user to system user
         • The “system” user in Android is allowed to use almost all system privileges and resources
         • This may lead to complete compromise
       – System user to administrative user
         • Gaining “root” privilege
       – Keeping admin privileges
         • Modify and infect the system permanently
         • This is complete compromise

  19. THIRD-PARTY RISKS
     What kind of vulnerabilities have third parties made?

  20. Android : Remote DoS Vulnerability
     • “Data wipe” vulnerability in Samsung and HTC devices
       – Clicking a “tel:…” URL triggers the “data wipe” feature
       – Special phone numbers (which trigger specific events) are not handled correctly
         • Demonstrated by IMEI display (“*#06#” from remote)
     • Denial of service (force-to-reboot) vulnerability in various Android devices (Sharp, Fujitsu-Toshiba, NEC-Casio…)
       – A similar example we’ve found on a Japanese smartphone
       – Clicking a specific URL (more specifically, calling the read system call on a special location) triggers a kernel panic and forces the device to reboot
     Reference: http://www.guardian.co.uk/technology/2012/sep/27/samsung-htc-phones-remote-wipe
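The mitigation for the “tel:” issue on this slide is a dialer that refuses to auto-execute special codes arriving from a link. As an added example (not code from the slides or from any vendor), this classifier normalises a tel: URI (percent-decoding and RFC 3966 visual separators included) and returns whether the dial string can be dialled directly, must be confirmed by the user, or is rejected; function names are my own.

```python
# Added example: separate ordinary phone numbers from MMI/USSD codes in a
# tel: URL so that codes such as *#06# are never executed merely because a
# web page linked to them.
from urllib.parse import unquote

# RFC 3966 visual separators that carry no dialling meaning.
_SEPARATORS = "-.() "


def normalise_tel(uri):
    """Return the dial string of a tel: URI, percent-decoded and stripped of
    visual separators, or None when the scheme is not tel:."""
    if not uri.lower().startswith("tel:"):
        return None
    number = unquote(uri[4:])          # %2A -> '*', %23 -> '#' (hides codes from naive filters)
    number = number.split(";", 1)[0]   # drop tel: parameters such as ;phone-context=
    return "".join(c for c in number if c not in _SEPARATORS)


def classify_dial_string(number):
    """'dial' for a plain number, 'confirm' for anything containing MMI/USSD
    characters (* or #), 'reject' for an empty or malformed string."""
    if not number:
        return "reject"
    if "*" in number or "#" in number:
        return "confirm"               # never auto-dial: user must see and approve it
    digits = number[1:] if number.startswith("+") else number
    return "dial" if digits and all(c in "0123456789" for c in digits) else "reject"


def handle_tel_link(uri):
    """Decision for a tel: link received from a browser or message."""
    number = normalise_tel(uri)
    return "reject" if number is None else classify_dial_string(number)
```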

  21. Android : Privilege Escalation Vulnerability
     • ACER Iconia Tab / Motorola Xoom OS command injection
       – “/system/bin/cmdclient”: setuid (and world-executable) program
       – Ability to run any command with root privilege
     Reference:
       http://forum.xda-developers.com/showthread.php?t=1138228 (ACER Iconia Tab A500)
       http://www.xoomforums.com/forum/motorola-xoom-development/12997-rooting-family-edition.html (Motorola Xoom FE)

  22. Android : Access Control Vulnerability
     • ZTE root shell vulnerability
       – “/system/bin/sync_agent”: setuid (and world-executable) program
       – Ability to run a root shell with a hard-coded password
     Reference: http://blog.mobiledefense.com/2012/05/zte-root-shell-vulnerability/
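Slides 21 and 22 share one pattern: a set-id program that any app UID may execute. As an added example (not code from the slides), this audit parses an `ls -l` listing of /system/bin and flags setuid or setgid files whose “other” execute bit is set; the listing is constructed in the format of Android’s toolbox `ls -l`, and the sizes, dates and the “vendor_tool” entry are invented.

```python
# Added example: find set-id programs that are also world-executable, the
# property that made cmdclient and sync_agent reachable from any app.
from collections import namedtuple

Finding = namedtuple("Finding", "path owner setuid setgid world_exec")

# Constructed listing (mode owner group size date time name); only the
# cmdclient and sync_agent names come from the slides, everything else is made up.
SAMPLE_LISTING = """\
-rwxr-xr-x root     shell       59520 2011-06-28 12:34 app_process
-rwsr-xr-x root     root        12960 2011-06-28 12:34 cmdclient
-rwsr-x--- root     shell        9848 2011-06-28 12:34 netcfg
-rwxr-sr-x root     system      20876 2011-06-28 12:34 vendor_tool
-rwsr-xr-x root     root        36012 2011-06-28 12:34 sync_agent
lrwxrwxrwx root     root                2011-06-28 12:34 sh -> mksh
"""


def parse_listing(text, directory):
    """Yield a Finding per regular file; directories, symlinks and blank
    lines are skipped. Works for toolbox (7 fields) and GNU (9 fields) ls."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("-"):
            continue
        mode, owner, name = fields[0], fields[1], fields[-1]
        yield Finding(
            path=f"{directory}/{name}",
            owner=owner,
            setuid=mode[3] in "sS",      # 's' with owner exec, 'S' without
            setgid=mode[6] in "sS",
            world_exec=mode[9] in "xt",  # 't' = sticky bit plus other-exec
        )


def risky_binaries(text, directory="/system/bin"):
    """Paths of set-id programs that every UID on the device can run."""
    return [f.path for f in parse_listing(text, directory)
            if (f.setuid or f.setgid) and f.world_exec]


def root_setuid_world_exec(text, directory="/system/bin"):
    """The highest-risk subset: setuid to root and world-executable."""
    return [f.path for f in parse_listing(text, directory)
            if f.setuid and f.owner == "root" and f.world_exec]
```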

  23. Windows Phone 7 : Vulnerability
     • Heap overflow vulnerability in [not disclosed yet]
       – CVE-2005-2096 (vulnerability in zlib 1.2.2)
       – This showed us that Windows Phone 7 apps are not vuln-free (such native vulnerabilities can be found)
     • Risks of exploitation
       – If a vulnerable native app has the “Interop Services” capability (ID_CAP_INTEROPSERVICES), it can cause a disaster
       – Otherwise it does not help much with bypassing the sandbox
         • Just taking control may not be enough for system compromise (because of the strong isolation)
       • Fortunately, [not disclosed] didn’t have one
