jeff vander stoep
play

Jeff Vander Stoep August 26th, 2016 $ whoami Jeff Vander Stoep - PowerPoint PPT Presentation

Jun 12, 2023 •250 likes •613 views

Android: protecting the kernel Jeff Vander Stoep August 26th, 2016 $ whoami Jeff Vander Stoep - jeffv@google.com @jeffvanderstoep Android Security since 2014 Focus on system hardening Software Engineer First - some good

  1. Android: protecting the kernel Jeff Vander Stoep August 26th, 2016

  2. $ whoami ● Jeff Vander Stoep - jeffv@google.com @jeffvanderstoep Android Security since 2014 ● Focus on system hardening ● ● Software Engineer

  3. First - some good news ● Most kernel bugs discussed are not directly reachable to untrusted code, due to Android’s security model. Android Nougat further reduces the attack surface of the kernel. ● New kernel defenses address our biggest category of kernel bugs. (more on this later)

  4. More good news Google Play Unknown Sources Warning Install Confirmation Verify Apps Consent Verify Apps Warning Runtime Security Checks Sandbox & permissions

  5. Proprietary + Confidential Agenda ● Kernel bugs in Android ○ Focus on biggest categories (we only have 45 minutes) ● Bugs by cause ○ Mitigations - memory protections ○ Gaps ● Bugs by reachability ○ Mitigations - attack surface reduction ○ Gaps ● Future work Proprietary + Confidential Proprietary + Confidential

  6. Proprietary + Confidential Kernel bugs have a long life. Fixing bugs is necessary but not sufficient! Proprietary + Confidential Proprietary + Confidential

  7. Proprietary + Confidential Goal: Use data on security vulnerabilities to prioritize mitigation development and adoption Proprietary + Confidential Proprietary + Confidential

  8. About the data ● Includes kernel bugs January 2014 -> April 2016 ● Includes low → critical severity kernel bugs Moderate → critical taken directly from public Nexus security ● bulletins ● Low severity bugs included because the definition of low has changed over time (many bugs previously listed as low considered moderate under new ratings)

  9. Proprietary + Confidential “At the operating system level, the Android platform provides the security of the Linux kernel…” source.android.com Proprietary + Confidential Proprietary + Confidential

  10. Security from the kernel ● Address space separation/process isolation ● unix permissions DAC capabilities ● SELinux ● ● seccomp ● namespaces ... ●

  11. Android security bugs by year 2014 2015 2016 Data: Jan 2014 → April 2016

  12. Why the rise in kernel bugs? ● Lockdown of userspace makes UID 0 significantly less useful. ● 2016 is the first year > 50% of devices in ecosystem have selinux in global enforcing. ● Kernel bugs payout more $$$ (Android vulnerability rewards)

  13. Where Android’s kernel bugs are born Data includes multiple vendors Some vendor drivers are in upstream, others are out-of-tree Data: Jan 2014 → April 2016

  14. Proprietary + Confidential Kernel defenses protect against in-tree AND out-of-tree vulnerabilities Proprietary + Confidential Proprietary + Confidential

  15. What causes Android’s kernel bugs? Bugs from upstream kernel and device specific bugs Data: Jan 2014 → April 2016

  16. What causes kernel bugs? Vendor drivers Core kernel Data: Jan 2014 → April 2016

  17. Mitigations - missing/incorrect bounds check ● Hardened usercopy ○ Protect against incorrect bounds Landing in checking in copy_*_user() PAN emulation ● upstream kernel! ○ Protect against kernel access to userspace bypassing hardened usercopy changes.

  18. Mitigations - missing/incorrect bounds check ● Stack protector strong ○ protects against stack buffer overflows KASLR (arm64 android-4.4 kernel) ● Makes code reuse attacks probabilistic ○ ● PXN - make userspace non-executable for the kernel ○ Protects against ret2user attacks RODATA - mark kernel memory as read-only/no-execute ● Makes code non-writeable, and data non-executable ○

  19. Mitigations - null pointer dereference ● CONFIG_LSM_MMAP_MIN_ADDR ○ Make null pointer dereference unexploitable (just crash) PAN emulation also make null pointer ● dereference non-exploitable

  20. Gaps - code review Code quality of upstream is significantly better than device specific drivers ● What can be done to enforce better code quality? Compiler changes e.g. integer overflow checking ○ Scripts e.g. checkpatch.pl ○ ○ Runtime changes - e.g. PAN enforce proper use of copy_*_user() ○ KASAN Constification ○

  21. Proprietary + Confidential Attack surface reduction Remove or restrict access to entry points into the kernel Proprietary + Confidential Proprietary + Confidential

  22. Proprietary + Confidential Attack surface reduction Gate access to kernel provided developer tools in developer settings. Proprietary + Confidential Proprietary + Confidential

  23. How are kernel bugs reached - driver/subsystem Includes many bugs only reachable by root or other privileged processes. Data: Jan 2014 → April 2016

  24. Bugs reachable by unprivileged apps Fix all bugs, but prioritize mitigation development for bugs that are reachable by apps More on this later... Data: Jan 2014 → April 2016

  25. Case study: Wifi driver bugs ● Every app-reachable bug should have been protected by a CAPABLE(CAP_NET_ADMIN) check. Relying on developers to correctly implement in-code checks is risky. ● Better to have privileged behavior guarded by auditable security policy. ● ● Many wifi driver bugs were reachable via local unix sockets! Add strong policy around all socket types.

  26. How are kernel bugs reached - syscall (before mitigations) 100% of perf vulns introduced in vendor customizations all bugs bugs reachable by apps Data: Jan 2014 → April 2016

  27. Mitigations - attack surface reduction Ioctl command whitelisting in SELinux ● Wifi ○ Originally hundreds of ioctl commands → 29 whitelisted safe network socket ioctls ○ Blocks access to all bugs without restricting legitimate access. ○ Unix sockets: wifi ioctls reachable by local unix sockets :( Hundreds → 8 whitelisted unix socket ioctls ○ No ioctls allowed on other socket types including generic and netlink sockets ● GPU ○ e.g. Shamu originally 36 -> 16 whitelisted commands Ioctl commands needed varies by device but < 50% needed seems consistent across KGSL drivers ○

  28. Mitigations - attack surface reduction ● Restrict access to perf ○ Access to perf_event_open() is disabled by default. Developers may re-enable access via debug shell ○ Remove access to debugfs ● ○ All app access to debugfs removed in N ● Remove default access to /sys App access to files in /sys must be whitelisted ○ Seccomp required for all devices (minijail shoutout!) ●

  29. Impact of mitigations Because most bugs are driver specific, effectiveness of mitigations varies across devices. In general most previously reachable bugs were made unreachable Case study of bugs reachable by apps on Nexus 6 (Shamu) ● 100% of wifi bugs blocked ○ ○ 50% of GPU bugs blocked ○ 100% of debugfs bugs blocked 100% of perf bugs blocked (by default) ○

  30. Gaps - Attack surface reduction ● Need more/better controls over kernel feature accessibility. ○ Controls allow us to do what’s best for both Linux developers and users of Linux based products. Argument inspection for seccomp ●

  31. Proprietary + Confidential Future work Kernel devs, we need more/better safety features (seat belts)! Sometimes seat belts are inconvenient… Proprietary + Confidential Proprietary + Confidential

  32. Those “other” categories - potential attack surface reduction syscalls provided by Architecture syscalls in bionic reduction (%) kernel arm 364 204 44 arm64 271 198 27 x86 373 203 46 x86_64 326 199 39

  33. Those “other” categories - Memory safety

  34. Where do we go from here? ● Kernel self protection project - get involved! ● Principle of Least Privilege ● Attack Surface Reduction ● Defense-in-depth ● Continue to find/fix bugs!

  35. QUESTIONS ?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PRESENTATI ON TO THE ABBOTSFORD COUNCI L 7 MARCH 2005 SPEAKER: ARMAND VANDER MEULEN DELEGATI

PRESENTATI ON TO THE ABBOTSFORD COUNCI L 7 MARCH 2005 SPEAKER: ARMAND VANDER MEULEN DELEGATI

PRESENTATI ON TO THE ABBOTSFORD COUNCI L 7 MARCH 2005 SPEAKER: ARMAND VANDER MEULEN DELEGATI ON: MARCUS JANZEN ( President) , ARMAND VANDER MEULEN, BRAM MOERMAN, MARY-MARGARET GAYE ( Executive Director) Your Worship. Thank you for the

341 views • 7 slides
Superior Court of California, County of San Bernardino June 13, 2019 Welcome (Judge Vander Feer)

Superior Court of California, County of San Bernardino June 13, 2019 Welcome (Judge Vander Feer)

Superior Court of California, County of San Bernardino June 13, 2019 Welcome (Judge Vander Feer) 2 State Bar Complaint Process (Melanie Lawrence) 3 State of the Court (Judge Vander Feer) 4 County Size and Geography 12% of California's

761 views • 52 slides
Computer Security Summer Scholars 2015 MaF Vander Werf

Computer Security Summer Scholars 2015 MaF Vander Werf

Computer Security Summer Scholars 2015 MaF Vander Werf HPC System Administrator 1 Center For Research Compu1ng (CRC), University of Notre Dame, Indiana

356 views • 23 slides
STEM for the Summer May 22, 2019 Vera Vander Kooy and Angela Fitzgerald STEM Connection STEM

STEM for the Summer May 22, 2019 Vera Vander Kooy and Angela Fitzgerald STEM Connection STEM

STEM for the Summer May 22, 2019 Vera Vander Kooy and Angela Fitzgerald STEM Connection STEM for Summer Vera Vander Kooy and Angela Fitzgerald How How Indiana Youth Institute - May 22, 2019 Poll Question Why do you want to incorporate more

562 views • 29 slides
Computer Security Summer Scholars 2014 MaF Vander Werf 1

Computer Security Summer Scholars 2014 MaF Vander Werf 1

Computer Security Summer Scholars 2014 MaF Vander Werf 1 Center For Research Compu1ng (CRC), University of Notre Dame, Indiana Security in HPC

265 views • 22 slides
Computer Security Summer Scholars 2016 Ma7 Vander Werf HPC System Administrator Security in HPC

Computer Security Summer Scholars 2016 Ma7 Vander Werf HPC System Administrator Security in HPC

Computer Security Summer Scholars 2016 Ma7 Vander Werf HPC System Administrator Security in HPC HPC is especially a target for hackers and malicious acts Why? Security in HPC PresCge CompuCng resources Financial Gain Break

617 views • 25 slides
CS465/565 web.eecs.utk.edu/~bvanderz/cs465 Brad Vander Zanden Course Material Relational

CS465/565 web.eecs.utk.edu/~bvanderz/cs465 Brad Vander Zanden Course Material Relational

CS465/565 web.eecs.utk.edu/~bvanderz/cs465 Brad Vander Zanden Course Material Relational Databases Query language (MySQL) Theory (relational database theory) Design (normalization, entity-relationship diagrams, indices)

376 views • 10 slides
Generation of Functional Mock-up Units from Causal Block Diagrams Bavo Vander Henst

Generation of Functional Mock-up Units from Causal Block Diagrams Bavo Vander Henst

Generation of Functional Mock-up Units from Causal Block Diagrams Bavo Vander Henst Bavo.VanderHenst@student.uantwerpen.be University of Antwerp Overview Functional Mockup Interface Starting point Flattening Optimization

622 views • 26 slides
Combining Partial Order Reduction with Bounded Model Checking CPA 2009 Jos e Vander Meulen

Combining Partial Order Reduction with Bounded Model Checking CPA 2009 Jos e Vander Meulen

Combining Partial Order Reduction with Bounded Model Checking CPA 2009 Jos e Vander Meulen and Charles Pecheur UC Louvain p. 1 A Concurrent System Set of asynchronous and interacting processes Producer 1 Consumer 1 Producer 2

510 views • 22 slides
30 Years in Perspective 1984-2014 Martin Vander Weyer Business Editor The Spectator April

30 Years in Perspective 1984-2014 Martin Vander Weyer Business Editor The Spectator April

30 Years in Perspective 1984-2014 Martin Vander Weyer Business Editor The Spectator April 1984: Headlines Miners Strike: transport workers ready to halt coal movements Hopes of big new oil find in North Sea CBI Survey most optimistic for 5

245 views • 9 slides
Computer Security Summer Scholars 2018 Matt Vander Werf HPC System Administrator Security in

Computer Security Summer Scholars 2018 Matt Vander Werf HPC System Administrator Security in

Computer Security Summer Scholars 2018 Matt Vander Werf HPC System Administrator Security in HPC HPC is especially a target for hackers and malicious acts Why? Security in HPC Prestige Computing resources Financial Gain

446 views • 30 slides
An Open Source Education Management Platform Presenters Zach Vander Veen David Downs

An Open Source Education Management Platform Presenters Zach Vander Veen David Downs

An Open Source Education Management Platform Presenters Zach Vander Veen David Downs Co-Founder/VP Instruction Director of Software Abre Applications zvanderveen@abre.io HCC @zjvv77 david@mail.hccanet.org Taking Complexity Providing

541 views • 12 slides
Demystifying Social Media To tweet or not to tweet? Rebecca Vander Linde Manager of Digital

Demystifying Social Media To tweet or not to tweet? Rebecca Vander Linde Manager of Digital

Demystifying Social Media To tweet or not to tweet? Rebecca Vander Linde Manager of Digital Communications American University University Communications and Marketing | American University 2 Facebook Live Choose a topic that is relevant

642 views • 31 slides
Why Documents Fail and What You Can Do About It Jeff Patton jeff@jpattonassociates.com

Why Documents Fail and What You Can Do About It Jeff Patton jeff@jpattonassociates.com

Why Documents Fail and What You Can Do About It Jeff Patton jeff@jpattonassociates.com twitter: @jeffpatton 1. Shared documents arent shared understanding 2. It takes more than words to tell a story 3. Stories are about more than what

753 views • 63 slides
Zotero for Legal Scholarship Jeff Newman jeff.newman@utoronto.ca How can Zotero help you?

Zotero for Legal Scholarship Jeff Newman jeff.newman@utoronto.ca How can Zotero help you?

Zotero for Legal Scholarship Jeff Newman jeff.newman@utoronto.ca How can Zotero help you? Collect and organize papers, books, cases, etc. Manage notes and annotations Generate bibliographies Backup your library Share information A Choice

505 views • 18 slides
Gallio: Crafting a Toolchain Jeff Brown jeff.brown@gmail.com About Me Jeff Brown Lead

Gallio: Crafting a Toolchain Jeff Brown jeff.brown@gmail.com About Me Jeff Brown Lead

Gallio: Crafting a Toolchain Jeff Brown jeff.brown@gmail.com About Me Jeff Brown Lead Software Engineer at Yellowpages.com Creator of Gallio Open Source Project Lead of MbUnit Open Source Project Coding is fun! Outline

769 views • 40 slides
Lecture 8 ARMA Models Colin Rundel 02/13/2017 1 AR(p) 2 AR(p) From last time, p 1.

Lecture 8 ARMA Models Colin Rundel 02/13/2017 1 AR(p) 2 AR(p) From last time, p 1.

Lecture 8 ARMA Models Colin Rundel 02/13/2017 1 AR(p) 2 AR(p) From last time, p 1. Expected value? 2. Covariance / correlation? 3. Stationarity? 3 AR ( p ) : y t = + 1 y t 1 + 2 y t 2 + + p y t p + w t

703 views • 30 slides
CS221: Algorithms and Data Structures Big-O Alan J. Hu (Borrowing some slides from Steve

CS221: Algorithms and Data Structures Big-O Alan J. Hu (Borrowing some slides from Steve

CS221: Algorithms and Data Structures Big-O Alan J. Hu (Borrowing some slides from Steve Wolfman) 1 Learning Goals Define big-O, big-Omega, and big-Theta: O(), (), () Explain intuition behind their definitions.

902 views • 55 slides
Lecture 2: Asymptotic Notation Steven Skiena Department of Computer Science State University of

Lecture 2: Asymptotic Notation Steven Skiena Department of Computer Science State University of

Lecture 2: Asymptotic Notation Steven Skiena Department of Computer Science State University of New York Stony Brook, NY 117944400 http://www.cs.sunysb.edu/ skiena Problem of the Day The knapsack problem is as follows: given a set of

652 views • 17 slides
Kernels for Below-Upper-Bound Parameterizations of the Hitting Set and Directed Dominating Set

Kernels for Below-Upper-Bound Parameterizations of the Hitting Set and Directed Dominating Set

Results on Parameterizations of Hitting Set Problem Hypergraph Terminology and Notation Results on HitSet( m k , k ) Results on HitSet( n k , k ) and HitSet( n k , k + d ) Open Problem Kernels for Below-Upper-Bound Parameterizations

661 views • 24 slides
Attacks and analysis of the Samsung S8 from Mobile PWN2OWN Jianjun Dai(@Jioun_dai) Guang

Attacks and analysis of the Samsung S8 from Mobile PWN2OWN Jianjun Dai(@Jioun_dai) Guang

Attacks and analysis of the Samsung S8 from Mobile PWN2OWN Jianjun Dai(@Jioun_dai) Guang Gong(@oldfresher) @360 Alpha Team About Us Alpha Team @360 Security 100+ Android vulnerabilities Google Qualcomm etc Won the highest

2.34k views • 42 slides
CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Open source (https://source.android.com/setup/) Google: Owns Android,

652 views • 43 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
React Native Platform specific code Native Components Methods React Native provides two ways

React Native Platform specific code Native Components Methods React Native provides two ways

React Native Platform specific code Native Components Methods React Native provides two ways to easily organize your code and separate it by platform: Using the Platform module. Using platform-specific file extensions. Certain

455 views • 28 slides

More recommend