mobile device and platform security part ii
play

Mobile Device and Platform Security Part II John Mitchell Two - PowerPoint PPT Presentation

Aug 30, 2022 •236 likes •1.17k views

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

  1. CS 155 Spring 2018 Mobile Device and Platform Security – Part II John Mitchell

  2. Two lectures on mobile security › Introduction: platforms and trends › Threat categories § Physical, platform malware, malicious apps › Defense against physical theft Thurs › Malware threats › System architecture and defenses § Apple iOS security features and app security model § Android security features and app security model › Security app development Tues § WebView – secure app and web interface dev § Device fragmentation

  3. ANDROID History and early decisions

  4. Android history › Android, Inc founded by Andy Rubin around 2005 § Worked with HTC-built device with a physical keyboard § Scrapped Blackberry-like phone when iPhone came out § First Android phone HTC Dream, Oct 2008 (T-Mobile G1): touchscreen and keyboard › Open-source software project › Backed and acquired by Google

  5. HTC Dream › First phone had § Android 1.6 (Donut) § 3.15 megapixel rear camera with auto-focus § 3.2 inch touchscreen § Gmail, Google Maps, Search, Google Talk, You Tube, calendar, contacts, alarm

  6. Android ecosystem › Open-source software distributed by Google § Business goal: increase number of users and devices linked to core Google products › Multiple hardware vendors § Each customize software for their products › Open marketplace for apps § Aim for scale Aside: open-source OS successful pre-mobile

  7. App market › Self-signed apps › App permissions § granted on user installation › Open market § Bad apps may show up on market § Shifts focus from remote exploit to privilege escalation

  8. ANDROID PLATFORM Theft and loss protection

  9. Predictive security § Look for malicious code in apps Privacy advisor § See if app can access private information Locate lost phone § Map location and make a sound Lock and wipe § Web interface to remotely remove data § Data backup Store and retrieve from cloud § https://www.lookout.com/android

  10. Device lock and unlock › Similar PIN and fingerprint › Fingerprint API lets users § Unlock device § Securely sign in to apps § Use Android Pay § Purchase on Play Store

  11. ANDROID PLATFORM Managed code

  12. Managed code overview › Java programming language › Bytecode execution environment § Verifier § Run-time checks § Memory safety › Permission checking § Stack inspection

  13. Java language overview Classes and Inheritance Virtual machine § Object features § Loader and initialization § Encapsulation § Linker and verifier § Inheritance § Bytecode interpreter Types and Subtyping Security § Primitive and ref types § Java “sandbox” § Interfaces; arrays § Type safety § Exception hierarchy § Stack inspection Generics § Subtype polymorphism. generic programming

  14. Managed code overview Java programming language Bytecode execution environment Verifier § Run-time checks § Memory safety § Permission checking Stack inspection §

  15. Java Implementation › Compiler and Virtual Machine § Compiler produces bytecode § Virtual machine loads classes on demand, verifies bytecode properties, interprets bytecode › Why this design? § Bytecode interpreter “manages” code execution safely § Minimize machine-dependent part of implementation

  16. Java Virtual Machine Architecture Java A.java A.class Compiler Compile source code Java Virtual Machine Loader Verifier Linker Bytecode Interpreter

  17. JVM Linker and Verifier › Linker § Adds compiled class or interface to runtime system § Creates static fields and initializes them § Resolves names › Checks symbolic names and replaces with direct references › Verifier § Check bytecode of a class or interface before loaded § Throw exception if error occurs

  18. Verifier › Bytecode may not come from standard compiler § Evil hacker may write dangerous bytecode › Verifier checks correctness of bytecode § Every instruction must have a valid operation code § Every branch instruction must branch to the start of some other instruction, not middle of instruction § Every method must have a structurally correct signature § Every instruction obeys the Java type discipline › Last condition is fairly complicated .

  19. Bytecode interpreter / JIT › Standard Java virtual machine interprets instructions § Perform run-time checks such as array bounds § Possible to compile bytecode class file to native code › Java programs can call native methods § Typically functions written in C › Just-in-time compiler (JIT) Translate set of bytecodes into native code, including checks § › Ahead-of-time (AOT) Similar principles but prior to loading into runtime system §

  20. Type Safety of Java › Run-time type checking § All casts are checked to make sure type safe § All array references are checked to make sure the array index is within the array bounds § References are tested to make sure they are not null before they are dereferenced. › Additional features § Automatic garbage collection § No pointer arithmetic If program accesses memory, that memory is allocated to the program and declared with correct type

  21. Managed code overview Java programming language Bytecode execution environment Verifier § Run-time checks § Memory safety § Permission checking Stack inspection §

  22. Managed code overview › Java programming language › Bytecode execution environment § Verifier § Run-time checks § Memory safety › Permission checking § Stack inspection

  23. ANDROID PLATFORM Platform security model

  24. Android platform model Architecture components Operating system, runtime environment § Application sandbox § Exploit prevention § Permission system Granted at install time § Checked at run time § Inter-app communication Intent system § Permission redelegation (intent input checking) §

  25. Android platform summary § Linux kernel, browser, SQL-lite database § Software for secure network communication › Open SSL, Bouncy Castle crypto API and Java library § C language infrastructure § Java platform for running applications › Dalvik bytecode, virtual machine / Android runtime (ART)

  27. Managed code runs in app sandbox Application development process: source code to bytecode

  28. Security Features › Isolation § Multi-user Linux operating system § Each application normally runs as a different user › Communication between applications § May share same Linux user ID › Access files from each other › May share same Linux process and Dalvik VM § Communicate through application framework › “Intents,” based on Binder, discussed in a few slides

  29. Application sandbox › Application sandbox § Each application runs with its UID in its own runtime environment › Provides CPU protection, memory protection › Only ping, zygote (spawn another process) run as root › Applications announce permission requirement § Create a whitelist model – user grants access at install time › Communication between applications § May share same Linux user ID › Access files from each other › May share same Linux process and runtime environment § Or communicate through application framework › “Intents,” reference monitor checks permissions

  30. App

  31. Android platform model Architecture components Operating system, runtime environment § Application sandbox § Exploit prevention § Permission system Granted at install time § Checked at run time § Inter-app communication Intent system § Permission redelegation (intent input checking) §

  32. Exploit prevention › Open source: public review, no obscurity › Goals § Prevent remote attacks, privilege escalation § Secure drivers, media codecs, new and custom features › Overflow prevention § ProPolice stack protection › First on the ARM architecture § Some heap overflow protections › Chunk consolidation in DL malloc (from OpenBSD) › ASLR § Avoided in initial release › Many pre-linked images for performance § Later developed and contributed by Bojinov, Boneh

  33. dlmalloc (Doug Lea) › Stores meta data in band › Heap consolidation attack § Heap overflow can overwrite pointers to previous and next unconsolidated chunks § Overwriting these pointers allows remote code execution › Change to improve security § Check integrity of forward and backward pointers › Simply check that back-forward-back = back, f-b-f=f § Increases the difficulty of heap overflow

  34. Android platform model Architecture components Operating system, runtime environment § Application sandbox § Exploit prevention § Permission system Granted at install time § Checked at run time § Inter-app communication Intent system § Permission redelegation (intent input checking) §

  35. Android market › Self-signed apps › App permissions granted on user installation › Open market § Bad applications may show up on market § Shifts focus from remote exploit to privilege escalation

  36. Android permissions › Example of permissions provided by Android § “android.permission.INTERNET” § “android.permission.READ_EXTERNAL_STORAGE § “android.permission.SEND_SMS” § “android.permission.BLUETOOTH” › Also possible to define custom permissions

  37. Android permission model https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device Background* Mobile Device Background* Mobile Device Background* Mobile Device Background* Inexpensive, ubiquitous, wireless, networked,

478 views • 19 slides
CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois at Urbana-Champaign Presentation by: Gliz Seray Tuncay Administrative Announcements : Reaction paper was due today (and all classes)

807 views • 52 slides
Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown & Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

3.77k views • 83 slides
Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [start] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John

638 views • 26 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
Support for File system Kyungsik Lee SW Platform Lab., Corporate R&D LG Electronics, Inc.

Support for File system Kyungsik Lee SW Platform Lab., Corporate R&D LG Electronics, Inc.

Linux Kernel Encryption Support for File system Kyungsik Lee SW Platform Lab., Corporate R&D LG Electronics, Inc. 2016/10/20 Mobile Security Mobile Security is an important issue More data could be more danger with mobile devices

242 views • 23 slides
Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda Protecting mobile devices and your privacy Protecting Mobile Devices and Your Privacy Before We Start The City of Phoenix does not

971 views • 52 slides
Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management

Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management

Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management (MDM) An MDM solution control to deploy, monitor, and manage devices Basic F c Fea eatures in ScreenGuide de [Parent] Configure daily Screen Time

144 views • 12 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks

Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

807 views • 78 slides
Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks

Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

791 views • 35 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC (August 2006) Srivaths Ravi (Email: sravi@nec- labs. com) NEC Laboratories America Princeton, NJ Security Requirements of Mobile Appliances

159 views • 12 slides
CSE484/CSE584 MOBILE PLATFORM SECURITY Dr. Benjamin Livshits Two Main Attack Vectors Web

CSE484/CSE584 MOBILE PLATFORM SECURITY Dr. Benjamin Livshits Two Main Attack Vectors Web

CSE484/CSE584 MOBILE PLATFORM SECURITY Dr. Benjamin Livshits Two Main Attack Vectors Web browser Installed apps Both types of threats increasing in prevalence and sophistication source:

861 views • 31 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Improving Virtual Prototyping and Certification with Implicit Finite Element Method at Scale Seid

Improving Virtual Prototyping and Certification with Implicit Finite Element Method at Scale Seid

Improving Virtual Prototyping and Certification with Implicit Finite Element Method at Scale Seid Koric 1,2 , Robert F. Lucas 3 , Erman Guleryuz 1 1 National Center for Supercomputing Applications 2 Mechanical Science and Engineering Department,

211 views • 17 slides
CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY

CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY

10.1 CS356 Unit 10 Memory Allocation & Heap Management 10.2 BASIC OS CONCEPTS & TERMINOLOGY 10.3 User vs. Kernel Mode Kernel mode is a special processor mode for executing trusted (OS) code Certain features/privileges (such

936 views • 38 slides
Checkmate Checkmate: Breaking the Memory Wall with Optimal Tensor Rematerialization Paras Jain

Checkmate Checkmate: Breaking the Memory Wall with Optimal Tensor Rematerialization Paras Jain

Checkmate Checkmate: Breaking the Memory Wall with Optimal Tensor Rematerialization Paras Jain Joint work with: Ajay Jain, Ani Nrusimha, Amir Gholami, Pieter Abbeel, Kurt Keutzer, Ion Stoica, Joseph Gonzalez checkmateai.github.io BigGAN (2018)

1.02k views • 51 slides
T ag- I solated M emory B ringing Fine-grained E nclaves to R ISC- V Samuel Weiser Mario Werner

T ag- I solated M emory B ringing Fine-grained E nclaves to R ISC- V Samuel Weiser Mario Werner

S C I E N C E T E C H N O L O G Y P A S S I O N T ag- I solated M emory B ringing Fine-grained E nclaves to R ISC- V Samuel Weiser Mario Werner Ferdinand Brasser Maja Malenko Stefan Mangard Ahmad Sadeghi

1.36k views • 97 slides
Dynamic Memory Alloca/on: Advanced Concepts 15-213:

Dynamic Memory Alloca/on: Advanced Concepts 15-213:

Carnegie Mellon Dynamic Memory Alloca/on: Advanced Concepts 15-213: Introduc0on to Computer Systems 18 th Lecture, Oct. 26, 2010 Instructors: Randy Bryant

893 views • 45 slides
How to Get Good Performance by Using OpenMP ! ! Loop optimizations ! ! Measuring OpenMP

How to Get Good Performance by Using OpenMP ! ! Loop optimizations ! ! Measuring OpenMP

Agenda ! How to Get Good Performance by Using OpenMP ! ! Loop optimizations ! ! Measuring OpenMP performance ! ! Best practices ! ! Task parallelism !! !" #" Memory access patterns ! Correctness versus performance ! It

166 views • 14 slides
CPSC 213 Introduction to Computer Systems Unit 3 Course Review 1 Learning Goals 1 Memory

CPSC 213 Introduction to Computer Systems Unit 3 Course Review 1 Learning Goals 1 Memory

CPSC 213 Introduction to Computer Systems Unit 3 Course Review 1 Learning Goals 1 Memory Endianness and memory-address alignment Globals Machine model for access to global variables; static and dynamic arrays and structs

1.24k views • 86 slides
Building WebGPU with Rust Fosdem, 2th Feb 2020 Dzmitry Malyshau @kvark (Mozilla / Graphics

Building WebGPU with Rust Fosdem, 2th Feb 2020 Dzmitry Malyshau @kvark (Mozilla / Graphics

Building WebGPU with Rust Fosdem, 2th Feb 2020 Dzmitry Malyshau @kvark (Mozilla / Graphics Engineer) Agenda 1. WebGPU: Why and What? 2. Example in Rust 3. Architecture 4. Rust features used 5. Wrap-up 6. (bonus level) Browsers Can we

1.26k views • 61 slides

More recommend