the firewall android deserves a context aware kernel
play

The Firewall Android Deserves: A Context-aware Kernel Message - PowerPoint PPT Presentation

May 24, 2023 •107 likes •631 views

The Firewall Android Deserves: A Context-aware Kernel Message Filter and Modifier David Wu Agenda Overview of project Android security background Binder IPC BinderFilter Logging and analysis tools Picky Demos

  1. The Firewall Android Deserves: A Context-aware Kernel Message Filter and Modifier David Wu

  2. Agenda Overview of project ● Android security background ● Binder IPC ● BinderFilter ● Logging and analysis tools ● Picky ● Demos ● Discussion & future work ● Questions ● Slides: https://goo.gl/2SlB40 ●

  3. Who am I? Graduated June 2016, Dartmouth College ● OpenSSH and Android security research with ● Sergey Bratus Web analysis automation and Android ● security research at Ionic Security Particle physics simulations at Brookhaven ● National Lab

  4. Motivation Dynamic (run-time) blocking of all ● inter-app communication Context informed policy decisions ● Binder message parser and hook ●

  7. Previous Research rovo89. Xposed. 2016 ● Stephan Heuser, Adwait Nadkarni, William Enck, Ahmad-Reza Sadegi. Boxify. ● 2015 Nitay Artenstein and Idan Revivo. Man in the Binder. 2014 ● Xueqiang Wang, Kun Sun, Yuewu Wang, Jiwu Jing. DeepDroid. 2015 ● Mauro Conti, Vu Thein Nguyen, Bruno Crispo. CRePE. 2011 ● Android Marshmallow. Google. 2015 ●

  8. Project Overview Inter-application message firewall and Binder hooking framework ● Linux kernel driver, C ○ Binder IPC message parser and formatter ● Script, Python ○ User policy generation ● Android application, Java & C (JNI, NDK) ○ ● https://github.com/dxwu/AndroidBinder ● https://github.com/dxwu/Picky

  9. Features Complete mediation ● Everything is done in the kernel Binder IPC system ○ Dynamic permission blocking for all applications ● Blocking of custom, user-specified messages at runtime ● Contextual blocking ● ○ Wifi state, Wifi SSID, Bluetooth state, Apps running Modification of message data ● Camera, Location ○ Usable interface for setting policy ●

  10. Permissions android.permission.CAMERA android.permission.READ_SMS android.permission.RECORD_AUDIO android.permission.RECEIVE_MMS android.permission.READ_CONTACTS android.permission.RECEIVE_WAP_PUSH android.permission.WRITE_CONTACTS android.permission.READ_CALENDAR android.permission.GET_ACCOUNTS android.permission.WRITE_CALENDAR android.permission.ACCESS_FINE_LOCATION android.permission.BODY_SENSORS android.permission.ACCESS_COARSE_LOCATION android.permission.ACCESS_NETWORK_STATE android.permission.READ_EXTERNAL_STORAGE android.permission.CHANGE_NETWORK_STATE android.permission.WRITE_EXTERNAL_STORAGE android.permission.ACCESS_WIFI_STATE com.android.vending. android.permission.CHANGE_WIFI_STATE INTENT_PACKAGE_INSTALL_COMMIT android.permission.BATTERY_STATS android.permission.INTERNET android.permission.BLUETOOTH android.permission.SYSTEM_ALERT_WINDOW android.permission.BLUETOOTH_ADMIN android.permission.WRITE_SETTINGS android.permission.NFC android.permission.READ_PHONE_STATE android.permission.FLASHLIGHT android.permission.CALL_PHONE com.android.browser.permission.READ_HISTORY_BOOKMARKS android.permission.READ_CALL_LOG android.permission.TRANSMIT_IR android.permission.WRITE_CALL_LOG android.permission.USE_SIP android.permission.SEND_SMS android.permission.RECEIVE_SMS

  11. Installation methods Android versions 4.3+ have disabled loadable kernel modules ● Kernel make config does not set CONFIG_MODULES=y ○ To place a hook in Binder, which is a statically compiled kernel driver, we have to ● recompile the kernel sources with our modifications Flash new kernel image onto Android with fastboot ● ○ This preserves user information, apps, and state! Requirements: ● Linux build env (Include headers don’t work on OSX) ○ adb, fastboot, abootimg ○ Unlocked bootloader, root access ○

  12. Android Security Concepts Permissions ● Android 6.0 introduced dynamic permissions for certain messages ○ 7.5% of users have Android M [1] ■ Sandboxing enforced by UID ○ (each application is a different Linux user) ○ ● Intents ○ Async messages passed between applications requesting data or to start an activity ● Built on Linux ○ SELinux, file permissions, system calls

  13. ART https://upload.wikimedia.org/wikipedia/commons/thumb/a/af/Android-System-Architecture.svg/2000px-Android- System-Architecture.svg.png

  14. http://4.bp.blogspot.com/-uT2NBaV8WG8/UJuO0syJhnI/AAAAAAAADgI/0CkrBvjyNDY/s1600/Android+Boot+Squence.png

  15. http://image.slidesharecdn.com/jlstomoyotutorial-091023181710-phpapp02/95/learning-analyzing-and-protecting-android-with-tomoyo-linux-jls2009-10-728.jpg?cb=1256436625

  16. Linux Kernel Linux process Dalvik Virtual Machine Android Application https://flexguruin.files.wordpress.com/2010/09/android_dalvik_vm.gif

  17. myCustomCameraApp.java getSystemService() Camera.java native takePicture() JNI android_hardware_Camera.cpp takePicture() Camera.cpp takePicture() ICamera.cpp transact(TAKE_PICTURE, …) syscall binder.c

  18. Binder Android’s IPC system (Linux IPC wasn’t good enough) ● Supports tokens, death notifications, (local) RPC ● Every inter-application message (intent) goes through Binder ● Enables a client-server architecture with applications ● Implemented as a linux kernel driver (/dev/binder) ● /drivers/staging/android/binder.{c,h} ○ Userland applications call into the driver using ioctl() ● Binder driver copies data from process A to process B ● Intents, Messengers, and ContentProviders are built on Binder ●

  19. Linux process (UID 10098) Linux process (UID 10099) Client Application Service Binder Proxy Binder Stub Android Binder IPC IBinder: IBinder : onTransact() { transact() ... } Linux driver (/dev/binder)

  20. Service Binder Client Await requests (BC_REGISTER_LOOPER) Request from client (BC_TRANSACTION) Service thread sleeps Request from client (BC_TRANSACTION) Wait for response callback Reply to client (BC_REPLY) Reply to client (BC_REPLY)

  21. Applications MyApp.java Intent batteryStatus = Context. registerReceiver (null, new IntentFilter( Intent. ACTION_BATTERY_CHANGED);

  22. Application Framework ContextImpl.java registerReceiver() -> registerReceiverInternal()-> ActivityManagerNative.registerReceiver () ActivityManagerNative.java Parcel data = Parcel.obtain() data.writeString(packageName) filter.writeToParcel(data) IBinder.transact(data, reply) BinderProxy.java (implements IBinder) transact() -> native transactNative() //JNI

  23. Core Libraries android_util_Binder.cpp android_os_BinderProxy_transact() -> IBinder.transact() BpBinder : IBinder IPCThreadState::self()->transact()

  24. Core Libraries IPCThreadState.cpp fd=open(“/dev/binder”) ProcessState.cpp transact() -> Parcel.cpp waitForResponse() - mParcel.write > // copies Java (data) talkWithDriver() parcel to this thread’s memory region ioctl(fd, BINDER_WRITE_READ, Linux Kernel mParcel) binder.c

  25. struct binder_transaction_data { /* The first two are only used for bcTRANSACTION and brTRANSACTION, identifying struct binder_write_read { the target and contents of the transaction. signed long write_size; */ signed long write_consumed; union { unsigned long write_buffer; size_thandle; signed long read_size; void *ptr; signed long read_consumed; } target; unsigned long read_buffer; }; void *cookie; unsigned intcode; struct flat_binder_object { unsigned intflags; /* 8 bytes for large_flat_header. */ unsigned long type; /* General information about the transaction. */ unsigned long flags; pid_t sender_pid; uid_t sender_euid; /* 8 bytes of data. */ size_t data_size; union { size_t offsets_size; void *binder; // local obj signed long handle; // remote obj union { }; struct { /* transaction data */ /* extra data associated with local object */ const void *buffer; void *cookie; const void *offsets; }; } ptr; uint8_t buf[8]; } data; };

  26. binder.c (kernel driver) 1. device_initcall(binder_init); // called when kernel boots 2. binder_init() a. misc_register(&binder_miscdev) // register driver name and file operations 3. binder_ioctl() // entry point from userland a. wait_event_interruptable() // block caller until a response b. copy_from_user() // copy struct binder_write_read from userland c. binder_thread_write() or binder_thread_read() // depends on client or server request 4. binder_thread_write() // Called by client making a request a. Checks userland command // i.e. BC_TRANSACTION b. binder_transaction() c. copy_from_user(data) // copy struct binder_transaction_data from userland (buffer contents) d. list_add_tail(data, target) // add work to the target thread’s queue e. wake_up_interruptable(target) // wake up the sleeping server thread 5. binder_thread_read() // Called by service thread waiting to handle requests a. while (1) { if (BINDER_LOOPER_NEED_DATA) goto retry; } b. data = list_first_entry() // get request data c. copy_to_user(data) // copy the data to service

  27. Separate process address spaces enforced by kernel Process A Process B data data readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver data

  28. Separate process address spaces enforced by kernel Process A Process B data data readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver data data

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus Overview Understanding

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus Overview Understanding

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus Overview Understanding Binder and how its used Intercepting and modifying data with BinderFilter Demos! @davidwuuuuuuuu @sergeybratus Undergraduate at

1.1k views • 51 slides
Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P Presented by Mary Salinas t d b M S li What problem are they trying to solve? l ? Context-aware applications are great for Context aware

164 views • 13 slides
Android Customization: From the Kernel to the Apps Hi, I am Cdric, I work for Genymobile as a

Android Customization: From the Kernel to the Apps Hi, I am Cdric, I work for Genymobile as a

Android Customization: From the Kernel to the Apps Hi, I am Cdric, I work for Genymobile as a System Engineer Genymobile is a company specialized in Android. We are based in France (Paris and Lyon) and SF. We develop and customize android

514 views • 40 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad

Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad

Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad Hoc Networks* Rutgers-Helsinki Ph.D. Student Workshop on Spontaneous Networking 8-12th May 2006 Oriana Riva University of Helsinki, Dep. of

361 views • 15 slides
everyone deserves a garden Plantui vision Everyone deserves a garden. We believe that in the

everyone deserves a garden Plantui vision Everyone deserves a garden. We believe that in the

everyone deserves a garden Plantui vision Everyone deserves a garden. We believe that in the future greens will be grown near where they are consumed. From large production units to neighbourhood, homes and restaurants. Plantui is a design

494 views • 27 slides
From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

FlowDroid Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware T aint Analysis for Android Apps From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric Bodden, Steven Artz, Siegfried

620 views • 45 slides
Lab 1 Introduction to Android & Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android & Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android & Hello World Example KUAN-TING LAI 2018/9/10 Android History Code Version Linux kernel Initial release API version [1] name number date level (No codename) [2] 1.0 ? September 23, 2008 1 Petit

1.4k views • 40 slides
Discrete Event Simulation And Discrete Event Simulation And Evaluation Of A Firewall Aware

Discrete Event Simulation And Discrete Event Simulation And Evaluation Of A Firewall Aware

Discrete Event Simulation And Discrete Event Simulation And Evaluation Of A Firewall Aware Evaluation Of A Firewall Aware Architecture For Mobile IP Architecture For Mobile IP Artur Hecker Artur Hecker Supervisors: Supervisors: Prof. Dr.

260 views • 22 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Component- -based, Context based, Context- -aware aware Component Software Systems Software

Component- -based, Context based, Context- -aware aware Component Software Systems Software

Component- -based, Context based, Context- -aware aware Component Software Systems Software Systems Workshop on Spontaneous Networking Rutgers University Michael Przybilski 1 10.05.2006 michael.przybilski@cs.helsinki.fi Outline

593 views • 19 slides
FastTrack: Foreground App-Aware I/O Management for Improving User Experience of Android

FastTrack: Foreground App-Aware I/O Management for Improving User Experience of Android

FastTrack: Foreground App-Aware I/O Management for Improving User Experience of Android Smartphones Jihong Kim Seoul National University NVRAMOS 2018 October 25, 2018 Mobile Storage Optimization Research Why does my aging smartphone get

732 views • 36 slides
Citizenship in the context of immigration and emigration Hilary Term 2015 Week 8 - Who deserves

Citizenship in the context of immigration and emigration Hilary Term 2015 Week 8 - Who deserves

Citizenship in the context of immigration and emigration Hilary Term 2015 Week 8 - Who deserves to be a citizen? Investor and Olympic citizenship Evelyn Ersanilli 09 March 2015 Speaker name 1 Investor citizenship vs golden residence

290 views • 11 slides
Energy Aware Scheduling Byungchul Park LG Electronics System S/W Engineer Kernel Developer

Energy Aware Scheduling Byungchul Park LG Electronics System S/W Engineer Kernel Developer

Energy Aware Scheduling Byungchul Park LG Electronics System S/W Engineer Kernel Developer Computer Science Physics Dance Outline 2 Basic SMP Load Balancing Per-Entity Load Tracking Attempts for Power Saving Energy Aware

875 views • 76 slides
Android Internals Android Builders Summit April 13 th 2011 Karim Yaghmour

Android Internals Android Builders Summit April 13 th 2011 Karim Yaghmour

Android Internals Android Builders Summit April 13 th 2011 Karim Yaghmour karim.yaghmour@opersys.com @karimyaghmour About ... Author of: Introduced Linux Trace Toolkit in 1999 Originated Adeos and relayfs (kernel/relay.c) 1.

439 views • 39 slides
Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing

Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing

Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing Readings Context-Aware Computing Applications, by Bill Schilit, Norman Adams, and Roy Want Ask not for whom the cell phone tolls: Some problems

923 views • 27 slides
S C A L I N G H A D O O P I N & O U T O F T H E P R I VAT E C L O U D P R I VA T E C

S C A L I N G H A D O O P I N & O U T O F T H E P R I VAT E C L O U D P R I VA T E C

J E F F K R A M E R ( H P H E L I O N ) S C A L I N G H A D O O P I N & O U T O F T H E P R I VAT E C L O U D P R I VA T E C L O U D S A R E L I K E Flickr Photo by John Lustig

751 views • 20 slides
CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android OS,

589 views • 35 slides
Final project lightning talks In your collaboration teams: People who havent presented

Final project lightning talks In your collaboration teams: People who havent presented

Welcome back to [occ]! (last day) Online Communities & Crowds Welcome back to [occ]! (last day) 2014-12-06 Final project lightning talks In your collaboration teams: Welcome back to [occ]! (last day) People who havent presented

599 views • 22 slides
DESIGN THINKING PeopleFocused Problem Solving 1 Design Thinking Slides1.notebook November 29,

DESIGN THINKING PeopleFocused Problem Solving 1 Design Thinking Slides1.notebook November 29,

Design Thinking Slides1.notebook November 29, 2017 DESIGN THINKING PeopleFocused Problem Solving 1 Design Thinking Slides1.notebook November 29, 2017 STEP 1 IMMERSION Jump into the problem: Get on the dance floor! Gather as much

400 views • 18 slides
BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member

BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member

BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member Agenda 02 03 01 Network Security Internet socket in Aspects Permission in Android OS Marshmallow INTERNET PERMISSION IN MARSHMALLOW

584 views • 33 slides
CS5530 Mobile/Wireless Systems GPS/Location in Android Yanyan Zhuang Department of Computer

CS5530 Mobile/Wireless Systems GPS/Location in Android Yanyan Zhuang Department of Computer

CS5530 Mobile/Wireless Systems GPS/Location in Android Yanyan Zhuang Department of Computer Science http://www.cs.uccs.edu/~yzhuang UC. Colorado Springs CS5530 Ref. CN5E, NT@UW, WUSTL Android Location Interface 1. Request permission in

207 views • 10 slides
Mobile Applications and Cloud Computing Mobile Applications and Cloud Computing 2015 Leonardo

Mobile Applications and Cloud Computing Mobile Applications and Cloud Computing 2015 Leonardo

Security aspects in Mobile Applications and Cloud Computing Mobile Applications and Cloud Computing 2015 Leonardo Aniello, Ph.D. aniello@dis.uniroma1.it Outline Security aspects in mobile applications Current situation Security

460 views • 30 slides
More Android 1 How hard was week 9 code review assignment? A) Easy

More Android 1 How hard was week 9 code review assignment? A) Easy

More Android 1 How hard was week 9 code review assignment? A) Easy B) Moderate C) Challenging D) Unreasonable 2 How long did week 9 assignment take? A) Less than 2 hours

593 views • 11 slides

More recommend