the real deal of android device security the third party
play

The Real Deal of Android Device Security: The Third Party Collin - PowerPoint PPT Presentation

Apr 01, 2024 •49 likes •949 views

The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide CanSecWest 2014 Introductions Collin Mulliner Jon Oberheide Mulliner and Oberheide, CSW 2014 #Cats4Fun Mulliner and Oberheide, CSW 2014

  1. The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide CanSecWest 2014

  2. Introductions ● Collin Mulliner ● Jon Oberheide Mulliner and Oberheide, CSW 2014

  3. #Cats4Fun Mulliner and Oberheide, CSW 2014

  4. Thanks, Mudge! Mulliner and Oberheide, CSW 2014

  5. Thanks, Mudge! Mulliner and Oberheide, CSW 2014

  6. Android Mulliner and Oberheide, CSW 2014

  7. Android Most popular smartphone platform about 1 billion devices today Mulliner and Oberheide, CSW 2014

  8. This dude is in trouble Mulliner and Oberheide, CSW 2014

  9. Lets patch him up! Mulliner and Oberheide, CSW 2014

  10. WTF are we doing here people ● Anti-malware ○ 99.9%* of Android malware is bullshit toll fraud ● MDM ○ “Manage” your way out of an insecure platform ○ HEY I CAN SEE ALL MY VULNERABLE DEVICES, YAY! ● Other features of mobile “security” products ○ Find my phone (G does it), backup (G does it), …? * I just made this up, kinda Mulliner and Oberheide, CSW 2014

  11. How about... ● Maybe we try to fix the underlying issues? ○ “Enumerating badness” always doomed to fail ○ Naw, that’s crazy talk! ● Underlying issues (in our not-so-humble opinion) ○ Lack of platform integrity ○ Privilege escalation vulns, large attack surface ○ Huge windows of vuln due to slow/non-existing patching practices Mulliner and Oberheide, CSW 2014

  12. Our research ● Investigated Android vulns and solutions ○ Vulns in native and managed code ○ More than privesc! ● Let’s show what can be done ○ Mostly PoC, but deployed to 100k’s of real-world devices vs. ○ If we can do this on the cheap, maybe Big Corp can do it for reals ● “Defensive” talk, booooooooo Mulliner and Oberheide, CSW 2014

  13. A tale of three projects ● Vulns exist ○ X-Ray ● How to get rid of them ○ PatchDroid ● How to brick a lot of people’s phones ;-) ○ ReKey Mulliner and Oberheide, CSW 2014

  14. Ideal mobile ecosystem...HA! ● In a perfect world… ● AOSP : Google ships a secure base platform. ● OEM : Samsung and third-party suppliers don’t introduce vulns in their handsets and customizations. ● Carrier : T-Mobile rolls out rapid OTA updates to keep users up to date and patched. Mulliner and Oberheide, CSW 2014

  15. Real-world mobile ecosystem ● In the real world… ● AOSP : Android improving mitigations, but slowly. ● OEM : Customizations by device OEMs are a primary source of vulnerabilities. ● Carrier : Updates are not made available for months and sometimes even years. Mulliner and Oberheide, CSW 2014

  16. Real-world mobile ecosystem ● In the real world… ● AOSP : Android improving mitigations, but slowly. All software has vulns, mobile or otherwise. ● OEM : Customizations by device OEMs are a primary source of vulnerabilities. Failing to deliver patches is the real issue. ● Carrier : Updates are not made available for months and sometimes even years. Mulliner and Oberheide, CSW 2014

  17. Disclosure & patching process Third-party providers weeks Google OEM Carrier months months days Researcher days days Public Attackers Mulliner and Oberheide, CSW 2014

  18. Challenges in patching ● Why is mobile patching challenging? ● Complicated software supply chain ● Testing, testing, testing ● Risk of bricking devices ● Inverted economic incentives ● Want to patch your device's vulnerabilities? ● Loadset controlled by carrier ● Can't patch the device (unless rooted) Mulliner and Oberheide, CSW 2014

  19. What the carriers say " Patches must be integrated and tested for different platforms to ensure the best possible user experience. Therefore, distribution varies by manufacturer and device. " - AT&T Mulliner and Oberheide, CSW 2014

  20. What the carriers say " Patches must be integrated and tested for different platforms to ensure the best possible user experience. Therefore, distribution varies by manufacturer and device. " - AT&T Mulliner and Oberheide, CSW 2014

  21. Privilege escalation vulnerabilities ● Android security model ● Permissions framework, “sandboxing” (Linux uid/gid) ● Compromise of browser (or other app) != full control of device ● Privilege escalation vulnerabilities ● Unprivileged code execution → Privileged code execution ● Publicly released to allow users to jailbreak their devices ● Public exploits reused by mobile malware to root victim's devices ● Ooooh, fancy mobile privesc, right??? Mulliner and Oberheide, CSW 2014

  22. Quick trivia ● What's wrong with the following code? /* Code intended to run with elevated privileges */ do_stuff_as_privileged(); /* Drop privileges to unprivileged user */ setuid(uid); /* Code intended to run with lower privileges */ do_stuff_as_unprivileged(); ● Assuming a uid/euid=0 process dropping privileges... Mulliner and Oberheide, CSW 2014

  23. Zimperlich vulnerability ● Return value not checked! setuid(2) can fail: EAGAIN The uid does not match the current uid and uid brings process over its RLIMIT_NPROC resource limit. ● Android's zygote does fail if setuid does: err = setuid(uid); if (err < 0) { LOGW("cannot setuid(%d): %s", uid, strerror(errno)); } ● Fork until limit, when setuid fails, app runs as uid 0! Mulliner and Oberheide, CSW 2014

  24. A sampling of privesc vulns ● ASHMEM : Android kernel mods, no mprotect check ● Exploid : no netlink source check, inherited from udev ● Exynos : third-party device driver, kmem read/write ● Gingerbreak : no netlink source check, GOT overwrite ● Levitator : My_First_Kernel_Module.ko, kmem read/write ● Mempodroid : inherited from upstream Linux kernel ● RageAgainstTheCage : no setuid retval check ● Wunderbar : inherited from upstream Linux kernel ● Zimperlich : no setuid retval check ● ZergRush : UAF in libsysutils Mulliner and Oberheide, CSW 2014

  25. X-Ray for Android ● How can we measure this problem? ● X-Ray for Android ● DARPA CFT funded ● Performing _actual_ vuln assessment on mobile ● Detects most common privescs ● Works without any special privileges or permissions http://xray.io Mulliner and Oberheide, CSW 2014

  26. Static probes ● Static probes ● Can identify vulnerabilities using static analysis ● Send up vulnerable component (eg. binary, library) to service ● Disassemble and look for patched/vulnerable code paths libdvm.so X-Ray Analyze! Service result Mulliner and Oberheide, CSW 2014

  27. Static probe example: Zimperlich Mulliner and Oberheide, CSW 2014

  28. Ok, what does it _really_ look like? ● l33t static analysis...aka ghetto objdump/python/grep ● Do we need to be that smart or perfect? Thankfully, no. Mulliner and Oberheide, CSW 2014

  29. Dynamic probes (aka psuedo-exploits) ● Dynamic probes ● Not all vulnerabilities are in software components we can access ● Example: kernel vulns, kernel image not accessible by X-Ray ● Probe locally for vulnerability presence! ● Basically sad, neutered, wacky half exploits :-( halp! X-Ray liblevitator_v1.so Service Execute! result Mulliner and Oberheide, CSW 2014

  30. Dynamic probe example: Levitator Mulliner and Oberheide, CSW 2014

  31. Dynamic probe example: Exploid Mulliner and Oberheide, CSW 2014

  32. Probe manifests in JSON Static probe: { "id": "webkit", "type": "static", Dynamic probe: "name": "WebKit (inactive)", "query_url": "/xray/webkit/query", { "probe_url": "/xray/webkit/probe", "id": "exynos", "static_payload": "/system/lib/libwebcore.so" "type": "dynamic", } "name": "Exynos", "result_url": "/xray/exynos/result", "dynamic_slot": "06", "dynamic_payload_armeabi": "/xray/static/exynos/armeabi/libexynos_v1.so", "dynamic_signature_armeabi": "vrX...", "dynamic_payload_armeabi-v7a": "/xray/static/exynos/armeabi-v7a/libexynos_v1.so", "dynamic_signature_armeabi-v7a": "mbe...", "dynamic_payload_mips": "/xray/static/exynos/mips/libexynos_v1.so", "dynamic_signature_mips": "F33...", "dynamic_payload_x86": "/xray/static/exynos/x86/libexynos_v1.so", "dynamic_signature_x86": "Lu7..." }, Mulliner and Oberheide, CSW 2014

  33. X-Ray distribution ● Not in Google Play*, but free for download at http://xray.io ● Results collected by us (and Five Eyes) from users who ran the X-Ray app on their Android device: 74,405 devices 4,312 models 190 countries * don’t ask Mulliner and Oberheide, CSW 2014

  34. Aside: Android exploitation challenges ● Android fragmentation is _real_ ○ Not for app dev, but for exploit dev ● X-Ray’s binary dataset ○ 3,124 unique libsysutils.so ○ 5,936 unique libdvm.so ○ 5,303 unique vold ● If only there was a way to collect all those binaries... Mulliner and Oberheide, CSW 2014

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Sensing Tutorial Hasan Faik Alan 9/8/2015 Android Device Fragmentation August 2014 -

Android Sensing Tutorial Hasan Faik Alan 9/8/2015 Android Device Fragmentation August 2014 -

Android Sensing Tutorial Hasan Faik Alan 9/8/2015 Android Device Fragmentation August 2014 - Over 18,000 Distinct Devices https://opensignal.com/reports/2014/android-fragmentation/ Example Android Device CPU : Quad-core 2.5 GHz Krait 400 GPU

573 views • 35 slides
Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

660 views • 15 slides
Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June 14, 2018 Mobile OSes rapidly expanding their device range and user base. Android: 2 billion monthly active users but

403 views • 15 slides
Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Multi-Persona Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile devices have multiple uses - - the device needs to reflect that. 2 Android Builders 2014 Security Use Case Personal Phone

874 views • 55 slides
Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5

Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5

Android Sensing Tutorial Hasan Faik Alan 9/7/2017 Example Android Device CPU : Quad-core 2.5 GHz Krait 400 GPU : Adreno 330 Development - Getting Started http://developer.android.com/develop/ Development - Getting Started

581 views • 33 slides
Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Introduction Background information SNE Research Project 2 Kernel patching Evaluation Android patching from the MDM Proof of concept Android patching From a Mobile Device Management perspective Cedric Van Bockhaven cbockhaven@os3.nl

466 views • 20 slides
IP Log for DSDP/Device Debugging move of DSF, MI, and GDB components to CDT Third-Party Code CQ

IP Log for DSDP/Device Debugging move of DSF, MI, and GDB components to CDT Third-Party Code CQ

IP Log for DSDP/Device Debugging move of DSF, MI, and GDB components to CDT Third-Party Code CQ Third-Party Code License Use No pre-req dependencies Committers Past and Present Active Name Organization Francois Chouinard Ericsson AB Marc

354 views • 7 slides
REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic

REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic

REU/REV Update Paul Curtis and Vitor Weber 1 Project Description Android based acoustic ranging application Current Work Paul: 2 device ranging using android devices + calculations in MATLAB Vitor: Device to device communication

273 views • 12 slides
Handheld Device Architectures: Are We Doing Enough? Manu Awasthi Ashoka University Handheld

Handheld Device Architectures: Are We Doing Enough? Manu Awasthi Ashoka University Handheld

Handheld Device Architectures: Are We Doing Enough? Manu Awasthi Ashoka University Handheld Devices Android Versions https://www.counterpointresearch.com/can-android-o- de-fragment-android/ Memory Usage

498 views • 28 slides
Android for the Enterprise Ge#ng from Here to There 1

Android for the Enterprise Ge#ng from Here to There 1

Android for the Enterprise Ge#ng from Here to There 1 Confiden)al Overview 3LM addresses enterprise needs: security and device management. 2 Confiden)al Overview m

281 views • 26 slides
Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments

Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments

Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments Open source Tape Otto Dagger ActionBarSherlock Android Design on every device. Lifecycle Install Apps Run Forever Uninstall

844 views • 82 slides
Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich Olga Gadyatskaya RAID 2016 Sensitive Resource Protection in Android Android is the most popular mobile OS: - ~ 2 billion of third-party apps

523 views • 24 slides
Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done Party!!!!!! Party!!!!!! Curling Orientation Party!!!!!! Party!!!!!! Party!!!!!! National day parade Airport picking-uping Party!!!!!!

1.18k views • 69 slides
Community &amp; Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu

Community &amp; Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu

Community &amp; Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu DPDK CI &amp; Bugzilla Manager Intel DPDK Summit Userspace Dublin 2017 Agenda Community Growth Community Interactions Community

609 views • 29 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI

Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI

Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI 2012) Presented by: Kevin Burns October 2, 2013 Outline Paper Presentation Background/Motivation CFix Overview Bug Understanding Fix Strategy

347 views • 24 slides
Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009

Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009

Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009 About Git A Distributed Version Control system (DVCS): created by Linus Torvalds maintained by Junio Hamano Basics: commits are states of the

1.11k views • 75 slides
How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead

How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead

How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead Engineer -- Performance | @daviddaly44 | https://daviddaly.me/ - 22 % 2 3 Understand the performance of our software and when it changes. 4 How

668 views • 33 slides
H OW TO R EPAIR V ULNERABILITIES ? Correcting vulnerable logic, e.g. race condition

H OW TO R EPAIR V ULNERABILITIES ? Correcting vulnerable logic, e.g. race condition

A UTOMATIC P ROGRAM R EPAIR Zhen Huang 1 Penn State University Spring 2019 CMPSC 447, Software Security P RE PATCH W INDOW Attackers can leverage the window of time before a vulnerability is addressed. Attackers can exploit the

931 views • 60 slides
Self-defending software: g Automatically patching errors in deployed software Michael Ernst

Self-defending software: g Automatically patching errors in deployed software Michael Ernst

Self-defending software: g Automatically patching errors in deployed software Michael Ernst Michael Ernst University of Washington Joint work with: Joint work with: Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Sung Kim, Samuel

873 views • 44 slides
Releasing and Testing Free Opensource Graphics Drivers: the case of Mesa3D Emil Velikov

Releasing and Testing Free Opensource Graphics Drivers: the case of Mesa3D Emil Velikov

Releasing and Testing Free Opensource Graphics Drivers: the case of Mesa3D Emil Velikov (emil.velikov@collabora.com) Juan A. Surez (jasuarez@igalia.com) with Pierre-Loup Griffais (pgriffais@valvesoftware.com) XDC 2018 The speakers - Emil

606 views • 35 slides

More recommend