what exactly is different or new about
play

What, exactly, is different or new about MOBILE mobile security? - PowerPoint PPT Presentation

Jan 21, 2023 •347 likes •1.23k views

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

  1. What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University

  2. tl;dr The “computers inside the computer” Every chip has one or more CPUs inside; they have exploitable bugs Usability issues Smaller screens mean fewer security indicators The death of app isolation Apps have full Internet access, sensitive privileges, and abuse them Threat models: physical attacks Or, defending against the San Bernadino iPhone attack

  3. The computers inside your computer

  4. Have you looked inside a phone lately? Each chip has an embedded CPU, typically ARM “Firmware” (i.e., software) baked in by vendor, not part of the OS distribution (Google Pixel photos via iFixit)

  5. Example: SD card firmware Flash storage is incredibly complicated High defect rates, wear leveling / block remapping, etc. Allows a vanilla filesystem, designed for a hard drive, to “just work” Cheaper to use a general-purpose CPU Testing (defect mapping, binning) and runtime (load leveling, remapping) all done in software Even if 80% of blocks are dead, can still sell as a lower-capacity card

  6. Quality-control issues? Andrew “Bunnie” Huang designed the Chumby “I realized that all the units failing [in quality control] had Kingston microSD cards from a particular lot code.” (2009)

  7. Quality-control issues? Andrew “Bunnie” Huang designed the Chumby “I realized that all the units failing [in quality control] had Kingston microSD cards from a particular lot code.” (2009) “One [Shenzhen] vendor … interested me; it was literally a mom, pop and one young child sitting in a small stall of the mobile phone market, and they were busily slapping dozens of non-Kingston marked cards into Kingston retail packaging . They had no desire to sell to me, but I was persistent; this card interested me in particular because it also had the broken ‘D’ logo but no Kingston marking.”

  8. Counterfeit analysis Bunnie bought a bunch of cheap SD cards in Shenzhen “Normal”: OEM Toshiba “Sketchy”: alternate 
 OEM codes, etc. Conclusion: Kingston 
 resells lower-quality parts 
 at tight margins

  9. Counterfeit analysis Bunnie bought a bunch of cheap SD cards in Shenzhen “Normal”: OEM Toshiba “Sketchy”: alternate 
 OEM codes, etc. Conclusion: Kingston 
 resells lower-quality parts 
 “Larger vendors will tend to offer more consistent at tight margins quality, but even the largest players staunchly reserve the right to mix and match flash chips with different controllers, yet sell the assembly as the same part number — a nightmare if you’re dealing with implementation-specific bugs .”

  10. SD firmware hacking Bunnie and Sean “Xobs” Cross (2013) Discovered firmware 
 update command Able to send 8051 
 machine code (no 
 code signing, etc.) ☛ MITM attacks from 
 your storage?!

  11. SD firmware hacking Bunnie and Sean “Xobs” Cross (2013) Discovered firmware 
 update command Able to send 8051 
 machine code (no 
 code signing, etc.) ☛ MITM attacks from 
 your storage?! “It’s as of yet unclear how many other manufacturers leave their firmware updating sequences unsecured.”

  12. Same thing for your networking chips Modern network chips have embedded CPUs as well Support “full stack” WiFi Don’t interrupt the CPU as often Exploitable from the outside! No use of protection bits: every page is RWX (also no stack cookies, etc.) (Source: Gal Beniamini, Google Project Zero, googleprojectzero.blogspot.com/2017/04/over-air- exploiting-broadcoms-wi-fi_4.html)

  13. Attacking the main CPU from the NIC Option 1: Attack the OS kernel Heap overflow, vulnerable code pointer Option 2: Direct memory access PCIe devices can do DMA IOMMUs not used to limit visible memory in the kernel ☛ Arbitrary read/write to the OS kernel (Source: Gal Beniamini, Google Project Zero, googleprojectzero.blogspot.com/2017/04/over-air- exploiting-broadcoms-wi-fi_11.html)

  14. What about ARM TrustZone? TrustZone is something of an OS layer below the kernel Support for boot locking, DRM, etc. Of course, it’s exploitable (Also discovered by Gal Beniamini) memcpy() buffer overwrite vulnerability Messy process to build a ROP chain Shellcode to read/interact with the “secure file system” bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html

  15. TrustZone security engineering? MobileCore (Samsung) No ASLR, no stack cookies QSEE (Qualcomm): slightly better 9-bit ASLR, no guard page between stack, BSS, heap Trustlets: Proprietary code, bugs can linger Many trustlets directly exposed to userland through proxy services (Source: Gal Beniamini talk, BlueHat Israel 2017, microsoftrnd.co.il/Press%20Kit/ BlueHat%20IL%20Decks/GalBeniamini.pdf)

  16. Example: Android Full Disk Encryption KeyMaster app manages keys Vulnerabilities in other trustlets ☛ Privilege escalation ☛ Lack of separation across trustlets ☛ Master keys can leak Qualcomm, others support hardware- fused keys Not currently used by KeyMaster Maybe in Android “O”?

  17. Kernel bugs increasingly targeted (Source: “What’s New in Android Security”, Google I/O 2017. https://www.youtube.com/watch?v=C9_ytg6MUP0)

  18. What kinds of bugs? (Source: “What’s New in Android Security”, Google I/O 2017. https://www.youtube.com/watch?v=C9_ytg6MUP0)

  19. If we used a safe programming language Plenty of PL and systems research that addresses these remaining concerns!

  20. Summary so far All the computers inside the computer are vulnerable. All the same attack types (buffer overflow, heap grooming, ROP , etc.) Less competitive pressure ⇒ less use of standard defenses OS kernels tend to trust their devices to act reasonably. An “evil component” has a large attack surface IOMMUs can help limit this Unclear whether vendor isolation layer (Android “O” Treble) will help

  21. Challenges so far All the usual vulnerabilities that come from C programming. Can we please get rid of C? Is Rust a good alternative? At least most Android apps and many system services are in Java. Vulnerability discovery, patch delivery. If Beniamini can do it, so can others. Are similar vulns being exploited? Supply chain integrity. Are you even getting the chips you expect?

  22. The death of app isolation

  23. Default security policies Every web page has an origin (DNS name, protocol, etc.) Separation enforced by browser’s same origin policy Network connections limited (unless the receiving server allows it) Limited visibility of native OS resources Android apps have private storage, but unlimited networking Scan your internal network? Why not? Easy to abuse privileges

  24. Example: exfiltration of contacts list

  25. Example: exfiltration of contacts list When asked why Path didn’t give users the choice to opt-in right from the start, [Path CEO] Morin responded with the following: This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we’ve been proactively addressing this. techcrunch.com/2012/02/07/path-uploads-your-iphones-address-book-to-their-servers-without-a-peep/

  26. ADS!

  27. Cost : Free Cost : $2.99

  28. Cost : Free Cost : $2.99 Downloads: 100,000 – 500,000

  29. Cost : Free Cost : $2.99 Downloads: Downloads: 10,000,000 – 50,000,000 100,000 – 500,000

  30. Ads are widely used

  31. Ads are widely used (and advertising uses 75% of the power budget - Pathak et al., Eurosys 2012)

  33. Measuring permission usage Separate library code from application code Simple static analysis of library code Stowaway (Felt et al., 2011) Map API calls to Android permissions Scout (Au et al., 2012) Theodore Book, Adam Pridgen, and Dan S. Wallach, Longitudinal analysis of Android ad library permissions . Mobile Security Technologies (MOST) 2013. Theodore Book and Dan S. Wallach, A case of collusion: A study of the interface between ad libraries and their apps . 3rd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), November 2013.

  35. Internet Retrieve ads Report usage

  36. Vibrate Notifies you about important ads!

  37. Read Phone State Get IMEI number

  38. WiFi State Access MAC Address Check Connection Type

  39. Wake Lock Video API calls

  40. Network State Check Connection Type

  41. Access Location

  42. “Dangerous” Collection of Permissions

  43. “Dangerous” Permissions

  44. “Dangerous” Permissions Get Tasks See what else is running

  45. “Dangerous” Permissions Read History and Bookmarks What are your favorite web pages?

  46. “Dangerous” Permissions Get Accounts your Google ID... and Facebook, too!

  47. “Dangerous” Permissions Read Contacts Getting to know you...

  48. “Dangerous” Permissions Change WiFi State Load those video ads!

  49. “Dangerous” Permissions Record Audio Just listening!

  50. “Dangerous” Permissions Camera Smile!

  51. The Great App Purge of 2013

  52. Google’s actions vs. ad library Ad Library Percent of Apps Removed 60.5% EverBadge 45.5% Hunt Mobile 40.7% AirPush 31.2% SendDroid 29.7% Waps 28.4% TapIt Average 11.6%

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Make the Web Fast, Google Improve

SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Make the Web Fast, Google Improve

SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Make the Web Fast, Google Improve end-user perceived latency Address the "head of line blocking" Not require multiple connections Retain the semantics of

1.16k views • 47 slides
Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago & Ruhr University Bochum & Technische Universiteit Eindhoven 10 June 2019 Cryptography Motivation #1: Communication channels are spying

1.17k views • 91 slides
List of Attendees Paul Stacey, John Storer, Rich Langan, David Patrick, Dean Peschel, Lindsey

List of Attendees Paul Stacey, John Storer, Rich Langan, David Patrick, Dean Peschel, Lindsey

List of Attendees Paul Stacey, John Storer, Rich Langan, David Patrick, Dean Peschel, Lindsey Williams, Fred Short, Cory Riley, Terry Desmarais, Ray Grizzle, Krystin Ward, Robert Eckert, Kevin Sullivan, Doug Grout, Bruce Smith, Shannon Rogers,

1.15k views • 75 slides
Predicting the relevance of distributional semantic similarity with contextual information

Predicting the relevance of distributional semantic similarity with contextual information

Predicting the relevance of distributional semantic similarity with contextual information Philippe Muller, Ccile Fabre, Clmentine Adam IRIT & CLLE, University of Toulouse June 23rd, 2014 supported by Asfalda project (ANR-12-CORD-023)

269 views • 15 slides
Open Information Extraction Mausam Associate Professor Indian Institute of Technology, Delhi

Open Information Extraction Mausam Associate Professor Indian Institute of Technology, Delhi

Open Information Extraction Mausam Associate Professor Indian Institute of Technology, Delhi The Internet is the worlds largest library. Its just that all the books are on the floor. - John Allen Paulos ~20 Trillion URLs (Google)

1.34k views • 89 slides
What is EGG? Measures amount of current between electrodes Re fm ects the amount of vocal

What is EGG? Measures amount of current between electrodes Re fm ects the amount of vocal

10/7/18 Electroglottography for voice analysis Marc Garellek, UCSD AMP 2018 What is EGG? Measures amount of current between electrodes Re fm ects the amount of vocal fold contact: More VF contact more EGG current 1 1 10/7/18

329 views • 11 slides
Dialogue agents Christopher Potts CS 244U: Natural language understanding May 21 1 / 69

Dialogue agents Christopher Potts CS 244U: Natural language understanding May 21 1 / 69

Overview & motivations SwDA PLOW MDPs & grounded semantics The Cards Corpus POMDPs & approximate Dec-POMDPs Refs. Dialogue agents Christopher Potts CS 244U: Natural language understanding May 21 1 / 69 Overview &

1.71k views • 105 slides
Nominal distribution of prepositions and adnumeral operators in Polish Adam Przepirkowski 1 , 2

Nominal distribution of prepositions and adnumeral operators in Polish Adam Przepirkowski 1 , 2

Nominal distribution of prepositions and adnumeral operators in Polish Adam Przepirkowski 1 , 2 , 3 , Julia Pater 1 , Maciej Pastwa 1 1 University of Warsaw 2 Polish Academy of Sciences 3 University of Oxford Slavic Linguistics Society (SLS15)

1.13k views • 73 slides
EE-559 Deep learning 11. Recurrent Neural Networks and Natural Language Processing Fran

EE-559 Deep learning 11. Recurrent Neural Networks and Natural Language Processing Fran

EE-559 Deep learning 11. Recurrent Neural Networks and Natural Language Processing Fran cois Fleuret https://fleuret.org/dlc/ June 16, 2018 COLE POLYTECHNIQUE FDRALE DE LAUSANNE Inference from sequences Fran cois Fleuret

1.3k views • 104 slides
A/B Testing Crowdsourcing and Human Computation Instructor: Chris Callison-Burch Website:

A/B Testing Crowdsourcing and Human Computation Instructor: Chris Callison-Burch Website:

A/B Testing Crowdsourcing and Human Computation Instructor: Chris Callison-Burch Website: crowdsourcing-class.org Active versus Passive Crowdsourcing So far we have mainly looked at active crowdsourcing, where we explicitly solicit help

615 views • 33 slides
Developing Apps With WatchKit A Whirlwind Tour Adam Shaw Kabuki Vision @KabukiVision

Developing Apps With WatchKit A Whirlwind Tour Adam Shaw Kabuki Vision @KabukiVision

Developing Apps With WatchKit A Whirlwind Tour Adam Shaw Kabuki Vision @KabukiVision Journaling NoteMaster Dressed WatchKit SDK for building apps for Apple Watch Similar, but different from iOS app development Very limited

519 views • 27 slides
Questions for you 2 First, I ve got some questions for you: Who has tried speech input on

Questions for you 2 First, I ve got some questions for you: Who has tried speech input on

Slide 1 Slide 2 Questions for you 2 First, I ve got some questions for you: Who has tried speech input on the desktop? Who uses it regularly? Who uses it not only for dictation but also for commands-and-control? Anybody use it

644 views • 47 slides
Theranos UDLS Oct 12, 2018 Neil Newman tl;dl (Too Long, Didnt Listen) Revolutionary

Theranos UDLS Oct 12, 2018 Neil Newman tl;dl (Too Long, Didnt Listen) Revolutionary

Theranos UDLS Oct 12, 2018 Neil Newman tl;dl (Too Long, Didnt Listen) Revolutionary blood test machine Raised tons of money; lots of hype Unable to deliver Pretended everything going great Knowingly delivered

309 views • 18 slides
Ordering the Chaos CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1

Ordering the Chaos CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1

Ordering the Chaos CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 25.10.2020 ORDERING THE CHAOS - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker.

916 views • 70 slides
The Parallel Revolution Has Started: Are You Part of the Solution or Part of the Problem? Dave

The Parallel Revolution Has Started: Are You Part of the Solution or Part of the Problem? Dave

Parallel Parallel Applications Hardware Parallel IT industry Software Users (Silicon Valley) The Parallel Revolution Has Started: Are You Part of the Solution or Part of the Problem? Dave Patterson Parallel Computing Laboratory U.C.

1.17k views • 59 slides
Building Your Bench for Success: Management and Key Position Succession Planning June 7, 2017

Building Your Bench for Success: Management and Key Position Succession Planning June 7, 2017

Building Your Bench for Success: Management and Key Position Succession Planning June 7, 2017 The webinar will start at 11:30 am CT Marjorie Engle Senior Vice President Organizational Development and Family Business Services Administration

527 views • 38 slides
Do Judgments Screen Evidence? Brian Weatherson Rutgers/Arch e March, 2010 Brian Weatherson

Do Judgments Screen Evidence? Brian Weatherson Rutgers/Arch e March, 2010 Brian Weatherson

Do Judgments Screen Evidence? Brian Weatherson Rutgers/Arch e March, 2010 Brian Weatherson (Rutgers/Arch e) Do Judgments Screen Evidence? March, 2010 1 / 73 Setup S rationally judges that p on the basis of E . J is the proposition that

1.22k views • 92 slides
One Model To Learn Them All Lukasz Kaiser, Aidan N. Gomez, Noam Shazeer, Ashish Vaswani, Niki

One Model To Learn Them All Lukasz Kaiser, Aidan N. Gomez, Noam Shazeer, Ashish Vaswani, Niki

One Model To Learn Them All Lukasz Kaiser, Aidan N. Gomez, Noam Shazeer, Ashish Vaswani, Niki Parmar, Llion Jones, Jakob Uszkoreit CS546 Course Presentation Shruti Bhargava (shrutib2) Advised by : Prof. Julia Hockenmaier Outline

696 views • 35 slides
Recurrent Neural Networks CS 6956: Deep Learning for NLP Overview 1. Modeling sequences 2.

Recurrent Neural Networks CS 6956: Deep Learning for NLP Overview 1. Modeling sequences 2.

Recurrent Neural Networks CS 6956: Deep Learning for NLP Overview 1. Modeling sequences 2. Recurrent neural networks: An abstraction 3. Usage patterns for RNNs 4. BiDirectional RNNs 5. A concrete example: The Elman RNN 6. The vanishing

721 views • 60 slides
Almost over... Feedback Website schedule for talk feedback Booklet (infodesk) feedback@

Almost over... Feedback Website schedule for talk feedback Booklet (infodesk) feedback@

Almost over... Feedback Website schedule for talk feedback Booklet (infodesk) feedback@ fosdem.org Some stats 5 keynotes 38 lightning talks 36 talks in 9 main tracks 42 devrooms 618 events in total Infra stats T

677 views • 21 slides
Categorizing objects: global and part based models global and part-based models of appearance

Categorizing objects: global and part based models global and part-based models of appearance

9/21/2012 Categorizing objects: global and part based models global and part-based models of appearance Kristen Grauman UT Austin Generic categorization problem 1 9/21/2012 Challenges: robustness Realistic scenes are crowded, cluttered,

699 views • 54 slides
Learning to Compose Relational Embeddings in Knowledge Graphs Wenye Chen, Huda Hakami, Danushka

Learning to Compose Relational Embeddings in Knowledge Graphs Wenye Chen, Huda Hakami, Danushka

Learning to Compose Relational Embeddings in Knowledge Graphs Wenye Chen, Huda Hakami, Danushka Bollegala Relation Composition Knowledge Graphs (KG) (e.g. Freebase) represent knowledge in the form of relations between entities (Tim Cook,

167 views • 16 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me Drupal; Using Drupal to power a Voice App You should be able to follow along by visiting the link below. If you have an Echo device, please mute the

1.67k views • 87 slides
j t t t q t t t t t q t t LAW-MWE-CxG-2018 @ COLING 2018 t q t q t t t t t q t t t t t

j t t t q t t t t t q t t LAW-MWE-CxG-2018 @ COLING 2018 t q t q t t t t t q t t t t t

q q q t t q t t t t q t t t t t q t t t t t q t to Enhanced Universal Dependencies t t t q t t t t q t From Lexical Functional Grammar t t t q t t t t t q t Adam Przepirkowski and Agnieszka Patejuk t t q t t t q j t t

689 views • 37 slides

More recommend