1 / 43

Securing a mobile platform from the ground up

Securing a mobile platform from the ground up. Rich Cannings <richc@google.com> Alex Stamos <alex@isecpartners.com>. Overview. Why care about mobile security? What is Android? How do I develop on Android? Android Market What about Security? Cornerstones of Android security Prevention

gloriann
Télécharger la présentation

Securing a mobile platform from the ground up

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing a mobile platform from the ground up Rich Cannings <richc@google.com> Alex Stamos <alex@isecpartners.com>

  2. Overview • Why care about mobile security? • What is Android? • How do I develop on Android? • Android Market • What about Security? • Cornerstones of Android security • Prevention • Minimization • Detection • Reaction

  3. Overview • Why care about mobile security? • What is Android? • How do I develop on Android? • Android Market • What about Security? • Cornerstones of Android security • Prevention • Minimization • Detection • Reaction

  4. Some Statistics • 6.77 billion people[1] • 1.48 billion Internet enabled PCs[2] • 4.10 billion mobile phones[1] • Mobile phone replacement rate • 12-18 month average[3] • 1.1 billion mobile phones are purchased per year[4] • 13.5% of mobile phone sales are smartphones[5] • The number of smartphones will soon compare with the number of Internet enabled PCs [1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook) [2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1 [3]  [4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp [5] http://www.gartner.com/it/page.jsp?id=985912

  5. Mobile Security is Getting Interesting • Techniques for desktop analysis are more useful to smart phones • Mobile networks can now be easily manipulated •  From phones: • Miller, Lackey, Miras at BlackHat 2009 • From false base stations: • http://openbts.sourceforge.net/

  6. Mobile Security Matures We are now seeing attacks against all layers of mobile infrastructure: • Applications • Platform • OS • Baseband • Network

  7. Mobile Security Matures We are now seeing attacks against all layers of mobile infrastructure: • Applications • Platform • OS • Baseband • Network Mobile devices must be treated as fully fledged computers. Do not assume they are "special".

  8. Overview • Why care about mobile security? • What is Android? • How do I develop on Android? • Android Market • What about Security? • Cornerstones of Android security • Prevention • Minimization • Detection • Reaction

  9. The Android Platform • Free, open source mobile platform • Source code at http://source.android.com • Any handset manufacturer or hobbyist can install • Any developer can use • SDK at http://developer.android.com • Empower users and developers

  10. The Android Technology Stack • Linux kernel • Relies upon 90+ open source libraries • Integrated WebKit based browser • SQLite for structured data storage • OpenSSL • BouncyCastle • libc based on OpenBSD • Apache Harmony • Apache HttpClient • Supports common sound, video and image codecs • API support for handset I/O • Bluetooth, EDGE, 3G, wifi • Camera, Video, GPS, compass, accelerometer,            sound, vibrator

  11. Overview • Why care about mobile security? • What is Android? • How do I develop on Android? • Android Market • What about Security? • Cornerstones of Android security • Prevention • Minimization • Detection • Reaction

  12. Android Development • Java applications are composed of: • Activities • Visual user interface for one focused endeavor

  13. Android Development • Java applications are composed of: • Activities • Visual user interface for one focused endeavor • Services • Runs in the background for an indefinite period of time

  14. Android Development • Java applications are composed of: • Activities • Visual user interface for one focused endeavor • Services • Runs in the background for an indefinite period of time • Intents • Asynchronous messaging • URL dispatching on steroids • Glues many Activities and Services together to make an application • Provides interactivity between applications

  15. Example Email Application

  16. Application Lifecycle • Designed to protect battery life

  17. Application Lifecycle • Designed to protect battery life • Activities live on a stack

  18. Application Lifecycle • Designed to protect battery life • Activities live on a stack

  19. Application Lifecycle • Designed to protect battery life • Activities live on a stack • Background activities can be killed at any moment

  20. Application Lifecycle • Designed to protect battery life • Activities live on a stack • Background activities can be killed at any moment • The platform makes it easy for developers to code applications that are killed at any moment without losing state • Helps with DoS issues

  21. Android Market • Connects developers with users • Darwinian environment • Good applications excel  • Bad applications forgotten • ~10,000 applications on Market • Balance of openness and security • Not the only way to install apps • Not a walled garden • Developers self-sign applications • For updating • Uses Java's keytool and jarsigner

  22. Application Signing Why self signing? • Market ties identity to developer account • CAs have had major problems with fidelity in the past • No applications are trusted.  No "magic key" What does signing determine? • Shared UID for shared keys • Self-updates

  23. Overview • Why care about mobile security? • What is Android? • How do I develop on Android? • Android Market • What about Security? • Cornerstones of Android security • Prevention • Minimization • Detection • Reaction

  24. Security Philosophy • Finite time and resources • Humans have difficulty understanding risk • Safer to assume that • Most developers do not understand security • Most users do not understand security • Security philosophy cornerstones • Need to prevent security breaches from occurring • Need to minimize the impact of a security breach • Need to detect vulnerabilities and security breaches • Need to react to vulnerabilities and security breaches swiftly

  25. Prevent • 5 million new lines of code • Uses almost 100 open source libraries • Android is open source ⇒ can't rely on obscurity • Teamed up with security experts from • Google Security Team • iSEC Partners • n.runs • Concentrated on high risk areas • Remote attacks • Media codecs • New/custom security features • Low-effort/high-benefit features • ProPolice stack overflow protection • Heap protection in dlmalloc

  26. dlmalloc • Heap consolidation attack • Allocation meta-data is stored in band • Heap overflow can perform 2 arbitrary pointer overwrites • To fix, check: • b->fd->bk == b • b->bk->fd == b

  27. WebKit Heap Overflow

  28. Minimize • We cannot rely on prevention alone • Vulnerabilities happen • Users will install malware • Code will be buggy • How can we minimize the impact of a security issue? • My webmail cannot access my banking web app • Same origin policy • Why can malware access my browser? my banking info? • Extend the web security model to the OS

  29. Minimize • Traditional operating system security • Host based • User separation • Mobile OSes are for single users • User separation is like a "same user policy" • Run each application in its own UID is like a "same application policy"  • Privilege separation • Make privilege separation relatively transparent to the developer

  30. Application Sandbox • Each application runs within its own UID and VM • Default privilege separation model • Instant security features • Resource sharing • CPU, Memory • Data protection • FS permissions • Authenticated IPC • Unix domain sockets • Place access controls close to the resource, not in the VM

  31. Application Sandbox • Place access controls close to the resource • Smaller perimeter ⇒ easier to protect • Default Linux applications have too much power • Lock down user access for a "default" application • Fully locked down applications limit innovation • Relying on users making correct security decisions is tricky

  32. Permissions • Whitelist model • Allow minimal access by default • Allow for user accepted access to resources • Ask users less questions • Make questions more understandable • 194 permissions • More ⇒ granularity • Less ⇒ understandability

  33. More Privilege Separation • Media codecs are very complex ⇒ very insecure • Won't find all the issues media libraries • Banish OpenCore media library to a lesser privileged process • mediaserver • Immediately paid off • Charlie Miller reported a vulnerability in our MP3 parsing • oCERT-2009-002

  34. Detect • A lesser-impact security issue is still a security issue • Internal detection processes • Developer education • Code audits • Fuzzing • Honeypot • Everyone wants security ⇒ allow everyone to detect issues • Users • Developers • Security Researchers

  35. External Reports • Patrick McDaniel, William Enck, Machigar Ongtang • Applied formal methods to access SMS and Dialer • Charlie Miller, John Hering • Outdated WebKit library with PCRE issue • XDA Developers • Safe mode lock screen bypass • Charlie Miller, Collin Mulliner • MP3, SMS fuzzing results • Panasonic, Chris Palmer • Permission regression bugs • If you find a security issue, please email security@android.com

  36. User Reporting

  37. A User Report • MemoryUp: mobile RAM optimizer • faster, more stable, more responsive, less waiting time • not quite

  38. React • Autoupdaters are the best security tool since Diffie-Hellman • Every modern operating system should be responsible for: • Automatically updating itself • Providing a central update system for third-party applications • Android's Over-The-Air update system (OTA) • User interaction is optional • No additional computer or cable is required • Very high update rate

  39. Shared UID Regression • Shared UID feature • Malware does not hurt computers, malware authors do • Two applications are signed ⇒ can share UIDs • More interactivity • Panasonic reported that shared UID was broken • If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser • Breaks Application Sandbox

  40. Update Process • 2009-05-14 • Panasonic reported the issue • Patched the issue, wrote regression tests • 2009-05-15 • Kicked off internal audit • Built and tested every flavour of Android • Coordinated a public response with the reporter, carriers, PR and oCERT • 2009-05-21 • Received critical-mass approval • 2009-05-22 • OTAed users, rolled out patches to factories, SDK, and open source • Released advisory (oCERT-2009-006)

  41. Not over yet! • 2009-07-06 • Completed audit and tests • Coordinated a public response with, carriers, PR and oCERT • 2009-07-15 • Received critical-mass approval • 2009-07-16 • OTAed users, rolled out patches to factories, SDK, and open source • 2009-07-16 • Released advisory (oCERT-2009-011)

  42. Conclusion • Security • an ongoing process • not a checkbox • Process • Prevent • Minimize • Detect • React

  43. Questions? • Find a security issue? • Email security@android.com • Want to contribute code? • Visit http://source.android.com • Add me as a code reviewer! • Want to write an Android application? • Visit http://developer.android.com • Want to email us? • Email richc@google.com or alex@isecpartners.com • We are both hiring

More Related