
Beyond Kernel-level Integrity Measurement: Enabling Remote Attestation for the Android Platform






Presentation Transcript


  1. Beyond Kernel-level Integrity Measurement: Enabling Remote Attestation for the Android Platform Mohammad Nauman, Sohail Khan, Xinwen Zhang, Jean-Pierre Seifert TU Berlin & Deutsche Telekom Laboratories, Berlin, Germany jpseifert@sec.t-labs.tu-berlin.de

  2. Agenda • Android introduction • Problem motivation • Solution proposal • Evaluation / Measurement numbers • Q & A

  3. Android introduction

  4. Android Introduction A framework for mobile devices

  5. Android Introduction A framework for mobile devices Backed by many industry leaders

  6. Significance of Android “AdMob: Android Passes iPhone Web Traffic In U.S” http://techcrunch.com/2010/04/27/admob-android-passes-iphone-web-traffic-in-u-s/

  7. Android Architecture

  8. Problem motivation

  9. Problem motivation
     Primary Use Case
     • Consider an organization that provides its employee, say Angela, with a G1 handset running several applications that she might require for carrying out her job responsibilities.
     • The employer, being the owner of the device, allows Angela to install applications that she might need for her daily use.
     • However, since the organization releases sensitive information to Angela's mobile, it is required that the integrity of Angela's Android is intact and that there is no malicious software or application running on the mobile device.
     • Otherwise, sensitive information could be leaked, …
     Let's see a real life example!

  10. proudly presents Chancellor Angela Merkel

  11. The problem

  12. Android's Dalvik Problem
     Establish the trustworthiness of an Android-powered mobile device
     • (Phone, tablet, netbook, …)
     Traditional approach of signing applications doesn’t work
     • “All applications are created equal”
     Existing approaches towards remote attestation fail
     • All application code is “dex” – invisible to the kernel
     Dex code executed by the Dalvik VM
     • Even if the VM is benign, the application running on top of it may be malicious

  13. Solution proposal

  14. Solution
     Extend the chain-of-trust to within the VM
     • (Just as IMA extended it from the pre-bootloader to within the OS)
     Choices:
     • Measure all loaded applications
     • Measure all loaded classes

  15. Attestation Architecture Angela´s Employer

  16. Basic requirements
     Establishment of a chain-of-trust
     Basic TPM/MTM replacement
     • The TPM replacement implements basic functionality
     • Meant to serve as a placeholder
     • (earlier efforts at MTM/TPM implementation on mobiles …)
     (Slightly) modified IMA code
     • Communicate with the TPM replacement instead of the non-existent TPM

  17. Small IMA extensions
     Beside the communication with our TPM, we have not modified any functionality of IMA.
     • It measures all executables loaded on the Android platform by the Linux operating system.
     • This includes the Android VM as well as any libraries
     • (such as libdvm.so, libandroid-runtime.so and libandroid-system.so).
     This ensures that all the executables loaded outside the Dalvik virtual machine, as well as the native code of Dalvik itself, get measured and stored in the Stored Measurement Log (SML).
     Similarly, the semantics of the SML are also unmodified.
     • This is because we opted not to interleave the Linux executable hashes with the Dalvik executable hashes but keep the two logs separate.
     The aggregate up to the point of the Dalvik load is stored in the Android Measurement Log (AML).
     Once the chain of trust up to the Dalvik virtual machine is established, we provide two alternatives for measurement of code that is loaded on top of the Dalvik VM.

  18. Application Level Attestation
     Modify the Application Framework Layer to measure all loaded .apk files – packages
     • (Implementation details in the paper)
     Incomplete! Chain of trust breaks as the application framework layer itself isn’t measured/stored in the PCR
     More is required!

  19. Class level attestation
     Measure all loaded classes
     Different from IMA because:
     • Classes can come from arbitrary sources
     • Internet, local streams, files …
     • Same class files can reside in multiple jars (dex in case of Android)
     For example, an application may write a class loader that reads from a byte stream to load a class.
     • This is substantially unlike the Linux/IMA scenario in which all executables are loaded from the filesystem.
     • It is therefore possible in Linux to measure an executable before it is loaded.
     In case of Dalvik (or any Java-based VM), this is not always possible because of arbitrary class loaders.
     It is for this reason that the semantics of our binary attestation are:
     • we measure a class after it is loaded but before it can be executed!

  20. Class level attestation VM level implementation Selected Hash computed over the complicated class structure:
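The semantics of slides 19 and 20 (measure the loaded class structure, not the medium it came from, and do so before anything can execute) can be shown with a toy loader. The following is an added example, not code from the paper or from the authors' Dalvik modification: it uses Python code objects as a stand-in for the Dalvik class structure, SHA-1 as the digest (matching the 40-hex-digit entries on slide 21), and a hypothetical `MeasuringLoader` whose `reference` set of known-good digests is an assumption of this example. Because the digest is taken over what was actually loaded, the time-of-measurement / time-of-use gap mentioned on slide 25 does not arise: there is no file that could change between hashing and loading.

```python
import hashlib
import types
from dataclasses import dataclass, field
from typing import Optional


def structure_bytes(code: types.CodeType) -> bytes:
    """Serialize the behaviour-defining parts of a loaded code object.

    Stand-in for hashing the Dalvik class structure: name, bytecode, names,
    constants and nested code (method bodies) are walked recursively, so the
    digest covers what the VM will run, not the bytes on some medium.
    """
    parts = [
        code.co_name.encode(),
        bytes(code.co_code),
        repr(code.co_names).encode(),
        repr(code.co_varnames).encode(),
    ]
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            parts.append(structure_bytes(const))   # method / nested class bodies
        else:
            parts.append(repr(const).encode())
    return b"\x00".join(parts)


@dataclass
class MeasuringLoader:
    """Hypothetical loader: measure after load, before execution (slide 19)."""
    aml: list = field(default_factory=list)      # (SHA-1 hex, descriptor), append-only
    reference: Optional[set] = None              # known-good digests; None = log only

    def load_class(self, descriptor: str, source: bytes) -> dict:
        # 'source' may come from a file, a socket or an in-memory stream; we never
        # hash the stream itself, only the structure the VM has actually loaded.
        code = compile(source, descriptor, "exec")
        digest = hashlib.sha1(structure_bytes(code)).hexdigest().upper()
        self.aml.append((digest, descriptor))    # logged unconditionally, as IMA does
        if self.reference is not None and digest not in self.reference:
            # Enforcement is optional; attestation only needs the log entry.
            raise PermissionError(f"unmeasured class refused: {descriptor} {digest}")
        namespace: dict = {}
        exec(code, namespace)                    # execution happens only after measurement
        return namespace


if __name__ == "__main__":
    # Constructed sample "class" delivered as a byte stream, as on slide 19.
    loader = MeasuringLoader()
    ns = loader.load_class("Lcom/example/Hello;", b"class Hello:\n    def greet(self):\n        return 'hi'\n")
    print(ns["Hello"]().greet())
    for digest, descriptor in loader.aml:
        print(digest, descriptor)
```

The enforcement branch is a policy choice layered on top of measurement; the slides only require that the entry reaches the AML before execution, which the unconditional `append` guarantees.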

  21. Android Measurement Log: capturing the hash of the class and its descriptor
     133A57C0CB942D5F74376BD6A89A3DD98EAB4886 vmaggregate
     …
     4FC88626E94A631D9FF4BD7C39C57F6EA8847C3F Landroid/widget/AbsListView;
     FC060385A2B800175CE68D96AFC4A49E965A8E8F Landroid/widget/AbsListView$CheckForLongPress;
     8863C28E92E47E3B38BAAD68BA489C893D24912D Landroid/widget/AbsListView$CheckForTap;
     B1DBC173355024025D79614CA72A4E6A6DA7DD3A Landroid/widget/AbsListView$LayoutParams;
     23B710A1C427555733403F095C20865554B7CB85 Landroid/widget/AbsListView$PerformClick;
     22A21B6943A575D4A47499EAEA60B9E6970A06C8 Landroid/widget/AbsListView$RecycleBin;
     A12A6EFC33FB485769ED9914428DF19DEC67F4B5 Landroid/widget/AbsListView$SavedState;
     59517950D7280DC0CB4517B40E812D9E2B1BAFB2 Landroid/widget/AbsListView$SavedState$1;
     A4A5A5D0D44B5D3AF19427D5F7B09D43CDD7F4A1 Landroid/widget/AbsSeekBar;
     665C10F925950A4E9F65EBBF26D629453DD5D4B2 Landroid/widget/AbsSpinner;
     69CEB9E9ED1398EFFF0C2C0705C7D45506481BA1 Landroid/widget/AbsoluteLayout;
     457F0C258A8B76B4C03C3A89B1B7BAC8E306ECA1 Landroid/widget/AbsoluteLayout$LayoutParams;
     8E84D83A9BFE50BDC7F41714769AB48CE55E208D Landroid/widget/AdapterView;
     AE8BB8B2E8585395EB697DC8403C3EC1E2BFF7ED Lcom/android/internal/telephony/Phone;
     5CB11877BF82DA663722AFBF19CB3DE2DBC03F3B Lcom/android/internal/telephony/Phone$State;
     AE1700E2564503F96ED5D277B2E5D886A12E68EA Lcom/android/internal/telephony/PhoneBase;
     …
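On the employer's side (slide 15), the AML above is only useful if the challenger can validate it: the first entry must equal the aggregate the kernel-side SML produced up to the Dalvik load (slide 17), the whole log must replay to the PCR value the device quotes, and every class digest must be known-good. The following verifier is an added example, not the authors' or the paper's code. It copies a few entries from the slide 21 excerpt as its sample log, assumes the standard TPM PCR-extend rule that IMA uses (PCR' = SHA-1(PCR || digest), starting from all zeros), and assumes the signed quote has already been checked against the device's attestation key before `verify` is called; the `vmaggregate`/reference values passed in the demo are constructed from the sample itself.

```python
import hashlib
from dataclasses import dataclass, field

# Entries copied from the AML excerpt on slide 21: "<SHA-1 hex> <descriptor>".
# The first entry is the aggregate carried over from the kernel-side SML (slide 17).
SAMPLE_AML = """\
133A57C0CB942D5F74376BD6A89A3DD98EAB4886 vmaggregate
4FC88626E94A631D9FF4BD7C39C57F6EA8847C3F Landroid/widget/AbsListView;
FC060385A2B800175CE68D96AFC4A49E965A8E8F Landroid/widget/AbsListView$CheckForLongPress;
8863C28E92E47E3B38BAAD68BA489C893D24912D Landroid/widget/AbsListView$CheckForTap;
AE8BB8B2E8585395EB697DC8403C3EC1E2BFF7ED Lcom/android/internal/telephony/Phone;
AE1700E2564503F96ED5D277B2E5D886A12E68EA Lcom/android/internal/telephony/PhoneBase;
"""


def parse_aml(text: str) -> list:
    """Return [(digest_bytes, descriptor)], rejecting malformed lines outright."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            hexdigest, descriptor = line.split(maxsplit=1)
            digest = bytes.fromhex(hexdigest)
        except ValueError as exc:
            raise ValueError(f"AML line {lineno} malformed: {line!r}") from exc
        if len(digest) != 20:
            raise ValueError(f"AML line {lineno}: expected a 20-byte SHA-1 digest")
        entries.append((digest, descriptor.strip()))
    return entries


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend as IMA uses it (assumed here): PCR' = SHA-1(PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def compute_pcr(entries) -> bytes:
    """Replay the log into a PCR value, starting from the all-zero reset state."""
    pcr = bytes(20)
    for digest, _ in entries:
        pcr = extend(pcr, digest)
    return pcr


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)
    unknown: list = field(default_factory=list)   # descriptors not in the reference DB


def verify(aml_text: str, quoted_pcr: bytes, expected_vmaggregate: bytes, reference: set) -> Verdict:
    """Challenger-side check of an AML against a (pre-authenticated) PCR quote."""
    try:
        entries = parse_aml(aml_text)
    except ValueError as exc:
        return Verdict(ok=False, reasons=[str(exc)])
    v = Verdict(ok=True)
    if not entries or entries[0][1] != "vmaggregate":
        return Verdict(ok=False, reasons=["first AML entry must be vmaggregate"])
    if entries[0][0] != expected_vmaggregate:
        v.ok = False
        v.reasons.append("vmaggregate does not match the kernel-side SML aggregate")
    if compute_pcr(entries) != quoted_pcr:
        v.ok = False
        v.reasons.append("replayed PCR differs from quoted PCR (log tampered or truncated)")
    for digest, descriptor in entries[1:]:
        if digest.hex().upper() not in reference:
            v.unknown.append(descriptor)
    if v.unknown:
        v.ok = False
        v.reasons.append(f"{len(v.unknown)} class(es) not in the reference database")
    return v


if __name__ == "__main__":
    # Constructed "good" state: quote and reference DB derived from the sample itself.
    entries = parse_aml(SAMPLE_AML)
    quote = compute_pcr(entries)
    reference = {d.hex().upper() for d, _ in entries[1:]}
    print(verify(SAMPLE_AML, quote, entries[0][0], reference))
    print(verify(SAMPLE_AML.replace("4FC88626", "00000000"), quote, entries[0][0], reference))
```

The replay check is what makes the log trustworthy: a device can append or rewrite AML lines, but it cannot make an altered log replay to the PCR value the TPM (or its placeholder) signed. Unknown-class reporting is separate from that, so an operator can distinguish a forged log from a merely unrecognized application.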

  22. Evaluation / Measurement numbers

  23. Evaluation for Android cupcake Application-level results: Caching is helping here to mediate that time overhead! Faster hw hashing would be helpful – instead of JAVA! Power consumption, …

  24. Evaluation for Android cupcake Class-level results: Caching is helping here to mediate that time overhead! Faster hw hashing would be helpful – instead of JAVA! Power consumption, …

  25. Other points to note
     TPM is just a placeholder.
     • We’re waiting for an MTM implementation
     Bootloader needs modification for a full chain-of-trust.
     The new Android Scripting Support isn’t supported yet.
     • Another reason why IMA can’t work … but our architecture fails here too
     Time-of-measurement / time-of-use race condition was a major concern in the original IMA technique.
     • The issue is that when reading from a filesystem, the file may change after it is measured but before it gets loaded for execution.
     • Since we measure classes or applications only after they are loaded and not from the filesystem, our architecture does not suffer from this drawback.

  26. Thank you for your attention! Questions?
