[Slide 1] The Case for SE Android
Stephen Smalley, sds@tycho.nsa.gov
Trust Mechanisms (R2X), National Security Agency

[Slide 2] Android: What is it?
● Linux-based software stack for mobile devices.
● Very divergent from typical Linux.
  ● Almost everything above the kernel is different.
    – Dalvik VM, application frameworks
    – bionic C library, system daemons
    – init, ueventd
  ● Even the kernel is different.
    – Unique subsystems/drivers: Binder, Ashmem, ...
    – Hardcoded security checks.

[Slide 3] Binder & Ashmem
● Android-specific mechanisms for IPC and shared memory.
● Binder
  ● Primary IPC mechanism.
  ● Inspired by BeOS/Palm OpenBinder.
● Ashmem
  ● Shared memory mechanism.
  ● Designed to overcome limitations of existing shared memory mechanisms in Linux (debatable).

[Slide 4] Android Security Model
● Application-level permissions model.
  ● Controls access to app components.
  ● Controls access to system resources.
  ● Specified by the app writers and seen by the users.
● Kernel-level sandboxing and isolation.
  ● Isolates apps from each other and from the system.
  ● Prevents bypass of application-level controls.
  ● Relies on Linux discretionary access control (DAC).
  ● Normally invisible to the users and app writers.

[Slide 5] Discretionary Access Control (DAC)
● Typical form of access control in Linux.
● Access to data is entirely at the discretion of the owner/creator of the data.
● Some processes (e.g. uid 0) can override, and some objects (e.g. sockets) are unchecked.
● Based on user & group identity.
● Limited granularity, coarse-grained privilege.

[Slide 6] Android DAC
● Restrict use of system facilities by apps.
  ● e.g. bluetooth, network, storage access
  ● requires kernel modifications, “special” group IDs
● Isolate apps from each other.
  ● unique user and group ID per installed app
  ● assigned to app processes and files
● Hardcoded, scattered “policy”.

[Slide 7] SELinux: What is it?
● Mandatory Access Control (MAC) for Linux.
  ● Defines and enforces a system-wide security policy.
  ● Over all processes, objects, and operations.
  ● Based on security labels.
● Can confine flawed and malicious applications.
  ● Even ones that run as “root” / uid 0.
● Can prevent privilege escalation.

[Slide 8] How can SELinux help Android?
● Confine privileged daemons.
  ● Protect them from misuse.
  ● Limit the damage that can be done via them.
● Sandbox and isolate apps.
  ● Strongly separate apps from each other and from the system.
  ● Prevent privilege escalation by apps.
● Provide centralized, analyzable policy.

[Slide 9] What can't SELinux protect against?
● Kernel vulnerabilities in general.
  ● Although it may block exploitation of specific vulnerabilities. We'll see an example later.
  ● Other kernel hardening measures (e.g. grsecurity) can be used in combination with SELinux.
● Anything allowed by the security policy.
  ● Good policy is important.
  ● Application architecture matters.
    – Decomposition, least privilege.

[Slide 10] SE Android: Goals
● Improve our understanding of Android security.
● Integrate SELinux into Android in a comprehensive and coherent manner.
● Demonstrate useful security functionality in Android using SELinux.
● Improve the suitability of SELinux for Android.
● Identify other security gaps in Android that need to be addressed.

[Slide 11] Enabling SELinux in Android: Challenges
● Kernel
  ● No support for per-file security labeling (yaffs2).
  ● Unique kernel subsystems lack SELinux support.
● Userspace
  ● No existing SELinux support.
  ● All apps forked from the same process (zygote).
  ● Sharing through framework services.
● Policy
  ● Existing policies unsuited to Android.

[Slide 12] Enabling SELinux in Android: Kernel
● Implemented per-file security labeling for yaffs2.
  ● Using recent support for extended attributes (xattr).
  ● Enhanced to label new inodes at creation.
● Analyzed and instrumented Binder for SELinux.
  ● Permission checks on IPC operations.
  ● Sender security label information.
● To Do:
  ● Study and, if needed, instrument other Android-specific kernel subsystems (e.g. ashmem).
[Slide 13] Enabling SELinux in Android: SELinux Libraries/Tools
● Ported minimal subset of libselinux to Android.
  ● Added xattr syscalls to bionic.
  ● Removed glibc-isms from libselinux.
● Other libraries not required on the device.
  ● Policy can be built offline.
● Specific tools ported as needed.
  ● init built-in commands for use by init.rc
  ● toolbox extensions for use from shell

[Slide 14] Enabling SELinux in Android: Build Tools
● Filesystem images generated using special-purpose tools.
  ● mkyaffs2image, make_ext4fs
  ● no support for extended attributes / security labels
● Modified tools to label files in images.
  ● required understanding the on-disk format
  ● used to generate labeled /system and /data partitions

[Slide 15] Enabling SELinux in Android: init
● init / ueventd
  ● load policy, set enforcing mode, set context
  ● label sockets, devices, runtime files
● init.rc
  ● setcon, restorecon commands
  ● seclabel option

[Slide 16] Enabling SELinux in Android: Zygote, Installd
● zygote
  ● Modified to set SELinux security context for apps.
  ● Maps DAC credentials to a security context.
● installd
  ● Modified to label app data directories.
● To Do:
  ● Generalize assignment of security contexts.
  ● Augment existing policy checks with SELinux permission checks.

[Slide 17] Enabling SELinux in Android: Policy
● Confined domains for system daemons.
  ● Only kernel and init are unconfined.
● Parallel existing Android DAC model for apps.
  ● Use domains to represent system permissions.
  ● Use categories to isolate apps.
● Benefits:
  ● Small, fixed policy.
  ● No policy writing for app writers.
  ● Normally invisible to users.

[Slide 18] Enabling SELinux in Android: Current State
● Basic working prototype
  ● on the Android emulator
  ● on the Nexus S
● Kernel, userspace, and policy support
● Capable of enforcing some security goals.
● Still a long way from a complete solution.
  ● But let's see how well it does...

[Slide 19] Case Study: vold
● vold - Android volume daemon
  ● Runs as root.
  ● Manages mounting of disk volumes.
  ● Receives netlink messages from the kernel.
● CVE-2011-1823
  ● Does not verify that the message came from the kernel.
  ● Uses a signed integer from the message as an array index without checking for < 0.
● Demonstrated by the GingerBreak exploit.

[Slide 20] GingerBreak: Overview
● Collect information needed for exploitation.
  ● Identify the vold process.
  ● Identify addresses and values of interest.
● Send carefully crafted netlink message to vold.
  ● Trigger execution of exploit binary.
  ● Create a setuid-root shell.
● Execute setuid-root shell.
● Got root
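The two defects the vold slide attributes to CVE-2011-1823 (no check that the netlink message came from the kernel, and a signed index used without a lower bound) each map to one input-validation check in the message handler. The C fragment below is an added illustration written for this page, not vold's code: it models an already-parsed uevent as a constructed struct in which sender_pid stands in for the nl_pid of the sockaddr_nl that recvmsg() fills in (the kernel's is 0), the volume table is a constructed stand-in for vold's configuration, and the subsystem name "block" is an assumed filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed table of mountable volumes; empty slots hold NULL. */
#define MAX_VOLUMES 4
static const char *volumes[MAX_VOLUMES] = { "/mnt/sdcard", "/mnt/usb", NULL, NULL };

/* Constructed stand-in for a parsed netlink uevent. In a real daemon sender_pid
 * would come from the netlink source address; messages originating in the kernel
 * carry nl_pid == 0, anything else was sent by a userspace process. */
struct uevent_msg {
    uint32_t sender_pid;
    const char *subsystem;
    int partition_index;   /* signed, copied straight from the message body */
};

/* The defect pattern on the slide is "volumes[m->partition_index]" with neither the
 * sender nor the sign of the index checked; a negative index reads before the table.
 * Hardened handler: returns 0 and sets *out on success, -1 if the event is rejected. */
int handle_volume_event(const struct uevent_msg *m, const char **out)
{
    *out = NULL;
    if (m == NULL || m->subsystem == NULL)
        return -1;
    /* Check 1: only the kernel (nl_pid 0) may originate uevents. */
    if (m->sender_pid != 0)
        return -1;
    if (strcmp(m->subsystem, "block") != 0)
        return -1;
    /* Check 2: bound the signed index on both sides before it touches the table. */
    if (m->partition_index < 0 || m->partition_index >= MAX_VOLUMES)
        return -1;
    if (volumes[m->partition_index] == NULL)
        return -1;                      /* slot exists but holds no volume */
    *out = volumes[m->partition_index];
    return 0;
}
```

Note that the sender check is the one SELinux cannot substitute for: a confined vold limits what a compromised vold can do afterwards, but the daemon still has to refuse spoofed netlink input itself.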
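The zygote and policy slides (16 and 17) state that the zygote maps an app's DAC credentials to a security context, that domains stand for system permissions, and that MLS categories isolate apps from one another. The C function below is an added illustration for this page, not the zygote's or libselinux's code: the domain names untrusted_app and platform_app are assumed, the rule that derives two categories from the per-app id is one assumed scheme that keeps every app's level distinct, and the uid-to-appid convention follows the per-app uid model of slide 6.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Android convention: uids from AID_APP upward are handed out one per installed app. */
#define AID_APP 10000u

/* Assumed domain names; the deck does not list the domains its policy defines. */
static const char *domain_for(int platform_signed)
{
    return platform_signed ? "platform_app" : "untrusted_app";
}

/* Derive an SELinux context for an app process from its DAC uid.
 * The domain encodes the app's permission class; the MLS level carries two
 * categories derived from the app id, so no two apps end up with the same level
 * and the policy can keep their files and processes apart.
 * Returns 0 on success, -1 if uid is not an app uid or the buffer is too small. */
int app_security_context(unsigned uid, int platform_signed, char *out, size_t outlen)
{
    if (uid < AID_APP)
        return -1;                          /* system uids are not labelled by this rule */
    unsigned appid = uid - AID_APP;
    if (appid > 0xffffu)
        return -1;                          /* two 8-bit category blocks address 65536 apps */
    unsigned c_low  = appid & 0xffu;        /* first block:  c0   .. c255 */
    unsigned c_high = 256u + (appid >> 8);  /* second block: c256 .. c511 */
    int n = snprintf(out, outlen, "u:r:%s:s0:c%u,c%u",
                     domain_for(platform_signed), c_low, c_high);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The shape matches the policy slide's claim that app writers never touch policy: the context is computed entirely from credentials the system already assigns, so the policy stays small and fixed while still separating every app.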