Taming the Robot


(1)

© Weiss

Technische Universität Berlin

FG Security in Telecommunications

Taming the Robot: Efficient Sand-boxing of the Android OS

Steffen Liebergeld, March 22nd, 2011

(2)

Outline

Introduction

Virtualization

Microkernels

L4Linux

L4 Android

Conclusion

(3)

Introduction

Open Source

Custom 3rd party Apps

Linux kernel

New business models

Insufficient security policies

Software not up-to-date

Linux kernel
– Outdated
– Custom drivers
– Recent study found 88 flaws

(4)

Android Security – Press Coverage

Apps found to “leak” private data

“Infected” Android Apps discovered in Android Market
– Downloaded > 50.000 times
– Sent private information to the attacker

Android Trojan to send (expensive) premium SMS

Study using static code analysis found 88 critical flaws in the kernel

(5)

Security Analysis

Android kernel at the lowest layer in software stack
– Critical to availability, confidentiality and integrity
– In TCB of all components
– Insufficient access control mechanisms
• ACLs, Users, Groups...

Kernel contains about 14 million SLOC
– Device drivers
– Protocol stacks (e.g. network)
– Filesystems

No in-kernel isolation
– Any vulnerability is fatal

[Figure: Android software stack. Hardware (CPU, Memory, Devices); Kernel with Flash Driver, Display Driver, Camera Driver, Wifi Driver and Power Mgmt; Libraries (Surface Manager, WebKit, bionic, ...) and Android Runtime (Dalvik VM); Application Framework (Window Manager, ...); applications (Browser, Contacts, Phone). A fault in the kernel affects every layer above it.]

(6)

Virtualization

Flaws inherent in the Android architecture
– Android not suited for high-security applications

Solution: Sand-boxing, Virtualization
– Take Android vulnerabilities into account
– … but limit their effects

[Figure: Android Software Stack and Android Kernel running directly on the Hardware (CPU, Memory, Devices).]

(7)

Virtualization

Ability to run multiple instances of Android concurrently on one device

Enables new opportunities for preventive security measures:

– Out-of-band security analysis

– Run security sensitive tasks besides Android (e.g. smartcard services, micropayment)

– Arbitrate hardware access

– Multiple Androids with different security clearances

[Figure: Hypervisor on the Hardware (CPU, Memory, Devices) running several VMs, each with its own Android Kernel and Android Software Stack.]

(8)

Virtualization – Problems

Virtualization layer is new attack vector

Smart phone CPUs not virtualizable

Performance

Needs to be done right!

[Figure: Hypervisor on the Hardware (CPU, Memory, Devices) running two VMs, each with an Android Kernel and Android Software Stack; the hypervisor layer is the new attack surface.]

(9)

Microkernels

Design principles

– Implement only functionality in kernel that cannot be implemented at user level
– Hardware enforced isolation boundaries (Address spaces)

– Fast, explicit communication (IPC)

– Secure access control mechanism (Object capabilities)

Benefits:

– Flexibility: enable per-application resource allocation strategies
– Limit scope of faults

– Control information flow

– Tailored TCB for individual applications

Added benefits

– Execute real-time applications beside non-real-time applications
– Supports virtual machines

Forms a secure basis for our approach

(10)

L4Linux – Solving the Performance Problem

Many smartphone CPUs not natively virtualizable
– Emulation (slow)
– Binary translation (slow, huge effort)
– De-privileging (good performance, but large initial porting effort)

L4Linux:
– Port of the Linux kernel
– Runs in its own address space
– Binary compatible at Linux kernel ABI
– Applicable to non-virtualizable platforms

[Figure: Microkernel on the hardware; L4Linux kernel running Firefox and Gimp in its address space, alongside Infrastructure, a Secure App and a Native App running directly on the microkernel.]

(11)

L4 Android

Effort to transform stock L4Linux into L4Android
– Make L4Linux run Android userland

Adaptations:
– Port of Android code to current L4Linux
– Packaging of Android userland into ramdisk
– Lots and lots of debugging

State of the Art:
– L4 Android works (proof of concept)
– Donut (1.6), Eclair (2.1) and Froyo (2.2) supported
– Used as research vehicle

Work in progress:

– Virtualize mass storage, modem

– Implement fast and stable graphics driver

– Design secure GUI

(12)

L4android.org

Open Source Project

Website: l4android.org

DEMO

(13)

Conclusion

Virtualization can help with security
– (if implemented correctly)

Microkernel forms a suitable basis
– Provides isolation
– Allows isolated high-security components (micropayment, smartcard)

L4 Android

– Efficient virtualized Android

– Out-of-band security measures possible

(14)


Thank you!

(15)

References

http://www.heise.de/security/meldung/Apps-telefonieren-nach-Hause-Update-1047796.html

http://www.heise.de/security/meldung/Google-entfernt-ueber-50-infizierte-Apps-aus-dem-Android-Market-1200662.html

http://www.heise.de/security/meldung/Erster-SMS-Trojaner-fuer-Android-gesichtet-1053377.html

http://www.coverity.com/html/press/coverity-scan-2010-report-reveals-high-risk-software-flaws-in-android.html
