Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
High FIVE: Samsung integrity protection of Android applications Volodymyr Shanoilo, CISSP Samsung R&D Institute Ukraine
CONTENTS • Integrity-affecting attack scenarios • Integrity of native and Java applications • Chain of Trust • Introductio...
INTRODUCTION
DEFINE INTEGRITY Data integrity – assurance of the accuracy and consistency of data System integrity – absence of unauthor...
IMPORTANCE • TrustZone apps need to verify authenticity and integrity of the client app • Highly secured device: kill all ...
ATTACK SCENARIOS • Modify main executable on disk – Runs whenever the modified app is launched – Runs with privileges of t...
ATTACK TARGETS Native components • System daemons • System utilities • System libraries Java components • System services ...
MITIGATION: NATIVE COMPONENTS • ELF is never modified • Located on read-only partition • Protected by dm-verity
MITIGATION: JAVA COMPONENTS apk is protected • Java apk is signed by a developer • Signature is verified at installation t...
ANDROID CHAIN OF TRUST
TrustZone CHAIN OF TRUST Bootloader ROM Secure Boot Key Secure Bootloader Bootloader Linux Kernel Android TIMA Periodic Ke...
SAMSUNG FIVEIle-based ntegrity rifier
COMPONENTS OF FIVE • Kernel module • Hooks to syscalls • Package Manager Patch • Android Run Time Patch • TrustZone applic...
NATIVE COMPONENTS PROTECTION • Signed at build time with RSA • FIVE kernel module hooks exec(), clone(), fork(), mmap() – ...
JAVA COMPONENTS • Application installation • Application start
Android JAVA COMPONENTS: INSTALLATION apk_signer Linux Kernel Kernel module SHA256 File for signing TrustZone HMAC Trusted...
Linux Kernel TrustZone Kernel module SHA256 Android JAVA COMPONENTS: APP START fork() File for check HMAC Trusted app stat...
App2App2 .so App1 .so.so JAVA COMPONENTS: MISUSE • Attack: substitute application components – Inject component of one apk...
LEVELS OF TRUST Preloaded – All objects RSA-signed or dm-verity protected Mixed – at least one object is HMAC-signed No in...
RUN-TIME PROTECTION • ptrace() and process_vm_writev() syscalls hooked • If a trace is detected, integrity is reset Malici...
LIMITATIONS • Trust to Kernel – Compromised kernel -> compromised FIVE • No protection against vulnerabilities in the appl...
Thank you! Icons used in the presentation are Designed by Freepik Designed by Yannick Lung Designed by fontawesome.com Des...
Nächste SlideShare
Wird geladen in …5
×

Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protection of Android applications

186 Aufrufe

Veröffentlicht am

Доповідь представить рішення з безпеки під назвою FIVE від компанії Samsung. Метою FIVE є моніторинг цілісності процесів Android та детектування зловмисних спроб модифікації оригінальних додатків та системних компонентів.
Ми поговоримо про можливі сценарії атак, спрямованих на цілісність додатків, зануримось у процес встановлення Java-додатків та розкажемо про проблеми, пов'язані з підрахунком та подальшою перевіркою цілісності нативних та Java програм. Наостанок ми покажемо, як саме FIVE захищає цілісність Android-додатків на телефонах Samsung.

Veröffentlicht in: Bildung
no profile picture user

  • Loggen Sie sich ein, um Kommentare anzuzeigen.

Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protection of Android applications

  1. 1. High FIVE: Samsung integrity protection of Android applications Volodymyr Shanoilo, CISSP Samsung R&D Institute Ukraine
  2. 2. CONTENTS • Integrity-affecting attack scenarios • Integrity of native and Java applications • Chain of Trust • Introduction of FIVE solution • Conclusions
  3. 3. INTRODUCTION
  4. 4. DEFINE INTEGRITY Data integrity – assurance of the accuracy and consistency of data System integrity – absence of unauthorized modifications to the system Application integrity process memory integrity, ability of the app to do what it is supposed to do
  5. 5. IMPORTANCE • TrustZone apps need to verify authenticity and integrity of the client app • Highly secured device: kill all apps with broken integrity • Applications attestation
  6. 6. ATTACK SCENARIOS • Modify main executable on disk – Runs whenever the modified app is launched – Runs with privileges of the original app (can be System) – Trusted by a user • Modify shared library – Affects multiple applications – Harder to detect • Run-time modification
  7. 7. ATTACK TARGETS Native components • System daemons • System utilities • System libraries Java components • System services • .so modules (JNI) • User applications
  8. 8. MITIGATION: NATIVE COMPONENTS • ELF is never modified • Located on read-only partition • Protected by dm-verity
  9. 9. MITIGATION: JAVA COMPONENTS apk is protected • Java apk is signed by a developer • Signature is verified at installation time apk != installed app • Unpacking files to disk • Ahead of Time (AOT) optimization • No direct connection between original apk and installed app
  10. 10. ANDROID CHAIN OF TRUST
  11. 11. TrustZone CHAIN OF TRUST Bootloader ROM Secure Boot Key Secure Bootloader Bootloader Linux Kernel Android TIMA Periodic Kernel Measurements Signature Signature SignatureSignature https://images.samsung.com/is/content/samsung/p5/ch/business/enterprise-edition/Samsung_Knox_Whitepaper.pdf App FIVE TIMA Real-time Kernel Protection (Hypervisor)
  12. 12. SAMSUNG FIVEIle-based ntegrity rifier
  13. 13. COMPONENTS OF FIVE • Kernel module • Hooks to syscalls • Package Manager Patch • Android Run Time Patch • TrustZone application Linux Kernel TrustZone Android Kernel module Trusted app ART Patch Package Manager Patch Hooks
  14. 14. NATIVE COMPONENTS PROTECTION • Signed at build time with RSA • FIVE kernel module hooks exec(), clone(), fork(), mmap() – Signature checked at process start – Signature is checked at library mapping • dm-verity checks signature of /system and /vendor partitions • /system and /vendor partitions mounted as read-only
  15. 15. JAVA COMPONENTS • Application installation • Application start
  16. 16. Android JAVA COMPONENTS: INSTALLATION apk_signer Linux Kernel Kernel module SHA256 File for signing TrustZone HMAC Trusted app HMAC fcntl() fcntl() DUHK SHA256 dex2oat Package Manager .so apk dex Device-Unique Hardware Key (DUHK)
  17. 17. Linux Kernel TrustZone Kernel module SHA256 Android JAVA COMPONENTS: APP START fork() File for check HMAC Trusted app status DUHK SHA256 == HMAC ART mmap() fcntl() odex file .so file apk file hook hook ART Hooks Hooks Device-Unique Hardware Key (DUHK)
  18. 18. App2App2 .so App1 .so.so JAVA COMPONENTS: MISUSE • Attack: substitute application components – Inject component of one apk to another apk – All components are signed • Mitigation: use certificate record – HMAC – DUHK – Developer public key .so .so File HMAC Pub keySHA256 DUHK .so Certificate record
  19. 19. LEVELS OF TRUST Preloaded – All objects RSA-signed or dm-verity protected Mixed – at least one object is HMAC-signed No integrity – at least one object has no signature or is corrupted
  20. 20. RUN-TIME PROTECTION • ptrace() and process_vm_writev() syscalls hooked • If a trace is detected, integrity is reset Malicious Target App 010011010010 011110101101 110101010101 ptrace()
  21. 21. LIMITATIONS • Trust to Kernel – Compromised kernel -> compromised FIVE • No protection against vulnerabilities in the application itself – These attacks do not tamper integrity
  22. 22. Thank you! Icons used in the presentation are Designed by Freepik Designed by Yannick Lung Designed by fontawesome.com Designed by Zlatko Najdenovski under Creative Commons (Attribution 3.0 Unported) Designed by Alpár-Etele Méder under Creative Commons (Attribution 3.0 Unported)

×