The talk presents a security solution from Samsung called FIVE. The purpose of FIVE is to monitor the integrity of Android processes and to detect malicious attempts to modify original applications and system components.
We will discuss possible attack scenarios targeting application integrity, dive into the installation process of Java applications, and describe the problems related to computing and subsequently verifying the integrity of native and Java programs. Finally, we will show exactly how FIVE protects the integrity of Android applications on Samsung phones.
Embedded Fest 2019. Volodymyr Shanoilo. High FIVE: Samsung integrity protection of Android applications
1. High FIVE:
Samsung integrity protection of Android applications
Volodymyr Shanoilo, CISSP
Samsung R&D Institute Ukraine
2. CONTENTS
• Integrity-affecting attack scenarios
• Integrity of native and Java applications
• Chain of Trust
• Introduction of FIVE solution
• Conclusions
4. DEFINE INTEGRITY
Data integrity – assurance of the accuracy and consistency of data
System integrity – absence of unauthorized modifications to the system
Application integrity – process memory integrity, ability of the app to do what it is supposed to do
5. IMPORTANCE
• TrustZone apps need to verify authenticity and integrity of the client app
• Highly secured device: kill all apps with broken integrity
• Applications attestation
6. ATTACK SCENARIOS
• Modify main executable on disk
– Runs whenever the modified app is launched
– Runs with privileges of the original app (can be System)
– Trusted by a user
• Modify shared library
– Affects multiple applications
– Harder to detect
• Run-time modification
7. ATTACK TARGETS
Native components
• System daemons
• System utilities
• System libraries
Java components
• System services
• .so modules (JNI)
• User applications
9. MITIGATION: JAVA COMPONENTS
apk is protected
• Java apk is signed by a developer
• Signature is verified at installation time
apk != installed app
• Unpacking files to disk
• Ahead of Time (AOT) optimization
• No direct connection between original apk and installed app
13. COMPONENTS OF FIVE
• Kernel module
• Hooks to syscalls
• Package Manager Patch
• Android Run Time Patch
• TrustZone application
[Diagram: Linux Kernel (Kernel module, Hooks) | Android (ART Patch, Package Manager Patch) | TrustZone (Trusted app)]
14. NATIVE COMPONENTS PROTECTION
• Signed at build time with RSA
• FIVE kernel module hooks exec(), clone(), fork(), mmap()
– Signature checked at process start
– Signature is checked at library mapping
• dm-verity checks signature of /system and /vendor partitions
• /system and /vendor partitions mounted as read-only
17. JAVA COMPONENTS: APP START
[Diagram: on fork(), ART's mmap() and fcntl() calls on the apk, odex and .so files pass through the kernel-module hooks; the kernel module computes the SHA256 of the file for check, the Trusted app in TrustZone computes the HMAC with the Device-Unique Hardware Key (DUHK), compares it with the stored value (SHA256 == HMAC) and returns the status to Android]
18. JAVA COMPONENTS: MISUSE
• Attack: substitute application components
– Inject component of one apk to another apk
– All components are signed
• Mitigation: use certificate record
– HMAC
– DUHK
– Developer public key
[Diagram: App1 and App2, each with its own .so modules; a certificate record binds a .so File to its SHA256, the developer Pub key and the DUHK through an HMAC]
19. LEVELS OF TRUST
• Preloaded
– All objects RSA-signed or dm-verity protected
• Mixed
– at least one object is HMAC-signed
• No integrity
– at least one object has no signature or is corrupted
20. RUN-TIME PROTECTION
• ptrace() and process_vm_writev() syscalls hooked
• If a trace is detected, integrity is reset
[Diagram: a Malicious app attaches to the Target App with ptrace() and modifies its memory]
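The trust levels of slide 19 and the run-time reset of slide 20, as an added example that is not FIVE's code. It keeps a per-process record of how each mapped object was protected and replays a constructed hook log (the line format and the protection labels are assumptions made for the example) to show how a process ends up Preloaded, Mixed or with No integrity, and how a ptrace() or process_vm_writev() event drops it to No integrity regardless of what it loaded.

```python
from enum import Enum


class Protection(Enum):
    RSA_SIGNED = "rsa-signed"    # native object signed at build time
    DM_VERITY = "dm-verity"      # object on a verified read-only partition
    HMAC_SIGNED = "hmac-signed"  # installed Java component with a certificate record
    NONE = "none"                # no signature, or signature check failed


class Trust(Enum):
    PRELOADED = "Preloaded"
    MIXED = "Mixed"
    NO_INTEGRITY = "No integrity"


class ProcessIntegrity:
    """Integrity state of one process as the kernel-module hooks would track it."""

    def __init__(self, pid: int):
        self.pid = pid
        self.objects = {}      # path -> Protection of every mapped object
        self.traced = False    # set once another process wrote into or traced us

    def on_mmap(self, path: str, protection: Protection) -> None:
        self.objects[path] = protection

    def on_trace(self, other_pid: int) -> None:
        # ptrace() or process_vm_writev() from another process: reset integrity.
        self.traced = True

    def level(self) -> Trust:
        if self.traced:
            return Trust.NO_INTEGRITY
        kinds = set(self.objects.values())
        if Protection.NONE in kinds:
            return Trust.NO_INTEGRITY
        if Protection.HMAC_SIGNED in kinds:
            return Trust.MIXED
        return Trust.PRELOADED


# Constructed hook log: "<pid> mmap <path> <protection>" or "<pid> <ptrace|process_vm_writev> <other pid>".
HOOK_LOG = """
1234 mmap /system/bin/app_process dm-verity
1234 mmap /system/lib64/libc.so rsa-signed
1234 mmap /data/app/com.example.a/base.apk hmac-signed
1234 mmap /data/app/com.example.a/lib/arm64/libnative.so hmac-signed
2345 mmap /system/bin/surfaceflinger dm-verity
2345 mmap /system/lib64/libgui.so rsa-signed
3456 mmap /system/bin/sh dm-verity
3456 mmap /data/local/tmp/unsigned.so none
2345 ptrace 4567
"""


def replay(log: str) -> dict:
    """Feed hook events to per-process trackers; return {pid: Trust}."""
    procs = {}
    for line in log.strip().splitlines():
        parts = line.split()
        pid, event = int(parts[0]), parts[1]
        proc = procs.setdefault(pid, ProcessIntegrity(pid))
        if event == "mmap":
            proc.on_mmap(parts[2], Protection(parts[3]))
        elif event in ("ptrace", "process_vm_writev"):
            proc.on_trace(int(parts[2]))
        else:
            raise ValueError(f"unknown hook event: {line}")
    return {pid: proc.level() for pid, proc in procs.items()}


if __name__ == "__main__":
    for pid, level in sorted(replay(HOOK_LOG).items()):
        print(f"pid {pid}: {level.value}")
```

Process 1234 is a normal user app (system objects plus HMAC-signed installed components) and lands on Mixed; 2345 was Preloaded until a ptrace() arrived; 3456 mapped an unsigned object and has No integrity. A TrustZone app deciding whether to serve a client would consult exactly this level.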
21. LIMITATIONS
• Trust in the kernel
– Compromised kernel -> compromised FIVE
• No protection against vulnerabilities in the application itself
– These attacks do not tamper with integrity
22. Thank you!
Icons used in the presentation are
Designed by Freepik
Designed by Yannick Lung
Designed by fontawesome.com
Designed by Zlatko Najdenovski under Creative Commons (Attribution 3.0 Unported)
Designed by Alpár-Etele Méder under Creative Commons (Attribution 3.0 Unported)