PSCG
Ron Munitz
Founder & CEO - The PSCG
ron@thepscg.com
Voxxed Days
Vilnius
18 September 2015
@ronubo
The slides are available online at:
thepscg.com/talks/
Burning
Marshmallows
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/
© Copyright Ron Munitz 2015
PSCG
about://Ron Munitz
● Founder and CEO of the PSCG
○ The Premium Embedded/Android consulting and Training firm
● Android*, Linux*, Security* Trainer and Instructor
○ The PSCG, NewCircle and the Linux Foundation
● Senior Lecturer at Afeka College of Engineering and
Holon Institute of Technology
● Founder and (former) CTO of Nubo Software
○ The first Remote Android Workspace
● Always up for something new. Builder, Adviser.
● Building up on diverse engineering experience:
○ Distributed Fault Tolerant Avionic Systems
○ Highly distributed video routers
○ Real Time, Embedded, Server bringups
○ Operating Systems, very esoteric libraries, 0’s, 1’s and lots of them.
PSCG
Agenda
● Android Security features timeline
● PR stunts and Software Security faceoff
● Introducing: Android 6.0 - Marshmallow
● Burning Marshmallows - Future PR stunts
Android Security Timeline
PSCG
Days of future past
Android Security Architecture
● Key Features
○ Robust security at the OS level through the Linux
kernel
○ Mandatory application sandbox for all applications
○ Secure interprocess communication
○ Application signing
○ Application-defined and user-granted permissions
○ SE Linux
○ Multi-User support, “work profiles”, “guest profiles”,...
○ FUSE for sdcard (permissions, encryption)
○ Trusted Execution Environment and HW support
PSCG
Android Security features timeline
● Permission System / Signature Systems
● JCE (BouncyCastle), OpenSSL
● Partial ASLR (“stagefright” → ICS!)
● Hardware Backed KeyStore
● Full ASLR (and later heap randomization and full PIE)
● SE Linux (first permissive, then Enforcing)
● OTA Update System (e.g. Chromium)
● Full disk encryption, dm-crypt
● Trusted Boot support, dm-verity
● SE Linux - Full domain enforcement (important addition)
● Partial Permission Module (Burden on the developer...)
● Fingerprinting API,
● Keystore redesign
● ...
Popular “Victims”
PSCG
A pre Marshmallow candy barbeque
(or is it?)
Popular Attack Surfaces
● The AOSP builds on countless lines of code
○ Developed by Google and Partners
■ AOSP → OEM → Carrier chain of (mis)trust
○ “Borrowed”/Ported
● init services
○ If defined critical may lead to device reboot
○ If restarts other services - may lead to DoS
● Android services
○ Usually one service (server) serves multiple
components (clients) ⇒ DoS
● Separate code injection and privilege
escalation from DoS!
Don’t (blindly) believe the news
● StageFright sequences (by several vendors).
○ Fact: “Everyone” is fuzzing stagefright.
■ @see “Fuzzing the media framework in android”
by the Intel OTC, at ELC 2015
○ The mediaserver runs stagefright as the “media
backend”
○ If “everyone” fuzzes ⇒ at least someone succeeds
Don’t (blindly) believe the news
● Fact: One of the Stagefright exploits was
severe because it could be triggered
remotely.
○ This is a huge deal.
○ If only...
● Fact: ASLR, PIE, DEP, SELinux,...
● Home exercise/Group bet:
○ Assuming an MMS costs $0.01. How many USD
would you spend on arbitrary remote code
execution?
○ Volunteers?
Don’t (blindly) believe the news
● Fact: One of the stagefright exploits resulted
in DoS attacks on the media server due to
heap overflow.
● This can lead to annoying behavior, and
more.
● Fact: mediaserver is not a privileged user.
Software components have bugs. It’s a part
of life.
● Opinion: If someone manages to exploit
those vulnerabilities, they probably deserve
a prize...
Yet, don’t avoid somewhat silent news
● A good attack is a low profile attack.
● An excellent attack is a zero-day attack.
● Disclosure does not always help, and the Android ecosystem is not a great helper
○ AOSP → OEM → Carrier → (?) → User
● And when someone in the chain decides to do something stupid within the chain - someone else will take advantage
○ @see the “yearly” signature verification attacks
○ In fact, let’s have a quick look at a recent one
Silent but lethal news as per Sep 15
A great example, one that has not received press coverage out of proportion to its severity and has recently been patched in most, but not all, implementations, is the Certifi-gate attack against RST (Remote Support Tools):
Silent but lethal news as per Sep 15
● It turns out that RST such as TeamViewer, RSupport
and more, which were bundled in some popular device
ROMs from leading companies (LG, Samsung, Huawei
and more), had privileged access to elements such as
○ Screen Recording (Surface Flinger/Framebuffer)
○ Event Injection
○ Package Installation
Silent but lethal news as per Sep 15
● It also turns out that these RST’s enabled “trusted”
applications to take advantage of these permissions, by
using them as a (confused?) deputy, while the
applications would be an “extension”.
● What is trust?
○ Apparently, comparing an X509 certificate serial
number to a hard-coded value, comparing a
certificate “HashCode” to a hardcoded value etc…
● Given that, one could just build a “trusted” “extension” to
the RST, that would have full device control, without
ever asking for any permission.
● Great.
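The “What is trust?” question above is where the deputy goes wrong. The following is an added example (not code from the slides or from any RST vendor) contrasting the weak checks the slides describe with a check that binds trust to the caller’s signing certificate; it assumes an Android service that learns the caller’s UID from Binder.getCallingUid(), and TRUSTED_CERT_SHA256 is a placeholder pin, not a real value.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Decides whether the package behind a Binder caller may drive a privileged "deputy" service. */
public final class CallerTrust {

    // PLACEHOLDER (assumption): hex SHA-256 of the DER-encoded signing certificate of the
    // single package that is allowed to call this service. A real service pins its own value.
    private static final String TRUSTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** WEAK: the pattern the slides describe. The serial number is chosen by whoever issues
     *  the certificate, so any self-signed certificate can carry this exact value. */
    static boolean weakSerialCheck(Signature sig) throws CertificateException {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(sig.toByteArray()));
        return cert.getSerialNumber().equals(BigInteger.valueOf(1234567L)); // constructed value
    }

    /** WEAK: Signature.hashCode() is a 32-bit Java hash of the certificate bytes, not a
     *  cryptographic digest, so an equal value says nothing about who holds the private key. */
    static boolean weakHashCodeCheck(Signature sig) {
        return sig.hashCode() == 0x12345678; // constructed value
    }

    /** STRONG: compare the full SHA-256 digest of the signing certificate, for every package
     *  sharing the caller's UID (sharedUserId lets several packages run under one UID, so all
     *  of them must match the pin). */
    public static boolean callerIsTrusted(Context ctx, int callingUid)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageManager pm = ctx.getPackageManager();
        String[] packages = pm.getPackagesForUid(callingUid);
        if (packages == null || packages.length == 0) {
            return false; // unknown caller
        }
        byte[] pinned = hexToBytes(TRUSTED_CERT_SHA256);
        for (String pkg : packages) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // Refuse multi-signer packages: with several certificates it is unclear which to pin.
            if (sigs == null || sigs.length != 1) {
                return false;
            }
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            // MessageDigest.isEqual compares the two digests in constant time.
            if (!MessageDigest.isEqual(pinned, actual)) {
                return false;
            }
        }
        return true;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The check belongs at the top of every privileged Binder entry point (screen capture, event injection, package install), before any work is done on the caller’s behalf.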
Marshmallow Additions
PSCG
Marshmallow Additions
● FingerPrinting API
○ Biometric ID’s anyone?
○ Trusted Execution Environment implementation
■ @see attacks on ARM TrustZone..
○ What if the device has no TEE?
■ Prone to forensics…
● Dynamic Permission API
○ Basically a good thing. Finally catches up with the iOS dynamic permission model
○ Drawback: Will break applications. Not because it is a bad thing, but because of application developers
○ Mitigation: SDL, Captain Hindsight
Marshmallow Additions
● Keystore API redesign
● Keystore HAL redesign/additions
○ keymaster v. 1.0 - First signs of maturity?
● Symmetric key cryptography support at (HW
backed) keystores
○ This has been out for a while.
○ But on a platform hidden API (@hide)
○ Now available for all!
● Enable timed authentication
○ Introducing the gatekeeper HAL
Marshmallow Additions
● APK Validation changes
○ Following various notorious APK signing bugs (Master
Key etc.).
○ If a file is declared in the manifest but not present in
the APK itself ⇒ APK is considered corrupt
● Android for Work
○ Behavior is still evolving (for better? worse?)
○ Examples: Automatic System updates
○ Runtime Permission policy for all applications
○ Data usage tracking.
○ Most changes are Android. Not Google Play services.
● External Storage Encryption, App Linking and
Dynamic Permission API
● Device API < 23
○ Target API < 23: No change (shocking, isn’t it?)
○ Target API >= 23: Use a Build.VERSION.SDK_INT switch.
● Device API >= 23
○ Target API < 23: No change on installation (all permissions granted). Permissions can be revoked - may break apps. The device will warn the user about it.
○ Target API >= 23: Full dynamic permission model. Make sure you check for SDK_INT, and always checkSelfPermission(), [shouldShowPermissionRationale()], and requestPermission() when relevant. Then, handle the user’s choice in onRequestPermissionResults().
Dynamic Permission API
● Long story short:
Target API Level 23 ⇒ Application
developer needs to be aware of dynamic
permissions
● Device Level 23 ⇒ End User needs to be
aware of the consequences of disabling
permissions for older SDK level apps.
● It’s quite obvious researchers will
celebrate this significant behavior
change...
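The Device API >= 23 / Target API >= 23 cell above, worked through as an added example (not code from the slides): a constructed activity that needs the camera, branching on SDK_INT and using the framework’s own method names (checkSelfPermission(), shouldShowRequestPermissionRationale(), requestPermissions(), onRequestPermissionsResult()). It assumes the CAMERA permission is declared in the app’s AndroidManifest.xml and that startScanning() is the app’s own camera code.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Bundle;
import android.widget.Toast;

/** Constructed example activity: scans a code with the camera under the runtime permission model. */
public class ScanActivity extends Activity {
    private static final int REQ_CAMERA = 17; // arbitrary request code chosen for this example

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Check on every use, not once at first launch: on a device at API >= 23 the user can
        // revoke the permission in Settings at any time, which is the case that "breaks apps".
        ensureCameraPermissionThenScan();
    }

    private void ensureCameraPermissionThenScan() {
        // Device API < 23: permissions were granted at install time and the runtime permission
        // methods used below do not exist there, so a target-23 app must branch on SDK_INT first.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            startScanning();
            return;
        }
        if (checkSelfPermission(Manifest.permission.CAMERA) == PackageManager.PERMISSION_GRANTED) {
            startScanning();
            return;
        }
        // True when the user denied an earlier request without ticking "never ask again":
        // explain why the permission is needed before asking a second time.
        if (shouldShowRequestPermissionRationale(Manifest.permission.CAMERA)) {
            Toast.makeText(this, "Camera access is needed to scan the code", Toast.LENGTH_LONG).show();
        }
        requestPermissions(new String[] {Manifest.permission.CAMERA}, REQ_CAMERA);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        if (requestCode != REQ_CAMERA) {
            super.onRequestPermissionsResult(requestCode, permissions, grantResults);
            return;
        }
        // grantResults is empty when the request was interrupted (e.g. the dialog was cancelled),
        // so the length check is part of the denial path, not an optional nicety.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            startScanning();
        } else {
            // Degrade gracefully instead of crashing on the missing permission.
            Toast.makeText(this, "Scanning is disabled until camera access is granted", Toast.LENGTH_LONG).show();
        }
    }

    private void startScanning() {
        // The app's own camera code goes here (assumed, not shown).
    }
}
```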
Ahead Of Time Compiling (ART)
● Marshmallow provides ART as the default (and only, unless specifically configured) runtime.
● It seems that the OAT files are still “Lollipop compliant” ⇒ Trivially reversible due to:
○ A full mapping from Native code to DEX bytecode
○ A full mapping from both to Java functions.
● So you can apply the same techniques for .dex file decompiling.
● @see my upcoming Android Reverse Engineering Lab
Speculations
● The most dominant attacks we’ll hear of will
be in the categories of:
○ Certificate validation, self Certificate Chain validation
○ Everything under the AOSP /external/
■ Home exercise: Can you play with toybox?
○ Everything media related
○ Application breaking
○ Fingerprint stealing (if and when)
○ Bad SE Linux policies (unlikely for the “serious”
vendors, but hey, Android fragmentation…)
○ Timing attacks against the new Keystore API’s
● Or maybe we will hear of nothing. But
attackers/researchers will definitely try.
Follow up:
● Android Security workshop
○ Public class in Tel-Aviv - October 18-20, 2015.
○ training@thepscg.com
○ Discount Code: VoxxedDays1809
● Private/Public classes in Lithuania?
○ Contact me - training@thepscg.com
Thank You
PSCG
Consulting/Training requests:
ron@thepscg.com
