Tizen Security

Provides an overview of the Tizen operating system, with a focus on security elements thereon. Covers securing apps on the Tizen platform as well, and ways to test them as an infosec professional. Co-presented at DerbyCon 2013 with Mark Manning.

Slide transcript:
1. TIZEN Security: Hacking the New Mobile OS

2. Mark Manning
• Sr. Security Consultant with Intrepidus Group
• Mobile:
  – Android
  – Windows Phone
  – Brew
  – iOS
  – Blackberry
• BSidesROC, Rochester 2600, Interlock Rochester
1/17/2017 Intrepidus Group - Confidential

3. Jason Ross
• Sr. Security Consultant with Intrepidus Group
  – Android
  – Web apps
  – Network
• Extra Curricular
  – TOOOL.ROC, DC585, BSidesROC
  – Security BSides*, Dragon Research Group

4. What we are going to tell you
• What Tizen is & where it might be going
• The Tizen security model
• How to perform Tizen security assessments
• Predictions for the future

5. Tizen (/ˈtaɪzɛn/) is…
• An open source mobile operating system
  – Started life as Samsung SLP (then Bada), & Intel MeeGo
  – Governed by the Linux Foundation
• Organized by a board of directors
  – The Tizen Association
• Supported by large companies
  – Intel, Samsung, Fujitsu
• Based on W3C standards for its applications
  – HTML5 APIs
  – Touch Events
  – Web Storage
  – WARP

6. Tizen wants to…
• Be the ubiquitous solution for “smart” consumer devices
• Release a high end device this year
• Grab a 15% market share of smartphones
• Replace Android as the most versatile operating system
• Be installed on:
  – Smart TVs
  – Cars
  – Smart Phones
  – Tablets
  – Anything that is designed for high end user experience

7. Tizen Family Tree (diagram only)

8. Tizen History
• February 2010
  – Nokia and Intel announce MeeGo
  – Nokia drops out of MeeGo in favor of Windows Phone
• September 2011
  – Intel suspends MeeGo & announces Tizen as its replacement
• January 2012
  – Tizen source code and SDK released
• May 2013
  – Tizen 2.1 released
• July 2013
  – Tizen 2.2 released
• August 2013
  – Tizen IVI 3.0 beta released

9. Vapor Hardware (image only)

10. Quick Comparison
Platform | Android | iOS | Firefox OS | Ubuntu | Tizen
Web App Support | None | None | Yes | Yes | Yes
Native App Support | Yes | Yes | No | Yes | Yes
Primary Application Isolation Mechanism | Linux UIDs | XNU / Seatbelt | B2G / Gecko | D-BUS / App Armor | SMACK labels
IDE | Eclipse | Xcode | Good luck! | Ubuntu SDK | Eclipse
Application Signing Model | Developer | Distributor | Distributor | Developer | Distributor & Developer
11. Technical Steering Group
• In charge of development and working with OEMs (and advocacy)
• Consists of Samsung, Intel and now Huawei
• Coordinates development of the operating system

12. Tizen Association
• Always represented by 12 companies
• Always changing
• Current members: (member logos on slide)

13. HTML5 Scores (chart only)

14. APPLICATIONS

15. Tizen Application Stack (diagram only)

16. Types of Apps
• Web Applications:
  – Written in HTML5
  – JavaScript makes calls to Privileged APIs
  – Supports libraries like jQuery Mobile
  – Can be either “Packaged Web Apps” or “Hosted Web Apps”
• Native Applications
  – C / C++
  – Native APIs unrelated to web app APIs
  – Focused on gaming
• Hybrid Applications
  – Little bit of both

17. WebRT
• WebRT is to Tizen what DalvikVM is to Android
• Execution of web applications
• Each application runs its own instance
• Access to device resources via JavaScript API
• Access control of web applications

18. The Widget Stack (diagram only)

19. Luckily Webkit is universally secure… (image only)

20. WGT
• Web applications or widgets
• W3C standard way of packaging an HTML5 application
• Zip archive with .wgt extension

21. Application Signing
• Each application is signed with 2 signatures
  – W3C recommended way of handling widget signing
  – As opposed to Android’s one
• Author signature
  – From the author of the application; used to verify who created the app
• Distributor signature
  – From the publisher or app store, verifying where the application was distributed from

22. Privileged Device APIs
• Public:
  – Any developer can access
  – Example: Filesystem – access a location on the device
• Partner:
  – Only those developers that have been verified and approved can access it
  – Partners are given a special Partner CA to sign their applications
  – Example: ApplicationManager – manage application certificates
• Platform:
  – Reserved to OEMs and Tizen implementers
  – System level access to a device
  – Example: BluetoothAdapter

23. config.xml File
• Similar to a manifest
• Declare Features: device capabilities
• Declare Privileges: API access required by the app
• Set policy: lets you set a “content security policy” for the application
  – White list the sites it should be connecting to
  – Based on W3C’s WARP

24. config.xml Example (image only)

25. Install Directory == Package Name (image only)

26. Installation Directory Structure (diagram; entries as extracted): bin, APPID.AppName, res, wgt, shared, data, res, trusted, tmp, tmp

27. (image only)

28. Encryption Support
• Web apps support encryption of JavaScript, HTML, CSS, etc.
• Install-time encryption only
• Key configuration is located in /usr/share/secure-storage/config
  – Usually points to /csa/.seckey
• Magic(key, wgt) = encryption
29. SMACK

30. SMACK - Introduction
• Linux Kernel Module
• Basis of the Tizen security sandbox model
• “Labels” are the metaphor
  – Similar to how Android uses UIDs
• Tizen 2.1 has 41,000 SMACK rules
  – Tizen 3 is looking to reduce these

31. SMACK - Control Mechanisms
• File control
  – Extended attributes (xattrs) give filesystem objects a label
  – The label corresponds to a SMACK rule
• IPC traffic
• Network traffic
  – A CIPSO header is attached to each network packet
• Processes
  – Can read /proc/self/attr/current to discover what SMACK labels they are running under

32. SMACK - Definitions
• Subject
• Object
• Access
• Label

33. SMACK - Access Rule Format
    <subject-label> <object-label> <access-rule>

34. SMACK - Access Rule Examples
    contacts-service _ arwxt
    com.Intrepidus.pwn * arwx-
    org.tizen.setting miracast-server rwx--

    /opt/usr/apps/3FRIz5CoAw.Test = testApp
    /tmp/file.txt = myFile
    testApp myFile r
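The rule format and examples above can be exercised with a small evaluator. The Python below is an added example, not code from the slides, from Tizen or from the kernel; it goes a little beyond the slide by applying the kernel's built-in label semantics (any access to a `*` object, read or execute on a `_` object or by a `^` subject, and same-label access are granted without a rule, while a `*` subject is always denied) before consulting the explicit rules, and it takes the slide's rules and path labels as constructed input.

```python
from dataclasses import dataclass, field

ACCESS_FLAGS = frozenset("rwxat")  # read, write, execute, append, transmute


def parse_access(spec: str) -> frozenset:
    """'arwx-' -> {'a','r','w','x'}; '-' is only a placeholder for a missing right."""
    flags = frozenset(spec.lower()) - {"-"}
    if not flags <= ACCESS_FLAGS:
        raise ValueError(f"unknown access flag in {spec!r}")
    return flags


@dataclass
class SmackPolicy:
    rules: dict = field(default_factory=dict)   # (subject, object) -> granted flags
    labels: dict = field(default_factory=dict)  # path -> object label (its SMACK64 xattr)

    def load_rules(self, text: str) -> None:
        """Parse '<subject-label> <object-label> <access-rule>' lines."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            subject, obj, access = line.split()
            self.rules.setdefault((subject, obj), set()).update(parse_access(access))

    def load_labels(self, text: str) -> None:
        """Parse the slide's '<path> = <label>' notation for file labels."""
        for line in text.splitlines():
            if "=" in line:
                path, label = (part.strip() for part in line.split("=", 1))
                self.labels[path] = label

    def check(self, subject: str, obj: str, access: str) -> bool:
        """Built-in label semantics first (the kernel's order), then the explicit rule set."""
        wanted = parse_access(access)
        if subject == "*":                # a '*' subject is denied everything
            return False
        if obj == "*" or subject == obj:  # '*' objects and same-label access need no rule
            return True
        if wanted <= {"r", "x"} and (obj == "_" or subject == "^"):
            return True                   # floor object / hat subject: read or execute only
        # Anything else needs an explicit rule that grants every requested flag.
        return wanted <= self.rules.get((subject, obj), set())

    def check_path(self, subject: str, path: str, access: str) -> bool:
        """Resolve a path to its object label, as the kernel does from the xattr."""
        return self.check(subject, self.labels[path], access)


# The slide's rules and labels, embedded as constructed input text.
SLIDE_RULES = ("contacts-service _ arwxt\n" "com.Intrepidus.pwn * arwx-\n"
               "org.tizen.setting miracast-server rwx--\n" "testApp myFile r\n")
SLIDE_LABELS = "/opt/usr/apps/3FRIz5CoAw.Test = testApp\n/tmp/file.txt = myFile\n"


def slide_policy() -> SmackPolicy:
    policy = SmackPolicy()
    policy.load_rules(SLIDE_RULES)
    policy.load_labels(SLIDE_LABELS)
    return policy
```

Note that the pwn rule on the slide grants nothing that a `*` object would not already allow, while the testApp rule is the only thing that lets that label read /tmp/file.txt.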
35. SMACK – Access Request Process (diagram only)

36. /DEV/RANDOM

37. Content Security Framework
• McAfee contributed solution to a problem first noticed in Android
  – How does an app get access to the system to perform effective scans?
• Provides API for anti-virus vendors
  – Low-level hooks into the system to bypass usual application restrictions

38. Tizen Push Service
• Functionally similar to GCM on Android
• Messages limited to text data of 1024 bytes

39. ASLR
• “Fully implemented” in the Linux Kernel but some additional security measures are not currently implemented

Security protection | Purpose
-fstack-protector-all | adds canary-based buffer overflow checks on the stack and shuts down if it's corrupt
-D_FORTIFY_SOURCE=2 | replaces unbounded string function calls with bounded ones; done where GCC can determine the buffer size
-fpic, -fpie | position-independent code for libraries (-fpic) and executables (-fpie); protects against return-to-libc attacks
NX bit | No-Execute bit

40. Weirdness
• Zypper is on the device
• Install all the things!
• OpenSSH: running by default on the device
• Root login is permitted
41. PERFORMING ASSESSMENTS

42. Attackers we are emulating
• A malicious application on the device
• A remote attacker that has hijacked another application’s backend
• Lost or stolen devices
(Props to Katy Levinson/HackerDojo for this image)

43. Attack Vectors
• Malicious application store / third party store
  – Helped out by the distributor signing model
• SMishing, phishing to install an application
• “Drive by” content (malicious ad networks)
  – Helped by defining WARP access tags or setting the content-security-policy correctly

44. Tools
• Tizen SDK – Eclipse IDE
• Web simulator
• Tizen Device Emulator
• SDB

45. Tools - Tizen SDK IDE
• Eclipse based
• Comes with the Tizen device emulator
• And the web simulator

46. Tools - Web Simulator
• Lets you run a WGT inside of Google Chrome
• App assessment tool

47. Tools - Web Simulator Controls
• Allows you to manipulate the web simulator environment
• Contains functions to simulate device events
• Incoming calls / messages
• Push messages
• Orientation change
• GeoLocation

48. Tools - Device Emulator
• Very similar to Android Emulator
• Create virtual devices and run them
• Devices are qemu VMs
  – qcow format disk images

49. Tools - Device Emulator Configuration
• Change skin
• Phone
• General Purpose
• Configure RAM
• Control hardware acceleration

50. Tools - SDB
• Smart Development Bridge
• AKA: “It’s not ADB, we swear”

51. Definitely not ADB… (image only)

52. Using SDB + WRT to install apps (image only)

53. Assessment Methodology
• Static Analysis
• File System Analysis
• Dynamic Analysis
• Network Analysis

54. Static Analysis
• Improper permission requests
  – Overprivileged applications are a greater threat
• Unprotected shared content
  – SQLite databases
  – Temporary files with 777 access
• Encryption used
  – Custom encryption or built-in APIs?
  – Static keys saved in the application
• Cross origin access restrictions
  – Which domains are restricted
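The first and last items of this list can be checked before anything is installed, by reading the config.xml described on the config.xml File slide (privileges, WARP access list, content security policy). The Python below is an added example, not code from the slides or from the Tizen SDK: it parses a constructed config.xml for an app named after the SMACK slide's test app, flags privileges above the public API level (the privilege URIs and the levels assigned to them are assumptions for the example), flags WARP <access> declarations that open the app to every origin, to cleartext origins or to whole subdomain trees, and reports a missing tizen:content-security-policy element (assumed element name).

```python
import xml.etree.ElementTree as ET

W3C = "{http://www.w3.org/ns/widgets}"      # W3C widget namespace (root, <access>)
TIZEN = "{http://tizen.org/ns/widgets}"     # Tizen extensions (<tizen:privilege>, ...)

# Assumed mapping of a few privilege URIs to the three API levels from the
# Privileged Device APIs slide; a real review would use the SDK's full privilege list.
PRIVILEGE_LEVEL = {
    "http://tizen.org/privilege/contact.read": "public",
    "http://tizen.org/privilege/filesystem.read": "public",
    "http://tizen.org/privilege/appmanager.certificate": "partner",
    "http://tizen.org/privilege/bluetooth.admin": "platform",
}

# Constructed config.xml for a test app (the app id is the one on the SMACK slide).
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets"
        xmlns:tizen="http://tizen.org/ns/widgets"
        id="http://example.invalid/Test" version="1.0.0" viewmodes="maximized">
  <tizen:application id="3FRIz5CoAw.Test" package="3FRIz5CoAw" required_version="2.2"/>
  <content src="index.html"/>
  <name>Test</name>
  <tizen:privilege name="http://tizen.org/privilege/contact.read"/>
  <tizen:privilege name="http://tizen.org/privilege/appmanager.certificate"/>
  <access origin="https://api.example.invalid" subdomains="true"/>
  <access origin="*"/>
</widget>
"""


def review_config(xml_text: str) -> list:
    """Return review findings for the privilege and WARP <access> declarations."""
    root = ET.fromstring(xml_text)
    findings = []

    # Improper permission requests: anything above the public level needs a justification.
    for priv in root.iter(TIZEN + "privilege"):
        name = priv.get("name", "")
        level = PRIVILEGE_LEVEL.get(name)
        if level is None:
            findings.append(f"unlisted privilege, review manually: {name}")
        elif level != "public":
            findings.append(f"{level}-level privilege requested: {name}")

    # Cross origin access restrictions: which domains does WARP let the app reach?
    for acc in root.findall(W3C + "access"):
        origin = acc.get("origin", "")
        if origin == "*":
            findings.append('WARP allows every origin (<access origin="*"/>)')
        elif origin.startswith("http://"):
            findings.append(f"cleartext origin allowed: {origin}")
        elif acc.get("subdomains", "false") == "true":
            findings.append(f"all subdomains of {origin} are allowed")

    # Without a content security policy, injected script can call every API granted above.
    if root.find(TIZEN + "content-security-policy") is None:
        findings.append("no tizen:content-security-policy declared")
    return findings
```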
55. File System Analysis
• Storing information on the SDCARD
• Unrestrictive file permissions
• Temporary files with 777 permissions

56. Dynamic Analysis
• Sensitive file storage
• Overly permissive content sharing
  – Inter-application messaging
  – Shared SQLite database
  – Sensitive temp files

57. Network Analysis
• XSS means a privilege leakage
  – Similar to an Android permission hijack but with JavaScript
• Cross origin attacks
  – Can we evade the network restrictions?
• SQLi (client side and server)
  – Parameterized queries are not used
• Handling untrusted server input
  – Testing both the web server and the web client in this model
• Secure data transport
  – SSL used throughout

58. Network MiTM Setup
• Set up a proxy in the WiFi Settings
• IPTables configuration
• Add CA certificates to the trusted system store

59. Trusted root certificate store
• Anything in /etc/ssl/certs that’s in PEM format and is named <8hexChars>.0 is considered a trusted cert
• So…
    openssl x509 -in burpCA.der -inform DER -out burpCA.pem -outform PEM
    sdb push burpCA.pem /tmp/
    sdb shell
    su
    mv /tmp/burpCA.pem /etc/ssl/certs/ffffffff.0

60. Verification of Certificates
• Use the certificate viewer from to verify the certificate was “installed” correctly.

61. Review
• Applications
  – HTML5 / WebRT / Webkit
  – Privileged APIs
• SMACK
  – Subject / Object / Labels
  – 41K rules
• Assessments
  – IDE / SDK / Emulator / Simulator
  – Network MiTM

62. Predictions
• A Tizen phone will be released next year & adoption will be slow
  – It will be rooted within the first week
• Smart devices like cars, TVs, and refrigerators will be pushed by Samsung
• A webkit exploit affecting Tizen will break their security model
  – This will cause devastating results to the platform, unlike any other mobile vulnerability
• Tizen will be adopted faster in non-American countries as a low cost, feature rich alternative to Android

63. Questions

64. Contact
• mark.manning@intrepidusgroup.com
• jason.ross@intrepidusgroup.com
• http://intrepidusgroup.com/insight
