SlideShare a Scribd company logo

The Art of defence: How vulnerabilites help shape security features and mitigations in android

Priyanka Aash
Priyanka Aash

Information security is ever evolving, and Android's security posture is no different. Android users faces threats from a variety of sources, from the mundane to the extraordinary. Lost and stolen devices, malware attacks, rooting vulnerabilities, malicious websites, and nation state attackers are all within the Android threat model, and something the Android Security Team deals with daily. In this talk, we will cover the threats facing Android users, using both specific examples from previous Black Hat conferences and published research, as well as previously unpublished threats. For the threats, we will go into the specific technical controls which contain the vulnerability, as well as newly added Android N security features which defend against future unknown vulnerabilities. Finally, we'll discuss where we could go from here to make Android, and the entire computer industry, safer. (Source: Black Hat USA 2016, Las Vegas)

Technology
1 of 57
Download to read offline
The Art of Defense How vulnerabilities help shape security features and mitigations in Android Nick Kralevich August 4th, 2016
$ whoami ● Nick Kralevich ● Android Security since December 2009 ● Android Platform Security Team Lead
Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Agenda Quick overview of the Android Security Architecture Vulnerabilities that affected Android and Android’s response Where do we go from here?
Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Android Security Ecosystem
Sandbox & permissions Runtime Security Checks Verify Apps Warning Verify Apps Consent Install Confirmation Unknown Sources Warning Google Play
Knowledge PHA or Not Data App installs Install Source Google Play Application Analysis Static Dynamic Reputation Etc. Other Google Services Search Drive Ads Etc. SafetyNet Analysis Exploit Detection ACE SIC Etc. Android App Sandbox Verified Boot Encryption Etc. Chrome Smart Lock Device Manager Safe Browsing SafetyNet Verify Apps App X App Y App Z Install Apps Apps Knowledge PHA or not Best practices Knowledge PHA or not Apps Knowledge Risk Signal Data Rare Apps App Install Checks Attest API Protections Warnings Configuration changes Etc Device Data Events Measurements Configurations Etc.
Learn More ● https://source.android.com/security/ ● Android Security 2015 Annual Report ○ https://security.googleblog.com/2016/04/android-security-2015-annual-report.html ● Android Security State of the Union ○ Black Hat 2015 - Adrian Ludwig ○ https://goo.gl/JrncdF
Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Android Platform Overview
High Level Overview Contacts Game X Google Play Contacts Game Y Google Play System System System System System System System Trust Zone Kernel Hardware Root Root Root Root Root User 1 User 2 Verify Apps Safe Browsing SafetyNetGoogle Security Services Email Game Y Email Game Z Device Manager Smart Lock
Key Android Security Principles ● Exploit Mitigation ● Exploit Containment ● Principle of Least Privilege ● Architectural Decomposition ● Attack Surface Reduction ● Safe by design APIs ● Defense-in-depth
Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Software Flaws
PingPong Root (CVE-2015-3636) ● Public Disclosure ○ oss-security ● Presented at Black Hat 2015 ○ Wen Xu / @K33nTeam ● Result: Kernel code execution https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back.pdf diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index a93f260..05ff44b 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk) if (sk_hashed(sk)) { write_lock_bh(&ping_table.lock); hlist_nulls_del(&sk->sk_nulls_node); + sk_nulls_node_init(&sk->sk_nulls_node); sock_put(sk); isk->inet_num = 0; isk->inet_sport = 0;
PingPong Root (CVE-2015-3636) commit be341cc348257a07c68bcbfdc526835d49283329 Author: Nick Kralevich <nnk@google.com> Date: Thu Feb 21 18:36:43 2013 -0800 init.rc: allow IPPROTO_ICMP support Allow userspace programs to create IPPROTO_ICMP sockets. This socket type allows an unprivileged program to safely send ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages, without relying on raw sockets or setuid programs. ● An attempt at security hardening made the vulnerable code reachable
PingPong Root (CVE-2015-3636) ● First priority: Fix the bug! ● Next step: How do we protect against similar bugs? Solely fixing bugs isn’t acceptable.
PingPong Root - Mitigation From: Jeff Vander Stoep <jeffv@google.com> Date: Tue, 18 Aug 2015 20:50:10 +0100 Subject: [PATCH] arm64: kconfig: Move LIST_POISON to a safe value Move the poison pointer offset to 0xdead000000000000, a recognized value that is not mappable by user-space exploits. Cc: <stable@vger.kernel.org> Acked-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Thierry Strudel <tstrudel@google.com> Signed-off-by: Will Deacon <will.deacon@arm.com> --- arch/arm64/Kconfig | 4 ++++ 1 file changed, 4 insertions(+) ● Exploit Mitigation - Move LIST_POINTER out of user-space
● Disallow access to unusual socket families ○ Bluetooth socket family, AF_MSM_IPC, etc… ○ Backported as CVE-2016-3762. Android Security Bulletin—July 2016 ○ Other common socket families were blocked in previous Android versions. ● Whitelist allowable ioctls # Restrict socket ioctls. Either # 1. disallow privileged ioctls, # 2. disallow the ioctl permission, or # 3. disallow the socket class. neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl; neverallow untrusted_app *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } *; PingPong Root - Mitigations
PingPong Root - TL;DR PingPong Root: 1 bug, 3 mitigations! Learn more: http://android-developers.blogspot.com/2016/07/protecting-android-with-more-linux.html
PingPong Root - Mitigation ● The mitigations are effective at blocking or reducing the severity of a number of unrelated bugs ○ CVE-2016-2059 - Linux IPC router binding any port as a control port ○ CVE-2015-6642 - Security Vulnerability in AF_MSM_IPC socket: IPC_ROUTER_IOCTL_LOOKUP_SERVER ioctl leaks kernel heap memory to userspace ○ CVE-2016-2474 - Security Vulnerability - Nexus 5x wlan driver stack overflow ○ etc...
Stagefright ● Series of bugs reported by Joshua “jduck” Drake ● Private disclosure with embargo ● Public disclosure via NPR / blog post / PR / ads / etc... ● For this presentation, focusing on CVE-2015-3824 ○ MP4 'tx3g' Integer Overflow https://www.blackhat.com/docs/us-15/materials/us-15-Drake-Stagefright-Scary-Code-In-The-Heart-Of-Android.pdf
Stagefright - A “successful failure” ● Monthly patching cycle ● Public security bulletins ● No evidence of malicious exploitation ● Exploit mitigations (ASLR, etc) worked as intended and bought time ● Device diversity complicated exploitation and bought time ● Exploit containment (UID sandbox, SELinux) forced vulnerability chaining and bought time ● Widespread patch distribution: 57-89% of population [1] ● Significant architectural improvements (more later) ● Enhanced visibility of Android Vulnerability Rewards Program [1] Source: Zimperium.com, March 22nd, 2016
Stagefright ● Mediaserver architected for containment ○ “Android: Securing a Mobile Platform from the Ground Up” (Rich Cannings, Usenix Security 2009) ○ Charlie Miller - oCERT-2009-002 ● Stagefright exploit was contained ○ Required vulnerability chaining ● Mediaserver grew up. More features => more capabilities https://twitter.com/jduck/status/756197298355318784
Stagefright @@ -1948,6 +1948,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { size = 0; } + if (SIZE_MAX - chunk_size <= size) + return ERROR_MALFORMED; + uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size]; if (buffer == NULL) { return ERROR_MALFORMED; ● First Priority: Fix the bugs! ○ 7 patches provided by vulnerability reporter (yay!)
Stagefright ● Unfortunately, fix was incomplete: CVE-2015-3864 size = 0; } - if (SIZE_MAX - chunk_size <= size) { + if ((chunk_size > SIZE_MAX) || (SIZE_MAX - chunk_size <= size)) { return ERROR_MALFORMED; } + if (SIZE_MAX - chunk_size <= size) + return ERROR_MALFORMED; + uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size]; if (buffer == NULL) { return ERROR_MALFORMED; CVE-2015-3824 CVE-2015-3864
Stagefright Solely fixing bugs isn’t acceptable.
mediaserver - Architectural Improvements ● Mediaserver refactoring ● Integer overflow protections ● ASLR enhancements ○ Increase kernel randomness ○ Link time randomization ● Mediaserver seccomp ● Remove mediaserver execmem
MediaServer AudioFlinger AudioPolicyService CameraService MediaPlayerService RadioService ResourceManagerService SoundTriggerHwService AudioServer AudioFlinger AudioPolicyService RadioService SoundHwTrigger CamerServer CameraService ExtractorService ExtractorService MediaCodecService CodecService MediaDrmServer MediaDrmService MediaServer MediaPlayingService ResourceManagerService Android M - Services per process Android N - Services per process
MediaServer Audio devices Bluetooth Camera Device Custom Vendor Drivers DRM hardware FM Radio GPU IPC connection to Camera daemon mmap executable memory Network sockets Read access to app-provided files Read access to conf files Read/Write access to media Secure storage Sensor Hub connection Sound Trigger Devices AudioServer Audio Devices Bluetooth Custom vendor drivers FM radio Read/Write access to media CamerServer Camera Device GPU IPC connections to Camera daemon Sensor Hub Connection ExtractorService None MediaCodecService GPU MediaDrmServer DRM hardware Mmap executable memory Network sockets Secure storage MediaServer GPU Network Sockets Read access to app-provided files Read access to conf files Android M - Capabilities per process Android N - Capabilities per process
mediaserver - Refactoring results ● Vastly improved architectural decomposition ● Vastly improved separation of privileges ● Riskiest code moved to strongly sandboxed process ● Containment model significantly more robust Everyone is safer!
Stagefright - Integer Overflow Protections ● Majority of stagefright bugs were integer overflow ● In C & C++: ○ For unsigned values: the result is taken modulo 2bits ○ For signed values: the result is undefined UBSan to the rescue!
Stagefright before patch
Stagefright before patch v1, sanitized
Stagefright after patch v1, sanitized
libstagefright with UBSan ● In Summary: ○ UBSan with original patch: no integer overflow, stops exploit! ○ UBSan with no patch: no integer overflow, stops exploit! Learn More: https://android-developers.blogspot.com/2016/05/hardening-media-stack.html
ASLR Enhancements
ASLR Patch #1 - Increased randomness from kernel commit d07e22597d1d355829b7b18ac19afa912cf758d1 Author: Daniel Cashman <dcashman@google.com> Date: Thu Jan 14 15:19:53 2016 -0800 mm: mmap: add new /proc tunable for mmap_base ASLR [deleted] Concretely, the attack was against the mediaserver process, which was limited to respawning every 5 seconds, on an arm device. The hard-coded 8 bits used resulted in an average expected success rate of defeating the mmap ASLR after just over 10 minutes (128 tries at 5 seconds a piece). With this patch, and an accompanying increase in the entropy value to 16 bits, the same attack would take an average expected time of over 45 hours (32768 tries), which makes it both less feasible and more likely to be noticed. https://lwn.net/Articles/667790/
ASLR Patch #2 - Library Load Order Randomization 1.so 2.so 3.so 4.so 1.so 2.so 3.so 4.so Random base address ● Compliments and enhances randomized mmap base address ● Dependent shared libraries are mapped into memory in random order ● Effectiveness depends on number of shared library dependencies ● No impact on initial executable nor dynamic linker load https://android-review.googlesource.com/178130
ASLR Patch #3 - Random gap between *.so files 1.so 2.so 3.so 4.so Random base address ● Checked in 15 days ago. :-) ○ Targeting future Android release ● Adds more gaps between shared libraries. ● Allow a lot more compact CFI shadow implementation https://android-review.googlesource.com/248499 1.so 2.so 3.so 4.so
mediaserver: additional changes open("/system/lib/libnetd_client.so", O_RDONLY) = 3 mmap2(NULL, 12904, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb6d9f000 open("/data/data/com.foo.bar/libnetd_client. so", O_RDONLY) = 4 mmap2(NULL, 12904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = -1 EACCES (Permission denied) mmap2(NULL, 20, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 4, 0) = -1 EACCES (Permission denied) finit_module(5, "", 0) = ? ERESTART_RESTARTBLOCK (Interrupted by signal) --- SIGSYS {si_signo=SIGSYS, si_code=SI_USER, si_pid=20745, si_uid=2000} --- +++ killed by SIGSYS +++ Bad system call ● Remove “execmem” ○ No anonymous executable memory ○ No loading executable code from outside /system (not new in Nougat) ○ Executable content can only come from dm-verity protected partition ● seccomp enforcement
Stagefright - TL;DR Stagefright: 7 mitigations!
Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Data in Transit Protection
Data In Transit Protection ● The network is not to be trusted. ○ This has always been true but is especially for mobile devices. ○ But you already know this. ● Too much unencrypted traffic
Data In Transit Protection - Marshmallow In order to help you accurately and easily determine if your application is making cleartext traffic in Marshmallow we added two new features. 1. Strict mode cleartext detection to help you while testing. 2. usesCleartextTraffic application manifest attribute to block accidental regressions on user devices. Note: These are not limited to HTTP/HTTPS StrictMode.VmPolicy policy = new StrictMode.VmPolicy.Builder() .detectCleartextNetwork() .penaltyDeath() .build(); StrictMode.setVmPolicy(policy); <application android:usesCleartextTraffic="false" />
Data In Transit Protection ● The network is not safe ○ But you already know that ● Too much unencrypted traffic ● Too much badly encrypted traffic https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=android+x.509
Badly Encrypted Traffic ● What causes bad encryption bugs? ○ Code testing in non-production environments ○ Third party libraries changing global state ○ Insecure code samples online ○ Connection to legacy servers
Badly Encrypted Traffic HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }); SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[] { new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) {} public void checkServerTrusted(X509Certificate[] chain, String authType) {} public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; } } }, null); HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()); Do not use these code samples!
Network Security Config ● Customizing TLS through the current APIs is too error prone ● Network Security Config: Safer and easier API ● Fine grain blocking of insecure traffic in your app ● Eliminate debugging-related code in your release build ○ Connect to your development infrastructure without any code ○ Avoid writing custom code that removes security for debug builds and accidentally shipping it ● Limit the CAs you want to trust ● Easy to configure cert pinning
Network Security Config - Block insecure traffic <network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">secure.example.com</domain> </domain-config> </network-security-config>
Network Security Config - Debug only CAs <network-security-config> <debug-overrides> <trust-anchors> <certificates src="@raw/debug_cas"/> </trust-anchors> </debug-overrides> </network-security-config>
Network Security Config - Pinning <network-security-config> <domain-config> <domain includeSubdomains="true">example.com</domain> <pin-set expiration="2018-01-01"> <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin> <!-- backup pin --> <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin> </pin-set> </domain-config> </network-security-config>
Data In Transit Protection - User Installed Certificates ● Question: How should user installed certificates be handled? ○ Opportunity to revisit old assumptions ● App files/memory/processes are protected by default ○ Why not network traffic? ● Interest from nation states https://www.eff.org/deeplinks/2015/12/kazakhstan-considers-plan-snoop-all-internet-traffic
Data In Transit Protection - User Installed Certificates ● Most application developers unaware secure traffic can be intercepted ● User installable certificates not commonly used Applications targeting “Nougat” or greater no longer trust user installed certs by default.
Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Where do we go from here?
Languages ● Safe by design: As an industry, we need to move towards memory safe languages ○ This includes sacred cows such as the Linux kernel Bug root cause for all of Android (including kernel and other components)
Invest in Defense ● Invest in defenses: As an industry, we need to look beyond attacks and short term solutions, and invest in architectural improvements in all these areas: ● Exploit Mitigation ● Exploit Containment ● Principle of Least Privilege ● Architectural Decomposition ● Attack Surface Reduction ● Safe by design APIs ● Defense-in-depth
Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Black Hat Sound Bytes
Black Hat Sound Bytes ● Android has a robust, multi-layered defense designed to mitigate and contain vulnerabilities. ● Android is investing heavily in learning from vulnerabilities and applying those lessons in new releases. ● Vulnerabilities will never go away, but they can be contained and managed.
THANK YOU Nick Kralevich nnk@google.com

Recommended

CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enoughSumedt Jitpukdebodin
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERCODE BLUE
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsPriyanka Aash
 

Recommended

CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enoughSumedt Jitpukdebodin
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERCODE BLUE
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedPriyanka Aash
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60Riscure
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN securityDavid Jorm
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat Security Conference
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementMauricio Velazco
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Droidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for EnterpriseDroidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for EnterpriseConsulthinkspa
 
EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...
EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...
EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...Pietro F. Maggi
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauthPriyanka Aash
 

More Related Content

What's hot

Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedPriyanka Aash
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60Riscure
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN securityDavid Jorm
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat Security Conference
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementMauricio Velazco
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Droidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for EnterpriseDroidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for EnterpriseConsulthinkspa
 

What's hot (20)

Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
 
BlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an emailBlueHat v18 || A turla gift - popping calc.exe by sending an email
BlueHat v18 || A turla gift - popping calc.exe by sending an email
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Droidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for EnterpriseDroidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for Enterprise
 

Viewers also liked

EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...
EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...
EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...Pietro F. Maggi
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauthPriyanka Aash
 
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Pietro F. Maggi
 
Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New NightmareOguzhan Topgul
 
Samsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issuesSamsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issuesPriyanka Aash
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS securitySumanth Veera
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
Android vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityAndroid vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityCloudCheckr
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
Behind the scenes with IOS security
Behind the scenes with IOS securityBehind the scenes with IOS security
Behind the scenes with IOS securityPriyanka Aash
 
Keynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security ImpactKeynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security ImpactPriyanka Aash
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating systemSalma Begum
 

Viewers also liked (15)

EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...
EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...
EMEA AppForum 2015 Android KitKat & Lollipop - new features for enterprise de...
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
 
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
 
Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New Nightmare
 
Samsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issuesSamsung pay: tokenized numbers flaws and issues
Samsung pay: tokenized numbers flaws and issues
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS security
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
 
Stagefright (1)
Stagefright (1)Stagefright (1)
Stagefright (1)
 
Android vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityAndroid vs. iPhone for Mobile Security
Android vs. iPhone for Mobile Security
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Behind the scenes with IOS security
Behind the scenes with IOS securityBehind the scenes with IOS security
Behind the scenes with IOS security
 
Keynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security ImpactKeynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security Impact
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating system
 
Android ppt
Android ppt Android ppt
Android ppt
 

Similar to The Art of defence: How vulnerabilites help shape security features and mitigations in android

AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerForAllSecure
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7Sergey Yrievich
 
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshAutomated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshMatt Turner
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdfdino715195
 
September Patch Tuesday Analysis 2018
September Patch Tuesday Analysis 2018September Patch Tuesday Analysis 2018
September Patch Tuesday Analysis 2018Ivanti
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...OpenNebula Project
 
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...Dmytro Korzhevin
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019Moses Schwartz
 

Similar to The Art of defence: How vulnerabilites help shape security features and mitigations in android (20)

AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshAutomated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
 
September Patch Tuesday Analysis 2018
September Patch Tuesday Analysis 2018September Patch Tuesday Analysis 2018
September Patch Tuesday Analysis 2018
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoul...
 
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
OpenNebulaConf 2019 - Crytek: A Video gaming Edge Implementation "on the shou...
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

The Art of defence: How vulnerabilites help shape security features and mitigations in android

  • 1. The Art of Defense How vulnerabilities help shape security features and mitigations in Android Nick Kralevich August 4th, 2016
  • 2. $ whoami ● Nick Kralevich ● Android Security since December 2009 ● Android Platform Security Team Lead
  • 3. Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Agenda Quick overview of the Android Security Architecture Vulnerabilities that affected Android and Android’s response Where do we go from here?
  • 4. Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Android Security Ecosystem
  • 5. Sandbox & permissions Runtime Security Checks Verify Apps Warning Verify Apps Consent Install Confirmation Unknown Sources Warning Google Play
  • 6. Knowledge PHA or Not Data App installs Install Source Google Play Application Analysis Static Dynamic Reputation Etc. Other Google Services Search Drive Ads Etc. SafetyNet Analysis Exploit Detection ACE SIC Etc. Android App Sandbox Verified Boot Encryption Etc. Chrome Smart Lock Device Manager Safe Browsing SafetyNet Verify Apps App X App Y App Z Install Apps Apps Knowledge PHA or not Best practices Knowledge PHA or not Apps Knowledge Risk Signal Data Rare Apps App Install Checks Attest API Protections Warnings Configuration changes Etc Device Data Events Measurements Configurations Etc.
  • 7. Learn More ● https://source.android.com/security/ ● Android Security 2015 Annual Report ○ https://security.googleblog.com/2016/04/android-security-2015-annual-report.html ● Android Security State of the Union ○ Black Hat 2015 - Adrian Ludwig ○ https://goo.gl/JrncdF
  • 8. Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Android Platform Overview
  • 9. High Level Overview Contacts Game X Google Play Contacts Game Y Google Play System System System System System System System Trust Zone Kernel Hardware Root Root Root Root Root User 1 User 2 Verify Apps Safe Browsing SafetyNetGoogle Security Services Email Game Y Email Game Z Device Manager Smart Lock
  • 10. Key Android Security Principles ● Exploit Mitigation ● Exploit Containment ● Principle of Least Privilege ● Architectural Decomposition ● Attack Surface Reduction ● Safe by design APIs ● Defense-in-depth
  • 11. Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Software Flaws
  • 12. PingPong Root (CVE-2015-3636) ● Public Disclosure ○ oss-security ● Presented at Black Hat 2015 ○ Wen Xu / @K33nTeam ● Result: Kernel code execution https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back.pdf diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index a93f260..05ff44b 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk) if (sk_hashed(sk)) { write_lock_bh(&ping_table.lock); hlist_nulls_del(&sk->sk_nulls_node); + sk_nulls_node_init(&sk->sk_nulls_node); sock_put(sk); isk->inet_num = 0; isk->inet_sport = 0;
  • 13. PingPong Root (CVE-2015-3636) commit be341cc348257a07c68bcbfdc526835d49283329 Author: Nick Kralevich <nnk@google.com> Date: Thu Feb 21 18:36:43 2013 -0800 init.rc: allow IPPROTO_ICMP support Allow userspace programs to create IPPROTO_ICMP sockets. This socket type allows an unprivileged program to safely send ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages, without relying on raw sockets or setuid programs. ● An attempt at security hardening made the vulnerable code reachable
  • 14. PingPong Root (CVE-2015-3636) ● First priority: Fix the bug! ● Next step: How do we protect against similar bugs? Solely fixing bugs isn’t acceptable.
  • 15. PingPong Root - Mitigation From: Jeff Vander Stoep <jeffv@google.com> Date: Tue, 18 Aug 2015 20:50:10 +0100 Subject: [PATCH] arm64: kconfig: Move LIST_POISON to a safe value Move the poison pointer offset to 0xdead000000000000, a recognized value that is not mappable by user-space exploits. Cc: <stable@vger.kernel.org> Acked-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Thierry Strudel <tstrudel@google.com> Signed-off-by: Will Deacon <will.deacon@arm.com> --- arch/arm64/Kconfig | 4 ++++ 1 file changed, 4 insertions(+) ● Exploit Mitigation - Move LIST_POINTER out of user-space
  • 16. ● Disallow access to unusual socket families ○ Bluetooth socket family, AF_MSM_IPC, etc… ○ Backported as CVE-2016-3762. Android Security Bulletin—July 2016 ○ Other common socket families were blocked in previous Android versions. ● Whitelist allowable ioctls # Restrict socket ioctls. Either # 1. disallow privileged ioctls, # 2. disallow the ioctl permission, or # 3. disallow the socket class. neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl; neverallow untrusted_app *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } *; PingPong Root - Mitigations
  • 17. PingPong Root - TL;DR PingPong Root: 1 bug, 3 mitigations! Learn more: http://android-developers.blogspot.com/2016/07/protecting-android-with-more-linux.html
  • 18. PingPong Root - Mitigation ● The mitigations are effective at blocking or reducing the severity of a number of unrelated bugs ○ CVE-2016-2059 - Linux IPC router binding any port as a control port ○ CVE-2015-6642 - Security Vulnerability in AF_MSM_IPC socket: IPC_ROUTER_IOCTL_LOOKUP_SERVER ioctl leaks kernel heap memory to userspace ○ CVE-2016-2474 - Security Vulnerability - Nexus 5x wlan driver stack overflow ○ etc...
  • 19. Stagefright ● Series of bugs reported by Joshua “jduck” Drake ● Private disclosure with embargo ● Public disclosure via NPR / blog post / PR / ads / etc... ● For this presentation, focusing on CVE-2015-3824 ○ MP4 'tx3g' Integer Overflow https://www.blackhat.com/docs/us-15/materials/us-15-Drake-Stagefright-Scary-Code-In-The-Heart-Of-Android.pdf
  • 20. Stagefright - A “successful failure” ● Monthly patching cycle ● Public security bulletins ● No evidence of malicious exploitation ● Exploit mitigations (ASLR, etc) worked as intended and bought time ● Device diversity complicated exploitation and bought time ● Exploit containment (UID sandbox, SELinux) forced vulnerability chaining and bought time ● Widespread patch distribution: 57-89% of population [1] ● Significant architectural improvements (more later) ● Enhanced visibility of Android Vulnerability Rewards Program [1] Source: Zimperium.com, March 22nd, 2016
  • 21. Stagefright ● Mediaserver architected for containment ○ “Android: Securing a Mobile Platform from the Ground Up” (Rich Cannings, Usenix Security 2009) ○ Charlie Miller - oCERT-2009-002 ● Stagefright exploit was contained ○ Required vulnerability chaining ● Mediaserver grew up. More features => more capabilities https://twitter.com/jduck/status/756197298355318784
  • 22. Stagefright @@ -1948,6 +1948,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { size = 0; } + if (SIZE_MAX - chunk_size <= size) + return ERROR_MALFORMED; + uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size]; if (buffer == NULL) { return ERROR_MALFORMED; ● First Priority: Fix the bugs! ○ 7 patches provided by vulnerability reporter (yay!)
  • 23. Stagefright ● Unfortunately, fix was incomplete: CVE-2015-3864 size = 0; } - if (SIZE_MAX - chunk_size <= size) { + if ((chunk_size > SIZE_MAX) || (SIZE_MAX - chunk_size <= size)) { return ERROR_MALFORMED; } + if (SIZE_MAX - chunk_size <= size) + return ERROR_MALFORMED; + uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size]; if (buffer == NULL) { return ERROR_MALFORMED; CVE-2015-3824 CVE-2015-3864
  • 24. Stagefright Solely fixing bugs isn’t acceptable.
  • 25. mediaserver - Architectural Improvements ● Mediaserver refactoring ● Integer overflow protections ● ASLR enhancements ○ Increase kernel randomness ○ Link time randomization ● Mediaserver seccomp ● Remove mediaserver execmem
  • 27. MediaServer Audio devices Bluetooth Camera Device Custom Vendor Drivers DRM hardware FM Radio GPU IPC connection to Camera daemon mmap executable memory Network sockets Read access to app-provided files Read access to conf files Read/Write access to media Secure storage Sensor Hub connection Sound Trigger Devices AudioServer Audio Devices Bluetooth Custom vendor drivers FM radio Read/Write access to media CamerServer Camera Device GPU IPC connections to Camera daemon Sensor Hub Connection ExtractorService None MediaCodecService GPU MediaDrmServer DRM hardware Mmap executable memory Network sockets Secure storage MediaServer GPU Network Sockets Read access to app-provided files Read access to conf files Android M - Capabilities per process Android N - Capabilities per process
  • 28. mediaserver - Refactoring results ● Vastly improved architectural decomposition ● Vastly improved separation of privileges ● Riskiest code moved to strongly sandboxed process ● Containment model significantly more robust Everyone is safer!
  • 29. Stagefright - Integer Overflow Protections ● Majority of stagefright bugs were integer overflow ● In C & C++: ○ For unsigned values: the result is taken modulo 2bits ○ For signed values: the result is undefined UBSan to the rescue!
  • 31. Stagefright before patch v1, sanitized
  • 32. Stagefright after patch v1, sanitized
  • 33. libstagefright with UBSan ● In Summary: ○ UBSan with original patch: no integer overflow, stops exploit! ○ UBSan with no patch: no integer overflow, stops exploit! Learn More: https://android-developers.blogspot.com/2016/05/hardening-media-stack.html
  • 35. ASLR Patch #1 - Increased randomness from kernel commit d07e22597d1d355829b7b18ac19afa912cf758d1 Author: Daniel Cashman <dcashman@google.com> Date: Thu Jan 14 15:19:53 2016 -0800 mm: mmap: add new /proc tunable for mmap_base ASLR [deleted] Concretely, the attack was against the mediaserver process, which was limited to respawning every 5 seconds, on an arm device. The hard-coded 8 bits used resulted in an average expected success rate of defeating the mmap ASLR after just over 10 minutes (128 tries at 5 seconds a piece). With this patch, and an accompanying increase in the entropy value to 16 bits, the same attack would take an average expected time of over 45 hours (32768 tries), which makes it both less feasible and more likely to be noticed. https://lwn.net/Articles/667790/
  • 36. ASLR Patch #2 - Library Load Order Randomization 1.so 2.so 3.so 4.so 1.so 2.so 3.so 4.so Random base address ● Compliments and enhances randomized mmap base address ● Dependent shared libraries are mapped into memory in random order ● Effectiveness depends on number of shared library dependencies ● No impact on initial executable nor dynamic linker load https://android-review.googlesource.com/178130
  • 37. ASLR Patch #3 - Random gap between *.so files 1.so 2.so 3.so 4.so Random base address ● Checked in 15 days ago. :-) ○ Targeting future Android release ● Adds more gaps between shared libraries. ● Allow a lot more compact CFI shadow implementation https://android-review.googlesource.com/248499 1.so 2.so 3.so 4.so
  • 38. mediaserver: additional changes open("/system/lib/libnetd_client.so", O_RDONLY) = 3 mmap2(NULL, 12904, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb6d9f000 open("/data/data/com.foo.bar/libnetd_client. so", O_RDONLY) = 4 mmap2(NULL, 12904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = -1 EACCES (Permission denied) mmap2(NULL, 20, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 4, 0) = -1 EACCES (Permission denied) finit_module(5, "", 0) = ? ERESTART_RESTARTBLOCK (Interrupted by signal) --- SIGSYS {si_signo=SIGSYS, si_code=SI_USER, si_pid=20745, si_uid=2000} --- +++ killed by SIGSYS +++ Bad system call ● Remove “execmem” ○ No anonymous executable memory ○ No loading executable code from outside /system (not new in Nougat) ○ Executable content can only come from dm-verity protected partition ● seccomp enforcement
  • 40. Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Data in Transit Protection
  • 41. Data In Transit Protection ● The network is not to be trusted. ○ This has always been true but is especially for mobile devices. ○ But you already know this. ● Too much unencrypted traffic
  • 42. Data In Transit Protection - Marshmallow In order to help you accurately and easily determine if your application is making cleartext traffic in Marshmallow we added two new features. 1. Strict mode cleartext detection to help you while testing. 2. usesCleartextTraffic application manifest attribute to block accidental regressions on user devices. Note: These are not limited to HTTP/HTTPS StrictMode.VmPolicy policy = new StrictMode.VmPolicy.Builder() .detectCleartextNetwork() .penaltyDeath() .build(); StrictMode.setVmPolicy(policy); <application android:usesCleartextTraffic="false" />
  • 43. Data In Transit Protection ● The network is not safe ○ But you already know that ● Too much unencrypted traffic ● Too much badly encrypted traffic https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=android+x.509
  • 44. Badly Encrypted Traffic ● What causes bad encryption bugs? ○ Code testing in non-production environments ○ Third party libraries changing global state ○ Insecure code samples online ○ Connection to legacy servers
  • 45. Badly Encrypted Traffic HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }); SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[] { new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) {} public void checkServerTrusted(X509Certificate[] chain, String authType) {} public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; } } }, null); HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()); Do not use these code samples!
  • 46. Network Security Config ● Customizing TLS through the current APIs is too error prone ● Network Security Config: Safer and easier API ● Fine grain blocking of insecure traffic in your app ● Eliminate debugging-related code in your release build ○ Connect to your development infrastructure without any code ○ Avoid writing custom code that removes security for debug builds and accidentally shipping it ● Limit the CAs you want to trust ● Easy to configure cert pinning
  • 47. Network Security Config - Block insecure traffic <network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">secure.example.com</domain> </domain-config> </network-security-config>
  • 48. Network Security Config - Debug only CAs <network-security-config> <debug-overrides> <trust-anchors> <certificates src="@raw/debug_cas"/> </trust-anchors> </debug-overrides> </network-security-config>
  • 49. Network Security Config - Pinning <network-security-config> <domain-config> <domain includeSubdomains="true">example.com</domain> <pin-set expiration="2018-01-01"> <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin> <!-- backup pin --> <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin> </pin-set> </domain-config> </network-security-config>
  • 50. Data In Transit Protection - User Installed Certificates ● Question: How should user installed certificates be handled? ○ Opportunity to revisit old assumptions ● App files/memory/processes are protected by default ○ Why not network traffic? ● Interest from nation states https://www.eff.org/deeplinks/2015/12/kazakhstan-considers-plan-snoop-all-internet-traffic
  • 51. Data In Transit Protection - User Installed Certificates ● Most application developers unaware secure traffic can be intercepted ● User installable certificates not commonly used Applications targeting “Nougat” or greater no longer trust user installed certs by default.
  • 52. Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Where do we go from here?
  • 53. Languages ● Safe by design: As an industry, we need to move towards memory safe languages ○ This includes sacred cows such as the Linux kernel Bug root cause for all of Android (including kernel and other components)
  • 54. Invest in Defense ● Invest in defenses: As an industry, we need to look beyond attacks and short term solutions, and invest in architectural improvements in all these areas: ● Exploit Mitigation ● Exploit Containment ● Principle of Least Privilege ● Architectural Decomposition ● Attack Surface Reduction ● Safe by design APIs ● Defense-in-depth
  • 55. Proprietary + ConfidentialProprietary + Confidential Proprietary + Confidential Black Hat Sound Bytes
  • 56. Black Hat Sound Bytes ● Android has a robust, multi-layered defense designed to mitigate and contain vulnerabilities. ● Android is investing heavily in learning from vulnerabilities and applying those lessons in new releases. ● Vulnerabilities will never go away, but they can be contained and managed.