0
Fourteenforty Research Institute, Inc.
1
Tizen Security
Fourteenforty Research Institute, Inc.
http://www.fourteenforty.jp...
Fourteenforty Research Institute, Inc.
• As alternative OS for smartphones and tablets Tizen and Firefox OS are
becoming r...
Fourteenforty Research Institute, Inc.
• Overview
– Open source OS for mobile devices
– One project in Linux Foundation
– ...
Fourteenforty Research Institute, Inc.
Tizen Architecture
4
From http://upload.wikimedia.org/wikipedia/commons/c/c3/What_i...
Fourteenforty Research Institute, Inc.
• There are 2 application package format
– Tizen Package (.tpk) : Native Applicatio...
Fourteenforty Research Institute, Inc.
• Installed into /opt/apps/(AppId)
• AppId is 10 byte length string
• Under /opt/ap...
Fourteenforty Research Institute, Inc.
Tizen Web package
7
From https://developer.tizen.org/documentation/articles/tizen-a...
Fourteenforty Research Institute, Inc.
• Zip archive with .tpk extension
• .tpk file constitutes the whole structure under...
Fourteenforty Research Institute, Inc.
Security
9
• Research on following security features
– OS level Security
• Access C...
Fourteenforty Research Institute, Inc.
Overview of Access Control
10
• All the processes run with one of 2 UIDs which corr...
Fourteenforty Research Institute, Inc.
Using 2 UIDs
11
Kernel
Web App1
Web Runtime
(UID: app)
Web App2
Native App
(UID: ap...
Fourteenforty Research Institute, Inc.
Application Isolation
12
All the applications run with UID ‘app’
↓
Can they access ...
Fourteenforty Research Institute, Inc.
• One of the implementations of LSM(Linux Security Modules)
• Labeling to Subject (...
Fourteenforty Research Institute, Inc.
Utilize SMACK Label
14
Kernel
Web App1
Web Runtime
(UID: app)
Web App2
Native App1
...
Fourteenforty Research Institute, Inc.
Vulnerability Protection
15
• Supports native(C/C++) application development from T...
Fourteenforty Research Institute, Inc.
DEP
16
• Tested following code as a Tizen Native Application
int func(){
int a = 10...
Fourteenforty Research Institute, Inc.
ASLR
17
• The value of /proc/sys/kernel/randomize_va_space is 2
– Which means ASLR ...
Fourteenforty Research Institute, Inc.
Applications
Content Security Framework(CSF)
18
• This framework makes it easier to...
Fourteenforty Research Institute, Inc.
• Privilege
– Tizen divides APIs into 3 categories according to its right
• Public ...
Fourteenforty Research Institute, Inc.
Web Application Sandbox
20
Kernel
Web Runtime
Web Application
JavaScript API
System...
Fourteenforty Research Institute, Inc.
• SMACK is the core part of access control in Tizen
• It has 2 stage access control...
Fourteenforty Research Institute, Inc.
• http://download.tizen.org/misc/media/conference2012/tuesday/ballroom
-c/2012-05-0...
Upcoming SlideShare
Loading in...5
×

Mr201305 tizen security_eng

574

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
574
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
12
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Mr201305 tizen security_eng"

  1. 1. Fourteenforty Research Institute, Inc. 1 Tizen Security Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Senior Research Engineer Shuichiro Suzuki
  2. 2. Fourteenforty Research Institute, Inc. • As alternative OS for smartphones and tablets Tizen and Firefox OS are becoming remarkable OS • A vendor in Japan may release a device with Tizen OS in this or next year • In Android security has been concerned after its release • How about the security in new OS? • Research on the security of Tizen • Research in this slides are done by using an emulator in Tizen SDK 2.1 Background 2
  3. 3. Fourteenforty Research Institute, Inc. • Overview – Open source OS for mobile devices – One project in Linux Foundation – Development is mainly lead by Samsung and Intel • Features – Linux based OS – It supports both web and native application development from Tizen 2.0 About Tizen 3
  4. 4. Fourteenforty Research Institute, Inc. Tizen Architecture 4 From http://upload.wikimedia.org/wikipedia/commons/c/c3/What_is_tizen_architecture.png Supports web and native applications
  5. 5. Fourteenforty Research Institute, Inc. • There are 2 application package format – Tizen Package (.tpk) : Native Applications – Tizen Web Package (.wgt) : Web Applications Tizen Package 5
  6. 6. Fourteenforty Research Institute, Inc. • Installed into /opt/apps/(AppId) • AppId is 10 byte length string • Under /opt/apps/(AppId) directory there are – bin/ – data/ – res/ Common Feature of Tizen Web/Native application 6
  7. 7. Fourteenforty Research Institute, Inc. Tizen Web package 7 From https://developer.tizen.org/documentation/articles/tizen-application-packaging-overview • Zip archive with .wgt extension • .wgt file constitutes the structure show below • bin directory has a file which is a symbolic link to Web Runtime (WRT) • A web apllication is hosted by this Web Runtime
  8. 8. Fourteenforty Research Institute, Inc. • Zip archive with .tpk extension • .tpk file constitutes the whole structure under (AppId) dirctory • bin directory has an application binary Tizen Native package 8 https://developer.tizen.org/documentation/articles/tizen-application-packaging-overviewより引用
  9. 9. Fourteenforty Research Institute, Inc. Security 9 • Research on following security features – OS level Security • Access Control • Vulnerability Protection • Content Security Framework – Application Rights Isolation • Privileges • Feature
  10. 10. Fourteenforty Research Institute, Inc. Overview of Access Control 10 • All the processes run with one of 2 UIDs which corresponds following accounts – root – app • Both web and native application run with UID ‘app’ • It has mandatory access control by SMACK – All the applications are labeled by SMACK
  11. 11. Fourteenforty Research Institute, Inc. Using 2 UIDs 11 Kernel Web App1 Web Runtime (UID: app) Web App2 Native App (UID: app) Service (UID: root) Run with UID ‘app’ Processes require high rights run with UID ‘root’
  12. 12. Fourteenforty Research Institute, Inc. Application Isolation 12 All the applications run with UID ‘app’ ↓ Can they access their private file each other?? Access control by SMACK (They cannot access their private file each other by default)
  13. 13. Fourteenforty Research Institute, Inc. • One of the implementations of LSM(Linux Security Modules) • Labeling to Subject (≓ process) and Object (≓ file) and controlled by access rules between them • Example of a rule: SMACK 13 Subject labeled “TopSecret” TopSecret Secret rx To object labeled “Secret” Can read and execute
  14. 14. Fourteenforty Research Institute, Inc. Utilize SMACK Label 14 Kernel Web App1 Web Runtime (UID: app) Web App2 Native App1 (UID: app) Service1 (UID: root) WebApp1 SMACK Label WebApp2 NativeApp1 File1 WebApp1 File2 WebApp2 Cannot access to a file labeled WebApp2 Service1 Run with UID ‘app’ Processes require high rights run with UID ‘root’
  15. 15. Fourteenforty Research Institute, Inc. Vulnerability Protection 15 • Supports native(C/C++) application development from Tizen 2.0 • There may be a typical buffer overflow vulnerability • Main possible protections are ASLR and DEP
  16. 16. Fourteenforty Research Institute, Inc. DEP 16 • Tested following code as a Tizen Native Application int func(){ int a = 10; int b = 20; return a+b; } _EXPORT_ int OspMain(int argc, char *pArgv[]) { AppLog("Application started."); char buf[1024]; int (*f)(); memcpy( buf, (char*)func, 1024); f = (int (*)())buf; int b = f(); ArrayList args(SingleObjectDeleter); args.Construct(); ….. Prepare buffer on the stack Copy func() into the buffer Run the cond on the stack This is executed without any errors DEP is not enabled (on Tizen SDK 2.1 x86 Emulator)
  17. 17. Fourteenforty Research Institute, Inc. ASLR 17 • The value of /proc/sys/kernel/randomize_va_space is 2 – Which means ASLR is enabled • But actually… (Tizen Native App on emulator) – Run a same program 2 times. Main modules, heap and stack addresses in /proc/[pid]/maps are the same -> Not Randomized (On Tizen SDK 2.1 x86 Emulator) • The value of /proc/self/personality is 00040000 (ADDR_NO_RANDOMIZE) – ASLR is disabled by this setting 09e0e000-09e70000 rw-p 00000000 00:00 0 [heap] 09e70000-09f80000 rw-p 00000000 00:00 0 [heap] b36e7000-b36ec000 r-xp 00000000 fe:00 73077 /opt/usr/apps/hNLQmS2Kl0/bin/MySample7.exe b36ec000-b36ed000 rw-p 00004000 fe:00 73077 /opt/usr/apps/hNLQmS2Kl0/bin/MySample7.exe b36ed000-b36f0000 r-xp 00000000 fe:00 73094 /opt/usr/apps/hNLQmS2Kl0/bin/MySample7 b36f0000-b36f1000 rw-p 00002000 fe:00 73094 /opt/usr/apps/hNLQmS2Kl0/bin/MySample7 bfdcf000-bfdf0000 rw-p 00000000 00:00 0 [stack]
  18. 18. Fourteenforty Research Institute, Inc. Applications Content Security Framework(CSF) 18 • This framework makes it easier to provide security check feature into Tizen • CSF defines API and Plug-in interface • Security check feature is provided as a Plugin(libengine.so) • A Plug-in provides features to check file, URL, Web site(HTML, JavaScript) • Applications provides the Plug-in (Security Application Package) must have trusted signature System Libraries Browser Call CSF APIs libengine.so Content Security Framework Installer Security Application Package libengine.so Install CSF Plugin
  19. 19. Fourteenforty Research Institute, Inc. • Privilege – Tizen divides APIs into 3 categories according to its right • Public - All the developers can use • Partner - Partner developers who registered Tizen appliction store can use • Platform - For managing Tizen platform(Limited developers can use) – Application without proper privilege can not use API – Application manifest file has the description of privileges • Feature – This is like a permission on Android platform – Write features to use (Access contacts, camera and so on) in manifest file – Web Runtime has Access Control Engine (ACE) – It controls an access to each features Application Rights Isolation 19
  20. 20. Fourteenforty Research Institute, Inc. Web Application Sandbox 20 Kernel Web Runtime Web Application JavaScript API System Call 2 stage access control via Web Runtime and SMACK SMACK(LSM) Check SMACK Rule WRT Access Control Engine Check Features Rule Even if there is a vulnerability in Web Runtime it can prevent to access to device file to which the process does not have an permission (Have not confirmed that all the access control level is the same between WRT and SMACK rules)
  21. 21. Fourteenforty Research Institute, Inc. • SMACK is the core part of access control in Tizen • It has 2 stage access control with WRT and SMACK for web based application • It can flexibly provides security check feature by Content Security Framework • There may be a classical vulnerability like buffer overflow since it allows to develop an application by native(C/C++) code. • There are some spaces to improve in memory protection such as ASLR or DEP Summary 21
  22. 22. Fourteenforty Research Institute, Inc. • http://download.tizen.org/misc/media/conference2012/tuesday/ballroom -c/2012-05-08-1600-1640-tizen_security_framework_overview.pdf • http://download.tizen.org/misc/media/conference2012/wednesday/seacl iff/2012-05-09-0945-1025- understanding_the_permission_and_access_control_model_for_tizen_applicati on_sandboxing.pdf • http://www.youtube.com/watch?v=GtiAQOo4beg Reference 22
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×