• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
 

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)

on

  • 6,309 views

TOMOYO Linux is a MAC (Mandatory Access Control) implementation which gives support to protect Linux systems as well as to learn, understand and analyze system behavior. Being lightweight, it results ...

TOMOYO Linux is a MAC (Mandatory Access Control) implementation which gives support to protect Linux systems as well as to learn, understand and analyze system behavior. Being lightweight, it results suitable for embedded systems too. This tutorial aims to show in a practical way how to make the best use of TOMOYO Linux potentials in order to study and protect embedded Linux systems, taking Android as a specific study case. Though Android is amazingly expanding its target to various kinds of devices, it was designed mainly for mobile phones. Then, unlike other embedded operating systems, it presents some peculiar characteristics which require a particular attention to apply MAC effectively. The session is directed to those who want to learn how to use TOMOYO Linux, to managers or developers interested in security concerning embedded Linux and Android, and even to anyone just wishing to take a closer glance at Android internals.

Statistics

Views

Total Views
6,309
Views on SlideShare
5,112
Embed Views
1,197

Actions

Likes
0
Downloads
152
Comments
0

6 Embeds 1,197

http://d.hatena.ne.jp 978
http://tomoyo.sourceforge.jp 200
http://www.slideshare.net 13
http://webcache.googleusercontent.com 4
http://translate.googleusercontent.com 1
http://wayback.archive.org 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • May I begin now? Thank you for such an opportunity to talk about tomoyo I am not fluent in English but I will give it a try. My name is Daisuke Numaguchi. I'm working in secure os group in NTTdata corporation. I've been employed here for 5 years. I'm conducting tomoyo linux promotional activities.
  • 最初に tomoyo と Android がどのようなものか紹介をしておきます。
  • TOMOYO Linux is a lightweight MAC implementation for Linux and Embedded Linux developed by NTT Data Corporation. It performs pathname-based MAC ( Mandatory Access Control ) , separating security domains according to process invocation history, which describes the system behavior. tomoyo は2つのものから成り立っている。 1つめはカーネルのパッチで、 tomoyo のためのパッチを追加するものです。 2つめは tomoyo のポリシーと呼ばれるアクセスコントロール設定を マネージメントするためのユーティリティです。
  • ここで強制アクセス制御について簡単に触れておきます。 強制アクセス制御は、ポリシーにしたがって access を制限するものです。 管理者であっても、例外なく制御をおこなうものです。 Linux の場合は、 SELinux, Smack, tomoyo ・・・などいくつか種類があります。
  • それでは tomoyo がどのようなところで活用できるかを少し紹介します。 まず「プロテクト」、 MAC ツールとしてのふつうの使い方です。 次に、 TOMOYO Linux has a special mode called "learning" mode. In learning mode, TOMOYO Linux analyzes the accesses occured in the kernel and stores them as MAC policy. 「学習」、 tomoyo はパス名のアクセス制御をしているので、 ポリシーを見ることで、自分が作ったアプリケーションが どのような振る舞いをするのか 簡単に知ることができます。 学習だけで使うことも可能ですが、アプリケーションのデバッグにも使うことができます。
  • Android はプロンプトモデル (prompting model) を採用している。 このプロンプトモデルは、ユーザにファイルを実行してもよいか、尋ねるタイプのモデルです。 Android は各アプリケーションが ( システム内の各部分も同様に ) 固有のプロセスで実行する、 マルチプロセスシステムです。アプリケーションとシステムの間のセキュリティは、 標準的な Linux と同様にしてアプリケーションに割り当てられたユーザ・グループ ID 制御により、 プロセスレベルで確保されます。
  • ここからは Android へ tomoyo の適用についてお話していきます
  • Android で tomoyo が起動するように Android を設定していきます。
  • Android に適用したイメージです。 Tomoyo はカーネル上で動作し、 Android 上で MAC を使えるようになります。
  • 今日、皆さんに見てもらうデモの環境です。 Android の tomoyo は、ネットワークを使って設定を変更するようにしています。 Android の tomoyo エージェントとホスト側の editpolicy プログラムが通信することになります。 Android に限らず、リモート管理機能は便利だと思います。
  • Editpolicy プログラムは tomoyo のポリシーを管理するツールです。
  • Tomoyo ではドメインと呼ばれるプログラム単位でポリシーを管理しています。 Tomoyo ではこのドメインポリシーを適切に設定することが重要になります。 これをみることで、プログラムの呼び出し順序を見ていくことができます。 例えば /system/bin/app_process は、 /init の順番で呼び出されていることがわかります。 は、ツリーの起点を表しています。 この部分は、プロファイル番号です。 TOMOYO manages the policy by a program unit to be called a domain in Tomoyo. It becomes important that I set domain policy corectly in Tomoyo. For example, I understand that /system/bin/app_process is called by kernel /init. is starting point of a domain tree. The second column is a profile number.
  • Profile defines tomoyo’s operation mode.
  • ドメインをプロセスの親子関係で表示しています。 /init プログラムから sh (シェル)や servicemanager というプログラムが呼び出されていることがわかります。

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009) Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009) Presentation Transcript

  • Japan Linux Symposium 2009 2009.10.23 Daisuke Numaguchi Tetsuo Handa Giuseppe La Tona NTT DATA CORPORATION
    • INTRODUCTIONS
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • TOMOYO overview
    • MAC implementation for Linux
      • Behavior oriented system analyzer and protector
      • Pathname-based MAC tools
    • It consists of:
      • a kernel patch ( ccspatch )
      • a set of utilities ( ccstools ) for managing access control settings (a.k.a. policy)
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • MAC(Mandatory Access Control)
    • Restrict access according to policy.
    • No exception, no bypass
      • Performed inside kernel space
    • SELinux, Smack, TOMOYO, AppArmor, LIDS, grsecurity, etc.
    2009/10/23 Copyright (C) 2009 NTT Data Corporation
  • How to use TOMOYO?
    • Protect
      • System administrator's operations
    • Learning
      • Know system behaviors
    • Analyze
      • Debug
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Android overview Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Android Kernel
    • Linux Kernel 2.6 with some changes
      • Reduced set of standard Linux utilities -> toolbox
      • No support glibc -> Bionic libraries
      • No standard IPC -> Binder , specific IPC driver
      • No native windowing system
      • Optimized Power Management
      • Low memory killer, Alarm etc.
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Dalvik and Zygote
    • Runtime is made by Java programs running in Dalvik : Virtual Machine for mobile devices
      • slow CPU, small RAM, no swap space, battery
      • Not a JVM, no JIT: only interpreter of DEX (optimized bytecode obtained from Java .class)
      • Multiple VM instances can run efficiently.
    • Zygote process :
      • first instance of Dalvik VM, partially initialized
      • load preload classes and resources
      • is kept always alive in idle state
      • When an application execution request occurs:
      • zygote fork() s to a new process…
        • … which loads the requested package
      • (Biology concept of “zygote”: duplicate, specialize and differentiate )
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Dalvik and Zygote
    • Runtime is made by Java programs running in Dalvik : Virtual Machine for mobile devices
      • slow CPU, small RAM, no swap space, battery
      • Not a JVM, no JIT: only interpreter of DEX (optimized bytecode obtained from Java .class)
      • Multiple VM instances can run efficiently.
    • Zygote process :
      • first instance of Dalvik VM, partially initialized
      • load preload classes and resources
      • is kept always alive in idle state
      • When an application execution request occurs:
      • zygote fork() s to a new process…
        • … which loads the requested package
      • (Biology concept of “zygote”: duplicate, specialize and differentiate )
    Copyright (C) 2009 NTT Data Corporation 2009/10/23 fork() application zygote Dalvik VM
  • Android boot sequence adbd vold (mount) rild (radio) debuggerd installd … Binder Copyright (C) 2009 NTT Data Corporation 2009/10/23 systemserver service manager service manager System Services Dalvik VM fork() Dalvik VM Dalvik VM Dalvik VM GUI service manager service manager Applications Home Runtime Kernel init init Daemons init init init Native Servers servicemanager registration mediaserver zygote exec() fork() Dalvik specialization
  • Android security model (1/2)
    • Each application runs in its own process
      • Runtime in separate instances of Dalvik virtual machine
    Copyright (C) 2009 NTT Data Corporation 2009/10/23 Dalvik VM Application 1 Zygote Dalvik VM Application 2 Dalvik VM Application 3 Dalvik VM Application 4
  • Android security model (2/2)
    • Each process is a “secure sandbox”
      • Linux Discretionary Access Control (DAC) for file access: all applications are assigned a unique UID (constant)
        • UID for system services are hard-coded
        • UID for user packages are progressively assigned at install-time, starting from uid 10000 (and mapped to app_0, app_1, …) ; they are saved in a file and are maintained constant during the life of the package on the device.
        • Application specific files are saved in /data/data in separate folders owned by specific UID users
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
    • TOMOYO ON ANDROID
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • TOMOYO Linux versions
    • There are 2 development lines:
      • Fully equipped version (1.x series)
        • provides full functionalities of pathname-based MAC (MAC for files, network, capabilities…)
      • Mainlined version (2.x series)
        • uses Linux Security Modules (LSM)
        • subset of MAC functionalities (only for files, so far)
          • missing functionalities will be added in the future
        • supports only kernels 2.6.30 and later
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Android kernel
    • Android SDK 1.6 ("donut") comes with kernel 2.6.29 .
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Android kernel
    • Android SDK 1.6 ("donut") comes with kernel 2.6.29 .
    • TOMOYO 2.x is available since kernel 2.6.30
    • TOMOYO 2.2 function is only file access control
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Android kernel
    • Android SDK 1.6 ("donut") comes with kernel 2.6.29 .
    • TOMOYO 2.x is available since kernel 2.6.30
    • TOMOYO 2.2 function is only file access control
    • So, choose TOMOYO 1.x !!
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Porting TOMOYO to Android
    • Patching Android Kernel with TOMOYO patch
    • Adapting ccstools
    • Cross-compiling for Android
    • Adding TOMOYO Policy Loader to Android boot
    • Creating policy
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Patching Android Kernel
    • TOMOYO 1.7.x (Fully equipped version )
    • Emulator (no real Android device needed)
      •  Linux kernel version: Goldfish v2.6.29
      • “ Goldfish” is the name given to the ARM architecture emulated by Android SDK Emulator
    • ccspatch 1.7.1-pre for Goldfish v2.6.29
    Copyright (C) 2009 NTT Data Corporation  2009/10/23 Kernel TOMOYO Linux
  • Adapting ccstools
    • Ccstools is for managing TOMOYO’s policy.
    • Ccstools was intended for use on PC
    • Ccstools has been enhanced with Network mode for embedded systems
    • More convenient for developing policies and debugging
    • Two utilities are needed for the device: ccs-init, ccs-editpolicy-agent
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Modifying Android boot (1/2)
    • Put "ccs-init (program for activating TOMOYO)" inside /sbin/
      • the kernel will call /sbin/ccs-init before /init starts.
    • Copy below files needed by /sbin/ccs-init
      • /system/bin/linker
        • /system/ partition is not mounted yet when /sbin/ccs-init starts.
      • /lib/libc.so
      • /lib/libm.so
        • Environment variable LD_LIBRARY_PATH="/system/lib" is not set yet when /sbin/ccs-init starts.
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Modifying Android boot (2/2)
    • Put "ccs-editpolicy-agent (program for managing TOMOYO remotely)" inside /sbin/
    • Append to /init.rc
      • ccs-editpolicy-agent will listen to tcp port 7000
      • We can issue "adb forward tcp:10000 tcp:7000" to connect from host environment.
    Copyright (C) 2009 NTT Data Corporation
        • service ccs_agent /sbin/ccs-editpolicy-agent 0.0.0.0:7000
        • oneshot
    2009/10/23
  • Creating policy
    • Put access control settings (a.k.a. policy) in /etc/ccs
      • /sbin/ccs-init will load them
      • Details: http://tomoyo.sourceforge.jp/1.7/android-arm.html
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • TOMOYO on Android overview Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • TOMOYO on Android overview Copyright (C) 2009 NTT Data Corporation TOMOYO tools TOMOYO patch 2009/10/23
  • EDITING POLICY (VIA AGENT) Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Copyright (C) 2009 NTT Data Corporation Android emulator (Goldfish) TOMOYO Linux (kernel patch) Android runtime Application framework TOMOYO Agent ccs-editpolicy-agent app Ubuntu 8.04 app app app Libraries Policy editor ccs-editpolicy TCP/IP 2009/10/23
  • Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Profile number Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Copyright (C) 2009 NTT Data Corporation Profile 0 for disabled, 1 for learning, 2 for permissive, 3 for enforcing 2009/10/23
  • Profile number Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server Copyright (C) 2009 NTT Data Corporation 2009/10/23 init init Daemons servicemanager mediaserver zygote
  • Problem with splitting domains
    • The applications are executed with different UID (i.e.: root, system, app_#, …) and different process name, but…
    Copyright (C) 2009 NTT Data Corporation 2009/10/23 Adapting ccstools service manager service manager Applications System Server
  • Problem with splitting domains
    • The applications are executed with different UID (i.e.: root, system, app_#, …) and different process name, but…
    • … they are all fork()ed from app_process!
    Copyright (C) 2009 NTT Data Corporation 2009/10/23 Adapting ccstools service manager service manager Applications System Server zygote Dalvik VM Dalvik VM Dalvik VM fork()
  • Problem with splitting domains
    • New and unexpected situation for TOMOYO Linux
    • In TOMOYO Linux, domain transitions occur after process invocation, that is execve(), not fork()
    •  Splitting domain
    • <kernel> /init /system/bin/app_process
    • in different domains according to each single application is impossible . . . ?
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Problem with splitting domains <kernel> /init /system/bin/app_process Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • TOMOYO’s MAC and Android DAC
    • Android security rule : data files of one application should be prevented from being accessed by other applications
    • This is performed by using DAC permissions, as said before
    • TOMOYO can provide with conditional ACL a further insurance that this rule is respected, especially in cases when:
      • DAC permissions are poorly configured
      • root process (zygote) would be hijacked
      • allow_read/write @APP_DATA_FILE if task.uid=path1.uid
      • allow_unlink @APP_DATA_FILE if task.uid=path1.uid
      • allow_mkdir @APP_DATA_DIR if task.uid=path1.parent.uid1
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • TOMOYO’s MAC and Android DAC
    • DAC’s ability to restrict by UID has a low granularity: only “owner”, “group”, “others”.
    • TOMOYO, on the other hand, allows minimal and customizable permissions to any group of specific UIDs.
    • Example: users are app_1, app_2, app_3, app_4; some files owned by app_2 (uid=10002) need to be accessed by app_1 (uid=10001) also, but not by all the “others”.
      • allow_read/write @SOME_FILES if task.uid= 10001-10002
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • An example
    • We want to allow only the Browser to connect to Internet.
    • In this way any process running under “<kernel> /init /system/app/process”
    • domain would be allowed to open TCP connection on any IP, port 80.
    •  least-privilege principle violated
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Solution
    • TOMOYO Linux allows conditional ACL
    • Using task’s UID as a condition , for access grant.
    In this way only the process with UID in HTTP_USERS group will be able to connect Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Solution
    • Add UID of browser application to HTTP_USERS group
    In this way only browser will be able to connect Copyright (C) 2009 NTT Data Corporation 2009/10/23 UID=10012
  • DEMO: Make policy for Web browser
    • Web browser access to restrict the location
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Saving access logs
    • You can save access logs by starting ccs-auditd (host computer) as shown below.
    Copyright (C) 2009 NTT Data Corporation /usr/sbin/ccs-auditd /tmp/grant_log /tmp/reject_log 127.0.0.1:10000 2009/10/23 #2009-10-19 10:07:15# profile=1 mode=learning (global-pid=36) task={ pid=36 ppid=1 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 type!=execute_handler } path1={ uid=0 gid=2000 ino=537 major=31 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=2000 ino=468 perm=0755 } exec={ realpath=&quot;/system/bin/app_process&quot; argc=5 envc=10 argv[]={ &quot;/system/bin/app_process&quot; &quot;-Xzygote&quot; &quot;/system/bin&quot; &quot;--zygote&quot; &quot;--start-system-server&quot; } envp[]={ &quot;PATH=/sbin:/system/sbin:/system/bin:/system/xbin&quot; &quot;LD_LIBRARY_PATH=/system/lib&quot; &quot;ANDROID_BOOTLOGO=1&quot; &quot;ANDROID_ROOT=/system&quot; &quot;ANDROID_ASSETS=/system/app&quot; &quot;ANDROID_DATA=/data&quot; &quot;EXTERNAL_STORAGE=/sdcard&quot; &quot;BOOTCLASSPATH=/system/framework/core.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar&quot; &quot;ANDROID_PROPERTY_WORKSPACE=9,32768&quot; &quot;ANDROID_SOCKET_zygote=10&quot; } } <kernel> /init allow_execute /system/bin/app_process
      • You can create advanced policy settings from access logs.
  • Policy error handler
    • Similar to “page fault handler”
    Copyright (C) 2009 NTT Data Corporation Access request Permitted by policy? Permitted by handler? YES Access granted Access rejected YES NO NO 2009/10/23
  • Conclusions
    • TOMOYO Linux suits well on Android
      • Will suits on other embedded devices as well
    • MAC enforced for system services and user applications
      • Whole system or targeted applications
    • Why not to try TOMOYO?
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Thank you for your attention Copyright (C) 2009 NTT Data Corporation Daisuke Numaguchi <numaguchid@nttdata.co.jp> Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Giuseppe La Tona <giuseppelatona@gmail.com> 2009/10/23
  • Information
    • Mailing list
      • English: [email_address]
      • Japanese: [email_address]
    • Web site
      • http://tomoyo.sourceforge.jp/
    • Wiki
      • http://elinux.org/TomoyoLinux
    Copyright (C) 2009 NTT Data Corporation 2009/10/23
  • Copyrights
    • Linux is a registered trademark of Linus Torvalds in Japan and other countries
    • Android is a registered trademark of Google
    • TOMOYO is a registered trademark of NTT Data Corporation in Japan
    • Other names and trademarks are the property of their respective owners.
    Copyright (C) 2009 NTT Data Corporation 2009/10/23