From Java to Android: A Security Analysis

Presented at AnDevCon Boston 2013
Published in: Technology, Education
Speaker notes

  • Java sandbox terms: permission: type, name, and action of permission; code source: location and signer of code; protection domain: permission + code; policy file: defines protection domains; keystore: verifies identity.
  • Dalvik memory budget: total system RAM is 64 MB; available after low-level startup: 40 MB; after high-level services have started: 20 MB; large system libs: 10 MB.
  • Dalvik runtime: "java.version" property returns "java.class.version" invariably returns 50; "user.home" and "user.name" properties do not exist. Highly optimized VM to support multiple VM instances, each with its own address space and separate memory. Relies on the Linux kernel for underlying functionality such as threading and low-level memory management. Library built on a subset of the Apache Harmony Java. Memory is clean (mmap() and unwritten) or dirty (malloc). Shared memory: used by many processes. Private memory: used by one process.
  • Dalvik examples: dex structures use valid indices and offsets, and code can't misbehave. Optimization: byte swapping (not needed on ARM), static linking, pruning empty methods. Relies on the Linux kernel for underlying functionality. Garbage collector is independent for each process but respects sharing. Topics: bytecode verifier, optimization, "exact" GC, intra-application security, analysis & debugging.

1. From Java to Android: A Security Analysis
Pragati Ogal Rai, Mobile Technology Evangelist, PayPal
@pragatiogal @PayPalDev

2. www.ethos3.com
• Motorola JUIX Platform
• Motorola Linux Java Platform
• Android

3. Agenda
• Java 2 Security Model
• Android Security Model
• Summarize

4. JAVA 2 SECURITY MODEL

5. Java
• Developed by Sun Microsystems in the early 1990s
• Platform Independent – write once, run anywhere!
• Compiled to byte code that runs on a Virtual Machine
• "Java is Secure"

6. Java 2 Security Model
• Language Security Features
• Platform Security
• Crypto APIs
• Authentication & Access Control APIs
• Secure Communication APIs
• Key Management APIs

7. JDK 1.0 Sandbox Model
• Very restricted model
• Local code is trusted
• Remote code is not trusted

8. JDK 1.1 Security Model
• Signed applet model
• Trusted code has privileges
• Untrusted code runs in sandbox

9. Java 2 Sandbox Model
• Fine-grained access control
• Configurable Security Policy
• No built-in concept of trusted local code

10. Security Policy File Example

    // If the code is signed by "Pragati", grant it read/write access to all files in /tmp/pragati
    grant signedBy "Pragati" {
        permission java.io.FilePermission "/tmp/pragati/*", "read,write";
    };
    // If the code is signed by "John", grant it read/write access to all files in /tmp/john
    grant signedBy "John" {
        permission java.io.FilePermission "/tmp/john/*", "read,write";
    };
    // Grant everyone the following permission:
    grant {
        permission java.io.FilePermission "/tmp/pragati/*", "read";
    };

11. Protection Domains
Domain name "Pragati": Pragati's certificate; read/write access to /temp/pragati/*
Domain name "John": John's certificate; read/write access to /temp/john/*; read access to /temp/pragati/*
…
Protection Domain = Code Source + Permission

12. Protection Domains
A domain conceptually encloses a set of classes whose instances are granted the same set of permissions.
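The policy file and protection domains of slides 10 to 12, worked through in code. This is an added example, not from the slides: it builds the code-source half of a protection domain for two unsigned code locations and asks the standard policy provider which file permissions each domain implies. The policy text is constructed and keys on codeBase instead of signedBy (an assumption, so it runs without a keystore or signed jars); it needs a JDK on which the Java 2 Policy API is still active.

```java
import java.io.FilePermission;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
public class PolicyDomainDemo {
    // Constructed policy mirroring the slide's grants; it keys on codeBase rather than
    // signedBy so the demo runs without a keystore or signed jars (assumption).
    static final String POLICY = String.join("\n",
        "grant codeBase \"file:/opt/pragati/-\" {",
        "  permission java.io.FilePermission \"/tmp/pragati/*\", \"read,write\";",
        "};",
        "grant codeBase \"file:/opt/john/-\" {",
        "  permission java.io.FilePermission \"/tmp/john/*\", \"read,write\";",
        "};",
        "grant {",
        "  permission java.io.FilePermission \"/tmp/pragati/*\", \"read\";",
        "};");
    // Loads the constructed policy through the JDK's standard "JavaPolicy" provider.
    static Policy loadPolicy() throws Exception {
        Path file = Files.createTempFile("demo", ".policy");
        Files.write(file, POLICY.getBytes("UTF-8"));
        return Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
    }
    // Protection domain = code source + permissions: build the code-source half for
    // unsigned code loaded from codeBase and ask the policy whether it implies perm.
    static boolean allowed(Policy policy, String codeBase, String path, String actions)
            throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        ProtectionDomain domain = new ProtectionDomain(cs, null);
        return policy.implies(domain, new FilePermission(path, actions));
    }
    public static void main(String[] args) throws Exception {
        Policy policy = loadPolicy();
        String pragati = "file:/opt/pragati/app.jar", john = "file:/opt/john/app.jar";
        // Pragati's code writing its own directory: covered by the first grant block.
        System.out.println(allowed(policy, pragati, "/tmp/pragati/notes.txt", "write"));
        // John's code reading Pragati's files: covered only by the unconditional grant.
        System.out.println(allowed(policy, john, "/tmp/pragati/notes.txt", "read"));
        // John's code writing Pragati's files: no grant block covers this.
        System.out.println(allowed(policy, john, "/tmp/pragati/notes.txt", "write"));
        // "*" matches direct children only, so a subdirectory falls outside every grant.
        System.out.println(allowed(policy, pragati, "/tmp/pragati/sub/x.txt", "read"));
    }
}
```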
13. Java 2 Platform Security Model
(Diagram components: Operating System; Remote Class Files, Local Class Files, Signed Class Files; Bytecode Verifier; Class Loader; Core API Class Files; Core Java API; Security Package; Key Database; Security Manager; Access Controller)

14. Java Language Security
• Programs cannot access arbitrary memory locations
• Variables cannot be used before initialization
• Access methods are strictly adhered to
• Entities declared final must not be changed
• Objects cannot be arbitrarily cast into other objects
• Array bounds must be checked on all array accesses

15. Java Compiler
Java Files (.java) → Java Class Files (.class)
Compiler enforces language rules

16. Bytecode Verifier
• Mini theorem prover
• Enforces language rules
• Delayed bytecode verification
• Runtime binding
(Diagram as on slide 13, Bytecode Verifier highlighted)

17. Class Loader
• Loads classes in a namespace
• Sets permissions for each class it loads
• Link-time type checks for type safety
(Diagram as on slide 13, Class Loader highlighted)

18. Java APIs and Security Package
• Classes in the java.security package
• Classes in security extensions
• Basis for application signing
(Diagram as on slide 13, Security Package highlighted)

19. Security Manager & Access Controller
• Security manager exists for historical reasons
• Access control to system resources
• Policy enforcement
• Default only for applets
(Diagram as on slide 13, Security Manager and Access Controller highlighted)

20. Key Database
• Create / verify digital signatures
(Diagram as on slide 13, Key Database highlighted)

21. Java Sandbox
• Permissions
• Code Source
• Protection Domain
• Policy File
• Keystore

22. Java 2 Security Model
• All code runs in a sandbox
• All classes are loaded with full bytecode verification
• All classes are loaded with Java language features
• Signed classes verify the integrity and origination of Java classes
• Security policy provides fine-grained access
• Crypto APIs
23. THE ANDROID STACK

24. Android
• Open Platform
• First phone based on Android came out in 2009
• 75% smartphone market share as of October 11 (source: idc.com)

25. Android Security Model
• Platform Security
• Crypto APIs
• Secure Communication APIs
• Key Management APIs

26. Install Time User Consent
You control your phone!

27. Android Platform Architecture
(Diagram: http://developer.android.com)

28. Linux Kernel
• Unique UID and GID for each application at install time
• Sharing can occur through component interactions
• Linux Process Sandbox

29. Linux Kernel (Cont'd)
include/linux/android_aid.h:
AID_NET_BT  3002  Can create Bluetooth sockets
AID_INET    3003  Can create IPv4 and IPv6 sockets

30. Middleware
• Libraries for code execution
• Libraries for services
• Take care of device-specific issues
• Compiled to machine language
• Native and Java code

31. Java Virtual Machine?
• There is no JVM in the Android platform
• No Java byte code is executed
• A JAR file will not run on the Android platform

32. Dalvik Virtual Machine

33. Dalvik Virtual Machine
• Dalvik does not align to Java SE or Java ME
• Library built on a subset of the Apache Harmony Java
• Highly optimized VM to support multiple VM instances
• Register-based architecture
• Shared constant pool
• Executes Dalvik executables (.dex)

34. .dex File
(Diagram) Source Files → Java Compiler → A.class, B.class → JAR Tool → Example.jar (A.class, B.class, Strings.xml, Icon.png) → DX Converter → Example.jar (Classes.dex, Strings.xml, Icon.png) → Dalvik VM

35. .dex File
(Image: imsciences.edu.pk)
Dalvik optimizes class files

36. Dalvik Virtual Machine
• No security manager
• Permissions are enforced in the OS and not in the VM
• As of Android 2.2 Dalvik has a JIT compiler
• Dalvik bytecode verification is mainly for optimization
• GC for each VM instance
37. Android Application Structure
• Application is made of components
• Activity: defines screens
• Service: background processing
• Broadcast Receiver: mailbox for messages from other applications
• Content Provider: relational database for sharing information

38. Android Application Structure
• Applications communicate through Intents
• Secure RPC using Binder
• AndroidManifest.xml defines the policy for the application

39. Permission Protection Levels
• Normal: android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM
• Dangerous: android.permission.SEND_SMS, android.permission.CALL_PHONE
• Signature: android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
• SignatureOrSystem: android.permission.ACCESS_USB, android.permission.SET_TIME
All components are secured by permissions.
Developers can define their own permissions as well.

40. Application Layer Security
• Permissions restrict component interaction
• Permission labels defined in AndroidManifest.xml
• Applications are self-signed; no CA required
• Signatures define persistence and authorship

41. Android Security Model
• Linux process sandbox
• Permission-based component interaction
• Dalvik is not a security boundary
• All applications need to be signed
• Signatures define persistence and authorship
• Install-time security decisions
• Crypto APIs
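Slides 36 to 41 in code: a developer-defined signature-level permission, labelled on a component in AndroidManifest.xml and enforced by the OS at Binder call time rather than by Dalvik. This is an added example, not from the slides; the package com.example.wallet, the permission name and the service are hypothetical, and the manifest entries it assumes are quoted in the class comment.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;

/**
 * Assumed AndroidManifest.xml entries for the hypothetical package com.example.wallet:
 *
 *   <permission android:name="com.example.wallet.PAY"
 *               android:protectionLevel="signature" />
 *   <service android:name=".PaymentService"
 *            android:exported="true"
 *            android:permission="com.example.wallet.PAY" />
 *
 * protectionLevel="signature" means only apps signed with the same certificate as
 * this package are ever granted com.example.wallet.PAY; the permission label on the
 * <service> makes the OS refuse binding from any other UID before any code here runs.
 */
public class PaymentService extends Service {
    static final String PAY_PERMISSION = "com.example.wallet.PAY";

    public final class PaymentBinder extends Binder {
        /** Defence in depth: re-check the caller on every call, so a later manifest
         *  edit or an extra entry point cannot silently expose the operation. */
        public boolean pay(String payee, long cents) {
            // checkCallingPermission resolves Binder.getCallingUid(), the IPC caller's
            // UID rather than this process's, so a caller cannot borrow our permissions.
            // It returns PERMISSION_DENIED when not handling an IPC (same-process call).
            if (checkCallingPermission(PAY_PERMISSION) != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("uid " + Binder.getCallingUid()
                        + " lacks " + PAY_PERMISSION);
            }
            return doPay(payee, cents);
        }
    }

    /** Stand-in for the real payment logic in this example. */
    private boolean doPay(String payee, long cents) {
        return payee != null && !payee.isEmpty() && cents > 0;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return new PaymentBinder();
    }
}
```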
42. SUMMARY
(Slides 43 to 50 compare the two models side by side: Java 2 | Android)

43. Vision
Java 2: Protect host machine from malicious code
Android: Optimization for mobile platform

44. Install Time Checking
Java 2: Who are you?
Android: What do you want to do?

45. Sandbox
Java 2: Permissions + Code Sources + Policy + Keystore + Protection Domains
Android: Linux Process Sandbox

46. Signature
Java 2: Identity and Trust
Android: Authorship and Persistence

47. Permissions
Java 2: Enforced by VM
Android: Enforced by OS

48. Protection Domain
Java 2: Code Sources + Permissions
Android: Process

49. Virtual Machine
Java 2: VM is a security boundary
Android: VM is NOT a security boundary

50. Security Enforcement
Java 2: Applets v/s Applications; Native v/s Java code
Android: No exceptions!

51. developer@paypal.com
@PayPalDev @pragatiogal
http://www.slideshare.net/pragatiogal
Thank you!