SlideShare a Scribd company logo

thcon23_The_Android_Security_Model.pdf

A
AvulaVenkatesh3

Android security model pdf useful bachelor degree students

Education
1 of 33
Download to read offline
1 THCON23 The Android Security Model THCON 2023 2023/04/21
2 2 THCON23 Agenda  Introduction  Security Model  Android Permissions  Hardening and Mitigations  Conclusion
3 3 THCON23 Presentation  Jean-Baptiste Cayrou  Security researcher @Synacktiv  Vulnerability research & exploitation  Synacktiv  Offensive security company  Based in France  ~140 Ninjas  We are hiring!!!
4 4 THCON23 Introduction  Android is an open-source project led by Google  Lastest version is Android 13  ~70% mobile devices worldwide use Android  It is based on a Linux kernel with the “binder” driver enabled for process interactions  In userland, applications are Java packages that run in a specific JVM
5 5 THCON23 Introduction  Our smartphones contain a lot of sensitive data  Emails and conversations  Photos and videos  And they have many sensors  Camera  Microphone  GPS  Access to this data and sensors must be protected against compromised or malicious applications
6 6 THCON23 Device Threats
7 7 THCON23 Device Threats  Applications may be malicious or compromised  For instance, by exploiting browser vulnerabilities  It is essential to prevent attackers from accessing:  Data  Sensors  Attackers might bypass restrictions by exploiting other system vulnerabilities  Perform a LPE (Local Privileged Escalation) → Reduce the risks and make LPE as difficult as possible
8 8 THCON23 Security Model
9 9 THCON23 Security Model  Android considers applications as untrusted  Least privilege principle  Only permit each component to perform necessary actions  Implement isolation and sandboxing of processes and applications  Restrict interactions between components  Hardening and exploit mitigations  Make vulnerabilities difficult to exploit  Ideally, make vulnerabilities unexploitable
10 10 THCON23 Isolation and sandboxing  Android uses Linux features to isolate applications and daemons  Linux users, groups (DAC security)  SELinux (MAC security)  SECCOMP to filter syscalls
11 11 THCON23 Isolation and sandboxing - Linux users  Some user IDs are reserved for system use  system is 1000, shell is 2000, bluetooth is 1002, etc.  Applications UID range is 10000 → 19999  Applications  Applications get a UID at installation time  Get a dedicated folder for data storage  Not able to read other applications folders (Unix file permissions)  /data/data/<PKG_NAME>/
12 12 THCON23 Isolation and sandboxing - SELinux  SELinux: Security Enhanced Linux  Enforced starting with Android 4.4 (2013)  Implemented as a Linux Security Module (LSM)  Implements security filtering hooks which are called inside the kernel // Extract of fs/ioctl.c SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, unsigned long, arg) { struct fd f = fdget(fd); int error; if (!f.file) return -EBADF; error = security_file_ioctl(f.file, cmd, arg); if (error) goto out; error = do_vfs_ioctl(f.file, fd, cmd, arg); // [...]
13 13 THCON23 Isolation and sandboxing - SELinux  The SELinux policy defines rules between subject, objects and actions  Subjects and objects are identified with security context called SELinux labels  The firmware contains a set of SELinux rules (the policy) loaded during the boot  Actions not included in the rules are forbidden  Rule example allow appdomain app_data_file:file rw_file_perms; actions {getattr open read ioctl lock w_file_perms} subjects objects
14 14 THCON23 Isolation and sandboxing - SECCOMP  SECCOMP is a Linux feature that filters syscalls  Enforced system-wide since Android 8.0  Reduces the Kernel attack surface  Filtering profiles are directly defined in the Android libc (Bionic)  Profiles: System, Application, Application Zygote  Filtering profile is enabled when an application starts  Configured by the JVM during application launch
15 15 THCON23 Isolation and sandboxing - SECCOMP  The system profile is relatively permissive  17/271 ARM64 syscalls blocked  70/368 ARM syscalls blocked  Applications can register additional filters to strengthen sandboxing  Chrome  Media Extractor - media decoding daemon (stagefrights)
16 16 THCON23 Kinds of Applications  Four different kinds of applications with associated SELinux contexts  Isolated  Untrusted  Privileged  System  Android Note: An Application = Java Package
17 17 THCON23  Isolated Applications  Mainly used for Chrome renderer processes  The most restricted isolation  Isolation: context=isolated_app and u0_i<uid> (90000 → 99999)  Different uid per isolated processus  Untrusted Applications  All third-party applications installed by the user  Isolation: context=untrusted_app and u0_a<uid> (10000 → 19999) Application Contexts
18 18 THCON23 Application Contexts  Privileged Applications  Applications in the firmware or signed by the vendor  Bypass most Android services permission checks  Isolation: context=priv_app/platform_app and uid=u0_a<uid>  System Applications  Highest privileged applications running as system  Signed by the vendor  Isolation: context=system_app and uid=system (1000)
19 19 THCON23 Android isolates processes ... But the system needs to do things… It needs interactions !
20 20 Android Permissions Security Model
21 21 Android Application  Applications are packaged in an APK archive  Their behavior is described in the AndroidManifest.xml  General information (name, version, icon)  Components exposed to the system  Permissions requested
22 22 Permissions in the AndroidManifest.xml  Permissions example : <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.myapplication"> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.WRITE_CONTACTS" /> <uses-permission android:name="android.permission.CAMERA" /> <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <application ... </application> </manifest>
23 23 ACL with Android Permissions  Different types of permissions  Install-time permissions  Runtime permissions  Some permissions are directly mapped to Unix Groups  Others are checked at runtime during interactions with other components  Provide access control to system resources and interactions with other apps Runtime permission
24 24 THCON23 ACL in Interactions
25 25 THCON23 Hardening and Mitigations
26 26 THCON23 Hardening and Mitigations  Even with robust isolation, there is still some attack surface  This surface must be hardened to limit and make LPE more difficult
27 27 THCON23 Hardened components  Some components have strong restrictions → Reduce the attack surface of exposed component  Media Extractor (ex mediaserver)  Specific SECCOMP rules  Allow ~ 34/271 syscalls ARM64 and ~42/364 syscalls ARM  Sandbox Chrome/Webview  Very limited view of FS + Only 3 services accessible  Strong sandbox with SECCOMP
28 28 THCON23 Hardened components  More and more Rust in Android  Bluetooth stack  Keystore2  Ultra-wideband stack  DNS-over-HTTP/3 https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html
29 29 THCON23 Mitigations  Against remote exploitation  ASLR - Address Space Layout Randomization  PIE - Position Independent Executable  Scudo Heap allocator (Android 11)  Designed for security  Detects allocation corruptions  Detects double-free
30 30 THCON23 Mitigations  CFI - Control Flow Integrity  Prevents an attacker from altering the execution flow  Added at built time for specific binaries  Enabled in all media parsers since Android 8.1  Enabled in the Kernel since Android 9
31 31 THCON23 Mitigations  Compiler added checks:  UndefinedBehaviorSanitizer: integer overflow, misaligned addresses  BoundsSanitizer: check array access  ShadowCallStack: protect the return address  Process aborts if a sanitizer check is triggered  Prevent attackers from exploiting vulnerabilities
32 32 THCON23 Conclusion  Each Android release improves the OS security  Enhanced isolation  Improved mitigation  Even if there are vulnerabilities  Difficult to exploit them  Some bugs are now non-exploitable  Highly privileged components remain constrained
33 THCON23 https://www.linkedin.com/company/synacktiv https://twitter.com/synacktiv https://synacktiv.com

Recommended

Cloud Security
Cloud SecurityCloud Security
Cloud SecurityRashmi Agale
 
What is needed in the next generation cloud trusted platform ?
What is needed in the next generation cloud trusted platform ?What is needed in the next generation cloud trusted platform ?
What is needed in the next generation cloud trusted platform ?Priyanka Aash
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
CT
CTCT
CTYama Haku
 
Android Security
Android SecurityAndroid Security
Android SecurityMehrnaz Amoon
 
Android Overview
Android OverviewAndroid Overview
Android OverviewRaju Kadam
 
Software update for embedded systems
Software update for embedded systemsSoftware update for embedded systems
Software update for embedded systemsSZ Lin
 

Recommended

Cloud Security
Cloud SecurityCloud Security
Cloud SecurityRashmi Agale
 
What is needed in the next generation cloud trusted platform ?
What is needed in the next generation cloud trusted platform ?What is needed in the next generation cloud trusted platform ?
What is needed in the next generation cloud trusted platform ?Priyanka Aash
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
CT
CTCT
CTYama Haku
 
Android Security
Android SecurityAndroid Security
Android SecurityMehrnaz Amoon
 
Android Overview
Android OverviewAndroid Overview
Android OverviewRaju Kadam
 
Software update for embedded systems
Software update for embedded systemsSoftware update for embedded systems
Software update for embedded systemsSZ Lin
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...LibreCon
 
TMS320F28335 security
TMS320F28335 securityTMS320F28335 security
TMS320F28335 securityraje21
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
How We Protected Our Router
How We Protected Our RouterHow We Protected Our Router
How We Protected Our RouterGlobalLogic Ukraine
 
Firewalls
FirewallsFirewalls
FirewallsDeevena Dayaal
 
21CSC202J Operating Systems-Unit-V.pptx.pdf
21CSC202J Operating Systems-Unit-V.pptx.pdf21CSC202J Operating Systems-Unit-V.pptx.pdf
21CSC202J Operating Systems-Unit-V.pptx.pdfanusri1904
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
 
Andriod - Technical Review
Andriod - Technical ReviewAndriod - Technical Review
Andriod - Technical ReviewFolio3 Software
 
Linux Security
Linux SecurityLinux Security
Linux Securitynayakslideshare
 
Lecture 6
Lecture 6Lecture 6
Lecture 6Education
 
Cc4201519521
Cc4201519521Cc4201519521
Cc4201519521IJERA Editor
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-dataKevin Mayo
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 

More Related Content

Similar to thcon23_The_Android_Security_Model.pdf

Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...LibreCon
 
TMS320F28335 security
TMS320F28335 securityTMS320F28335 security
TMS320F28335 securityraje21
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
21CSC202J Operating Systems-Unit-V.pptx.pdf
21CSC202J Operating Systems-Unit-V.pptx.pdf21CSC202J Operating Systems-Unit-V.pptx.pdf
21CSC202J Operating Systems-Unit-V.pptx.pdfanusri1904
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
 
Andriod - Technical Review
Andriod - Technical ReviewAndriod - Technical Review
Andriod - Technical ReviewFolio3 Software
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-dataKevin Mayo
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 

Similar to thcon23_The_Android_Security_Model.pdf (20)

Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Container security
Container securityContainer security
Container security
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
 
TMS320F28335 security
TMS320F28335 securityTMS320F28335 security
TMS320F28335 security
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
 
How We Protected Our Router
How We Protected Our RouterHow We Protected Our Router
How We Protected Our Router
 
Firewalls
FirewallsFirewalls
Firewalls
 
21CSC202J Operating Systems-Unit-V.pptx.pdf
21CSC202J Operating Systems-Unit-V.pptx.pdf21CSC202J Operating Systems-Unit-V.pptx.pdf
21CSC202J Operating Systems-Unit-V.pptx.pdf
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017
 
Andriod - Technical Review
Andriod - Technical ReviewAndriod - Technical Review
Andriod - Technical Review
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Lecture 6
Lecture 6Lecture 6
Lecture 6
 
Cc4201519521
Cc4201519521Cc4201519521
Cc4201519521
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 

Recently uploaded

Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIShubhangi Sonawane
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 

Recently uploaded (20)

Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 

thcon23_The_Android_Security_Model.pdf

  • 1. 1 THCON23 The Android Security Model THCON 2023 2023/04/21
  • 2. 2 2 THCON23 Agenda  Introduction  Security Model  Android Permissions  Hardening and Mitigations  Conclusion
  • 3. 3 3 THCON23 Presentation  Jean-Baptiste Cayrou  Security researcher @Synacktiv  Vulnerability research & exploitation  Synacktiv  Offensive security company  Based in France  ~140 Ninjas  We are hiring!!!
  • 4. 4 4 THCON23 Introduction  Android is an open-source project led by Google  Lastest version is Android 13  ~70% mobile devices worldwide use Android  It is based on a Linux kernel with the “binder” driver enabled for process interactions  In userland, applications are Java packages that run in a specific JVM
  • 5. 5 5 THCON23 Introduction  Our smartphones contain a lot of sensitive data  Emails and conversations  Photos and videos  And they have many sensors  Camera  Microphone  GPS  Access to this data and sensors must be protected against compromised or malicious applications
  • 7. 7 7 THCON23 Device Threats  Applications may be malicious or compromised  For instance, by exploiting browser vulnerabilities  It is essential to prevent attackers from accessing:  Data  Sensors  Attackers might bypass restrictions by exploiting other system vulnerabilities  Perform a LPE (Local Privileged Escalation) → Reduce the risks and make LPE as difficult as possible
  • 9. 9 9 THCON23 Security Model  Android considers applications as untrusted  Least privilege principle  Only permit each component to perform necessary actions  Implement isolation and sandboxing of processes and applications  Restrict interactions between components  Hardening and exploit mitigations  Make vulnerabilities difficult to exploit  Ideally, make vulnerabilities unexploitable
  • 10. 10 10 THCON23 Isolation and sandboxing  Android uses Linux features to isolate applications and daemons  Linux users, groups (DAC security)  SELinux (MAC security)  SECCOMP to filter syscalls
  • 11. 11 11 THCON23 Isolation and sandboxing - Linux users  Some user IDs are reserved for system use  system is 1000, shell is 2000, bluetooth is 1002, etc.  Applications UID range is 10000 → 19999  Applications  Applications get a UID at installation time  Get a dedicated folder for data storage  Not able to read other applications folders (Unix file permissions)  /data/data/<PKG_NAME>/
  • 12. 12 12 THCON23 Isolation and sandboxing - SELinux  SELinux: Security Enhanced Linux  Enforced starting with Android 4.4 (2013)  Implemented as a Linux Security Module (LSM)  Implements security filtering hooks which are called inside the kernel // Extract of fs/ioctl.c SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, unsigned long, arg) { struct fd f = fdget(fd); int error; if (!f.file) return -EBADF; error = security_file_ioctl(f.file, cmd, arg); if (error) goto out; error = do_vfs_ioctl(f.file, fd, cmd, arg); // [...]
  • 13. 13 13 THCON23 Isolation and sandboxing - SELinux  The SELinux policy defines rules between subject, objects and actions  Subjects and objects are identified with security context called SELinux labels  The firmware contains a set of SELinux rules (the policy) loaded during the boot  Actions not included in the rules are forbidden  Rule example allow appdomain app_data_file:file rw_file_perms; actions {getattr open read ioctl lock w_file_perms} subjects objects
  • 14. 14 14 THCON23 Isolation and sandboxing - SECCOMP  SECCOMP is a Linux feature that filters syscalls  Enforced system-wide since Android 8.0  Reduces the Kernel attack surface  Filtering profiles are directly defined in the Android libc (Bionic)  Profiles: System, Application, Application Zygote  Filtering profile is enabled when an application starts  Configured by the JVM during application launch
  • 15. 15 15 THCON23 Isolation and sandboxing - SECCOMP  The system profile is relatively permissive  17/271 ARM64 syscalls blocked  70/368 ARM syscalls blocked  Applications can register additional filters to strengthen sandboxing  Chrome  Media Extractor - media decoding daemon (stagefrights)
  • 16. 16 16 THCON23 Kinds of Applications  Four different kinds of applications with associated SELinux contexts  Isolated  Untrusted  Privileged  System  Android Note: An Application = Java Package
  • 17. 17 17 THCON23  Isolated Applications  Mainly used for Chrome renderer processes  The most restricted isolation  Isolation: context=isolated_app and u0_i<uid> (90000 → 99999)  Different uid per isolated processus  Untrusted Applications  All third-party applications installed by the user  Isolation: context=untrusted_app and u0_a<uid> (10000 → 19999) Application Contexts
  • 18. 18 18 THCON23 Application Contexts  Privileged Applications  Applications in the firmware or signed by the vendor  Bypass most Android services permission checks  Isolation: context=priv_app/platform_app and uid=u0_a<uid>  System Applications  Highest privileged applications running as system  Signed by the vendor  Isolation: context=system_app and uid=system (1000)
  • 19. 19 19 THCON23 Android isolates processes ... But the system needs to do things… It needs interactions !
  • 21. 21 21 Android Application  Applications are packaged in an APK archive  Their behavior is described in the AndroidManifest.xml  General information (name, version, icon)  Components exposed to the system  Permissions requested
  • 22. 22 22 Permissions in the AndroidManifest.xml  Permissions example : <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.myapplication"> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.WRITE_CONTACTS" /> <uses-permission android:name="android.permission.CAMERA" /> <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <application ... </application> </manifest>
  • 23. 23 23 ACL with Android Permissions  Different types of permissions  Install-time permissions  Runtime permissions  Some permissions are directly mapped to Unix Groups  Others are checked at runtime during interactions with other components  Provide access control to system resources and interactions with other apps Runtime permission
  • 26. 26 26 THCON23 Hardening and Mitigations  Even with robust isolation, there is still some attack surface  This surface must be hardened to limit and make LPE more difficult
  • 27. 27 27 THCON23 Hardened components  Some components have strong restrictions → Reduce the attack surface of exposed component  Media Extractor (ex mediaserver)  Specific SECCOMP rules  Allow ~ 34/271 syscalls ARM64 and ~42/364 syscalls ARM  Sandbox Chrome/Webview  Very limited view of FS + Only 3 services accessible  Strong sandbox with SECCOMP
  • 28. 28 28 THCON23 Hardened components  More and more Rust in Android  Bluetooth stack  Keystore2  Ultra-wideband stack  DNS-over-HTTP/3 https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html
  • 29. 29 29 THCON23 Mitigations  Against remote exploitation  ASLR - Address Space Layout Randomization  PIE - Position Independent Executable  Scudo Heap allocator (Android 11)  Designed for security  Detects allocation corruptions  Detects double-free
  • 30. 30 30 THCON23 Mitigations  CFI - Control Flow Integrity  Prevents an attacker from altering the execution flow  Added at built time for specific binaries  Enabled in all media parsers since Android 8.1  Enabled in the Kernel since Android 9
  • 31. 31 31 THCON23 Mitigations  Compiler added checks:  UndefinedBehaviorSanitizer: integer overflow, misaligned addresses  BoundsSanitizer: check array access  ShadowCallStack: protect the return address  Process aborts if a sanitizer check is triggered  Prevent attackers from exploiting vulnerabilities
  • 32. 32 32 THCON23 Conclusion  Each Android release improves the OS security  Enhanced isolation  Improved mitigation  Even if there are vulnerabilities  Difficult to exploit them  Some bugs are now non-exploitable  Highly privileged components remain constrained