SlideShare a Scribd company logo
1 of 22
High FIVE:
Samsung integrity protection of Android applications
Volodymyr Shanoilo, CISSP
Samsung R&D Institute Ukraine
CONTENTS
• Integrity-affecting attack scenarios
• Integrity of native and Java applications
• Chain of Trust
• Introduction of FIVE solution
• Conclusions
INTRODUCTION
DEFINE INTEGRITY
Data integrity – assurance of the accuracy and consistency of data
System integrity – absence of unauthorized modifications to the system
Application integrity
process memory integrity, ability of the app to do what it is supposed to do
IMPORTANCE
• TrustZone apps need to verify authenticity and integrity of the client app
• Highly secured device: kill all apps with broken integrity
• Applications attestation
ATTACK SCENARIOS
• Modify main executable on disk
– Runs whenever the modified app is launched
– Runs with privileges of the original app (can be System)
– Trusted by a user
• Modify shared library
– Affects multiple applications
– Harder to detect
• Run-time modification
ATTACK TARGETS
Native components
• System daemons
• System utilities
• System libraries
Java components
• System services
• .so modules (JNI)
• User applications
MITIGATION: NATIVE COMPONENTS
• ELF is never modified
• Located on read-only partition
• Protected by dm-verity
MITIGATION: JAVA COMPONENTS
apk is protected
• Java apk is signed by a developer
• Signature is verified at installation time
apk != installed app
• Unpacking files to disk
• Ahead of Time (AOT) optimization
• No direct connection between original apk and installed app
ANDROID CHAIN OF TRUST
TrustZone
CHAIN OF TRUST
Bootloader ROM
Secure Boot Key
Secure
Bootloader
Bootloader
Linux Kernel
Android
TIMA
Periodic Kernel Measurements
Signature Signature
SignatureSignature
https://images.samsung.com/is/content/samsung/p5/ch/business/enterprise-edition/Samsung_Knox_Whitepaper.pdf
App
FIVE
TIMA Real-time Kernel Protection
(Hypervisor)
SAMSUNG
FIVEIle-based ntegrity rifier
COMPONENTS OF FIVE
• Kernel module
• Hooks to syscalls
• Package Manager Patch
• Android Run Time Patch
• TrustZone application
Linux Kernel TrustZone
Android
Kernel module Trusted app
ART
Patch
Package Manager
Patch
Hooks
NATIVE COMPONENTS PROTECTION
• Signed at build time with RSA
• FIVE kernel module hooks exec(), clone(), fork(), mmap()
– Signature checked at process start
– Signature is checked at library mapping
• dm-verity checks signature of /system and /vendor partitions
• /system and /vendor partitions mounted as read-only
JAVA COMPONENTS
• Application installation
• Application start
Android
JAVA COMPONENTS: INSTALLATION
apk_signer
Linux Kernel
Kernel module
SHA256
File for signing
TrustZone
HMAC
Trusted app
HMAC
fcntl() fcntl()
DUHK
SHA256
dex2oat
Package Manager
.so
apk
dex
Device-Unique Hardware Key
(DUHK)
Linux Kernel TrustZone
Kernel module
SHA256
Android
JAVA COMPONENTS: APP START
fork()
File for check HMAC
Trusted app
status
DUHK
SHA256
== HMAC
ART
mmap()
fcntl()
odex file
.so file
apk file
hook hook
ART
Hooks Hooks
Device-Unique Hardware Key
(DUHK)
App2App2
.so
App1
.so.so
JAVA COMPONENTS: MISUSE
• Attack: substitute application components
– Inject component of one apk to another apk
– All components are signed
• Mitigation: use certificate record
– HMAC
– DUHK
– Developer public key
.so .so
File
HMAC
Pub keySHA256 DUHK
.so
Certificate record
LEVELS OF TRUST
Preloaded
– All objects RSA-signed or dm-verity protected
Mixed
– at least one object is HMAC-signed
No integrity
– at least one object has no signature or is corrupted
RUN-TIME PROTECTION
• ptrace() and process_vm_writev() syscalls hooked
• If a trace is detected, integrity is reset
Malicious
Target App
010011010010
011110101101
110101010101
ptrace()
LIMITATIONS
• Trust to Kernel
– Compromised kernel -> compromised FIVE
• No protection against vulnerabilities in the application itself
– These attacks do not tamper integrity
Thank you!
Icons used in the presentation are
Designed by Freepik
Designed by Yannick Lung
Designed by fontawesome.com
Designed by Zlatko Najdenovski under Creative Commons (Attribution 3.0 Unported)
Designed by Alpár-Etele Méder under Creative Commons (Attribution 3.0 Unported)

More Related Content

What's hot

Container security Familiar problems in new technology
Container security Familiar problems in new technologyContainer security Familiar problems in new technology
Container security Familiar problems in new technologyFrank Victory
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecMandi Walls
 
Continuous Integration - Mobile Practice
Continuous Integration - Mobile PracticeContinuous Integration - Mobile Practice
Continuous Integration - Mobile PracticeHARMAN Services
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)Sam Bowne
 
Designing a Highly Available Environment Using Methods of Modern IT Infrastru...
Designing a Highly Available Environment Using Methods of Modern IT Infrastru...Designing a Highly Available Environment Using Methods of Modern IT Infrastru...
Designing a Highly Available Environment Using Methods of Modern IT Infrastru...Perforce
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCASuman Sourav
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesJason Chan
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
 
XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016The Linux Foundation
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One -  A ClickOnce Love Story - Secure360 2015All You Need is One -  A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
XPDDS19: When Unikraft Meets Arm64 - Jia He, Arm
XPDDS19: When Unikraft Meets Arm64 - Jia He, ArmXPDDS19: When Unikraft Meets Arm64 - Jia He, Arm
XPDDS19: When Unikraft Meets Arm64 - Jia He, ArmThe Linux Foundation
 
Practical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open SourcePractical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open SourceBlack Duck by Synopsys
 
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform  Suryakiran Kasturi & Akhil KumarAdopting agile in an embedded platform  Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil KumarXP Conference India
 
KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingYue Chen
 

What's hot (20)

Container security Familiar problems in new technology
Container security Familiar problems in new technologyContainer security Familiar problems in new technology
Container security Familiar problems in new technology
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
 
Continuous Integration - Mobile Practice
Continuous Integration - Mobile PracticeContinuous Integration - Mobile Practice
Continuous Integration - Mobile Practice
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)CNIT 128: 3. Attacking iOS Applications (Part 2)
CNIT 128: 3. Attacking iOS Applications (Part 2)
 
Designing a Highly Available Environment Using Methods of Modern IT Infrastru...
Designing a Highly Available Environment Using Methods of Modern IT Infrastru...Designing a Highly Available Environment Using Methods of Modern IT Infrastru...
Designing a Highly Available Environment Using Methods of Modern IT Infrastru...
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit Perspectives
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 
Fortify dev ops (002)
Fortify   dev ops (002)Fortify   dev ops (002)
Fortify dev ops (002)
 
XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016XPDS16: Xen Project Weather Report 2016
XPDS16: Xen Project Weather Report 2016
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One -  A ClickOnce Love Story - Secure360 2015All You Need is One -  A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
XPDDS19: When Unikraft Meets Arm64 - Jia He, Arm
XPDDS19: When Unikraft Meets Arm64 - Jia He, ArmXPDDS19: When Unikraft Meets Arm64 - Jia He, Arm
XPDDS19: When Unikraft Meets Arm64 - Jia He, Arm
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code Scanners
 
Practical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open SourcePractical Steps to Scale Legal Support for Open Source
Practical Steps to Scale Legal Support for Open Source
 
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform  Suryakiran Kasturi & Akhil KumarAdopting agile in an embedded platform  Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
 
KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live Patching
 

Similar to Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protection of Android applications

Application Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeApplication Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeDenis Gundarev
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Application Virtualization overview - BayCUG
Application Virtualization overview - BayCUGApplication Virtualization overview - BayCUG
Application Virtualization overview - BayCUGDenis Gundarev
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case StudyAndy Hoernecke
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012 hakersinfo
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Implementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile WorldImplementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile WorldLINE Corporation
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 

Similar to Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protection of Android applications (20)

Application Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternativeApplication Streaming is dead. A smart way to choose an alternative
Application Streaming is dead. A smart way to choose an alternative
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
Mobile security
Mobile securityMobile security
Mobile security
 
Application Virtualization overview - BayCUG
Application Virtualization overview - BayCUGApplication Virtualization overview - BayCUG
Application Virtualization overview - BayCUG
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
128-ch4.pptx
128-ch4.pptx128-ch4.pptx
128-ch4.pptx
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Implementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile WorldImplementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile World
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Computer Fundamentals
Computer FundamentalsComputer Fundamentals
Computer Fundamentals
 
Computer fundamental
Computer fundamentalComputer fundamental
Computer fundamental
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 

More from EmbeddedFest

Embedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practice
Embedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practiceEmbedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practice
Embedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practiceEmbeddedFest
 
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theoryEmbedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theoryEmbeddedFest
 
Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...
Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...
Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...EmbeddedFest
 
Embedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hood
Embedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hoodEmbedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hood
Embedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hoodEmbeddedFest
 
Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...
Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...
Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...EmbeddedFest
 
Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...
Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...
Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...EmbeddedFest
 
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to CloudEmbedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to CloudEmbeddedFest
 
Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...
Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...
Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...EmbeddedFest
 
Embedded Fest 2019. Іван Пустовіт. From AOSP to Android powered device
Embedded Fest 2019. Іван Пустовіт. From AOSP to Android powered deviceEmbedded Fest 2019. Іван Пустовіт. From AOSP to Android powered device
Embedded Fest 2019. Іван Пустовіт. From AOSP to Android powered deviceEmbeddedFest
 

More from EmbeddedFest (9)

Embedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practice
Embedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practiceEmbedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practice
Embedded Fest 2019. Wei Fu. Linux on RISC-V--Fedora and Firmware in practice
 
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theoryEmbedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theory
 
Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...
Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...
Embedded Fest 2019. Віталій Нужний. The Mobility Revolution: the Software tha...
 
Embedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hood
Embedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hoodEmbedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hood
Embedded Fest 2019. Игорь Опанюк. Das U-boot v2019: a look under the hood
 
Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...
Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...
Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: ка...
 
Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...
Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...
Embedded Fest 2019. Dov Nimratz. Artificial Intelligence in Small Embedded Sy...
 
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to CloudEmbedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
 
Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...
Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...
Embedded Fest 2019. Игорь Таненков и Игорь Успеньев. Action Recognition from ...
 
Embedded Fest 2019. Іван Пустовіт. From AOSP to Android powered device
Embedded Fest 2019. Іван Пустовіт. From AOSP to Android powered deviceEmbedded Fest 2019. Іван Пустовіт. From AOSP to Android powered device
Embedded Fest 2019. Іван Пустовіт. From AOSP to Android powered device
 

Recently uploaded

Trauma-Informed Leadership - Five Practical Principles
Trauma-Informed Leadership - Five Practical PrinciplesTrauma-Informed Leadership - Five Practical Principles
Trauma-Informed Leadership - Five Practical PrinciplesPooky Knightsmith
 
8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital ManagementMBA Assignment Experts
 
Improved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio AppImproved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio AppCeline George
 
Personalisation of Education by AI and Big Data - Lourdes Guàrdia
Personalisation of Education by AI and Big Data - Lourdes GuàrdiaPersonalisation of Education by AI and Big Data - Lourdes Guàrdia
Personalisation of Education by AI and Big Data - Lourdes GuàrdiaEADTU
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhleson0603
 
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...Nguyen Thanh Tu Collection
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxAdelaideRefugio
 
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...Nguyen Thanh Tu Collection
 
Book Review of Run For Your Life Powerpoint
Book Review of Run For Your Life PowerpointBook Review of Run For Your Life Powerpoint
Book Review of Run For Your Life Powerpoint23600690
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....Ritu480198
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxMarlene Maheu
 
MOOD STABLIZERS DRUGS.pptx
MOOD     STABLIZERS           DRUGS.pptxMOOD     STABLIZERS           DRUGS.pptx
MOOD STABLIZERS DRUGS.pptxPoojaSen20
 
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUMDEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUMELOISARIVERA8
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptNishitharanjan Rout
 
Graduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxGraduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxneillewis46
 
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSSpellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSAnaAcapella
 
How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17Celine George
 

Recently uploaded (20)

Trauma-Informed Leadership - Five Practical Principles
Trauma-Informed Leadership - Five Practical PrinciplesTrauma-Informed Leadership - Five Practical Principles
Trauma-Informed Leadership - Five Practical Principles
 
8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management
 
Improved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio AppImproved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio App
 
Personalisation of Education by AI and Big Data - Lourdes Guàrdia
Personalisation of Education by AI and Big Data - Lourdes GuàrdiaPersonalisation of Education by AI and Big Data - Lourdes Guàrdia
Personalisation of Education by AI and Big Data - Lourdes Guàrdia
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
 
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptx
 
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
 
Supporting Newcomer Multilingual Learners
Supporting Newcomer  Multilingual LearnersSupporting Newcomer  Multilingual Learners
Supporting Newcomer Multilingual Learners
 
Book Review of Run For Your Life Powerpoint
Book Review of Run For Your Life PowerpointBook Review of Run For Your Life Powerpoint
Book Review of Run For Your Life Powerpoint
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
ESSENTIAL of (CS/IT/IS) class 07 (Networks)
ESSENTIAL of (CS/IT/IS) class 07 (Networks)ESSENTIAL of (CS/IT/IS) class 07 (Networks)
ESSENTIAL of (CS/IT/IS) class 07 (Networks)
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptx
 
MOOD STABLIZERS DRUGS.pptx
MOOD     STABLIZERS           DRUGS.pptxMOOD     STABLIZERS           DRUGS.pptx
MOOD STABLIZERS DRUGS.pptx
 
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUMDEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
DEMONSTRATION LESSON IN ENGLISH 4 MATATAG CURRICULUM
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
Graduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxGraduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptx
 
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSSpellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
 
How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17
 

Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protection of Android applications

  • 1. High FIVE: Samsung integrity protection of Android applications Volodymyr Shanoilo, CISSP Samsung R&D Institute Ukraine
  • 2. CONTENTS • Integrity-affecting attack scenarios • Integrity of native and Java applications • Chain of Trust • Introduction of FIVE solution • Conclusions
  • 4. DEFINE INTEGRITY Data integrity – assurance of the accuracy and consistency of data System integrity – absence of unauthorized modifications to the system Application integrity process memory integrity, ability of the app to do what it is supposed to do
  • 5. IMPORTANCE • TrustZone apps need to verify authenticity and integrity of the client app • Highly secured device: kill all apps with broken integrity • Applications attestation
  • 6. ATTACK SCENARIOS • Modify main executable on disk – Runs whenever the modified app is launched – Runs with privileges of the original app (can be System) – Trusted by a user • Modify shared library – Affects multiple applications – Harder to detect • Run-time modification
  • 7. ATTACK TARGETS Native components • System daemons • System utilities • System libraries Java components • System services • .so modules (JNI) • User applications
  • 8. MITIGATION: NATIVE COMPONENTS • ELF is never modified • Located on read-only partition • Protected by dm-verity
  • 9. MITIGATION: JAVA COMPONENTS apk is protected • Java apk is signed by a developer • Signature is verified at installation time apk != installed app • Unpacking files to disk • Ahead of Time (AOT) optimization • No direct connection between original apk and installed app
  • 11. TrustZone CHAIN OF TRUST Bootloader ROM Secure Boot Key Secure Bootloader Bootloader Linux Kernel Android TIMA Periodic Kernel Measurements Signature Signature SignatureSignature https://images.samsung.com/is/content/samsung/p5/ch/business/enterprise-edition/Samsung_Knox_Whitepaper.pdf App FIVE TIMA Real-time Kernel Protection (Hypervisor)
  • 13. COMPONENTS OF FIVE • Kernel module • Hooks to syscalls • Package Manager Patch • Android Run Time Patch • TrustZone application Linux Kernel TrustZone Android Kernel module Trusted app ART Patch Package Manager Patch Hooks
  • 14. NATIVE COMPONENTS PROTECTION • Signed at build time with RSA • FIVE kernel module hooks exec(), clone(), fork(), mmap() – Signature checked at process start – Signature is checked at library mapping • dm-verity checks signature of /system and /vendor partitions • /system and /vendor partitions mounted as read-only
  • 15. JAVA COMPONENTS • Application installation • Application start
  • 16. Android JAVA COMPONENTS: INSTALLATION apk_signer Linux Kernel Kernel module SHA256 File for signing TrustZone HMAC Trusted app HMAC fcntl() fcntl() DUHK SHA256 dex2oat Package Manager .so apk dex Device-Unique Hardware Key (DUHK)
  • 17. Linux Kernel TrustZone Kernel module SHA256 Android JAVA COMPONENTS: APP START fork() File for check HMAC Trusted app status DUHK SHA256 == HMAC ART mmap() fcntl() odex file .so file apk file hook hook ART Hooks Hooks Device-Unique Hardware Key (DUHK)
  • 18. App2App2 .so App1 .so.so JAVA COMPONENTS: MISUSE • Attack: substitute application components – Inject component of one apk to another apk – All components are signed • Mitigation: use certificate record – HMAC – DUHK – Developer public key .so .so File HMAC Pub keySHA256 DUHK .so Certificate record
  • 19. LEVELS OF TRUST Preloaded – All objects RSA-signed or dm-verity protected Mixed – at least one object is HMAC-signed No integrity – at least one object has no signature or is corrupted
  • 20. RUN-TIME PROTECTION • ptrace() and process_vm_writev() syscalls hooked • If a trace is detected, integrity is reset Malicious Target App 010011010010 011110101101 110101010101 ptrace()
  • 21. LIMITATIONS • Trust to Kernel – Compromised kernel -> compromised FIVE • No protection against vulnerabilities in the application itself – These attacks do not tamper integrity
  • 22. Thank you! Icons used in the presentation are Designed by Freepik Designed by Yannick Lung Designed by fontawesome.com Designed by Zlatko Najdenovski under Creative Commons (Attribution 3.0 Unported) Designed by Alpár-Etele Méder under Creative Commons (Attribution 3.0 Unported)