Review on Android and KNOX device protection, including SELinux implementation, SE policy, and TrustZone security modules.

1. Android/KNOX Device Protec3on
• Objec3ve: Audit SELinux and KNOX device-
based security protec3on implementa3ons
and determine their effec3veness to counter
compromising a mobile device
– ARM TrustZone security architecture and its
implementa3on in Samsung KNOX 2.0
– SELinux implementa3on in official Android OS and
KNOX protected Android OS, with a focus on
default set of security policy configura3on

2. Summary
• KNOX retains most func3onality from Android ecosystem while integra3ng
security and management enhancements
• In addi3on, KNOX phone provides three enhanced plaSorm security features:
Customized Secure Boot for hardware boot, TrustZone-based Integrity
Measurement Architecture (TIMA) for protec3ng Linux Kernel, and Security
Enhancements for Android for Framework
– KNOX uses a Secure Boot protocol that requires the device boot loader,
kernel, and system soware to be cryptographically signed by a key whose
root of trust is verified by the hardware. A root cer3ficate and some hardware
keys are stored in TrustZone
– KNOX or SELinux u3lizes Mandatory Access Control (MAC) policies to isolate
applica3ons and data into different domains within the plaSorm. In Android
5.0, Android moves to full enforcement of SELinux, that is enforcement on
more than 60 domains rather than a limited set of crucial domains

3. KNOX Security Architecture
Hardware
Secure Boot
Linux Kernel
Android Framework
TrustZone
App App …
Security Enhancements for Android
(SEAndroid)
TrustZone-based Integrity
Measurement Architecture (TIMA)
Customized Secure Boot
KNOX Security Android

4. Hardware Keys in KNOX
Hardware keys Description
Samsung Secure
Boot Key
Verifies that all firmware is from Samsung
before allowing the device to boot.
Device Root Key Provides a unique key per device that is
used to perform cryptographic operations
(authentication and encryption)
associated with that specific device.
Warranty Bit Creates a one-time, writeable hardware
“fuse” used to flag devices whose system
software has been tampered.
Rollback
Prevention
Fuses
Set at manufacturing time in the Samsung
factory to prevent old firmware versions
from overwriting newer ones

5. Customized Secure Boot with TIMA
Verifica3on
Primary Boot
Loader
Secondary
Boot
Loader1/2/3
TIMA Android Boot
Loader
Android
Kernel
Hardware
Secure Boot
SE for Android
Hardware ---> sbl1 ---> sbl2 ---> sbl3 ---> tz.mbn ---> aboot.mbn ---> NON_HLOS.bin ---> kernel
e-fuse

6. SE Android = SE Linux + Android
• Android 4.3: SE Linux was firstly introduced
• Android 4.4: Google introduced SE Android
based on SELinux
• Android 5.0: Full enforcement of SELinux.
– From on a limited set of crucial domains (installd,
netd, vold and zygote) to everything (more than
60 domains)

7. Comparison among Linux/SELinux/SEAndroid/KNOX
• SE Android takes mobile device plaSorm into considera3on, so it only ports a
subset of SE Linux into Android. Besides Linux uid and gid based access
control, addi3onal components added in bionic for SE Android:
– Android manifest permission control.
– 12 new system calls were added into SE Android bionic.
– An AT_SECURE auxv flag was added for loaded applica3on, seen in
bionic/linker/linker.c.
• KNOX is similar to SE Android if we only look
at security policy mechanism. SE for Android
includes a set of security policy
configura<on files designed to achieve the
above security goal
– KNOX phones are provisioned with a
set of security policy configura<on
files designed to strengthen for
enterprise needs.
– KNOX provides management APIs that
allow the default SE for Android policy
files to be replaced with enterprise-
specific policy files.
SEAndroid - KNOX
SELinux - SEAndroid
Linux - SELinux

8. Mandatory Access Control
Original Android
App
(user privilege)
Daemon etc.
(root privilege)
User Land
Root Land
App
(user privilege)
Daemon etc.
(root privilege)
MAC
SE Android
SE Policy

9. KNOX On-Device Policy Files
Policy Files Notes
/sepolicy Kernel binary policy
/file_contexts File security contexts
/property_contexts Property security contexts
/seapp_contexts App security contexts.
/system/etc/security/mac_pe
rmissions.xml
App certificate to seinfo
mapping.