[a2]android security의 과거와 미래 – from linux to jelly bean

About�� Me��

2000�� AT&T�� Wireless:�� OODB/CORBA��

2001Cellvic(JTEL):�� CellvicOS/JVM��

2003�� Samsung:�� JVM�� for�� DTV/SimpleJIT��

2007�� Aromasoft:�� JVM�� for�� Mobile/JIT�� Optimization/Dalvik��

2011�� GE�� korea:�� Smart�� appliance/Linux��

2012�� SK플래닛:�� Android/T-Store�� ARM/Security��

–  [email protected]�� 또는�� [email protected]��

•  개인정보가�� 인터넷으로�� 빠져나간다��

•  앱이�� 허락받지�� 않은�� 인터넷을�� 사용한다��

•  앱이�� 허락받지�� 않은�� 동작(?)을�� 한다��

•  앱이�� 스스로�� 루팅을�� 한다��

•  앱이�� 코드를�� 스스로�� 변경한다��

•  앱이�� Dalvik�� VM의�� 정보를�� 변경한다��

•  안드로이드앱이�� Dalvik�� VM이�� 아닌�� 다른�� VM을�� 실행시킨다��

•  5억대�� 판매된,�� 하루에�� 130만대씩�� 개통되는�� 단말?��

•  A�� Java�� platform?��

–  역사상�� 자바가�� 표준�� 개발언어인�� 첫번째�� 디바이스?�� RIM?�� NDK?��

•  A�� forked�� Linux?�� –  Why�� linux?��

•  Andy�� Rubin:�� was�� a�� Apple�� Employee��

•  대안이�� 없어서?��

–  역사상�� 가장�� 많이�� 팔린�� linux�� device?��

•  Linux:�� Open�� Source�� –  ‘mkdir�� android�� ;�� cd�� android�� ;�� repo�� init�� -u�� git://android.git.kern

el.org/platform/manifest.git�� ;�� repo�� sync�� ;�� make’��

•  Java:�� easy�� to�� learn,�� many�� developers��

–  but�� an�� easy�� language�� for�� reverse-enigneering�� •  dex2jar,�� APKTool,�� JD-GUI,�� APKInspector,�� Smali,�� Dedexer,,,��

•  환상의�� 커플!!!��

•  Just�� a�� linux�� application�� –  following�� Google�� guides��

•  Linux�� Process��

•  Dalvik�� VM��

•  Bionic��

•  JNI��

•  Is�� that�� all???�� –  Missing�� something…⋯��

–  PackageManager,�� ActivityManager,,,��

•  Java?��

•  No�� more�� on�� Android!!!��

•  Dalvik�� VM�� is�� not�� a�� security�� boundary!!!��

–  But�� Linux�� Process��

•  Linux�� UID/Group�� ID:�� –  a�� unique�� id�� based�� on�� its�� signature�� assigned�� when�� it�� starts��

•  Linux�� DAC:�� all�� or�� nothing�� –  old�� style��

–  root�� can�� do�� everything��

–  RWX��

•  Permission��

–  Need�� to�� be�� described�� on��

AndroidMeanifest.xml��

•  Binder��

•  Kernel�� Enforcement��

–  group�� ID�� •  ��

–  Patch�� •  Internet��

<permission name="android.permission.INTERNET" > <group gid="inet" /> </permission>��

•  You�� can�� do�� everything�� in�� your�� process�� •  You�� can�� use�� Reflection/JNI�� –  To�� call�� hidden/private�� methods��

–  To�� get/set�� private�� fields�� •  But�� High�� return,�� High�� risk!!!��

ex)�� Unity3D:�� Using�� Mono�� VM��

Version�� Release�� date�� API�� level�� Distribution�� (September�� 4,�� 20

12)��

4.1.x�� Jelly�� Bean�� July�� 9,�� 2012�� 16�� 1.2%��

4.0.x�� Ice�� Cream�� Sandwich�� October�� 19,�� 2011�� 14-15�� 20.9%��

3.x.x�� Honeycomb�� February�� 22,�� 2011�� 11-13�� 2.1%��

2.3.x�� Gingerbread�� December�� 6,�� 2010�� 9-10�� 57.5%��

2.2�� Froyo�� May�� 20,�� 2010�� 8�� 14%��

2.0,�� 2.1�� Eclair�� October�� 26,�� 2009�� 7�� 3.7%��

1.6�� Donut�� September�� 15,�� 2009�� 4�� 0.4%��

1.5�� Cupcake�� April�� 30,�� 2009�� 3�� 0.2%��

•  NX�� bit(No�� eXecute):�� –  to�� prevent�� code�� execution�� on�� heap�� and�� stack(2.3+)��

•  Prelink:�� Used�� to�� speed�� up�� boot�� process�� –  removed�� to�� prevent�� return-to-libc�� attacks(4.0+)��

•  Address�� Space�� Layout�� Randomization(4.0+)��

–  randomize�� key�� locations�� in�� memory��

•  PIE�� (Position�� Independent�� Executable)�� –  supports�� (4.1+)��

•  FileSystem�� Encryption��

–  3.0+�� provides�� full�� filesystem�� encryption.�� 128bit�� AES

�� key�� derived�� from�� user�� password��

•  Credential�� Storage�� –  1.6+�� restricted�� for�� only�� system��

–  4.0+�� provides�� public�� API��

•  1st.�� Protected�� APK��

–  /data/app:�� apk�� without�� code��

–  /data/app-private:�� protected�� by�� filesystem��

•  2nd.�� License�� Verification�� Library(LVL)��

–  Google:�� 2010/7��

–  Amazon:�� DRM,�� T-Store:ARM��

•  3rd.�� Encrypted�� APK��

–  Jelly�� Bean��

–  Temporary�� Closed…⋯�� but��

•  ODEX�� File:�� optimized�� dex�� file��

•  4.0+�� provides�� a�� raw�� dex�� loading�� API��

–  Without�� ODEX!!!��

Dalvik�� Virtual�� Machine��

(JIT�� Compiler)��

dex�� file��

Storage�� odex�� file��

(reuse)��

decompile�� hijacking��

•  Applying�� SELinux�� in�� Android�� by�� NSA��

•  Linux�� Security�� Modules��

–  Standard�� Linux�� Security�� (Hooking)�� Framework�� from�� v2.6��

task�� management�� (creation,�� signaling,�� waiting),�� program�� loading�� (execve),�� file�� system�� management�� (superblo

ck,�� inode,�� and�� filehooks),�� IPC�� (message�� queues,�� shared�� memory,�� and�� semaphore�� operations),�� module�� hooks�� (i

nsertion�� and�� removal),�� and�� network�� hooks�� (covering�� sockets,�� netlink,�� network�� devices,�� and�� other�� protocol�� inte

rfaces)�� security.h��

•  2012/1�� AOSP�� master�� branch�� added(HAVE_SELINUX)��

–  in�� external/libselinux�� and�� external/sepolicy��

–  in�� core/java�� and�� core/jni��

•  SELinux.java,�� AndroidRuntime.cpp,�� android_os_SELinux.cpp��

•  Slow�� and�� incremental�� applying�� expected��

–  not�� enforcing�� mode�� but�� permissive�� mode��

–  Android�� 5.0?��

•  Need�� to�� consider�� it!��

•  ARM’s�� HW�� solution��

•  Virtualized�� processors�� on�� a�� ARM�� chip��

•  Secure�� World�� can�� read�� Normal�� World��

–  But�� Normal�� World�� can’t�� read�� Secure�� World��

•  Already�� on�� Galaxy�� S3!!!��

•  Use�� Obfuscator��

•  Use�� Native�� Code��

•  Keep�� data�� on�� your�� server��

•  Sorry,�� Find�� your�� own�� solutions!��

–  2011�� Google�� I/O�� Evading�� Pirates�� and�� Stopping�� Vampires�� using�� License�� Verification�� Library,�� In-App�� Billing,�� and�� App�� Engine��

–  2012.4�� Code�� Obfuscation�� for�� the�� Amazon�� In-App��

��

•  Even�� Android�� has�� many�� security�� problems,�� it�� is�� an�� ope

n,�� de-facto�� platform�� now��

•  It’s�� getting�� better�� but�� you�� need�� to�� keep�� your�� data/cod

e�� by�� your�� own�� ways��

•  Its�� openness�� and�� flexibility�� could�� give�� some�� chances�� to

�� creative�� developers��

•  T-Store�� promises�� to�� help�� you�� soon!��

[a2]android security의 과거와 미래 – from linux to jelly bean

Technology