From java to android a security analysis
•Download as PPTX, PDF•
4 likes•1,800 views
Presented at AnDevCon Boston 2013
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to From java to android a security analysis
Similar to From java to android a security analysis (20)
More from Pragati Rai
More from Pragati Rai (13)
Recently uploaded
Recently uploaded (20)
From java to android a security analysis
- 1. FROM JAVA TO ANDROID: A SECURITY ANALYSIS Pragati Ogal Rai Mobile Technology Evangelist, PayPal @pragatiogal @PayPalDev
- 2. www.ethos3.com • Motorola JUIX Platform • Motorola Linux Java Platform • Android
- 3. Agenda • Java 2 Security Model • Android Security Model • Summarize
- 4. JAVA 2 SECURITY MODEL
- 5. Java • Developed by Sun Microsystems in the early 1990s • Platform Independent – write once run anywhere! • Compiled to byte code that runs on a Virtual Machine • “Java is Secure”
- 6. Java 2 Security Model • Language Security Features • Platform Security • Crypto APIs • Authentication & Access Control APIs • Secure Communication APIs • Key Management APIs
- 7. JDK 1.0 Sandbox Model • Very restricted model • Local code is trusted • Remote code is not trusted
- 8. JDK 1.1 Security Model • Signed applet model • Trusted code has privileges • Untrusted code runs in sandbox
- 9. Java 2 Sandbox Model • Fine grained access control • Configurable Security Policy • No built-in concept of trusted local code
- 10. Security Policy File Example // If the code is signed by ”Pragati", grant it read/write access to all files in /tmp/pragati grant signedBy ”Pragati" { permission java.io.FilePermission "/tmp/pragati/*", "read,write"; }; // If the code is signed by ”John", grant it read/write access to all files in /tmp/john grant signedBy ”John" { permission java.io.FilePermission "/tmp/john/*", "read,write”; }; // Grant everyone the following permission: grant { permission java.io.FilePermission "/tmp/pragati/*", "read"; };
- 11. Protection Domains Domain name “Pragati” Pragati’s certificate Read/write access to /temp/pragati/* Domain name “John” John’s certificate Read/write access to /temp/john/* Read access to /temp/pragati/* ………….. Protection Domain = Code Source + Permission
- 12. Protection Domains A domain conceptually encloses a set of classes whose instances are granted the same set of permissions.
- 13. Java 2 Platform Security Model Operating System Remote Class Files Local Class FilesSigned Class Files Bytecode Verifier Class LoaderCore API Class Files Core Java API Security Package Key Database Security Manager Access Controller
- 14. Java Language Security • Programs cannot access arbitrary memory locations • Variables cannot be used before initialization • Access methods are strictly adhered to • Entities declared final must not be changed • Objects cannot be arbitrarily cast into other objects • Array bounds must be checked on all array accesses
- 15. Java Compiler Java Files (.java) Java Class Files (.class) Compiler enforces language rules
- 16. Bytecode Verifier Mini theorem prover Enforces language rules Delayed bytecode verification Runtime binding Operating System Remote Class Files Local Class FilesSigned Class Files Bytecode Verifier Class LoaderCore API Class Files Core Java API Security Package Key Database Security Manager Access Controller
- 17. Class Loader Loads classes in namespace Set permission for each class it loads Link type checks for type safety Operating System Remote Class Files Local Class FilesSigned Class Files Bytecode Verifier Class LoaderCore API Class Files Core Java API Security Package Key Database Security Manager Access Controller
- 18. Java APIs and Security Package Classes in java.security package Classes in security extensions Basis for application signing Operating System Remote Class Files Local Class FilesSigned Class Files Bytecode Verifier Class LoaderCore API Class Files Core Java API Security Package Key Database Security Manager Access Controller
- 19. Security Manager & Access Controller Security manager exists for historical reasons Access control to system resources Policy enforcement Operating System Remote Class Files Local Class FilesSigned Class Files Bytecode Verifier Class LoaderCore API Class Files Core Java API Security Package Key Database Security Manager Access Controller Security manager exists for historical reasons Access control to system resources Policy enforcement Default only for applets
- 20. Key Database Create / verify digital signatures Operating System Remote Class Files Local Class FilesSigned Class Files Bytecode Verifier Class LoaderCore API Class Files Core Java API Security Package Key Database Security Manager Access Controller
- 21. Java Sandbox • Permissions • Code Source • Protection Domain • Policy File • Keystore
- 22. Java 2 Security Model • All code runs in a sandbox • All classes are loaded with full bytecode verification • All classes are loaded with Java language features • Signed classes verify the integrity and origination of Java classes • Security policy provides fine-grained access • Crypto APIs
- 24. Android • Open Platform • First phone based on Android came out in 2009 • 75% smartphone market share as of October1 1: idc.com
- 25. Android Security Model • Platform Security • Crypto APIs • Secure Communication APIs • Key Management APIs
- 26. Install Time User Consent You control your phone!
- 28. Linux Kernel Unique UID and GID for each application at install time Sharing can occur through component interactions Linux Process Sandbox
- 29. Linux Kernel (Cont’d) include/linux/android_aid.h AID_NET_BT 3002 Can create Bluetooth Sockets AID_INET 3003 Can create IPv4 and IPv6 Sockets
- 30. Middleware • Libraries for code execution • Libraries for services • Take care of device specific issues • Compiled to machine language • Native and Java code
- 31. Java Virtual Machine? • There is no JVM in Android platform • No byte code is executed • JAR file will not run on Android platform
- 33. Dalvik Virtual Machine • Dalvik does not align to Java SE or Java ME • Library built on a subset of the Apache Harmony Java • Highly optimized VM to support multiple VM instances • Register based architecture • Shared constant pool • Executes Dalvik executables (.dex)
- 34. .dex File Source Files Java Compiler JAR Tool DX Converter Dalvik VM Example.jar A.class B.class Strings.xml Icon.png Example.jar Classes.dex Strings.xml Icon.png
- 35. .dex File imsciences.edu.pk Dalvik optimizes class files
- 36. Dalvik Virtual Machine • No security manager • Permissions are enforced in OS and not in VM • As of Android 2.2 Dalvik has a JIT compiler • Dalvik Bytecode verification mainly for optimization • GC for each VM instance
- 37. Android Application Structure • Application is made of components • Activity: Define screens • Service: Background processing • Broadcast Receiver: Mailbox for messages from other applications • Content Provider: Relational database for sharing information
- 38. Android Application Structure • Applications communicate through Intents • Secure RPC using Binder • AndroidManifest.xml defines policy for application
- 39. Permission Protection Levels • Normal android.permission.VIBRATE com.android.alarm.permission.SET_ALARM • Dangerous android.permission.SEND_SMS android.permission.CALL_PHONE • Signature android.permission.FORCE_STOP_PACKAGES android.permission.INJECT_EVENTS • SignatureOrSystem android.permission.ACCESS_USB android.permission.SET_TIME All components are secured by permissions Developers can define their own permissions as well
- 40. Application Layer Security • Permissions restrict component interaction • Permission labels defined in AndroidManifest.xml • Applications are self-signed; no CA required • Signatures define persistence and authorship
- 41. Android Security Model • Linux process sandbox • Permission based component interaction • Dalvik is not a security boundary • All applications need to be signed • Signature define persistence and authorship • Install time security decisions • Crypto APIs
- 42. SUMMARY
- 43. Vision Protect host machine from malicious code Optimization for mobile platform
- 44. Install Time Checking Who are you? What do you want to do?
- 45. Sandbox Permissions + Code Sources + Policy + keystore + Protection Domains Linux Process Sandbox
- 46. Signature Identity and Trust Authorship and Persistence
- 47. Permissions Enforced by VM Enforced by OS
- 48. Protection Domain Code Sources + Permissions Process
- 49. Virtual Machine VM is a security boundary VM is NOT a security boundary
- 50. Security Enforcement Applets v/s Applications Native v/s Java code No exceptions!
Editor's Notes
- permission: type, name, and action of permissionCode source: location and signer of codeProtection domain: permission + codePolicy file: defines protection domainKeystore: verifies identity
- Total system RAM is 64 MB; available after low level startup: 40MB and after high level services have started: 20 MB and large system libs 10 MB
- "java.version" property returns "java.class.version" invariably returns 50"user.home" and "user.name" properties do not existHighly optimized VM to support multiple VM instances with own address space and separate memoryRelies on Linux kernel for underlying functionality such as threading and low-level memory managementLibrary built on a subset of the Apache Harmony JavaMemory is clean (mmap() and unwritten)) or dirty (malloc)Shared memory: used by many processesPrivate memory used by one process
- ExamplesDex structures are using valid indices and offsets and code can’t misbehaveOptimaization: byte swapping (not needed on ARM)m static linking, pruning empty methodsRelies on Linux kernel for underlying functionality Garbage Collector is independent for each process but respect sharingBytecode verifierOptimization“Exact” GCIntra-application SecurityAnalysis & Debugging