[1D7]안드로이드 L-Preview 보안 아키텍처 및 설비

안드로이드 L-Preview 보안 아키텍처 및 설비 2014. 9. 29. kandroid.org 운영자 양정수 (yangjeongsoo@gmail.com)

0
200
400
600
800
1000
1200
간단한 자기 소개 및 DEVIEW 발표를 하는 이유?
DEVIEW : 이경민 & 양정수
MinMax14th Android New Runtime : ART
1.ART Overview
2.ART AOT Compiler
3.ART Loader
4.ART Fast Memory Allocation
5.ART Garbage Collector Improvement
6.Android Developer Backstage Episode 10,11 Review

오늘 발표내용에서 담고자 하는 내용 요약
몇 가지 경험에 대한 공유
1.안드로이드 플랫폼 Porting : Kandroid ADP
2.구글 GMS 분석 : MITM(Man In The Middle) Attack L-Preview 이전의 보안 설비
1.보안 설비 히스토리
2.메모리 취약성 개선 : Facebook LinearAlloc Issue & ASLR
3.안드로이드 기본 보안모델 강화 : SELinux L-Preview의 신규 보안 설비
1.Sandbox 모델의 변화 : Process Isolation
2.Android Work : 삼성 KNOX란?
3.Malware 자동 탐지 서비스 : 보안 서비스 결론 : 향후 안드로이드 보안의 미래는?

안드로이드 플랫폼 Porting 세 번의 서로 다른 경험
2008년 10월 11일
2009년 1월 12일
2010년 12월 7일
출처
•http://www.kandroid.org/board/board.php?board=AndroidPorting&page=2&command=body&no=39
•http://www.kandroid.org/board/board.php?board=androidsource&command=body&no=22
•http://www.kandroid.org/board/board.php?board=HTCDream&command=body&no=123

안드로이드 플랫폼 Porting Kandroid ADP(칸드로이드 개발자 폰)

안드로이드 플랫폼 Porting
Kandroid ADP(칸드로이드 개발자 폰)

안드로이드 플랫폼 Porting Kandroid ADP 어떻게 만들었는가? Phone은 어떻게 만들어지는가?
AOSP
Linux
HAL
GMS
AOSP Ref HAL
AOSP
Linux
AOSP Ref HAL
AOSP
Linux
HAL
GMS
GMS

1.구글에 공식 또는 비공식 요청한다.
2.구글 또는 OHA 멤버사에서 비공식적으로 입수한다.
3.실제 디바이스에서 추출한다.
1.루팅(Rooting)
2.cp /system/app/Gmail.odex . cp /system/app/Gmail.apk . baksmali -d ./framework -x Gmail.odex => ./out smali -o classes.dex out cp classes.dex zip -r -q Gmail.apk classes.dex
안드로이드 플랫폼 Porting Kandroid ADP 어떻게 만들었는가? GMS는 어떻게 구할 수 있는가?

•구글은 왜 GMS를 포함한 에뮬레이터를 배포하지 않는가?
•Smali/Baksmali 사용처는?
•폰(Phone)이란 무엇인가? H/W가 없는 S/W 폰, 가능한가?
안드로이드 플랫폼 Porting Kandroid ADP 작업에서 생길 몇 가지 질문

APPLICATIONS
Browser
IM
SMS/MMS
Dialer
Alarm
…
Calendar
Email
Voice Dial
Contacts
APPLICATION FRAMEWORK
Activity Manager
Package Manager
Window Manager
Telephony Manager
Content
Provider
Resource
Manager
View System
Location Manager
Notification Manager
…
LIBRARIES
Surface Manager
ANDROID RUNTIME
Dalvik Virtual Machine
Core Libraries
LINUX KERNEL
Display Driver
Camera Driver
Bluetooth Driver
Shared Memory Driver
Binder (IPC)
Driver
USB Driver
Keypad Driver
WiFi Driver
Audio Driver
Power Management
OpenGL|ES
SGL
Media Framework
FreeType
Libc
SQLite
WebKit
…
GMS (Apps)
Market
Gmail
Talk
…
GoogleServiceFramework
Map lib
voice
구글 GMS 분석 구글 GMS란 무엇인가?

APPLICATIONS
Browser
IM
SMS/MMS
Dialer
Alarm
…
Calendar
Email
Voice Dial
Contacts
APPLICATION FRAMEWORK
Activity Manager
Package Manager
Window Manager
Telephony Manager
Content Provider
Resource
Manager
View
System
Location Manager
Notification Manager
…
LIBRARIES
Surface Manager
ANDROID RUNTIME
Dalvik Virtual Machine
Core Libraries
LINUX KERNEL
Display Driver
Camera Driver
Bluetooth Driver
Shared Memory Driver
Binder (IPC) Driver
USB Driver
Keypad Driver
WiFi Driver
Audio Driver
Power Management
OpenGL|ES
SGL
Media Framework
FreeType
Libc
SQLite
WebKit
…
GMS (Apps)
Market
Gmail
Talk
…
GoogleServiceFramework
Map lib
voice
구글 GMS 분석 구글 GMS란 무엇인가?

구글 GMS 분석 어떻게 분석할 것인가?
정적(Static) 분석
•Androidguard
•Apktool
•dex2jar
•dexter
•IDA Pro
•jd-gui
•Mobile Sandbox
•Smali/Backsmali
동적(Dynamic) 분석
•Andrubis
•Droidbox
•DroidScope
•Google Bouncer
•Taintdroid
난독화(Obfuscation)
•Identifier renaming
•Junk byte insertion
•Obfuscation strings
•Dynamic loading of code
•Dynamic code modification
•Callgraph Obfuscation
•Manifest Obfuscation
•ProGuard
•DexGuard
참조 : http://www.usmile.at/sites/default/files/publications/201306_obf_report_0.pdf

Package : GoogleServicesFramework.apk
Process : com.google.android.gapps
Activity : 39개
ContentProvider : 4개
Service : 8개
Include Dalvik VM
GSF Total Components : 60개
Intent : Bundle of Informations
•Explicit : Call Class
•Implicit : IntentFilter : 26개
 Action, Data, Category
BroadcastReceiver : 9개
permission-tree : 1개
permission : 54개
uses-permission : 55개
android:permission : 2개
android:readPermission : 4개
android:writePermission : 4개
path-permission : 1개
android:grantUriPermissions : 1개
구글 GMS 분석 무엇을 분석할 것인가?

GMS(Google Mobile Services)
GSF (GoogleService Framework)
mtalk.google.com 5228
Google Cloud Server
Google Account Server
Android Device
Google Services Google Mobile Services
•Google Play
•GCM
?
구글 GMS 분석 동적(Dynamic) 분석의 필요성-네트워킹 정보

fake
fake mtalk. google. com
MITM attack (Man In The Middle) at Internet
TLS/SSL
TLS/SSL
Google Connection Server mtalk. google.com
fake CA Server
fake Cert
Digital Signing
Custom Android Image
Packet Log
Packet Report
Custom Protocol Buffer Deserialzer
구글 GMS 분석 동적(Dynamic) 분석 : 중간자(MITM) 공격
2
3
1
5
4

구글 GMS 분석 동적(Dynamic) 분석 : 중간자(MITM) 공격 결과
출처 : http://www.kandroid.org/mtalk

0
50
100
150
200
250
300
350
400
450
1
7
13
19
25
31
37
43
49
55
61
67
73
79
85
91
97
103
109
115
121
127
133
139
145
151
157
163
169
175
181
187
193
199
205
211
217
223
229
235
Heartbeat Data Traffic Threshold
heartbeat
구글 GMS 분석 동적(Dynamic) 분석 Heartbeat 기술의 동작 원리 이해

Device Info
Device Info Register Client
Device Info Register Server
Google Service Framework
Install apk into myPhone
Google Play
install asset request
mtalk.google. com
install asset response
1
3
4
5
6
1
2
2
read device info
구글 GMS 분석 동적(Dynamic) 분석 구글 플레이를 통한 앱 인스톨 메커니즘 이해

구글 GMS 분석 GMS 분석의 최종 결과와 몇 가지 질문들
지금은 사라진 사이트 : Black Market(?) http://www.kandroid.org/market/ 구글은 왜 Heartbeat를 서버에서 제어하는가? 구글은 왜 앱 인스톨을 서버에서 제어하는가? 구글은 왜 GMS에 ProGuard를 사용하지 않는가?

2007
2008
2009
2010
2011
2012
2013
2014
2015
최초 SDK
M C D E F GH I J K
L Developer Preview 이전의 보안 설비
1.5
•MM(SE)
1)ProPolice to prevent stack buffer overruns (-fstack-protector)
2)safe_iop to reduce integer overflows
3)Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption.
4)OpenBSD calloc to prevent integer overflows during memory allocation 2.2
•User log-in authentication
•Device Administration API : Remote wipe
2.3
•MM(SE)
1)Format string vulnerability protections (-Wformat-security - Werror=format-security)
2)Hardware-based No eXecute (NX) to prevent code execution on the stack and heap
3)Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1) 3.0
•Pluggable DRM framework
•Encrypted storage
•Password security enhancements
4.0
•Secure management of credentials
•VPN client API
•Device policy management for camera
•MM(SE)
1)Address Space Layout Randomization (ASLR) to randomize key locations in memory 4.1
•App Encryption
•isolatedProcess
•MM(SE)
1)PIE (Position Independent Executable) support
2)Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now)
3)dmesg_restrict enabled (avoid leaking kernel addresses)
4)kptr_restrict enabled (avoid leaking kernel addresses)

2007
2008
2009
2010
2011
2012
2013
2014
2015
최초 SDK
M C D E F GH I J K
4.2
•Application Verification
•More control of premium SMS
•Always-on VPN
•Certificate Pinning
•Improved display of Android permissions
•installd hardening
•init script hardening
•ContentProvider default configuration
•Crytography
•Security Fixes
•MM(SE)
1)FORTIFY_SOURCE for system code
4.3
•Android sandbox reinforced with SELinux
•No setuid/setgid programs
•ADB Authentication
•Restrict Setuid from Android Apps
•Capability bounding
•AndroidKeyStore Provider
•KeyChain isBoundKeyAlgorithm
•NO_NEW_PRIVS
•Relocation protections
•Improved EntroyMixer
•Security Fixes
•MM(SE)
1)FORTIFY_SOURCE enhancements
4.4
•Android sandbox reinforced with SELinux
•Per User VPN
•ECDSA Provider support in AndroidKeyStore
•Device Monitoring Warnings
•Certificate Pinning
•Security Fixes
•MM(SE)
1)FORTIFY_SOURCE level 2

2007
2008
2009
2010
2011
2012
2013
2014
2015
최초 SDK
M C D E F GH I J K
1.기본적인 보안은 리눅스에 기반함
•애플리케이션과 프로세스에 부여된 UID와 GID
•프로세스는 Sandbox 역할을 함
2.보다 섬세한 보안은 퍼미션에 기반함.
•자체 서명된 인증서와 사용자 확인과정에 의함

2007
2008
2009
2010
2011
2012
2013
2014
2015
최초 SDK
M C D E F GH I J K
1.Memory Management Security Enhancements
•코드 삽입 공격 / 코드 재사용 공격 / 코드 수정 공격
•ROP(Return-Oriented Programming) 공격
2.Security-Enhanced Linux
•Rooting 이슈 해결방법 : 1) 루팅 차단 2) 루팅 무용화

L Developer Preview 이전의 보안 설비 Memory Management Security Enhancements How Facebook Hit The Dalvik Limit?
참조 :
•http://techcrunch.com/2013/03/04/facebook-google-dalvik/
•https://www.facebook.com/notes/facebook-engineering/under-the-hood-dalvik-patch-for-facebook-for-android/10151345597798920

L Developer Preview 이전의 보안 설비 Memory Management Security Enhancements Facebook 해킹 이야기 : 방법

L Developer Preview 이전의 보안 설비 Memory Management Security Enhancements Facebook 해킹 이야기 : 결과
Facebook 07-04 03:28:39.958: I/dalvik-internals(5078): Successfully looked up JNI_GetCreatedJavaVMs 07-04 03:28:39.958: I/dalvik-internals(5078): Successfully looked up gDvm 07-04 03:28:39.958: E/dalvik-internals(5078): Failed to look up ladDumpProfiles 07-04 03:28:39.958: E/dalvik-internals(5078): Failed to look up ladResetProfiles 07-04 03:28:39.958: E/dalvik-internals(5078): Failed to look up ladPrintHeaderInfo 07-04 03:28:39.958: I/dalvik-internals(5078): gDvm has value 0x800aad38. Searching for vmList (initial offset in [704,1480]). 07-04 03:28:39.958: I/dalvik-internals(5078): Beginning search. Actual offset in [704,1444]. 07-04 03:28:39.958: I/dalvik-internals(5078): Found vmList at offset 744. 07-04 03:28:39.958: D/dalvik-internals(5078): Evaluating LinearAllocHdr candidate at 0x12418. 07-04 03:28:39.958: I/dalvik-internals(5078): Found LinearAllocHdr at expected offset from vmList.
Fake Facebook 07-04 15:35:36.748: I/dalvik-internals(8465): Successfully looked up JNI_GetCreatedJavaVMs 07-04 15:35:36.748: I/dalvik-internals(8465): Successfully looked up gDvm 07-04 15:35:36.748: E/dalvik-internals(8465): Failed to look up ladDumpProfiles 07-04 15:35:36.748: E/dalvik-internals(8465): Failed to look up ladResetProfiles 07-04 15:35:36.748: E/dalvik-internals(8465): Failed to look up ladPrintHeaderInfo 07-04 15:35:36.748: I/dalvik-internals(8465): gDvm has value 0x800aad38. Searching for vmList (initial offset in [704,1480]). 07-04 15:35:36.748: I/dalvik-internals(8465): Beginning search. Actual offset in [704,1444]. 07-04 15:35:36.748: I/dalvik-internals(8465): Found vmList at offset 744. 07-04 15:35:36.748: D/dalvik-internals(8465): Evaluating LinearAllocHdr candidate at 0x12418. 07-04 15:35:36.748: I/dalvik-internals(8465): Found LinearAllocHdr at expected offset from vmList.

L Developer Preview 이전의 보안 설비 Memory Management Security Enhancements Facebook 해킹 이야기 : No LinearAlloc Issue
method_ids_size
com.facebook.katana (2.0) files
filesize
48,476
classes.dex
5,686,680
1,596
./assets/pre-dexed-jars/jackson-core-2.0.5.dex.1.jar
104,268
5,864
./assets/pre-dexed-jars/jackson-databind-2.0.5.dex.1.jar
297,267
205
./assets/pre-dexed-jars/jackson-datatype-guava-2.0.4.dex.1.jar
14,288
14,551
./assets/secondary-program-dex-jars/secondary-1.dex.jar
601,815
70,692
6,704,318
method_ids_size
com.facebook.katana (3.3) files
filesize
17,720
classes.dex
2,495,944
8,471
363,816
43,710
2,016,576
41,859
1,961,432
573
./assets/pre-dexed-jars/libphonenumber-5.2.dex.2.jar
161,595
112,333
6,999,363

L Developer Preview 이전의 보안 설비 Memory Management Security Enhancements Prelink & ASLR(Address Space Layout Randomization)
출처 : http://wenke.gtisc.gatech.edu/papers/morula.pdf

L Developer Preview 이전의 보안 설비 Memory Management Security Enhancements Prelink & ASLR(Address Space Layout Randomization)
PIE
Main
Executable
Heap
Stack
Shard
Library
NDK
Library
Linker
4.0
N
N
N
N
Y
N
N
4.1
Y
Y
Y
Y
Y
Y
Y
Randomized per device boot

L Developer Preview 이전의 보안 설비 Memory Management Security Enhancements
Memory Errors: The Past, the Present, and the Future
출처 : http://www.isg.rhul.ac.uk/sullivan/pubs/tr/technicalreport-ir-cs-73.pdf

L Developer Preview 이전의 보안 설비 Security-Enhanced Linux
jsyang@jsyang-desktop:~/android-4.4_r1.2/frameworks/base/core/java/android/os$ ls *.java AsyncResult.java DropBoxManager.java Parcelable.java SELinux.java AsyncTask.java Environment.java ParcelableParcel.java ServiceManager.java BadParcelableException.java FactoryTest.java ParcelFileDescriptor.java ServiceManagerNative.java BatteryManager.java FileObserver.java ParcelFormatException.java StatFs.java BatteryProperties.java FileUtils.java Parcel.java StrictMode.java BatteryStats.java Handler.java ParcelUuid.java SystemClock.java Binder.java HandlerThread.java PatternMatcher.java SystemProperties.java Broadcaster.java IBinder.java PerformanceCollector.java SystemService.java Build.java IInterface.java PowerManager.java SystemVibrator.java Bundle.java IServiceManager.java Process.java TokenWatcher.java CancellationSignal.java Looper.java RecoverySystem.java Trace.java CommonClock.java MemoryFile.java Registrant.java TransactionTooLargeException.java CommonTimeConfig.java Message.java RegistrantList.java UEventObserver.java CommonTimeUtils.java MessageQueue.java RemoteCallback.java UpdateLock.java ConditionVariable.java Messenger.java RemoteCallbackList.java UserHandle.java CountDownTimer.java NetworkOnMainThreadException.java RemoteException.java UserManager.java DeadObjectException.java NullVibrator.java RemoteMailException.java Vibrator.java Debug.java OperationCanceledException.java ResultReceiver.java WorkSource.java
android.os.*

DAC Discretionary 자유재량에 의한 Access Control
MAC Mandatory 의무적인 Access Control Permissive 관대한 Mode
L Developer Preview 이전의 보안 설비 Security-Enhanced Linux
MAC Mandatory 의무적인 Access Control Enforcing 강제하는 Mode

L Developer Preview 이전의 보안 설비 Security-Enhanced Linux 에서 Rooting
SuperSU-JWR66N-S005-130625-1.41.zip
참조 : http://su.chainfire.eu/
root@maguro:/system/xbin # ls -lZ *su* -rwxr-xr-x root root u:object_r:system_file:s0 daemonsu -rwxr-xr-x root root u:object_r:system_file:s0 su root@maguro:/system/xbin # ps -Z u:r:shell:s0 shell 11517 11511 su u:r:init:s0 root 11520 21455 daemonsu:0:11517 u:r:init:s0 root 11521 11520 daemonsu

https://www.youtube.com/watch?v=FbVWtYPpzIs
https://www.youtube.com/watch?v=Ive8WaeldWA#t=15
http://www.youtube.com/watch?v=wtLJPvx7-ys
Google IO 2014에서 보안은 어떻게 그리고 왜 언급되었는가?

L Developer Preview 신규 보안 설비 IsolatedProcess
Use process separation
when the isolated code
Use isolatedProcess
when isolated code
Is pure Java,
Doesn’t contain an interpreter or similar, or
Interacts with other processes on your behalf
Is native code,
Performs complex operations like rendering,
Contains an interpreter or JIT, and
Doesn’t need to run as your user

L Developer Preview 신규 보안 설비 IsolatedProcess : 크롬 Sandbox 모델 차용
Main Thread (UI)
I/O Thread
Main Thread
Render Thread
Browser Process
Render Process
IPC
android:process=":sandboxed_process0" android:isolatedProcess="true“ android:process=":privileged_process2" android:isolatedProcess="false"
android:isolatedProcess
If set to true, this service will run under a special process that is isolated from the rest of the system and has no permissions of its own. The only communication with it is through the Service API (binding and starting).

• Customizable Secure Boot • TrustZone-based Integrity Measurement Architecture (TIMA) • Security Enhancements for Android
Source : http://www.samsung.com/my/business- images/resource/whitepaper/2013/11/Samsung_KNOX_whitepaper_An_Overview_of_Samsung_KNOX-0.pdf
Samsung KNOX Technology Overview
1.Platform Security
2.Application Security
3.Mobile Device Management
4.Theft Recovery
L Developer Preview 신규 보안 설비 Android Work vs. Samsung KNOX

L Developer Preview 신규 보안 설비 Malware Protection
Android Security Innovation
•Malware Protection
•Security Patches via Play Services
•Factory Reset Protection
•Universal Data Controls GoogleIO 2014 Keynote

참조 :
•http://www.youtube.com/watch?v=ZEIED2ZLEbQ
•https://jon.oberheide.org/files/summercon12-bouncer.pdf
L Developer Preview 신규 보안 설비
Malware Protection
Google Bouncer

Google Bouncer는 어떻게 동작하는가?
•Does Bouncer use static/dynamic analysis?
•When does Bouncer analyze the app? Are all apps analyzed?
•How do we get Market accounts to start figuring this out?
•Network access: open, filtered, emulated, unrestricted?
•Environment: what's the system execution environment look like?
•Timing: how long does our app run? Accelerated clock?
•Input: Artificial input to the app? Program state exploration?
•Any triggers, vulnerable services, etc?
Source : https://jon.oberheide.org/files/summercon12-bouncer.pdf

Malware, Spyware, Trojan이란 무엇인가? 우리는 정상/양성/악성의 경계선을 구분할 수 있는가? Malware에 대한 자동 분석 및 탐지는 가능한가? 정적 분석(Code)의 핵심적 한계는? Native or Dynamic Code Loading, Collusion Attacks 동적 분석(Logging)의 핵심적 한계는? Environment, Collusion Attacks 분석 시점과 분석환경의 한계는? Timing attack, Environment Fingerprinting

L Developer Preview 신규 보안 설비
Malware Protection
Source : https://www1.cs.fau.de/filepool/projects/android/divide-and-conquer.pdf
Sandbox Fingerprinting – Sand Finger

Source : https://www1.cs.fau.de/filepool/projects/android/divide-and-conquer.pdf
Divide-and-Conquer: Why Android Malware cannot be stopped 대책과 미래
A.Secure IPC Mechanisms for Android
B.Taming Dynamic Code Loading
C.Improving Sandboxes
D.Machine Learning Anti-fingerprinting techniques

향후 안드로이드 보안 기술의 미래는?
사용자 측면
개발자 측면
서비스 측면
정보유출 및 비용발생
기술보안 및 제품도용
컨텐츠보안 및 안심거래
플랫폼 측면
Anti-fingerprinting techniques
2010. 12. 7. Kandroid ADP (칸드로이드 개발자 폰)

감사합니다. 질문 받겠습니다.

[1D7]안드로이드 L-Preview 보안 아키텍처 및 설비

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à [1D7]안드로이드 L-Preview 보안 아키텍처 및 설비

Similaire à [1D7]안드로이드 L-Preview 보안 아키텍처 및 설비 (20)

Plus de NAVER D2

Plus de NAVER D2 (20)

[1D7]안드로이드 L-Preview 보안 아키텍처 및 설비