
Android IPC Mechanism

Published in: Technology

  1. ANDROID IPC MECHANISM • nfsnfs @ Advanced Defense Lab
  2. REFERENCE • Draws heavily on the following material: • http://www.slideshare.net/yeg239/android-internals-06-binder-typical-subsystem-rev11 • http://marakana.com/s/post/1340/Deep_Dive_Into_Binder_Presentation.htm • http://www.slideshare.net/jserv/android-ipc-mechanism • http://developer.android.com/guide/components/aidl.html • http://www.jbcreativgroup.com/pdf/an-empirical-study-of-the-robustness-of-inter-component-77091.pdf
  3. OUTLINE • IPC • Java Layer • Binder • Security Issue in IPC
  4. WHAT IS IPC? • IPC = Inter-Process Communication • Communication between processes • More ... ?
  5. WHY IPC? • In Android every process has its own address space • Data Isolation • IPC can add a lot of overhead, and it can also create security problems
  6. WHAT IS DIFFERENT? • Traditional Linux • Pipe • Signal • Message Queue • Semaphore • Socket • Shared Memory
  7. ANDROID IPC SYSTEM • Binder • Derived from OpenBinder • BeOS / Palm • Completely rewritten to become the Android binder
  8. SOCKET VS BINDER • Socket: File Descriptor, Network, Stream I/O • Binder: PID, Local only, IOCTL
  9. BINDER (diagram: Linux Kernel, /dev/binder, servicemanager, system_server, App1, App2, App3)
  10. WHY BINDER? • Security • isolated process with distinct ID • Stability • crashed process • Memory Management • no need to free objects
  11. BIONIC C • Does not support the traditional System V IPCs • No SysV semaphores, shared memory, message queues • SysV IPC has a kernel resource leakage problem
  12. COMMUNICATIONS (diagram: Application layer with Home, Contacts, Phone, Browser; IPC; Application Framework; IPC & JNI; Native Layer)
  13. ANDROID IPC • Intent • A data structure in the Java layer used to send messages • Asynchronous Communication • ContentResolver and ContentProvider are Synchronous Communication • Through the CRUD API
  14. INTENT • Contains some basic fields • data // the data required • action // the thing to be done • category // the type of the action • component // which component it is sent to • extras // additional data to pass along
  15. INTENT CATEGORIES • Explicit Intent • An Intent with a specified component • Implicit Intent • An Intent with no specified component
  16. EXPLICIT INTENT • Intent.setComponent(ComponentName) • Intent.setClass(Context, Class) • new Intent(Context, Class)
  17. INTENT • Not suitable for low-latency communication • Based on Binder • Intent implements Cloneable and Parcelable • Only Parcelable objects can be passed through IPC • ... Or you are a primitive type
  18. INTERACTING WITH ACTIVITY (diagram: Activity starts another Activity, which returns)
  19. WHAT CAN YOU DO WITH AN INTENT? • startActivity(Intent) • startActivityForResult(Intent, int) • Start an Activity ...
  20. INTERACTING WITH SERVICE (diagram: Activity and BroadcastReceiver each start / stop / bind a Service)
  21. WHAT CAN YOU DO WITH AN INTENT? • startService(Intent) • Start a Service ... • stopService(Intent) • Stop a Service ...
  22. WHAT CAN YOU DO WITH AN INTENT? • bindService(Intent, ServiceConnection, int) • Establish a connection to a Service .. • In the ServiceConnection you can initialize the variables needed after the bind
  23. INTERACTING WITH BROADCASTRECEIVER (diagram: Activity, Service and System send an Intent to a BroadcastReceiver)
  24. WHAT CAN YOU DO WITH AN INTENT? • sendBroadcast(Intent) • sendOrderedBroadcast, sendStickyBroadcast, sendStickyOrderedBroadcast • Send an Intent to a BroadcastReceiver ...
  25. WHAT ELSE ... ? • Messenger & Handler • Commonly used for Activity / Service communication • Message.what: what to do • Message.setData(Bundle): the data to pass • Across different processes, use a Bundle • Within the same process, Message.obj can be used to pass an object
  26. MESSENGER & HANDLER (diagram: App A Activity and App B Service; the Messenger is passed by reference at start, the Service's Handler is called, and a callback reference is used to call back)
  27. MESSENGER & HANDLER • Very similar to Intent • But it provides two-way communication! • As the Android Developer site explains: Reference to a Handler, which others can use to send messages to it. This allows for the implementation of message-based communication across processes, by creating a Messenger pointing to a Handler in one process, and handing that Messenger to another process.
  28. MESSENGER & HANDLER • Characteristics • Low latency, but still asynchronous
  29. MESSENGER & HANDLER • DEMO
  30. MESSENGER & HANDLER • Register the Handler and Messenger in the Service
  31. MESSENGER & HANDLER • Return an IBinder from the Service's onBind • The Activity bound to the Service can send messages through this IBinder object
  32. MESSAGE • Use Message.obtain() to take a Message object from mPool • new Message() is not recommended • replyTo: reply to this Messenger
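The Messenger/Handler pattern from the slides above, written out as an added example (not code from the deck): a Service registers a Handler, wraps it in a Messenger, returns its IBinder from onBind, and a bound client sends a Message with replyTo set so the Service can answer. The class and constant names (EchoService, MSG_ECHO, the "text" key) are assumed for this example.

```java
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.*;

public class EchoService extends Service {
    static final int MSG_ECHO = 1;        // Message.what: what the service should do
    static final int MSG_ECHO_REPLY = 2;

    // Handler on the service's main thread; every bound client can reach it, so validate input.
    private final Handler handler = new Handler(Looper.getMainLooper()) {
        @Override public void handleMessage(Message msg) {
            if (msg.what != MSG_ECHO) { super.handleMessage(msg); return; }
            String text = msg.getData().getString("text");   // Bundle crosses processes; msg.obj would not
            if (msg.replyTo == null || text == null) return;  // null checks instead of a crash
            Message reply = Message.obtain(null, MSG_ECHO_REPLY);  // obtain() reuses the pool
            Bundle out = new Bundle();
            out.putString("text", text.toUpperCase());
            reply.setData(out);
            try { msg.replyTo.send(reply); } catch (RemoteException e) { /* client went away */ }
        }
    };
    private final Messenger messenger = new Messenger(handler);

    @Override public IBinder onBind(Intent intent) { return messenger.getBinder(); }
}

// Client side (for example inside an Activity): bind, then send a Message carrying replyTo.
class EchoClient {
    private final Messenger replyTo = new Messenger(new Handler(Looper.getMainLooper()) {
        @Override public void handleMessage(Message msg) {
            if (msg.what == EchoService.MSG_ECHO_REPLY) {
                String echoed = msg.getData().getString("text");   // two-way: the reply lands here
            }
        }
    });
    private final ServiceConnection conn = new ServiceConnection() {
        @Override public void onServiceConnected(ComponentName n, IBinder b) {
            Messenger service = new Messenger(b);                 // wraps the IBinder from onBind
            Message m = Message.obtain(null, EchoService.MSG_ECHO);
            Bundle data = new Bundle();
            data.putString("text", "hello");
            m.setData(data);
            m.replyTo = replyTo;                                   // lets the service answer us
            try { service.send(m); } catch (RemoteException e) { /* service died */ }
        }
        @Override public void onServiceDisconnected(ComponentName n) { }
    };
    void bind(Context ctx) { ctx.bindService(new Intent(ctx, EchoService.class), conn, Context.BIND_AUTO_CREATE); }
}
```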
  33. SO LET'S TALK ABOUT THE BINDER BEHIND THEM!
  34. BINDER! • Extremely important! In the Android platform, the binder is used for nearly everything that happens across processes in the core platform. - Dianne Hackborn [https://lkml.org/lkml/2009/6/25/3]
  35. METHOD INVOCATION • Within the same Process (diagram: caller calls callee directly)
  36. OTHER PROCESS? • RPC? • Message Passing? • Socket? • ...
  37. THE BINDER SYSTEM ARCHITECTURE IS ACTUALLY ... (diagram, top to bottom: Java Binder client / server side; Native Binder client / server side; Java Binder Framework; Native Binder Framework; Binder core library; Binder Adapter, ProcessState.cpp / IPCThreadState.cpp; Binder Driver)
  38. BINDER COMMUNICATION (diagram: Client in Process A, Binder in the Kernel, Service in Process B)
  39. BINDER DRIVER • Binder driver • ioctl(binderFd, BINDER_WRITE_READ, &bwd) system call • open / release / poll / mmap / flush / ioctl • /dev/binder
  40. FLAT_BINDER_OBJECT • binder and handle represent a local object and a remote object respectively • The binder driver does this mapping for you
  41. FLAT_BINDER_OBJECT TYPES • BINDER_TYPE_BINDER / BINDER_TYPE_WEAK_BINDER - local object • BINDER_TYPE_HANDLE / BINDER_TYPE_WEAK_HANDLE - reference to a remote object • BINDER_TYPE_FD - file
  42. FLAT_OBJECT_TYPE FLAGS • TF_ONE_WAY - one-way, asynchronous, no reply needed • TF_ROOT_OBJECT - root object, meaning the type is a local object • TF_STATUS_CODE - status code, meaning the type is a handle • TF_ACCEPT_FDS - file descriptors may be accepted, so the handle will be a file descriptor
  43. THE DATA ACTUALLY TRANSFERRED: BINDER_TRANSACTION_DATA
  44. BINDER_WRITE_READ • read_buffer and write_buffer are pointers (to buffers in user space) • BC_TRANSACTION • parses the data about to be processed • BC_REPLY • returns the result data • struct binder_write_read { signed long write_size; signed long write_consumed; unsigned long write_buffer; signed long read_size; signed long read_consumed; unsigned long read_buffer; }
  45. BINDER COMMUNICATION • At the Native level this is usually handled with libbinder; there is no need to drive ioctl directly • But sometimes you want to hide binder so the client has less to deal with ... • AIDL! • A Java-like language
  46. BINDER COMMUNICATION (diagram: Client and Proxy in Process A, Binder in the Kernel, Stub and Service in Process B)
  47. AIDL • Proxy and Stub • Java-based • Can be generated with the aidl tool • In Android Studio, put the aidl file under /main/aidl/<package_name>/ and the Interface is generated automatically in /build/source/aidl
  48. AIDL • AIDL example:
  49. AIDL • AIDL is only used to generate an Interface • Which contains the two classes Proxy and Stub!
  50. AIDL • The generated interface:
  51. AIDL • The Stub in the Service
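The AIDL example, generated interface and Service-side Stub that slides 48 to 51 refer to, reconstructed here as an added example rather than the deck's own code. The interface name ICounter, its methods and the package are assumed; the .aidl source is shown as a comment and the Java below uses the classes the aidl tool would generate from it.

```java
// ICounter.aidl (placed under main/aidl/<package_name>/ in Android Studio):
//   package com.example.ipc;
//   interface ICounter { int add(int delta); int get(); }
// The aidl tool generates com.example.ipc.ICounter with a nested ICounter.Stub (server side,
// extends Binder, unmarshals the Parcel) and ICounter.Stub.Proxy (client side, marshals).

import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.IBinder;
import android.os.RemoteException;
import com.example.ipc.ICounter;

public class CounterService extends Service {
    private int count;
    // The Stub is the Binder object; each call arrives on a Binder thread, so synchronize.
    private final ICounter.Stub stub = new ICounter.Stub() {
        @Override public synchronized int add(int delta) { count += delta; return count; }
        @Override public synchronized int get() { return count; }
    };
    @Override public IBinder onBind(Intent intent) { return stub; }
}

class CounterClient {
    private ICounter counter;   // behind this sits ICounter.Stub.Proxy wrapping a remote handle
    private final ServiceConnection conn = new ServiceConnection() {
        @Override public void onServiceConnected(ComponentName name, IBinder service) {
            // asInterface() returns the local Stub in-process, otherwise a Proxy to the remote one
            counter = ICounter.Stub.asInterface(service);
        }
        @Override public void onServiceDisconnected(ComponentName name) { counter = null; }
    };
    void bind(Context ctx) {
        Intent i = new Intent(ctx, CounterService.class);   // explicit Intent: component is set
        ctx.bindService(i, conn, Context.BIND_AUTO_CREATE);
    }
    int addOne() throws RemoteException {
        if (counter == null) throw new IllegalStateException("not bound");
        return counter.add(1);   // marshalled into a Parcel, transact()ed, reply unmarshalled
    }
}
```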
  52. MARSHALLING AND UNMARSHALLING • Marshalling is the act of producing a Parcel object • Unmarshalling restores the Parcel back into the original object
  53. PARCEL • AIDL handles this for us • It actually repackages the object using native binary encoding
  54. ANDROID.OS.PARCEL • http://www.slideshare.net/jserv/android-ipc-mechanism
  55. BINDER COMMUNICATION (diagram: Client, Manager and Proxy in Process A, Binder in the Kernel, Stub and Service in Process B)
  56. SYSTEM SERVICES • The approach used by System Services • Clients cannot tell at all that they are using IPC • Context.getSystemService(String)
  57. SYSTEM SERVICES • NOTIFICATION_SERVICE • LOCATION_SERVICE • CONNECTIVITY_SERVICE • WIFI_SERVICE • ... too many to list: http://developer.android.com/reference/android/content/Context.html
  58. HOW TO USE SYSTEM SERVICES • Example:
  59. BINDER COMMUNICATION (sequence diagram: Client, Manager, Proxy in Process A; Binder in the Kernel; Service Manager, Context Manager, Framework, Service in Process B; steps: register CM, await reqs, get CM, register service, registered service, register svc tx, get CM, get svc tx, init manager, get service, got service)
  60. CONTEXT MANAGER • The Binder Driver allows only one Context Manager to register • So servicemanager is the first Android service to be started • http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c • servicemanager a.k.a. Context Manager
  61. SERVICEMANAGER IN INIT.RC • init.rc contains the startup order of the services
  62. SETTING UP SERVICEMANAGER • frameworks/native/cmds/servicemanager/service_manager.c • This is (void *) 0 • Waits for requests
  63. SETTING UP SERVICEMANAGER • BINDER_SET_CONTEXT_MGR • frameworks/native/cmds/servicemanager/binder.c
  64. SETTING UP SERVICEMANAGER • http://lxr.linux.no/linux+v3.10.6/drivers/staging/android/binder.c#L2622
  65. SVCMGR_HANDLER • http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#203
  66. SERVICE MANAGER • System services have to register with the service manager • An application that wants to use a system service queries the service manager
  67. REGISTERING A SYSTEM SERVICE • http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#do_add_service
  68. CHECKING WHETHER THE SERVICE BEING REGISTERED IS PERMITTED • http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#svc_can_register
  69. CURRENTLY REGISTERED SERVICES • adb shell service list
  70. TESTING A SYSTEM SERVICE • adb shell service call phone 1 s16 "1234567890"
  71. WHICH IS ACTUALLY ... • The order in the AIDL • http://androidxref.com/4.3_r2.1/xref/frameworks/base/telephony/java/com/android/internal/telephony/ITelephony.aidl
  72. OVERALL FLOW • http://marakana.com/s/post/1340/Deep_Dive_Into_Binder_Presentation.htm
  73. SECURITY • IPC can cause some security problems • Because an Intent can be malicious!
  74. THREAT! (diagram: App A, App B and a Malicious App, each with an Activity, Service and Broadcast Receiver, exchanging Intents and System Intents)
  75. REF TO COMDROID • See the ComDroid slides!
  76. QUESTIONS? • How well does an Android component behave in the presence of a semi-valid or random Intent? • How robust are Android's ICC primitives? • How can we refine the implementation of Intents so that input validation can be improved?
  77. TESTING TOOL (diagram: Package Manager provides a list of components; Intents are delivered via startActivityForResult, startService and sendBroadcast)
  78. AVOID MANUAL INTERVENTION • startActivityForResult() and finishActivity() • Pause 100ms between sending of each successive Intent
  79. SEMI-MANUAL ... • finishActivity() did not work in two situations • System alert was generated (crash or exception) • Activity was started as a new task: "Calling startActivity() from outside of an Activity context requires the FLAG_ACTIVITY_NEW_TASK flag."
  80. GENERATING INTENTS • { Action / Data / Component / Extras } • Data URI := scheme/path?query
  81. DATA URI SCHEME • content:// • file:// • folder:// • directory:// • geo: • google.streeview: • http:// • https:// • mailto: • ssh: • tel: • voicemail:
  82. IMPLICIT INTENT • A. Valid Intent, unrestricted fields null: • Match only the restricted attributes of the Intent-filter • B. Semi-valid Intent: • Fuzz at least one field
  83. VALID INTENT • Intent filter: <intent-filter> <action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" /> </intent-filter> • Intent: Intent i = new Intent(); i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE"); sendBroadcast(i);
  84. SEMI-VALID INTENT • Intent filter: <intent-filter> <action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" /> </intent-filter> • Intent: Intent i = new Intent(); i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE"); i.addCategory("CATEGORY_ALTERNATIVE"); sendBroadcast(i);
  85. EXPLICIT INTENT • FIC A. Semi-valid Action and Data • FIC B. Blank Action or Data • FIC C. Random Action or Data • FIC D. Random Extras • * FIC: fuzz injection campaigns (robustness of the callee against a potential adversary)
  86. SEMI-VALID ACTION AND DATA • Total Intents: |Action| x |Data| for each component • { act=ACTION_EDIT data=http://www.google.com comp=com.android.someComponent } (meaningless combination)
  87. BLANK DATA OR ACTION • Total Intents: |Action| + |Data| for each component • { data=http://www.google.com comp=com.android.someComponent } (no Action)
  88. RANDOM ACTION OR DATA • { act=ACTION_EDIT data=a1b2c3d4 comp=com.android.someComponent } (random Data)
  89. RANDOM EXTRAS • { act=ACTION_DIAL data=tel:123-456-789 comp=com.android.someComponent, has Extras }
  90. MACHINE • Moto Droid - Android 2.2 • HTC Evo 3D - Android 2.3.4 • Emulator - Android 4.0
  91. FIRMWARE • com.android.* package • In Droid ... • 297 activities • 42 services • 59 receivers • In Emulator ... • 332 activities • 54 services • 69 receivers
  92. MOST POPULAR FREE APPS • 3 Dec, 2011 • Facebook • Pandora Radio • Voxer Walkie Talkie • Angry Birds • Skype • 103 activities • 11 services
  93. EXPERIMENTAL RESULTS
  94. FAULT INJECTION • Choose one particular component and inject all the Intents targeted at that component
  95. COLLECT LOGS • logcat • "Force Close" • "Application x stopped unexpectedly" • "FATAL EXCEPTION: main"
  96. RESULTS FOR EXPLICIT INTENTS • 2148 crashes in Android 2.2 • 641 crashes in Android 4.0 • 152 crashes for Apps from Market
  97. FAILED COMPONENTS! • Many Android components do not perform null checks • 3 of the apps (from Market) had at least one component fail one or more experiments
  98. EXCEPTION TYPES • Should be handled by the calling function
  99. IN ANDROID 4.0 ... • Unpredictable environment-dependent errors in Android 4.0 • WindowManager$BadTokenException (26.83%) • IllegalStateException (23.56%) • RuntimeException (3.12%) • system_server restarts (GC)
  100. SYSTEM CRASH • 3 Activities in built-in apps caused system_server to restart • They did not catch NullPointerExceptions • No extra permissions needed
  101. SYSTEM CRASH
  102. RESULTS FOR VALID INTENTS • In HTC Evo 3D ... • 1910 Intent-filters, startActivity() • Some of them are registered by Services • ActivityNotFoundException • Crashed 5 components • 12 unexpected exceptions: 1. NullPointerException 2. IOException 3. Resources$NotFoundException
  103. RESULTS FOR SEMI-VALID • From Intent-filters • 643 distinct Actions • 37 Categories
  104. DISCUSSIONS • Poor exception handling • Environment-dependent errors in Android 4.0 • Privileged components with unrestricted access
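The discussion above blames missing null checks and poor exception handling for most crashes. As an added example (not from the deck or the cited paper), here is an exported Activity written to survive the blank, random and semi-valid Intents the four fuzz campaigns send: it validates action, data and extras before using them and finishes cleanly instead of throwing. The class name, extra key and accepted schemes are assumed.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

// Assumed manifest entry: <activity android:name=".ViewerActivity" android:exported="true">
// with an intent-filter for ACTION_VIEW on http/https. Components that need no outside
// callers should instead declare android:exported="false" (unrestricted access is the
// third discussion point above).
public class ViewerActivity extends Activity {
    static final String EXTRA_TITLE = "title";   // assumed extra key

    @Override protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        Intent i = getIntent();
        if (i == null || !isUsable(i)) {          // FIC B/C: blank or random action/data
            Log.w("ViewerActivity", "rejecting malformed Intent");
            finish();                              // leave gracefully; no FATAL EXCEPTION
            return;
        }
        Uri data = i.getData();                    // non-null: checked in isUsable()
        String title = i.getStringExtra(EXTRA_TITLE);
        if (title == null) title = data.toString(); // absent extra gets a default, not an NPE
        // ... proceed with data and title
    }

    // Accept only the Intents this component was designed for; everything else is rejected.
    static boolean isUsable(Intent i) {
        String action = i.getAction();
        if (!Intent.ACTION_VIEW.equals(action)) return false;   // null-safe: constant first
        Uri data = i.getData();
        if (data == null) return false;                          // FIC B: blank data
        String scheme = data.getScheme();
        if (!"http".equals(scheme) && !"https".equals(scheme)) return false;  // FIC A/C
        Bundle extras = i.getExtras();                           // FIC D: random extras
        if (extras != null) {
            Object t = extras.get(EXTRA_TITLE);                  // type-check, never cast blindly
            if (t != null && !(t instanceof String)) return false;
        }
        return true;
    }
}
```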
