Transcript pptx

ANDROID ACCESS
CONTROL
Presented by: Justin Williams
Masters of Computer Science Candidate
Introduction
• Android is a widely used open source operating system for mobile devices.
• It has become one of the world's most popular mobile platforms.
• Although originally designed for smartphones, it now powers tablets, TVs, and other devices.
Access Control
• Access control is a security technique that regulates who or what can view or use resources in a computing environment.
• Normally a user must first log in to the system through some authentication mechanism; access control then decides what that authenticated identity may do.
• Subject: a user, or a process acting on the user's behalf.
• Object: a piece of data or a resource.
Linux Access Control
• Discretionary Access Control (DAC) is the standard security model for Linux.
• Access privileges are based on the user identity and object ownership.
• Access to data is entirely at the discretion of the owner/creator of the data.

A Strength of DAC

• Flexible: the owner can grant or revoke access at any time without any central policy change. The flip side is that a compromised or careless owner (and any process running as root) can expose the data, and DAC by itself cannot stop that.
Mandatory Access Control
• MAC is a system-wide policy that decides who is allowed to have access.
• It relies on the system (the kernel and its loaded policy), not the resource owner, to control access.
• Individual users cannot alter that access.
DAC and MAC together
• MAC controls do not interfere with the DAC controls.
• The kernel validates access using the DAC permissions before checking the MAC permissions.
• If the DAC permissions result in a permission violation, the MAC permissions are never checked.

DAC and MAC together cont.

• The kernel consults the MAC permissions only if the DAC check passes.
• If both the DAC and the MAC permissions pass, the kernel resource (for example, a file descriptor) is returned to user space.
SELinux
• Security Enhanced Linux (SELinux) is a kernel security model that supports mandatory access control (MAC).
• It enforces the separation of information based on confidentiality and integrity requirements.
• This limits the potential harm from data or processes that become compromised.
SELinux Cont.
• SELinux is implemented as part of the Linux Security Module (LSM) framework, which recognizes various kernel objects and the sensitive actions performed on them.
• When such an action is attempted, an LSM hook function is called to determine whether or not the action should be allowed.
• The steps in the decision-making chain for DAC and MAC (DAC check first, then the LSM hook into the MAC policy) are shown below:
Android Architecture
• A software stack comprising applications, an operating system, a run-time environment, middleware, services, and libraries.
• Each layer of the stack is tightly integrated and carefully tuned.
• Together they provide the optimal application development and execution environment for mobile devices.
The Android Software Stack
Linux Functions in Android
• Android was built on the existing and familiar Linux kernel.
• Security is based on Linux Discretionary Access Control.
• Android uses it in a significantly different way: instead of each human user having a unique ID, each installed application (and therefore each of its processes) gets its own UID.
Android's use of DAC

• Isolates apps from each other.
• At install time a unique user ID and group ID are assigned to the app.
• No app can access another app's private files unless it runs with the same UID/GID (a shared user ID, which requires both apps to be signed with the same key) or goes through an interface the other app exposes over Binder.
Sandboxing
• A mechanism for separating running processes.
• Prevents an Android app from accessing the data of another app.
• Reduces vulnerability to malicious attacks and to exploitation through vulnerable applications.
Android's use of MAC

• Because of the weaknesses of relying on DAC alone (a process that runs as root, or that is tricked by its owner, is limited only by file ownership), SELinux was introduced to Android, attaching Mandatory Access Control (MAC) to the system. It shipped in permissive mode in Android 4.3 and became enforcing across the system in 5.0.
• The MAC policy is only consulted if the DAC allows access to a resource.
• If the DAC denies access (for example, based on file permissions), that denial is taken as the final security decision.
SELinux
• Provides controls that give structure to ensuring software runs only at the minimum privilege level it needs.
• This mitigates the effects of attacks and reduces the likelihood of badly behaved processes overwriting or even transmitting data.
SELinux + Android

• SELinux decisions are based fundamentally on the labels assigned to subjects and objects and on the policy defining how they may interact.
• Labels determine what is allowed: the process label (its domain, e.g. untrusted_app) and the object label (its type, e.g. app_data_file) are matched against the policy's allow rules, and anything not explicitly allowed is denied.
• Sockets, files, and processes all have labels in SELinux.
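The decision chain from the "DAC and MAC together" slides and the label-based check described here, modelled in Python as an added example (this is not code from the slides, the kernel, or AOSP). The DAC half is an ordinary owner/group/other mode-bit check; the MAC half parses allow rules written in SELinux type-enforcement syntax and evaluates them against labels of the form u:r:<domain>:s0 and u:object_r:<type>:s0. The type names untrusted_app, system_app, app_data_file and shell exist in AOSP, but the rule set, the subjects and the file metadata are constructed for illustration.

```python
"""Toy model of the DAC-then-MAC decision chain (added example, not AOSP code).

DAC: ordinary owner/group/other mode-bit check on a file.
MAC: SELinux-style type enforcement evaluated from `allow` rules against the
     process label (u:r:<domain>:s0) and object label (u:object_r:<type>:s0).
A DAC denial ends the decision; MAC is consulted only after DAC passes.
Policy text, subjects and file metadata below are constructed for illustration.
"""
import re
import stat
from dataclasses import dataclass

# Constructed mini policy. The type names exist in AOSP; this rule set does not.
SAMPLE_POLICY = """
allow untrusted_app app_data_file:file { read write open getattr };
allow untrusted_app app_data_file:dir  { search read open };
allow system_app    app_data_file:file { read open };
"""

@dataclass(frozen=True)
class Subject:
    uid: int
    gid: int
    groups: frozenset   # supplementary GIDs
    label: str          # e.g. "u:r:untrusted_app:s0"

@dataclass(frozen=True)
class FileObject:
    uid: int            # owner
    gid: int
    mode: int           # permission bits, e.g. 0o600
    label: str          # e.g. "u:object_r:app_data_file:s0"
    cls: str = "file"   # SELinux object class

DAC_BITS = {
    "read":  (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
}

def dac_allows(subj, obj, perm):
    """Linux DAC: owner bits if the uid matches, else group bits, else other bits.
    uid 0 passes DAC here, standing in for CAP_DAC_OVERRIDE."""
    if subj.uid == 0:
        return True
    owner_bit, group_bit, other_bit = DAC_BITS[perm]
    if subj.uid == obj.uid:
        return bool(obj.mode & owner_bit)
    if subj.gid == obj.gid or obj.gid in subj.groups:
        return bool(obj.mode & group_bit)
    return bool(obj.mode & other_bit)

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")

def parse_policy(text):
    """Return {(source_type, target_type, class): {perm, ...}} from TE allow rules."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def label_type(label):
    """Third field of user:role:type:level, i.e. the domain or type."""
    return label.split(":")[2]

def mac_allows(rules, subj, obj, perm):
    """SELinux is default-deny: allowed only if some allow rule grants perm."""
    key = (label_type(subj.label), label_type(obj.label), obj.cls)
    return perm in rules.get(key, set())

def decide(rules, subj, obj, perm):
    """DAC first; a DAC denial is final and the MAC policy is never consulted."""
    if not dac_allows(subj, obj, perm):
        return "denied by DAC"
    if not mac_allows(rules, subj, obj, perm):
        return "denied by MAC"
    return "allowed"

def demo():
    rules = parse_policy(SAMPLE_POLICY)
    app_a = Subject(10100, 10100, frozenset(), "u:r:untrusted_app:s0")
    app_b = Subject(10101, 10101, frozenset(), "u:r:untrusted_app:s0")
    # A root process whose domain has no rule for app_data_file in this toy policy.
    root_proc = Subject(0, 0, frozenset(), "u:r:shell:s0")
    private = FileObject(10100, 10100, 0o600, "u:object_r:app_data_file:s0")
    return {
        "owner app reads its own file": decide(rules, app_a, private, "read"),
        "another app reads it":         decide(rules, app_b, private, "read"),
        "root reads it":                decide(rules, root_proc, private, "read"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The third case is the one that motivates adding SELinux: root sails through DAC, but with no allow rule for its domain the MAC layer still refuses, which is exactly what DAC alone could never do.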
The impact of SELinux
• Strongly enforces sandboxing, which helps prevent privilege escalation by apps.
• Prevents data leakage by apps.
• Prevents bypass of security features.
• Enforces legal restrictions on data.
• Protects the integrity of apps and data.
• Beneficial for consumers, businesses, and government.
Applications
• Every Android application runs in its own process, with its own instance of the Dalvik virtual machine (replaced by ART from Android 5.0), which ensures further isolation.
• The package manager is responsible for issuing UIDs to applications at install time.
Application signing
• Android requires every application to be signed.
• The main purpose of application signing is to distinguish one application author from another: an update is accepted only if it is signed with the same key as the installed version, and only apps signed with the same key can share a UID or be granted signature-level permissions.
• Developers do the signing with their own private keys, which are supposed to stay secret; the certificate does not have to come from a CA, and self-signed certificates are the norm.
Applications Cont.
• An app can request permission to access device data and capabilities such as the user's contacts, SMS messages, mountable storage (SD card), camera, Bluetooth, and more.
Android Permissions
• Permissions are strings that denote the ability to perform a particular action (e.g. android.permission.INTERNET).
• Because each app is sandboxed, applications must request specific permissions in order to interact with other apps or the system.
• Apps request permissions by declaring them in their AndroidManifest.xml file, one <uses-permission android:name="..."/> element per permission.
Android Permissions Cont.
• At application install time, Android inspects the list of requested permissions and decides whether to grant them or not. (This is the install-time model of Android 5.x and earlier; since Android 6.0, "dangerous" permissions are instead granted or denied by the user at runtime, while normal and signature permissions are still decided at install.)
• For instance, an online game can never connect to the Internet if it lacks the INTERNET permission.
Enforcement of Permissions
Linux Kernel
• A small number of permissions are checked by the Linux kernel.
• These permissions are mapped to Linux groups; apps that requested them are added to those groups at install time.
• Linux then automatically enforces access to the resources (sockets, files) that belong to the group.

Android APIs
• Most permissions are checked by the Android APIs, ad hoc, inside the system service that implements the call.
• When an API is invoked, the API checks whether the caller holds the permission, e.g. with Context.checkCallingPermission() or the throwing variant enforceCallingPermission().
How do Apps communicate?
• Android apps and system services run in separate processes for security, stability, and memory-management reasons, but they need to communicate and share data.
• Inter-process communication (IPC) is a framework for the exchange of signals and data across multiple processes.
• IPC is used for message passing, synchronization, shared memory, and remote procedure calls (RPC).
• It enables information sharing, computational speedup, modularity, convenience, privilege separation, data isolation, and stability.
• On Android the primary IPC mechanism is Binder; the Binder kernel driver attaches the caller's UID and PID to every transaction, which is what lets a system service enforce permissions against the calling app rather than trusting what the app claims about itself.

Android Protection Levels
• A parameter of a permission; it must be specified when defining our own permissions.
• Each level of protection enforces a different grant policy.

Protection Levels (not to be confused with permission groups, covered next)

Normal
• Protects access to API calls that are not harmful to users (e.g. setting the wallpaper); granted automatically on request.
Dangerous
• Guards APIs that may gather private information or spend money (text messages, contacts); the user is shown the request.
Signature
• Only granted to applications signed with the same certificate as the app that defined the permission.
SignatureOrSystem
• APIs that change the Android system itself (e.g. uninstalling an app).
• Apps need to be signed with the device manufacturer's certificate or be installed in the system image.
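The install-time grant decision described on the last three slides, together with the API-side checkCallingPermission() check, written out in Python as an added example (not code from the slides or from the Android framework). Signing certificates are represented by hypothetical fingerprint strings such as "PLATFORM" and "BANK"; the registry of permission definitions and the three packages are constructed sample data, and the protection level assigned to each permission in the registry is illustrative, not a statement about the current Android platform manifest.

```python
"""Protection-level grant decision at install time, and the API-side check.

Added example (not slide or AOSP code) that models the policy the slides describe:
  normal            -> granted on request
  dangerous         -> granted if the user accepts (install dialog before 6.0,
                       runtime prompt since Android 6.0)
  signature         -> requester signed with the same certificate as the
                       package that defined the permission
  signatureOrSystem -> as signature, or the requester lives in the system image
Certificates are hypothetical fingerprint strings; the registry and the
packages built in build_demo() are constructed sample data.
"""
from dataclasses import dataclass, field

NORMAL, DANGEROUS, SIGNATURE, SIGNATURE_OR_SYSTEM = (
    "normal", "dangerous", "signature", "signatureOrSystem")

@dataclass(frozen=True)
class PermissionDef:
    name: str
    level: str
    defining_cert: str          # fingerprint of the defining package's signer

@dataclass
class Package:
    name: str
    uid: int
    cert: str                   # fingerprint of the app's signing certificate
    requested: list             # <uses-permission> entries from the manifest
    in_system_image: bool = False
    granted: set = field(default_factory=set)

def should_grant(perm, pkg, user_accepts=True):
    """Grant rule for one protection level."""
    if perm.level == NORMAL:
        return True
    if perm.level == DANGEROUS:
        return user_accepts
    if perm.level == SIGNATURE:
        return pkg.cert == perm.defining_cert
    if perm.level == SIGNATURE_OR_SYSTEM:
        return pkg.cert == perm.defining_cert or pkg.in_system_image
    raise ValueError(f"unknown protection level: {perm.level}")

def install(pkg, registry, user_accepts=True):
    """Package-manager step: evaluate each requested permission.
    A permission that no installed package has defined is simply not granted."""
    for name in pkg.requested:
        perm = registry.get(name)
        if perm is not None and should_grant(perm, pkg, user_accepts):
            pkg.granted.add(name)
    return pkg

class PermissionService:
    """Stand-in for the system's uid -> granted-permissions table that the
    framework consults when an API calls checkCallingPermission()."""
    def __init__(self, packages):
        self.by_uid = {p.uid: p for p in packages}

    def check_calling_permission(self, calling_uid, permission):
        """Decide from the caller's uid (the one Binder delivers with the
        transaction), never from the service's own identity."""
        pkg = self.by_uid.get(calling_uid)
        return pkg is not None and permission in pkg.granted

    def enforce_calling_permission(self, calling_uid, permission):
        if not self.check_calling_permission(calling_uid, permission):
            raise PermissionError(f"uid {calling_uid} lacks {permission}")

INTERNET = "android.permission.INTERNET"
SEND_SMS = "android.permission.SEND_SMS"
BANK_API = "com.example.bank.permission.INTERNAL_API"   # hypothetical custom permission
DELETE_PACKAGES = "android.permission.DELETE_PACKAGES"

def build_demo():
    """Constructed registry and packages; levels are illustrative."""
    registry = {p.name: p for p in (
        PermissionDef(INTERNET, NORMAL, "PLATFORM"),
        PermissionDef(SEND_SMS, DANGEROUS, "PLATFORM"),
        PermissionDef(BANK_API, SIGNATURE, "BANK"),
        PermissionDef(DELETE_PACKAGES, SIGNATURE_OR_SYSTEM, "PLATFORM"),
    )}
    game = Package("com.example.game", 10050, "GAME",
                   [INTERNET, SEND_SMS, BANK_API, DELETE_PACKAGES])
    helper = Package("com.example.bank.helper", 10051, "BANK", [BANK_API])
    oem = Package("com.oem.tool", 10052, "OEM", [DELETE_PACKAGES],
                  in_system_image=True)
    for pkg in (game, helper, oem):
        install(pkg, registry)
    return {"game": game, "helper": helper, "oem": oem,
            "service": PermissionService([game, helper, oem])}

def is_denied(service, uid, permission):
    """True if enforce_calling_permission() would reject this caller."""
    try:
        service.enforce_calling_permission(uid, permission)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    d = build_demo()
    for key in ("game", "helper", "oem"):
        print(d[key].name, sorted(d[key].granted))
```

The game asks for all four permissions but ends up with only the normal and dangerous ones; the bank helper gets the signature permission purely because its certificate matches the definer's, and the OEM tool gets the signatureOrSystem permission because it is in the system image despite a non-matching certificate. The service then answers every later API call from the stored grants, keyed by the caller's uid.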
DEMO: Android Debug Bridge (ADB)
• adb shell pm list permissions -f
Androids Permission: Permission Groups
• Permissions belong to a group (e.g. android.permission-group.CONTACTS).
• Demo: list all permission groups
  pm list permission-groups
• List all the packages (with their APK paths)
  pm list packages -f
• Finding the permissions of an app
  dumpsys package <packagename>
  dumpsys package com.android.browser
When Are Permissions Checked?

• On API calls that require a permission.
• User data is stored in content providers; a permission may be required to access that data, e.g. READ_CONTACTS is needed to read the contacts content provider.
• Sending and receiving Intents can require permissions (a broadcast can be restricted to receivers holding a permission, and a receiver can require that senders hold one).
Permission Enforcement in API calls
• The API implementation calls the permission validation mechanism to check that the invoking application has the necessary permissions.
• This is the most common case.

Based on Linux Groups

• A small number of permissions.
• When an application is installed with these permissions it is assigned to the Linux group that has access to the pertinent sockets and files.
• The Linux kernel enforces the access control policy for these permissions.
• e.g. INTERNET (group inet), WRITE_EXTERNAL_STORAGE (group sdcard_rw), BLUETOOTH (group net_bt)
DEMO:
• ps (ps -Z also shows each process's SELinux label next to its user)
• cat /proc/<pid>/status (look at the Uid:, Gid: and Groups: lines)
• id
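What the demo commands reveal about an app process, decoded in Python as an added example (not code from the slides or from AOSP). It parses the Uid:/Gid:/Groups: lines of /proc/<pid>/status and the output of id, and maps the supplementary GIDs to the kernel-enforced permissions they back, which ties the "Based on Linux Groups" slide to the per-app UIDs of the "Linux Functions in Android" slide. It goes beyond the slides in one respect: it also splits the uid into Android user and app id (uid = user * 100000 + app id, app ids start at 10000 and are printed as u<user>_a<app id - 10000>). The GID table reproduces the well-known AOSP assignments from android_filesystem_config.h and platform.xml; SAMPLE_STATUS and SAMPLE_ID are constructed, not captured from a device.

```python
"""Decode an app process's Linux identity from the demo commands' output.

Added example (not slide or AOSP code). Parses /proc/<pid>/status and `id`
output, names the uid the way Android does (u<user>_a<N>), and explains each
supplementary gid. GID_PERMISSIONS and the AID_* constants reproduce AOSP's
android_filesystem_config.h / platform.xml; the sample texts are constructed.
"""
import re

AID_APP_START = 10000          # first app uid within a user
AID_APP_END = 19999
AID_USER_OFFSET = 100000       # uid range per Android user
AID_SHARED_GID_START = 50000   # all_a<N>: gid shared by every user's copy of app N
AID_EVERYBODY = 9997

# Supplementary groups that Android grants to implement kernel-enforced permissions.
GID_PERMISSIONS = {
    3001: ("net_bt_admin", "android.permission.BLUETOOTH_ADMIN"),
    3002: ("net_bt",       "android.permission.BLUETOOTH"),
    3003: ("inet",         "android.permission.INTERNET"),
    1015: ("sdcard_rw",    "android.permission.WRITE_EXTERNAL_STORAGE"),
    1028: ("sdcard_r",     "android.permission.READ_EXTERNAL_STORAGE"),
}

# Constructed /proc/<pid>/status for an app with uid 10050 holding INTERNET.
SAMPLE_STATUS = """\
Name:\tm.example.game
State:\tS (sleeping)
Tgid:\t2450
Pid:\t2450
PPid:\t312
Uid:\t10050\t10050\t10050\t10050
Gid:\t10050\t10050\t10050\t10050
Groups:\t3003 9997 50050
"""

# Constructed `id` output for the same process (context= appears on SELinux builds).
SAMPLE_ID = ("uid=10050(u0_a50) gid=10050(u0_a50) "
             "groups=10050(u0_a50),3003(inet),9997(everybody),50050(all_a50) "
             "context=u:r:untrusted_app:s0:c50,c256,c512,c768")

def split_uid(uid):
    """(android_user, app_id) for a uid, e.g. 1010050 -> (10, 10050)."""
    return divmod(uid, AID_USER_OFFSET)

def android_name(uid):
    """Name the way `id`/`ps` print it: u<user>_a<N> for app uids, else the number."""
    user, app_id = split_uid(uid)
    if AID_APP_START <= app_id <= AID_APP_END:
        return f"u{user}_a{app_id - AID_APP_START}"
    return str(uid)

def parse_proc_status(text):
    """Real uid/gid (first column) and supplementary gids from /proc/<pid>/status."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    uid = int(fields["Uid"].split()[0])
    gid = int(fields["Gid"].split()[0])
    groups = [int(g) for g in fields.get("Groups", "").split()]
    return uid, gid, groups

def parse_id_output(text):
    """uid, group list and SELinux context (None if not printed) from `id`."""
    uid = int(re.search(r"uid=(\d+)", text).group(1))
    group_field = text.split("groups=")[1].split()[0]
    groups = [int(g) for g in re.findall(r"(\d+)\(", group_field)]
    ctx = re.search(r"context=(\S+)", text)
    return uid, groups, ctx.group(1) if ctx else None

def describe_groups(groups):
    """Explain each gid: permission-backed, everybody, shared app gid, or other."""
    out = {}
    for g in groups:
        if g in GID_PERMISSIONS:
            name, perm = GID_PERMISSIONS[g]
            out[g] = f"{name}: grants {perm}"
        elif g == AID_EVERYBODY:
            out[g] = "everybody"
        elif AID_SHARED_GID_START <= g < AID_SHARED_GID_START + 10000:
            out[g] = f"all_a{g - AID_SHARED_GID_START}: shared gid of app {g - AID_SHARED_GID_START}"
        else:
            out[g] = "no kernel-enforced permission"
    return out

def kernel_enforced_permissions(groups):
    """Permissions the kernel enforces for this process purely through group membership."""
    return sorted(GID_PERMISSIONS[g][1] for g in groups if g in GID_PERMISSIONS)

def describe_process(status_text):
    uid, gid, groups = parse_proc_status(status_text)
    user, app_id = split_uid(uid)
    return {"uid": uid, "name": android_name(uid), "user": user, "app_id": app_id,
            "gid": gid, "kernel_permissions": kernel_enforced_permissions(groups),
            "groups": describe_groups(groups)}

if __name__ == "__main__":
    info = describe_process(SAMPLE_STATUS)
    print(info["name"], info["kernel_permissions"])
    for g, meaning in info["groups"].items():
        print(f"  {g}: {meaning}")
    print("id ->", parse_id_output(SAMPLE_ID))
```

On a real device, run the same decoding against `cat /proc/<pid>/status` for a pid taken from `ps`; membership in 3003 (inet) is the whole of the kernel-side INTERNET check, and the context field from `id` (or `ps -Z`) is the label the SELinux example earlier matched against allow rules.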