Transcript pptx
ANDROID ACCESS CONTROL Presented by: Justin Williams Masters of Computer Science Candidate Introduction Android is a widely used open source Operating system for mobile devices. Has become one of the worlds most popular mobile platform. Although originally designed for smartphones, it now powers tablets, TVs, and other devices. Access Control Access Control is a security technique that can be used to regulate who or what can view or use resources in a computing environment. Normally, a user must first Login to a system, using some Authentication system. subject: a user object: a piece of data or a resource. Linux Access Control Discretionary Access Control (DAC) is the standard security model for Linux. Access privileges are based on the user identity and object ownership. Access to data is entirely at the discretion of the owner/creator of the data. A Strength of DAC Flexible Mandatory Access Control MAC is a system-wide policy which decides who is allowed to have access. Relies on the system to control access. Individual users cannot alter that access DAC and MAC together MAC controls do not interfere with the DAC controls. The kernel validates access using the DAC permissions before checking the MAC permissions. If the DAC permissions result in a permissions violation, then the MAC permissions are never checked. DAC and MAC together cont. The kernel will authorize access to MAC permissions only if DAC pass If the DAC and the MAC permissions pass, then the kernel resource (for example, a file descriptor) is sent back to user space. SELinux Security Enhanced Linux (SELinux), is a kernel security model that supports mandatory access control (MAC). Enforces the separation of information based on confidentiality and integrity requirements This limits potential harm from data that could become compromised SELinux Cont. SELinux has been implemented as part of the Linux Security Module (LSM) framework, which recognizes various kernel objects, and sensitive actions performed on them. LSM hook function is called to determine whether or not the action should be allowed. The steps in the decision making chain for DAC and MAC are shown below: Android Architecture Software stack comprising of: applications, an operating system, run-time environment, middleware, services and libraries. Each layer of the stack are tightly integrated and carefully tuned provides the optimal application development and execution environment for mobile devices. The Android Software Stack Linux Functions in Android Android was built on the existing and familiar Linux kernel Security • based on Linux Discretionary Access Control. Has some significant different functions instead of each user having a unique ID, each process or application has their own UID. Androids use of DAC Isolates apps from each other At install and Unique user and group ID is provided no app can access the private files of an application without the same GID or via binder Sandboxing A mechanism for separating running processes. Prevents an Android app to access the data of another app reduces vulnerability to malicious attacks or exploitation from vulnerable applications. Androids use of MAC Because of some vulnerabilities that existed with DAC SELinux was introduced to android, attaching Mandatory Access Control (MAC) to the system. The MAC policy is only consulted if the DAC allows access to a resource. If the DAC denies access (for example, based on file permissions), denial is taken as the final security decision. SELinux Controls that gives a structure to ensure software runs only at the minimum privilege level. This mitigates the effects of attacks and reduces the likelihood of badly behaved processes overwriting or even transmitting data. Selinux + Android SELinux decisions are based fundamentally on labels assigned to these objects and the policy defining how they may interact. Labels determine what is allowed. Sockets, files, and processes all have labels in SELinux. The impact of SELinux Strongly enforces Sandboxing which helps preventing privilege escalation by apps. Prevent data leakage by apps. Prevent bypass of security features. Enforce legal restrictions on data. Protect integrity of apps and data. Beneficial for consumers, businesses, and government. Applications Every Android application runs in its own process with its own instance of the Dalvik virtual machine, which ensures further isolation The package manager is responsible for issuing UIDs to applications at install Application signing Android requires every application to be signed. The main purpose of application signing is to distinguish applications from one to another. Developers always do the signing with their own private keys, which are supposed to stay secret Applications Cont. An app can request permission to access device data such as the user's contacts, SMS messages, the mountable storage (SD card), camera, Bluetooth, and more. Android Permissions Permissions are strings that denote the ability to perform a particular action Because each app is sandbox applications request specific permissions in order to interact with other apps or the system. request permissions by defining them in the AndroidManifest.xml file. Android Permissions Cont. At application install time, Android inspects the list of requested permissions and decides whether to grant them or not. For instance, an online game can never really be connected to the internet if it is found missing a internet connection permission. Enforcement of Permissions Linux Kernel Small number of permissions are checked by Linux Kernel Some permissions are assigned to Linux Groups Apps that requested these permissions are assigned to these groups Linux automatically enforces the access to the resources that belong to this group Android APIs Most of permissions are checked by Android APIs (ad-hoc) When an API is invoked, the API checks if the caller has the permissions checkCallingPermission() How do Apps communicate? Android apps and system services run in separate processes for security, stability, and memory management reasons, but they need to communicate and share data. Inter-process communication (IPC) is a framework for the exchange of signals and data across multiple processes. IPC is used for message passing, synchronization, shared memory, and remote procedure calls (RPC). It enables information sharing, computational speedup, modularity, convenience, privilege separation, data isolation, stability. Android Protection Levels A parameter of a permission needs to be specified when defining our own permissions. Each level of protection enforces a different security policy. Permission Groups Normal Protect access to API calls that not harmful to users (e.g. Wall Paper) Dangerous Harmful APIs that may gather private info or spend money (text message, contacts) Signature Only granted to applications that are signed by same certificate as app SignatureorSystem APIs that change the Android system itself (e.g. uninstalling an app) Apps need to be signed with device manufacturer’s certificate DEMO: Android Debug Bridge (ADB) pm list permissions -f Androids Permission: Permission Groups Permissions belong to a group Demo: List all permission-groups pm List all the packages pm list permission-groups list packages –f Finding the permissions of an app dumpsys package <packagename> dumpsys package com.android.browser When Permissions Are Checked? API calls requires permission. User data is stored in Content Providers. Permission may be required to access these data. E.g. READ_CONTACT permission is needed to read contacts content provider. Send/Receive Intents requires permissions. Permission Enforcement in API calls API implementation calls the permission validation mechanism to check that the invoking application has the necessary permissions. Most common case Based on Linux Groups Small number of permissions When an application is installed with these permissions they are assigned to Linux group that has access to the pertinent sockets and files. Linux Kernel enforces the access control policy for these permissions. e.g. INTERNT, Write_External_Storage, Bluetooth DEMO: ps cat /proc/<pid>/status Id command