ANDROID ACCESS CONTROL
Presented by: Justin Williams
Master of Computer Science Candidate
Introduction
Android is a widely used open source operating system for mobile devices.
It has become one of the world's most popular mobile platforms.
Although originally designed for smartphones, it now powers tablets, TVs, and other devices.
Access Control
Access control is a security technique used to regulate who or what can view or use resources in a computing environment.
Normally, a user must first log in to a system using some authentication system.
Subject: a user
Object: a piece of data or a resource
Linux Access Control
Discretionary Access Control (DAC) is the standard security model for Linux.
Access privileges are based on the user identity and object ownership.
Access to data is entirely at the discretion of the owner/creator of the data.
A strength of DAC: flexible
Mandatory Access Control
MAC is a system-wide policy which decides who is allowed to have access.
Relies on the system to control access.
Individual users cannot alter that access.
DAC and MAC together
MAC controls do not interfere with the DAC controls.
The kernel validates access using the DAC permissions before checking the MAC permissions.
If the DAC permissions result in a permissions violation, then the MAC permissions are never checked.
DAC and MAC together cont.
The kernel checks the MAC permissions only if the DAC check passes.
If both the DAC and the MAC permissions pass, then the kernel resource (for example, a file descriptor) is sent back to user space.
SELinux
Security Enhanced Linux (SELinux) is a kernel security model that supports mandatory access control (MAC).
Enforces the separation of information based on confidentiality and integrity requirements.
This limits the potential harm from data that could become compromised.
SELinux Cont.
SELinux has been implemented as part of the Linux Security Module (LSM) framework, which recognizes various kernel objects and sensitive actions performed on them.
An LSM hook function is called to determine whether or not the action should be allowed.
The steps in the decision-making chain for DAC and MAC are shown below:
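The decision chain from the slides, simulated in Python as an added example (not code from the presentation). The mode bits, UIDs, GIDs and allow rules are constructed sample values; the label names untrusted_app and app_data_file are borrowed from Android's SELinux policy only as illustration.

```python
"""Simulate the DAC-then-MAC decision chain: DAC mode bits are checked
first, and only a DAC pass reaches the MAC (SELinux-style) policy.
Added example; all identities, labels and rules below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Subject:
    uid: int
    gid: int
    groups: set[int] = field(default_factory=set)   # supplementary groups
    label: str = ""                                 # SELinux domain, e.g. untrusted_app


@dataclass
class Obj:
    owner: int
    group: int
    mode: int                                       # e.g. 0o640
    label: str = ""                                 # SELinux type, e.g. app_data_file


# Constructed type-enforcement rules: (domain, type) -> permitted operations.
ALLOW = {
    ("untrusted_app", "app_data_file"): {"read", "write"},
    ("untrusted_app", "system_data_file"): {"read"},
}


def dac_allows(s: Subject, o: Obj, op: str) -> bool:
    """Owner/group/other mode-bit check (read=4, write=2, exec=1)."""
    bit = {"read": 4, "write": 2, "exec": 1}[op]
    if s.uid == o.owner:
        shift = 6
    elif s.gid == o.group or o.group in s.groups:
        shift = 3
    else:
        shift = 0
    return bool((o.mode >> shift) & bit)


def mac_allows(s: Subject, o: Obj, op: str) -> bool:
    """MAC is default-deny: only an explicit allow rule grants access."""
    return op in ALLOW.get((s.label, o.label), set())


def access(s: Subject, o: Obj, op: str) -> tuple[bool, bool]:
    """Return (allowed, mac_consulted). DAC runs first; a DAC denial is
    final and the LSM hook (MAC) is never reached."""
    if not dac_allows(s, o, op):
        return False, False
    return mac_allows(s, o, op), True
```

The second element of the result shows when the MAC check was actually reached, which is the point the slide makes: a DAC denial ends the decision without consulting SELinux.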
Android Architecture
Software stack comprising: applications, an operating system, a run-time environment, middleware, services and libraries.
Each layer of the stack is tightly integrated and carefully tuned.
Provides the optimal application development and execution environment for mobile devices.
The Android Software Stack
Linux Functions in Android
Android was built on the existing and familiar Linux kernel.
Security is based on Linux Discretionary Access Control.
Has some significantly different functions: instead of each user having a unique ID, each process or application has its own UID.
Android's use of DAC
Isolates apps from each other.
At install, a unique user and group ID is provided.
No app can access the private files of another application without the same GID or via Binder.
Sandboxing
A mechanism for separating running processes.
Prevents an Android app from accessing the data of another app.
Reduces vulnerability to malicious attacks or exploitation from vulnerable applications.
Android's use of MAC
Because of some vulnerabilities that existed with DAC, SELinux was introduced to Android, attaching Mandatory Access Control (MAC) to the system.
The MAC policy is only consulted if the DAC allows access to a resource.
If the DAC denies access (for example, based on file permissions), the denial is taken as the final security decision.
SELinux
Controls that give a structure to ensure software runs only at the minimum privilege level.
This mitigates the effects of attacks and reduces the likelihood of badly behaved processes overwriting or even transmitting data.
SELinux + Android
SELinux decisions are based fundamentally on labels assigned to objects and the policy defining how they may interact.
Labels determine what is allowed.
Sockets, files, and processes all have labels in SELinux.
The impact of SELinux
Strongly enforces sandboxing, which helps prevent privilege escalation by apps.
Prevents data leakage by apps.
Prevents bypass of security features.
Enforces legal restrictions on data.
Protects the integrity of apps and data.
Beneficial for consumers, businesses, and government.
Applications
Every Android application runs in its own process with its own instance of the Dalvik virtual machine, which ensures further isolation.
The package manager is responsible for issuing UIDs to applications at install.
Application signing
Android requires every application to be signed.
The main purpose of application signing is to distinguish applications from one another.
Developers always do the signing with their own private keys, which are supposed to stay secret.
Applications Cont.
An app can request permission to access device data such as the user's contacts, SMS messages, the mountable storage (SD card), camera, Bluetooth, and more.
Android Permissions
Permissions are strings that denote the ability to perform a particular action.
Because each app is sandboxed, applications request specific permissions in order to interact with other apps or the system.
Apps request permissions by defining them in the AndroidManifest.xml file.
Android Permissions Cont.
At application install time, Android inspects the list of requested permissions and decides whether to grant them or not.
For instance, an online game can never really be connected to the internet if it is found to be missing an internet connection permission.
Enforcement of Permissions
Linux Kernel
A small number of permissions are checked by the Linux kernel.
Some permissions are assigned to Linux groups.
Apps that requested these permissions are assigned to these groups.
Linux automatically enforces access to the resources that belong to the group.
Android APIs
Most permissions are checked by Android APIs (ad hoc).
When an API is invoked, the API checks if the caller has the permissions: checkCallingPermission()
How do Apps communicate?
Android apps and system services run in separate processes for security, stability, and memory management reasons, but they need to communicate and share data.
Inter-process communication (IPC) is a framework for the exchange of signals and data across multiple processes.
IPC is used for message passing, synchronization, shared memory, and remote procedure calls (RPC).
It enables information sharing, computational speedup, modularity, convenience, privilege separation, data isolation, and stability.
Android Protection Levels
A parameter of a permission that needs to be specified when defining our own permissions.
Each level of protection enforces a different security policy.
Permission Groups
Normal: protects access to API calls that are not harmful to users (e.g. wallpaper).
Dangerous: harmful APIs that may gather private info or spend money (text messages, contacts).
Signature: only granted to applications that are signed with the same certificate as the app defining the permission.
SignatureOrSystem: APIs that change the Android system itself (e.g. uninstalling an app). Apps need to be signed with the device manufacturer's certificate.
DEMO: Android Debug Bridge (ADB)
pm list permissions -f
Android's Permissions: Permission Groups
Permissions belong to a group.
Demo: List all permission groups
pm list permission-groups
List all the packages
pm list packages -f
Finding the permissions of an app
dumpsys package <packagename>
dumpsys package com.android.browser
When Are Permissions Checked?
API calls require permission.
User data is stored in Content Providers. Permission may be required to access this data, e.g. the READ_CONTACTS permission is needed to read the contacts content provider.
Sending/receiving Intents requires permissions.
Permission Enforcement in API calls
The API implementation calls the permission validation mechanism to check that the invoking application has the necessary permissions.
Most common case.
Based on Linux Groups
A small number of permissions.
When an application is installed with these permissions, it is assigned to a Linux group that has access to the pertinent sockets and files.
The Linux kernel enforces the access control policy for these permissions.
e.g. INTERNET, WRITE_EXTERNAL_STORAGE, BLUETOOTH
DEMO:
ps
cat /proc/<pid>/status
id command
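What the demo's `cat /proc/<pid>/status` is showing, as an added Python example (not code from the slides): the group-enforced permissions map to Linux GIDs, so the Groups: line of a process tells you which of them the kernel will honour. The GID numbers are the values AOSP assigned to these groups in platform.xml / android_filesystem_config.h in the Android versions the slides describe (assumed here, not taken from the slides); the status text is constructed.

```python
"""Map the kernel-enforced Android permissions to their Linux GIDs and
check a process's supplementary groups from a /proc/<pid>/status dump.
Added example; GIDs are AOSP's historical assignments (assumed), and the
status excerpt below is constructed."""

# Permission -> (group name, gid). Only the handful of permissions that the
# kernel enforces through supplementary groups are listed.
PERMISSION_GIDS = {
    "android.permission.INTERNET": ("inet", 3003),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("sdcard_rw", 1015),
    "android.permission.BLUETOOTH": ("net_bt", 3002),
}

# Constructed /proc/<pid>/status excerpt: an app installed as UID 10057
# that holds INTERNET and WRITE_EXTERNAL_STORAGE but not BLUETOOTH.
# 9997 and 50057 are other constructed GIDs with no permission attached.
SAMPLE_STATUS = """\
Name:\tcom.example.app
State:\tS (sleeping)
Uid:\t10057\t10057\t10057\t10057
Gid:\t10057\t10057\t10057\t10057
Groups:\t1015 3003 9997 50057
"""


def parse_status(text):
    """Return (real uid, set of supplementary gids) from a status dump."""
    uid = None
    groups = set()
    for line in text.splitlines():
        if line.startswith("Uid:"):
            uid = int(line.split()[1])          # real uid is the first field
        elif line.startswith("Groups:"):
            groups = {int(g) for g in line.split()[1:]}
    if uid is None:
        raise ValueError("no Uid: line in status text")
    return uid, groups


def kernel_enforced_permissions(groups):
    """Which group-backed permissions does a process with these GIDs hold?"""
    return {perm for perm, (_, gid) in PERMISSION_GIDS.items() if gid in groups}


def is_app_uid(uid):
    """The package manager assigns app UIDs from the 10000-19999 range."""
    return 10000 <= uid <= 19999
```

Running `parse_status` over the output of `adb shell cat /proc/<pid>/status` for a real app reproduces the demo: the permissions granted to the app at install show up as GIDs the kernel checks on every socket or file access, with no Android API involved.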