DEVIEW 2014 [1D7] Android L-Preview Security Architecture and Security Measures
A brief self-introduction, and why give a DEVIEW talk?
DEVIEW: 이경민 & 양정수
MinMax14th
Android New Runtime: ART
1. ART Overview
2. ART AOT Compiler
3. ART Loader
4. ART Fast Memory Allocation
5. ART Garbage Collector Improvement
6. Android Developer Backstage, Episodes 10 and 11 review
Summary of what today's talk covers
Sharing a few experiences: 1. Android platform porting: Kandroid ADP 2. Analysing Google GMS: MITM (Man In The Middle) attack
Security measures before L-Preview: 1. History of the security measures 2. Memory vulnerability mitigations: the Facebook LinearAlloc issue & ASLR 3. Strengthening the basic Android security model: SELinux
New security measures in L-Preview: 1. A change in the sandbox model: process isolation 2. Android Work: what is Samsung KNOX? 3. Automatic malware detection as a service: security services
Conclusion: what is the future of Android security?
Android platform porting: three different experiences
October 11, 2008; January 12, 2009; December 7, 2010. Sources:
• http://www.kandroid.org/board/board.php?board=AndroidPorting&page=2&command=body&no=39
• http://www.kandroid.org/board/board.php?board=androidsource&command=body&no=22
• http://www.kandroid.org/board/board.php?board=HTCDream&command=body&no=123
Android platform porting: Kandroid ADP (the Kandroid developer phone)
Android platform porting
How was the Kandroid ADP built? How is a phone built?
(Diagram: the layers that make up a phone, AOSP, Linux, HAL and GMS, shown as stacks; a shipping phone has a vendor HAL and GMS, while an AOSP build has only the reference HAL and Linux, so the Kandroid ADP had to add the missing HAL and GMS pieces itself.)
Android platform porting
How was the Kandroid ADP built? Where can GMS be obtained?
1. Request it from Google, officially or unofficially.
2. Obtain it unofficially from Google or from an OHA member company.
3. Extract it from a real device:
   1. Root the device.
   2. Pull the odex and apk, deodex with baksmali, rebuild classes.dex with smali and repack it into the apk:
      cp /system/app/Gmail.odex .
      cp /system/app/Gmail.apk .
      baksmali -d ./framework -x Gmail.odex   => ./out
      smali -o classes.dex out
      cp classes.dex
      zip -r -q Gmail.apk classes.dex
Android platform porting
A few questions that came out of the Kandroid ADP work
• Why does Google not ship an emulator image that includes GMS?
• What are smali/baksmali used for?
• What is a phone? Is a software-only phone, without hardware, possible?
Analysing Google GMS: what is Google GMS?
(Diagram: the Android software stack with the GMS apps drawn alongside it.)
Applications: Browser, IM, SMS/MMS, Dialer, Alarm, Calendar, Email, Voice Dial, Contacts, …
Application Framework: Activity Manager, Package Manager, Window Manager, Telephony Manager, Content Providers, Resource Manager, View System, Location Manager, Notification Manager, …
Libraries: Surface Manager, OpenGL|ES, SGL, Media Framework, FreeType, libc, SQLite, WebKit, …
Android Runtime: Dalvik Virtual Machine, Core Libraries
Linux Kernel: Display Driver, Camera Driver, Bluetooth Driver, Shared Memory Driver, Binder (IPC) Driver, USB Driver, Keypad Driver, WiFi Driver, Audio Driver, Power Management
GMS (Apps): Market, Gmail, Talk, …; GoogleServicesFramework; Map lib; voice
Analysing Google GMS: how to analyse it?
Static analysis: Androguard, Apktool, dex2jar, dexter, IDA Pro, jd-gui, Mobile Sandbox, smali/baksmali
Dynamic analysis: Andrubis, DroidBox, DroidScope, Google Bouncer, TaintDroid
Obfuscation (what the analyst is up against): identifier renaming, junk byte insertion, string obfuscation, dynamic loading of code, dynamic code modification, call-graph obfuscation, manifest obfuscation, ProGuard, DexGuard
Reference: http://www.usmile.at/sites/default/files/publications/201306_obf_report_0.pdf
Analysing Google GMS: what to analyse?
Package: GoogleServicesFramework.apk
Process: com.google.android.gapps
Includes a Dalvik VM
GSF total components: 60 (Activity: 39, ContentProvider: 4, Service: 8, BroadcastReceiver: 9)
Intent: a bundle of information
• Explicit: names the target class
• Implicit: matched against IntentFilters (26 in GSF) on Action, Data and Category
Permission surface declared in the manifest:
• permission-tree: 1
• permission: 54
• uses-permission: 55
• android:permission: 2
• android:readPermission: 4
• android:writePermission: 4
• path-permission: 1
• android:grantUriPermissions: 1
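The counts above are what a static pass over the decoded AndroidManifest.xml produces. The following is an added example, not the speakers' tooling and not GSF's manifest: it runs the same inventory over a constructed sample manifest (package com.example.gsf and all component names are hypothetical), and additionally lists the exported components that no permission guards, which is the part of the inventory that is actually attack surface. It also counts android:isolatedProcess services, the attribute the L-Preview sandbox discussion later in the talk turns on.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def a(name):
    """Namespace-qualified android:<name> attribute key for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (hypothetical com.example.gsf, not GSF's real
# manifest), in the decoded text form apktool/aapt emit. It exercises every
# counter below.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gsf">
  <permission-tree android:name="com.example.gsf.permission"/>
  <permission android:name="com.example.gsf.permission.READ"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.gsf.permission.WRITE"
              android:protectionLevel="normal"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:name=".App">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".HiddenActivity" android:exported="false"/>
    <service android:name=".SyncService"
             android:permission="com.example.gsf.permission.READ"/>
    <service android:name=".SandboxedService"
             android:process=":sandboxed_process0" android:isolatedProcess="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".SettingsProvider"
              android:authorities="com.example.gsf.settings"
              android:readPermission="com.example.gsf.permission.READ"
              android:writePermission="com.example.gsf.permission.WRITE"
              android:grantUriPermissions="true">
      <path-permission android:pathPrefix="/public"
                       android:readPermission="android.permission.INTERNET"/>
    </provider>
  </application>
</manifest>
"""


def is_exported(comp):
    """Effective android:exported. An explicit value wins; otherwise a
    component with an <intent-filter> is exported, and a <provider> is
    exported by default (the pre-API-17 rule the apps analysed here ran under)."""
    explicit = comp.get(a("exported"))
    if explicit is not None:
        return explicit == "true"
    return comp.tag == "provider" or comp.find("intent-filter") is not None


def is_permission_guarded(comp):
    return any(comp.get(a(attr)) is not None
               for attr in ("permission", "readPermission", "writePermission"))


def analyze_manifest(xml_text):
    """Inventory in the same terms as the GSF slide: component counts,
    intent-filters, permission declarations and the android:*Permission
    attributes, plus exported and isolatedProcess counts."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    app = root.find("application")
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            counts[tag] += 1
            counts["intent-filter"] += len(comp.findall("intent-filter"))
            counts["path-permission"] += len(comp.findall("path-permission"))
            counts["exported"] += is_exported(comp)
            counts["isolatedProcess"] += comp.get(a("isolatedProcess")) == "true"
            for attr in ("permission", "readPermission",
                         "writePermission", "grantUriPermissions"):
                if comp.get(a(attr)) is not None:
                    counts["android:" + attr] += 1
    for tag in ("permission-tree", "permission", "uses-permission"):
        counts[tag] += len(root.findall(tag))
    counts["components"] = sum(counts[t] for t in COMPONENT_TAGS)
    return counts


def exposed_components(xml_text):
    """Exported components any app can reach without holding a permission."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    return [comp.get(a("name"))
            for tag in COMPONENT_TAGS
            for comp in app.iter(tag)
            if is_exported(comp) and not is_permission_guarded(comp)]
```

On a real apk run it over the manifest that apktool decodes (the binary AXML in the apk has to be decoded first); the exported-by-default rule above is the one that applied before API 17, so adjust it for the target SDK of the package under review.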
Analysing Google GMS: why dynamic analysis is needed, networking information
(Diagram: on the Android device, GSF (GoogleServicesFramework) inside GMS (Google Mobile Services) keeps a connection to mtalk.google.com on port 5228, the Google Cloud Server; separately there is the Google Account Server; Google services such as Google Play and GCM ride on that connection, and what else does is marked "?".)
Analysing Google GMS: dynamic analysis by man-in-the-middle (MITM) attack
(Diagram of the setup: the device runs a custom Android image whose trust store contains a fake CA; a fake mtalk.google.com server, presenting a certificate digitally signed by that fake CA, terminates the device's TLS/SSL connection and opens its own TLS/SSL connection to the real mtalk.google.com, so it sits in the middle at the Internet; every packet is written to a packet log, and a custom Protocol Buffer deserializer turns the packet log into a packet report.)
Analysing Google GMS: MITM attack results
Source: http://www.kandroid.org/mtalk
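The last step of the setup above, turning the packet log into a packet report, needs a Protocol Buffers decoder that works without the message schema. The following is an added example, not the speakers' deserializer: it decodes the protobuf wire format generically (varint, fixed32/64 and length-delimited fields), recursing into length-delimited fields that parse as nested messages, and includes the small encoder used to construct the sample message. The sample's field numbers and values (device id, port 5228, mtalk.google.com) are illustrative and are not the real mtalk message schema.

```python
from typing import Iterator, List, Tuple, Union

# Protocol Buffers wire types; the deprecated group types (3, 4) are rejected.
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5
Field = Tuple[int, int, Union[int, bytes]]


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint at buf[pos]; return (value, next_pos).
    Rejects truncated input and anything longer than the 10 bytes a uint64 needs."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos
        if shift >= 70:
            raise ValueError("varint longer than 10 bytes")


def decode_fields(buf: bytes) -> Iterator[Field]:
    """Yield (field_number, wire_type, raw_value) for each field in buf.
    No schema is needed: the wire format is self-delimiting. Length-delimited
    values come back as bytes because the wire type alone cannot tell a
    string from a nested message or a packed array."""
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if field == 0:
            raise ValueError("illegal field number 0")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (FIXED64, FIXED32):
            width = 8 if wire_type == FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value = buf[pos:pos + length]
            pos += length
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        yield field, wire_type, value


def decode_tree(buf: bytes) -> List[tuple]:
    """Best-effort structured view for a packet report: recurse into
    length-delimited fields that parse as messages, otherwise show them as
    UTF-8 text or raw bytes. Heuristic: text that happens to parse as a
    valid message is shown as a message."""
    out = []
    for field, wire_type, value in decode_fields(buf):
        if wire_type == LENGTH_DELIMITED and value:
            try:
                value = decode_tree(value)
            except ValueError:
                try:
                    value = value.decode("utf-8")
                except UnicodeDecodeError:
                    pass
        out.append((field, wire_type, value))
    return out


def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def encode_field(field: int, wire_type: int, value) -> bytes:
    """Inverse of decode_fields, used to construct the sample below."""
    tag = encode_varint((field << 3) | wire_type)
    if wire_type == VARINT:
        return tag + encode_varint(value)
    if wire_type == FIXED64:
        return tag + value.to_bytes(8, "little")
    if wire_type == FIXED32:
        return tag + value.to_bytes(4, "little")
    if wire_type == LENGTH_DELIMITED:
        return tag + encode_varint(len(value)) + value
    raise ValueError("unsupported wire type %d" % wire_type)


def build_sample() -> bytes:
    """Constructed message (hypothetical field numbers, not the real mtalk
    schema): a varint, a device-id string, a nested endpoint message and a
    fixed32, the shapes a logged login/heartbeat exchange is made of."""
    endpoint = (encode_field(1, VARINT, 5228)
                + encode_field(2, LENGTH_DELIMITED, b"mtalk.google.com"))
    return (encode_field(1, VARINT, 42)
            + encode_field(2, LENGTH_DELIMITED, b"android-1234")
            + encode_field(3, LENGTH_DELIMITED, endpoint)
            + encode_field(4, FIXED32, 0xDEADBEEF))
```

Feed decode_tree the payload of each logged frame (after stripping whatever framing the connection adds) and the report writes itself; once field numbers and shapes are stable across many frames, the schema can be reconstructed from them.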
Analysing Google GMS: dynamic analysis, understanding how the heartbeat mechanism works
(Chart: heartbeat data traffic over successive samples (x-axis 1 to 235) against a threshold line (y-axis 0 to 450); series: Heartbeat Data Traffic, Threshold, heartbeat.)
Analysing Google GMS: dynamic analysis, understanding the app-install mechanism behind Google Play
(Sequence diagram: the Google Service Framework on the device reads the device info and registers it with the device-info register server; the Play client sends an install-asset request; the install-asset response arrives over the mtalk.google.com connection; the apk is then installed into the phone. Numbered steps 1 to 6 in the original figure.)
Analysing Google GMS: the final result of the GMS analysis, and a few questions
A site that no longer exists: a black market(?) at http://www.kandroid.org/market/
Why does Google control the heartbeat from the server side?
Why does Google control app installation from the server side?
Why does Google not apply ProGuard to GMS?
Security measures before the L Developer Preview
(Timeline 2007 to 2015: the first SDK, then the releases M, C, D, E, F, G, H, I, J, K, with L in 2014.)
MM(SE) below stands for Memory Management Security Enhancements.
1.5
• MM(SE): 1) ProPolice to prevent stack buffer overruns (-fstack-protector); 2) safe_iop to reduce integer overflows; 3) extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and chunk consolidation attacks (chunk consolidation attacks are a common way to exploit heap corruption); 4) OpenBSD calloc to prevent integer overflows during memory allocation
2.2
• User log-in authentication
• Device Administration API: remote wipe
2.3
• MM(SE): 1) format string vulnerability protections (-Wformat-security -Werror=format-security); 2) hardware-based No eXecute (NX) to prevent code execution on the stack and heap; 3) Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1)
3.0
• Pluggable DRM framework
• Encrypted storage
• Password security enhancements
4.0
• Secure management of credentials
• VPN client API
• Device policy management for the camera
• MM(SE): 1) Address Space Layout Randomization (ASLR) to randomize key locations in memory
4.1
• App encryption
• isolatedProcess
• MM(SE): 1) PIE (Position Independent Executable) support; 2) read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now); 3) dmesg_restrict enabled (avoids leaking kernel addresses); 4) kptr_restrict enabled (avoids leaking kernel addresses)
4.2
• Application verification
• More control over premium SMS
• Always-on VPN
• Certificate pinning
• Improved display of Android permissions
• installd hardening
• init script hardening
• ContentProvider default configuration
• Cryptography
• Security fixes
• MM(SE): 1) FORTIFY_SOURCE for system code
4.3
• Android sandbox reinforced with SELinux
• No setuid/setgid programs
• ADB authentication
• Restrict setuid from Android apps
• Capability bounding
• AndroidKeyStore provider
• KeyChain isBoundKeyAlgorithm
• NO_NEW_PRIVS
• Relocation protections
• Improved EntropyMixer
• Security fixes
• MM(SE): 1) FORTIFY_SOURCE enhancements
4.4
• Android sandbox reinforced with SELinux
• Per-user VPN
• ECDSA provider support in AndroidKeyStore
• Device monitoring warnings
• Certificate pinning
• Security fixes
• MM(SE): 1) FORTIFY_SOURCE level 2
Security measures before the L Developer Preview: the basic security model
1. Basic security is based on Linux
• Each application and process is assigned a UID and GID
• The process acts as the sandbox
2. Finer-grained security is based on permissions
• Backed by self-signed certificates and user confirmation
Security measures before the L Developer Preview: the two themes of this section
1. Memory Management Security Enhancements
• Code injection attacks / code reuse attacks / code modification attacks
• ROP (Return-Oriented Programming) attacks
2. Security-Enhanced Linux
• Approaches to the rooting problem: 1) block rooting 2) render rooting useless
Security measures before the L Developer Preview: Memory Management Security Enhancements
How Facebook hit the Dalvik limit
References:
• http://techcrunch.com/2013/03/04/facebook-google-dalvik/
• https://www.facebook.com/notes/facebook-engineering/under-the-hood-dalvik-patch-for-facebook-for-android/10151345597798920
The Facebook hack: the method
The Facebook hack: the result. Logcat from the real Facebook app (pid 5078) and from a fake Facebook build (pid 8465); both resolve the exported gDvm symbol, search from it for Dalvik's internal vmList, and find the LinearAllocHdr at the expected offset from vmList.
Facebook:
07-04 03:28:39.958: I/dalvik-internals(5078): Successfully looked up JNI_GetCreatedJavaVMs
07-04 03:28:39.958: I/dalvik-internals(5078): Successfully looked up gDvm
07-04 03:28:39.958: E/dalvik-internals(5078): Failed to look up ladDumpProfiles
07-04 03:28:39.958: E/dalvik-internals(5078): Failed to look up ladResetProfiles
07-04 03:28:39.958: E/dalvik-internals(5078): Failed to look up ladPrintHeaderInfo
07-04 03:28:39.958: I/dalvik-internals(5078): gDvm has value 0x800aad38. Searching for vmList (initial offset in [704,1480]).
07-04 03:28:39.958: I/dalvik-internals(5078): Beginning search. Actual offset in [704,1444].
07-04 03:28:39.958: I/dalvik-internals(5078): Found vmList at offset 744.
07-04 03:28:39.958: D/dalvik-internals(5078): Evaluating LinearAllocHdr candidate at 0x12418.
07-04 03:28:39.958: I/dalvik-internals(5078): Found LinearAllocHdr at expected offset from vmList.
Fake Facebook:
07-04 15:35:36.748: I/dalvik-internals(8465): Successfully looked up JNI_GetCreatedJavaVMs
07-04 15:35:36.748: I/dalvik-internals(8465): Successfully looked up gDvm
07-04 15:35:36.748: E/dalvik-internals(8465): Failed to look up ladDumpProfiles
07-04 15:35:36.748: E/dalvik-internals(8465): Failed to look up ladResetProfiles
07-04 15:35:36.748: E/dalvik-internals(8465): Failed to look up ladPrintHeaderInfo
07-04 15:35:36.748: I/dalvik-internals(8465): gDvm has value 0x800aad38. Searching for vmList (initial offset in [704,1480]).
07-04 15:35:36.748: I/dalvik-internals(8465): Beginning search. Actual offset in [704,1444].
07-04 15:35:36.748: I/dalvik-internals(8465): Found vmList at offset 744.
07-04 15:35:36.748: D/dalvik-internals(8465): Evaluating LinearAllocHdr candidate at 0x12418.
07-04 15:35:36.748: I/dalvik-internals(8465): Found LinearAllocHdr at expected offset from vmList.
The Facebook hack: no LinearAlloc issue once the app is split into several dex files
com.facebook.katana (2.0)
method_ids_size   file                                                          filesize
48,476            classes.dex                                                   5,686,680
1,596             ./assets/pre-dexed-jars/jackson-core-2.0.5.dex.1.jar          104,268
5,864             ./assets/pre-dexed-jars/jackson-databind-2.0.5.dex.1.jar      297,267
205               ./assets/pre-dexed-jars/jackson-datatype-guava-2.0.4.dex.1.jar 14,288
14,551            ./assets/secondary-program-dex-jars/secondary-1.dex.jar       601,815
70,692            total                                                         6,704,318

com.facebook.katana (3.3)
method_ids_size   file                                                          filesize
17,720            classes.dex                                                   2,495,944
8,471             ./assets/secondary-program-dex-jars/secondary-3.dex.jar       363,816
43,710            ./assets/secondary-program-dex-jars/secondary-1.dex.jar       2,016,576
41,859            ./assets/secondary-program-dex-jars/secondary-2.dex.jar       1,961,432
573               ./assets/pre-dexed-jars/libphonenumber-5.2.dex.2.jar          161,595
112,333           total                                                         6,999,363
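The method_ids_size column in the tables above is read straight out of each dex file's header, and the reason the app is split is that a dex instruction addresses methods with a 16-bit index, so one dex holds at most 65,536 method references. The following is an added example, not Facebook's or the speakers' tooling: it parses the 0x70-byte dex header, verifies the Adler-32 checksum, and reports whether the files of a multi-dex app could have fit in a single dex. The sample dex files are constructed header-only stubs (no class tables, zeroed signature) carrying the 3.3 table's counts.

```python
import struct
import zlib

DEX_HEADER_SIZE = 0x70
MAX_METHOD_REFS = 0x10000  # method_idx in dex instructions is a u2: 65,536 refs per dex
HEADER_FMT = "<8sI20s" + "I" * 20
SIZE_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off")


def parse_dex_header(data):
    """Parse the 0x70-byte dex header and verify its Adler-32 checksum,
    which covers everything after the checksum field (offset 12 onward)."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    magic, checksum, _signature, *sizes = struct.unpack_from(HEADER_FMT, data, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad dex magic %r" % magic)
    hdr = dict(zip(SIZE_FIELDS, sizes))
    hdr["version"] = magic[4:7].decode("ascii")
    if hdr["endian_tag"] != 0x12345678:
        raise ValueError("reverse-endian dex not handled")
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    return hdr


def method_ref_report(headers):
    """headers: {file name: parsed header}. Reports per-file method_ids_size,
    files over the u2 limit, and the sum over all files, an upper bound on
    what one merged dex would need (a reference shared by two files is
    counted twice here, so the true merged count can be lower)."""
    per_file = {name: h["method_ids_size"] for name, h in headers.items()}
    total = sum(per_file.values())
    return {
        "per_file": per_file,
        "total": total,
        "over_limit": [n for n, c in per_file.items() if c > MAX_METHOD_REFS],
        "single_dex_possible": total <= MAX_METHOD_REFS,
    }


def build_dex_stub(method_ids_size, version=b"035"):
    """Constructed header-only dex (no string/type/method tables, zeroed
    SHA-1 signature) with a correct checksum: enough for header parsing."""
    sizes = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678] + [0] * 11
    sizes += [method_ids_size, 0, 0, 0, 0, 0]
    tail = bytes(20) + struct.pack("<" + "I" * 20, *sizes)
    checksum = zlib.adler32(tail) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + tail
```

For a real apk, unzip classes.dex and the secondary dex jars (each jar holds its own classes.dex) and pass the raw bytes of each to parse_dex_header.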
Security measures before the L Developer Preview: Memory Management Security Enhancements
Prelink & ASLR (Address Space Layout Randomization)
Source: http://wenke.gtisc.gatech.edu/papers/morula.pdf
Which memory regions are randomized, by Android version:
Version   PIE   Main Executable   Heap   Stack   Shared Library   NDK Library   Linker
4.0       N     N                 N      N       Y                N             N
4.1       Y     Y                 Y      Y       Y                Y             Y
Randomized per device boot (app processes are forked from Zygote, so they all share the layout chosen at boot).
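The 4.1 entries in the list above (PIE, -Wl,-z,relro -Wl,-z,now) and the PIE column of the table are properties a reviewer checks on the binaries of an image rather than trusts from release notes. The following is an added example, not the speakers' tooling: a checksec-style reader of ELF32/ELF64 headers that reports PIE (ET_DYN), NX (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO) and immediate binding (DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW in the dynamic segment). Because no Android binaries are available offline, it ships with a builder that constructs minimal ELF images with the chosen properties; those are test fixtures, not real executables.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ELFCLASS32, ELFCLASS64 = 1, 2


def _formats(elf_class):
    """Little-endian struct formats: ELF header, program header, dynamic entry."""
    if elf_class == ELFCLASS32:
        return "<16sHHIIIIIHHHHHH", "<IIIIIIII", "<iI"
    if elf_class == ELFCLASS64:
        return "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"
    raise ValueError("bad EI_CLASS %r" % elf_class)


def _program_headers(data, elf_class, phdr_fmt, phoff, phentsize, phnum):
    """Yield (p_type, p_flags, p_offset, p_filesz); the two classes order fields differently."""
    for i in range(phnum):
        p = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if elf_class == ELFCLASS32:
            yield p[0], p[6], p[1], p[4]
        else:
            yield p[0], p[1], p[2], p[5]


def check_hardening(data):
    """checksec-style summary of a little-endian ELF32/ELF64 image.
    pie: ET_DYN (for a main executable that means PIE; a .so is ET_DYN too).
    nx: PT_GNU_STACK present without PF_X (a missing header counts as executable).
    relro: PT_GNU_RELRO present; bind_now: DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW;
    full_relro: both, i.e. built with -Wl,-z,relro -Wl,-z,now."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, endian = data[4], data[5]
    if endian != 1:
        raise ValueError("only little-endian ELF handled here")
    ehdr_fmt, phdr_fmt, dyn_fmt = _formats(elf_class)
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": False, "bind_now": False}
    dyn_size = struct.calcsize(dyn_fmt)
    for p_type, p_flags, p_offset, p_filesz in _program_headers(
            data, elf_class, phdr_fmt, phoff, phentsize, phnum):
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, dyn_size):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    result["bind_now"] = True
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_elf(elf_class, pie, nx_stack, relro, bind_now):
    """Constructed minimal ELF image for exercising the checker (not a real
    Android binary): header + GNU_STACK (+ GNU_RELRO) + DYNAMIC segments,
    with no code or sections at all."""
    ehdr_fmt, phdr_fmt, dyn_fmt = _formats(elf_class)
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    entries = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dynamic = b"".join(struct.pack(dyn_fmt, t, v) for t, v in entries)
    phdrs = [(PT_GNU_STACK, 0 if nx_stack else PF_X, 0, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0))
    dyn_off = ehsize + phentsize * (len(phdrs) + 1)   # +1 for the DYNAMIC header itself
    phdrs.append((PT_DYNAMIC, 0, dyn_off, len(dynamic)))

    def pack_phdr(p_type, p_flags, p_offset, p_filesz):
        if elf_class == ELFCLASS32:
            return struct.pack(phdr_fmt, p_type, p_offset, 0, 0, p_filesz, p_filesz, p_flags, 0)
        return struct.pack(phdr_fmt, p_type, p_flags, p_offset, 0, 0, p_filesz, p_filesz, 0)

    ident = b"\x7fELF" + bytes([elf_class, 1, 1]) + bytes(9)
    machine = 40 if elf_class == ELFCLASS32 else 183   # EM_ARM / EM_AARCH64
    ehdr = struct.pack(ehdr_fmt, ident, ET_DYN if pie else ET_EXEC, machine, 1, 0,
                       ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(pack_phdr(*p) for p in phdrs) + dynamic
```

Run check_hardening over the bytes of every file under /system/bin and /system/xbin of an image (and over an NDK build's output) to see which of the 4.1 protections the toolchain actually applied; the L release's linker refuses to load non-PIE executables at all, so the pie column is the first thing to check when moving native code forward.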
Security measures before the L Developer Preview: Memory Management Security Enhancements
Memory Errors: The Past, the Present, and the Future
Source: http://www.isg.rhul.ac.uk/sullivan/pubs/tr/technicalreport-ir-cs-73.pdf
Security measures before the L Developer Preview: Security-Enhanced Linux
SELinux is visible to the framework as android.os.SELinux; in android-4.4_r1.2 it sits alongside the other android.os classes:
jsyang@jsyang-desktop:~/android-4.4_r1.2/frameworks/base/core/java/android/os$ ls *.java
AsyncResult.java AsyncTask.java BadParcelableException.java BatteryManager.java BatteryProperties.java BatteryStats.java Binder.java Broadcaster.java Build.java Bundle.java CancellationSignal.java CommonClock.java CommonTimeConfig.java CommonTimeUtils.java ConditionVariable.java CountDownTimer.java DeadObjectException.java Debug.java
DropBoxManager.java Environment.java FactoryTest.java FileObserver.java FileUtils.java Handler.java HandlerThread.java IBinder.java IInterface.java IServiceManager.java Looper.java MemoryFile.java Message.java MessageQueue.java Messenger.java NetworkOnMainThreadException.java NullVibrator.java OperationCanceledException.java
Parcelable.java ParcelableParcel.java ParcelFileDescriptor.java ParcelFormatException.java Parcel.java Par&#8203;celUuid.java PatternMatcher.java PerformanceCollector.java PowerManager.java Process.java RecoverySystem.java Registrant.java RegistrantList.java RemoteCallback.java RemoteCallbackList.java RemoteException.java RemoteMailException.java ResultReceiver.java
SELinux.java ServiceManager.java ServiceManagerNative.java StatFs.java StrictMode.java SystemClock.java SystemProperties.java SystemService.java SystemVibrator.java TokenWatcher.java Trace.java TransactionTooLargeException.java UEventObserver.java UpdateLock.java UserHandle.java UserManager.java Vibrator.java WorkSource.java
android.os.*
DAC: Discretionary Access Control, access decided at the discretion of the object's owner (the UID/GID model above)
MAC: Mandatory Access Control, access decided by a system-wide policy the process cannot override
Permissive mode (Android 4.3): MAC policy violations are logged but not blocked
Enforcing mode (Android 4.4): MAC policy violations are blocked
Security measures before the L Developer Preview: rooting under Security-Enhanced Linux
SuperSU-JWR66N-S005-130625-1.41.zip
Reference: http://su.chainfire.eu/
root@maguro:/system/xbin # ls -lZ *su*
-rwxr-xr-x root root u:object_r:system_file:s0 daemonsu
-rwxr-xr-x root root u:object_r:system_file:s0 su
root@maguro:/system/xbin # ps -Z
u:r:shell:s0 shell 11517 11511 su
u:r:init:s0 root 11520 21455 daemonsu:0:11517
u:r:init:s0 root 11521 11520 daemonsu
(The su client runs in the shell domain; the daemonsu helper it talks to runs as root in the init domain, u:r:init:s0.)
How, and why, was security brought up at Google I/O 2014?
https://www.youtube.com/watch?v=FbVWtYPpzIs
https://www.youtube.com/watch?v=Ive8WaeldWA#t=15
http://www.youtube.com/watch?v=wtLJPvx7-ys
New security measures in the L Developer Preview
IsolatedProcess
Use process separation when the isolated code:
• is pure Java,
• doesn't contain an interpreter or similar, or
• interacts with other processes on your behalf.
Use isolatedProcess when the isolated code:
• is native code,
• performs complex operations like rendering,
• contains an interpreter or JIT, and
• doesn't need to run as your user.
New security measures in the L Developer Preview
IsolatedProcess: borrowing Chrome's sandbox model
(Diagram: a browser process with a main (UI) thread and an I/O thread, and a separate render process with a main thread and a render thread; the two talk only over IPC.)
android:process=":sandboxed_process0" android:isolatedProcess="true"
android:process=":privileged_process2" android:isolatedProcess="false"
android:isolatedProcess: If set to true, this service will run under a special process that is isolated from the rest of the system and has no permissions of its own. The only communication with it is through the Service API (binding and starting).
New security measures in the L Developer Preview
Android Work vs. Samsung KNOX
Samsung KNOX Technology Overview
1. Platform Security
• Customizable Secure Boot
• TrustZone-based Integrity Measurement Architecture (TIMA)
• Security Enhancements for Android
2. Application Security
3. Mobile Device Management
4. Theft Recovery
Source: http://www.samsung.com/my/business-images/resource/white-paper/2013/11/Samsung_KNOX_whitepaper_An_Overview_of_Samsung_KNOX-0.pdf
New security measures in the L Developer Preview
Malware Protection
Android Security Innovation, as presented in the Google I/O 2014 keynote:
• Malware Protection
• Security Patches via Play Services
• Factory Reset Protection
• Universal Data Controls
References:
• http://www.youtube.com/watch?v=ZEIED2ZLEbQ
• https://jon.oberheide.org/files/summercon12-bouncer.pdf
New security measures in the L Developer Preview
Malware Protection: Google Bouncer
How does Google Bouncer work? The questions Oberheide and Miller set out to answer at SummerCon 2012:
• Does Bouncer use static/dynamic analysis?
• When does Bouncer analyze the app? Are all apps analyzed?
• How do we get Market accounts to start figuring this out?
• Network access: open, filtered, emulated, unrestricted?
• Environment: what does the system execution environment look like?
• Timing: how long does our app run? Accelerated clock?
• Input: artificial input to the app? Program state exploration?
• Any triggers, vulnerable services, etc.?
Source: https://jon.oberheide.org/files/summercon12-bouncer.pdf
New security measures in the L Developer Preview
Malware Protection
What are malware, spyware and trojans? Can we draw the line between normal, benign and malicious?
Is automatic analysis and detection of malware possible?
Key limits of static (code) analysis: native or dynamically loaded code, collusion attacks
Key limits of dynamic (logging) analysis: the execution environment, collusion attacks
Limits of when and where the analysis runs: timing attacks, environment fingerprinting
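Environment fingerprinting, the last limit listed above, is the cheapest of the three for malware to exploit: a handful of system properties reveal an SDK emulator, so the sample behaves itself under Bouncer and misbehaves on a phone. The following is an added example, not from the Sand Finger paper or the speakers: a scoring fingerprint over `getprop` output, with the defender's inverse (which properties the sandbox must change to stop giving itself away). Both property dumps are constructed, one modelled on a stock SDK emulator and one on a retail phone; the weights are a judgement call, not a published threshold.

```python
import re

# Constructed `getprop` excerpts: one modelled on a stock SDK emulator, one on
# a retail phone. Values are illustrative, not captured from the devices on the slides.
EMULATOR_PROPS = """\
[ro.kernel.qemu]: [1]
[ro.hardware]: [goldfish]
[ro.product.model]: [sdk]
[ro.product.device]: [generic]
[ro.build.fingerprint]: [generic/sdk/generic:4.4.2/KVT49L/937116:eng/test-keys]
[ro.build.tags]: [test-keys]
[ro.serialno]: []
[gsm.sim.operator.numeric]: [310260]
"""
DEVICE_PROPS = """\
[ro.kernel.qemu]: []
[ro.hardware]: [tuna]
[ro.product.model]: [Galaxy Nexus]
[ro.product.device]: [maguro]
[ro.build.fingerprint]: [google/yakju/maguro:4.3/JWR66Y/776638:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.serialno]: [0123456789ABCDEF]
[gsm.sim.operator.numeric]: [45005]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

# (property, predicate, weight, reason). Several weak signals together
# identify the environment even when any one of them has been patched.
INDICATORS = (
    ("ro.kernel.qemu", lambda v: v == "1", 3, "kernel reports qemu"),
    ("ro.hardware", lambda v: v in ("goldfish", "ranchu"), 3, "emulator board name"),
    ("ro.product.model", lambda v: "sdk" in v.lower(), 2, "SDK product model"),
    ("ro.product.device", lambda v: v.startswith("generic"), 1, "generic device name"),
    ("ro.build.fingerprint", lambda v: v.startswith("generic") or v.endswith("test-keys"), 1,
     "generic or test-keys build fingerprint"),
    ("ro.build.tags", lambda v: v == "test-keys", 1, "test-keys build"),
    ("ro.serialno", lambda v: v == "", 1, "empty serial number"),
    ("gsm.sim.operator.numeric", lambda v: v == "310260", 1, "emulator default operator"),
)
EMULATOR_THRESHOLD = 3


def parse_getprop(text):
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def fingerprint_environment(props):
    """Return (score, [reasons]); score >= EMULATOR_THRESHOLD means the
    properties look like an analysis sandbox rather than a user's phone."""
    score, reasons = 0, []
    for key, predicate, weight, reason in INDICATORS:
        if predicate(props.get(key, "")):
            score += weight
            reasons.append("%s: %s" % (key, reason))
    return score, reasons


def looks_like_sandbox(getprop_text):
    score, _ = fingerprint_environment(parse_getprop(getprop_text))
    return score >= EMULATOR_THRESHOLD


def properties_to_randomize(getprop_text):
    """Defender's view: which checked properties currently give the sandbox
    away, i.e. what an anti-fingerprinting build has to change."""
    props = parse_getprop(getprop_text)
    return [key for key, predicate, _w, _r in INDICATORS if predicate(props.get(key, ""))]
```

This is only the property layer of a fingerprint; the papers cited below add timing, sensor and network checks, which is why the talk's conclusion lists anti-fingerprinting as a platform-level task rather than a per-property fix.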
New security measures in the L Developer Preview
Malware Protection
Sandbox fingerprinting: Sand Finger
Divide-and-Conquer: Why Android Malware Cannot Be Stopped
Source: https://www1.cs.fau.de/filepool/projects/android/divide-and-conquer.pdf
Countermeasures and the road ahead
A. Secure IPC mechanisms for Android
B. Taming dynamic code loading
C. Improving sandboxes
D. Machine learning
Anti-fingerprinting techniques
What is the future of Android security technology?
• User side: information leakage and the costs it causes
• Developer side: protecting technology and preventing product theft
• Service side: content protection and safe transactions
• Platform side: anti-fingerprinting techniques
December 7, 2010: Kandroid ADP (the Kandroid developer phone)
Thank you.
Questions, please.