Document

advertisement
The Peril of Fragmentation:
Security Hazards in
Android Device Driver Customizations
Xiaoyong Zhou*, Yeonjoon Lee*, Nan Zhang*,
Muhammad Naveed† and XiaoFeng Wang*
* School of Informatics and Computing, Indiana University, Bloomington
† Department of Computer Science, University of Illinois at Urbana-Champaign
35th IEEE Symposium on Security and Privacy (Oakland '14)
2014/5/19
Outline
• Introduction
• Vendor Customizations on Android
• Findings and Attacks
• A Large-scale Measurement Study
• Discussion and Conclusion
2
2014/5/19
3
Introduction
• Up to August 2013, Android has dominated global smartphone
shipments with nearly 80% market share.
• Android Open Source Project
• Since 2009, 19 official Android versions have been released.
2014/5/19
4
Security Risks in Customizations
• For each new Android version, Google first releases it to
mobile phone vendors, allowing them to add their apps,
device drivers and other new features to their corresponding
Android branches.
• Recent studies show that many pre-loaded apps on those
images are vulnerable, leaking system capabilities or sensitive
user information to unauthorized parties.
2014/5/19
5
Security Risks in Customizations
• The security risks here, however, go much deeper than those
on the app layer.
• Particularly, they almost always need to modify a few device
drivers (e.g., for camera, audio, etc.) and related system
settings to support their hardware.
2014/5/19
6
Security Risks in Customizations
• Device drivers work on the Linux layer and communicate with
Android users through framework services.
• Therefore, any customization on an Android device needs to
make sure that it remains well protected at both the Linux and
framework layers.
• However, vendors usually doesn't have the time to properly
address such problems.
2014/5/19
7
Vendor Customizations On Android
• The Android security model is built upon Linux user and
process protection. (UID/GID)
• Decisions on granting those permissions are made either by
the system through checking the app’s signatures or by the
user.
2014/5/19
8
Vendor Customization
• On a vendor-customized phone, only about 18% come from
AOSP, 65% from the vendors, 17% from third parties.
• Manufactures have only about 6 months to customize the
official version.
• it has been reported that over 60% of the app vulnerabilities
found in a study come from vendor customizations.
2014/5/19
9
Android Linux Devices
• Block devices (e.g., flash drives) and stream devices (e.g.,
virtual terminals) are placed under /dev.
• Other devices like network devices are placed under other
directories (e.g., /sys).
2014/5/19
10
Android Linux Devices
• However, there are no standards regarding hardware nodes.
• As an example, the near field communication (NFC) device
node is /dev/bcm2097x-12c on the Nexus 4 Android 4.2,
while on Samsung SII, it becomes /dev/pn544.
2014/5/19
11
Adversary Model
• To evaluate such risks, we assume the presence of malicious
apps on the phone running a customized Android OS.
• These apps do not have root privileges, nor do they have the
permissions to use the devices under investigation, such as
camera, audio, GPS, etc.
2014/5/19
12
Methodology
• Compare the source code of two popular vendor customized
phones – Samsung Galaxy SII and Samsung Galaxy Ace 3 with
corresponding AOSP references.
• For each pair, a diff-tool (DeltaWalker) is used to measure file
changes.
2014/5/19
Findings.
13
2014/5/19
Findings.
14
2014/5/19
15
Findings
• Changes made on the Linux layer mainly happen to the driver
source-code directory.
• On the framework layer, most of the customizations are either
related to device (/device/samsung/bcm_common) or new
apps (/vendor/samsung/common/packages)
2014/5/19
ADDICTED
• Android Device Customization Error Detector
16
2014/5/19
17
The Design
• To identify these files, ADDICTED runs a suite of test cases
that serve as an input to the dynamic analyzer.
• The analyzer traces the execution of the Android system when
it is processing these cases and operating on their related
devices.
• Then, compared with them in terms of individual files’ Linux
permission settings.
2014/5/19
The Design
18
2014/5/19
19
The Approach
• Device Miner is a dynamic analyzer that works on the system-
call level.
• Device Miner utilizes a suite of test cases to trigger device
operations such as taking pictures, requesting geo-locations,
etc., and attaches strace to the app that runs those cases.
• Also, an instrumented binder is made to follow the IPC call
and identify the system process that serves the app’s request.
2014/5/19
The Approach
20
2014/5/19
Test Cases
21
2014/5/19
22
Dynamic Analysis
• As soon as Device Miner starts the Test Runner, it attaches a
tracer (a wrapper of strace) to the app's process.
• API calls goes through the binder driver in the kernel, which
passes the request to a system service.
• Our approach instruments binder.c with the code for
inspecting individual transactions.
2014/5/19
23
Dynamic Analysis
• During its runtime, this modified binder checks the
transaction parameters of an IPC call to extract the source
Process Identifier (PID) of the transaction and its target PID,
along with the data (parameter).
• The source PID is directly retrieved from binder_proc.pid and the
target one is obtained from target_node, which is referred by
target_handler.
• If either party in the IPC is found to be the test app, Device
Miner attaches a tracer to the one that has not been
monitored yet.
2014/5/19
24
Dynamic Analysis
• Manufactures rarely modify the framework layer services
• Also, they tend to leave the package names of the services
intact.
• Assuming that the names of the services working on a device-
related request stay unchanged across different Android OSes.
2014/5/19
25
Differential Analysis
• To achieve portability, Device Miner tracks device operations
at the system-call level.
• To remove random noise, Device Miner performs a differential
analysis on the outcomes of an analysis, comparing them with
those produced by other independent tests.
2014/5/19
26
Risk Identifier
• we need to find out whether their security protection levels are
properly set.
• we simply take the way those device-related files are
configured on AOSP OSes as references.
2014/5/19
27
Device File Correlations
• the camera device node on Nexus 4 (with an Android 4.2) is
video0 or video1 under the group camera
• On Galaxy GRAND, it becomes vc-cam and affiliated with the
Linux group system.
2014/5/19
28
Device File Correlations
• Specifically, for each file, Device Miner look at the set of
system calls that touch the file, and the content and other
features of those calls’ arguments.
• Customized devices (camera, video, Bluetooth, etc.) tend to
follow their industry standards (e.g. camera devices designed
according to the V4L2 driver framework)
• They all share some arguments for the ioctl call that operates on them,
such as 0x560f (parsed into VIDIOC_QBUF).
2014/5/19
29
Device File Correlations
• An example is NFC, whose call sequence is always (select, read,
write) with the 2nd arguments of read and write being wellformatted.
2014/5/19
30
LCF Detection
• After pairing individual device files on a customized phone
with those in a reference, an analysis tool starts checking their
Linux file permissions.
(e.g. file permission and group owners)
2014/5/19
31
Finding And Attacks
• These phones includes:
• Google Nexus 4 with an Android 4.2
• Samsung Galaxy SII with a customized 4.0.3
• Galaxy ACE 3 with a 4.2.2
• Galaxy GRAND with a 4.1.2
• This study discovered 4 LCFs and all of them were confirmed
to be indeed problematic.
2014/5/19
Findings
• Device files:
32
2014/5/19
33
Attack: Touchscreen Keylogger
• On Galaxy SII, /dev/input/event2 were made public.
• The Android input system includes three components,
EventHub, EventReader and EventDispatcher.
• Attack: one can implemented its own reader, extracting X and
Y coordinates. Therefore, it is ableable to log the text user
inputs, without ANY permission required.
• Demo video:
https://www.youtube.com/watch?v=9-wAXRBd_uw
2014/5/19
34
Attack: Hidden Camera
• On Galaxy SII, the camera file /dev/video0 (both front and
back camera) is made public.
• Attack: construct an HAL, issuing custom ioctl commands
• Varies between chip/devices, may lead to device reboot -> DoS attack
• Have to select camera by issuing VIDEO_S_INPUT.
• Demo video:
https://www.youtube.com/watch?v=crYC2do37y4
2014/5/19
Attack: Hidden Camera
35
2014/5/19
36
Attack: Screen Capture
• On Galaxy ACE 3 GT-7270L (4.2.2), frame buffer
/dev/graphics/fb0 is publicly readable and writable.
• For Samsung Notes app maybe?
• Attack: malicious app can take screenshots without ANY
permission by reading directly to the frame buffer.
• Demo video:
https://www.youtube.com/watch?v=rIk6dXNUo5Q
2014/5/19
37
A Large-Scale Measurement Study
• Device nodes are typically located under /dev and /sys,
which are dynamic generated when kernel boots up.
• init calls ueventd, which loads ueventd.rc and
ueventd.$HARDWARE.rc
• Gathered 2423 images covering 417 phone models ranging
from android 4.0 to 4.3. (2.5TB disk size) by using a crawler.
• Unpack zImage, boot.img
• Parse the .rc files, than analyze the permissions
2014/5/19
A Large-Scale Measurement Study
• Gathered images
38
2014/5/19
39
Pervasiveness of LCFs
• 1290 (53.24%) images we studied contain LCFs.
• At least one device file permission is set to publicly readable/writable
• Such LCFs affect 75.65% of the distinct phone models and
86.65% of the carriers we studied.
2014/5/19
40
Distribution of The Flaws
• Developing countries (e.g., China, Brazil) host more vulnerable phone
models.
2014/5/19
Distribution of The Flaws
41
2014/5/19
42
Distribution of The Flaws
• When phones are upgraded from 4.0.3 to 4.1, the percentage
of vulnerable models drops to 18%.
• However, it goes up to round 30% for 4.1.2 and 4.3.
2014/5/19
Distribution of The Flaws
43
2014/5/19
44
Distribution of The Flaws
• 92 phone models have at least one of the LCFs, including the 3
confirmed vulnerabilities
• Only on 6 phone models, the vendors have completely
addressed all their LCFs through updates.
2014/5/19
Popular Open Device Files
45
2014/5/19
46
More Attacks
• vc-lmk (low memory killer)
• Malicious apps could kill any desired app without any permission by
issuing special crafted ioctl commands
• SurfaceFlinger
• Malicious could alter on-screen objects
• UMP (Unified Memory Provider)
• UMP_IOC_ALLOCATE for allocating memory and copying user data to
kernel, and UMP_IOC_MSYNC for cache maintenance.
2014/5/19
47
Discussion
• Under /dev, still dozens of files are there which we cannot
interpret.
• Confirmation of security flaws still needs a manual analysis.
• Also, ADDICTED is not designed to identify the device file
configuration problems on the official Android OSes.
2014/5/19
48
Conclusion
• The openness of Android has brought in a fragmented
ecosystem with significant security implications
• We found the presence of customization errors in the security
con- figurations of device-related files on a large number of
Android phones, across multiple OS versions, different
vendors, carriers and regions, leading to complete exposure of
critical system resources and capabilities.
Download