Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
CSF665 – Advanced Operating Systems 高等作業系統 Android 吳俊興 國立高雄大學 資訊工程學系 Outline •System Overview – Applications, Development, Platform •Android System Security – Kernel and System Level Security – Security Enhancements •Android Application Security 2 System Overview • Android – Unveiled by Google along with the founding of Open Handset Alliance to advance open standards for mobile devices • Early SDK was released on 12 November 2007 – iPhone firstly announced on January 9 2007 • Google acquired Android Inc. on August 17, 2005 • The first Android-powered phone was sold in October 2008 – Designed primarily for touchscreen mobile devices such as smartphones and tablet computers • As of Q3 2012, there were 500 million devices activated and 1.3 million activations per day – Building on open-source Linux • Android code released as open source, under the Apache License 3 Android Applications • Applications are usually developed in the Java language using the Android Software Development Kit – Native Development Kit for applications or extensions in C or C++ – Installed from a single file with the .apk file extension • Android applications run in a sandbox – An isolated area of the OS that does not have access to the rest of the system's resources, unless access permissions are granted by the user when the application is installed • However, applications routinely requesting unnecessary permissions, reducing its effectiveness • The complexity of inter-application communication implies Android may have opportunities to run unauthorized code • Two primary sources for applications – Pre-Installed Applications – User-Installed Applications • Either through a store such as Google Play or the Amazon Appstore, or by • Downloading and installing the application's APK file from a third-party site 4 Android Development • Android consists of – A kernel based on the Linux kernel 2.6 and Linux Kernel 3.x (Android 4.0 onwards) • Does not have a native X Window System nor does it support the full set of standard GNU libraries • a power management feature called wakelocks • The flash storage is split into several partitions, such as "/system" for the operating system itself and "/data" for user data and app installations • Android device owners are not given root access – With middleware, libraries and APIs written in C and • Dalvik virtual machine with just-in-time compilation to run Dalvik dex-code (Dalvik Executable), which is usually translated from Java bytecode – Application software running on an application framework which includes Java-compatible libraries based on Apache Harmony – The main hardware platform for Android is the ARM architecture 5 Android Platform Building Blocks • Device Hardware – Including smart phones, tablets, and set-top-boxes – Processor-agnostic, but taking advantage of some hardware-specific security capabilities such as ARM v6 eXecute-Never • Android Operating System – The core operating system is built on top of the Linux kernel – All device resources, like camera functions, GPS data, Bluetooth functions, telephony functions, network connections, etc. are accessed through the operating system • Android Application Runtime – Most often written in the Java programming language and run in the Dalvik virtual machine – But core Android services and applications are native applications or include native libraries – Both Dalvik and native applications run within the same security environment, contained within the Application Sandbox • Applications get a dedicated part of the filesystem in which they can write private data, including databases and raw files 6 Architecture Diagram 7 Main Android Application Building Blocks • AndroidManifest.xml: the control file that – Tells the system what to do with all the top-level components in an application • specifically activities, services, broadcast receivers, and content providers – Also specifies which permissions are required • Activities: An Activity is the code for a single, userfocused task – Usually includes displaying a UI to the user • some Activities never display UIs – Typically, one of the application's Activities is the entry point to an application 8 Main Android Application Building Blocks (cont.) • Services: A Service is a body of code that runs in the background – It can run in its own process, or in the context of another application's process – Other components "bind" to a Service and invoke methods on it via remote procedure calls – An example of a Service is a media player • even when the user quits the media-selection UI, the user probably still intends for music to keep playing • A Service keeps the music going even when the UI has completed • Broadcast Receiver – A BroadcastReceiver is an object that is instantiated when an IPC mechanism known as an Intent is issued by the operating system or another application – For example, an application may register a receiver for the low battery message and change its behavior based on that information 9 Android Versions Version 4.1.x Jelly Bean 4.0.x Ice Cream Sandwich 3.x.x Honeycomb 2.3.x Gingerbread 2.2 Froyo 2.0, 2.1 Eclair 1.6 Donut 1.5 Cupcake Release date July 9, 2012 October 19, 2011 February 22, 2011 December 6, 2010 May 20, 2010 October 26, 2009 September 15, 2009 April 30, 2009 API level 16 14-15 11-13 9-10 8 7 4 3 10 Android Security Overview • Security objectives – Protect user data – Protect system resources (including the network) – Provide application isolation • Key security features – Linux security • Secure interprocess communication – Mandatory application sandbox for all applications • Exception of a small amount of Android OS code running as root, all code above the Linux Kernel is restricted by the Application Sandbox – Application signing – Application-defined and user-granted permissions 11 Kernel and System Level Security • Linux fundamental security features – Prevents user A from reading user B's files – Ensures that user A does not exhaust user B's memory – Ensures that user A does not exhaust user B's CPU resources – Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS, bluetooth) • Android security features – A user-based permissions model – Process isolation – Extensible mechanism for secure IPC – The ability to remove unnecessary and potentially insecure parts of the kernel 12 Android Security Enhancements • Application Sandbox • System Partition and Safe Mode • Filesystem Permissions • Filesystem Encryption • Device Administration • Password Protection • Memory Management Security Enhancements 13 Application Sandbox • Assign a unique user ID (UID) to each Android application – runs it as that user in a separate process • A kernel-level Application Sandbox – The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications – By default, applications cannot interact with each other and applications have limited access to the operating system • Explicit user-granted permissions required 14 System Partition and Safe Mode • System Partition – Set to read-only – Containing Android's kernel as well as the operating system libraries, application runtime, application framework, and applications • Safe Mode • When a user boots the device into Safe Mode, only core Android applications are available 15 Filesystem: Permissions and Encryption • Filesystem Permissions – Each application runs as its own user – Files created by one application cannot be read or altered by another application unless the developer explicitly exposes files to other applications • Filesystem Encryption – Android 3.0 and later provides full filesystem encryption • All user data can be encrypted in the kernel using the dmcrypt implementation of AES128 with CBC and ESSIV:SHA256 – Filesystem encryption requires the use of a user password • The encryption key is protected by AES128 • A key derived from the user password, preventing unauthorized access to stored data without the user device password • The password is combined with a random salt and hashed repeatedly with SHA1 using the standard PBKDF2 algorithm http://source.android.com/tech/encryption/android_crypto_implementation.html 16 Device Administration and Password Protection • Device Administration API – Android 2.2 and later provide device administration features at the system level – A system administrator writes the device admin application to be installed on users’ devices • Administrators can enforce password policies — including alphanumeric passwords or numeric PINs — across devices • Administrators can also remotely wipe (that is, restore factory defaults on) lost or stolen handsets https://developer.android.com/guide/topics/admin/device-admin.html • Password Protection – Can be configured to verify a user-supplied password prior to providing access to a device • This password protects the cryptographic key for full filesystem encryption – Use of a password and/or password complexity rules can be required by a device administrator 17 Memory Management Security Enhancements •Android 1.5+ – ProPolice to prevent stack buffer overruns (-fstack-protector) – safe_iop to reduce integer overflows – Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption. – OpenBSD calloc to prevent integer overflows during memory allocation •Android 2.3+ – Format string vulnerability protections (-Wformat-security -Werror=format-security) – Hardware-based No eXecute (NX) to prevent code execution on the stack and heap – Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1) •Android 4.0+ – Address Space Layout Randomization (ASLR) to randomize key locations in memory •Android 4.1+ – – – – PIE (Position Independent Executable) support Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now) dmesg_restrict enabled (avoid leaking kernel addresses) kptr_restrict enabled (avoid leaking kernel addresses) 18 Android Application Security • Protected API: only accessible through the OS – Camera functions Location data (GPS) – Bluetooth functions Telephony functions – SMS/MMS functions Network/data connections • Steps 1. An application defines the capabilities it needs in its manifest 2. When preparing to install an application, the system displays a dialog to the user that indicates the permissions requested and asks whether to install 3. If continues, the user has granted all of the requested permissions • The user must grant or deny all of the requested permissions as a block • Applications included in the core OS or bundled by an OEM do not request permissions from the user 4. Once granted, the permissions are applied to the application as long as it is installed • Some device capabilities, such as the ability to send SMS broadcast intents, that are not available to third-party applications – That may be used by applications pre-installed by the OEM – These permissions use the signatureOrSystem permission 19 Interprocess Communication • Processes can communicate using traditional UNIX-type mechanisms – For examples, filesystem, local sockets, or signals – The Linux permissions still apply • New IPC mechanisms – Binder: A lightweight capability-based RPC mechanism designed for high performance when performing in-process and cross-process calls • Implemented using a custom Linux driver – Services: provide interfaces directly accessible using binder – Intents: An Intent is a simple message object that represents an "intention" to do something. For example, to display a web page • An app expresses its "Intent" by creating an Intent instance to view the URL • The system locates some other piece of code (in this case, the Browser) that knows how to handle that Intent, and runs it – ContentProviders: A ContentProvider is a data storehouse that provides access to data on the device • An application can access data that other applications have exposed via a ContentProvider, and • An application can define its own ContentProviders to expose data of its own 20 Cost-Sensitive APIs • A cost sensitive API is any function that might generate a cost for the user or the network – – – – – Telephony SMS/MMS Network/Data In-App Billing NFC Access • Placed in the list of protected APIs controlled by the OS • The user will have to grant explicit permission to third-party applications requesting use of cost sensitive APIs 21 SIM Card and Sensitive User Data • SIM Card Access – Low level access to SIM card not available to third-party apps – Cannot access AT commands • Sensitive User Data Accessed Only by Protected APIs – Personal information – Sensitive input devices: i.e. GPS, camera – Device metadata: i.e. system logs, browser history, phone number, or hardware / network identification information 22 Digital Rights Management • Two architectural layers – A DRM framework API, which is exposed to applications through the Android application framework and runs through the Dalvik VM for standard applications – A native code DRM manager, which implements the DRM framework and exposes an interface for DRM plug-ins (agents) to handle rights management and decryption for various DRM schemes 23 References • http://en.wikipedia.org/wiki/Android_(operating_system) • http://source.android.com/tech/security/ • http://developer.android.com/ 24