BIGMAC: Fine-Grained Policy Analysis Of Android Firmware

Transcription

BIGMAC: Fine-Grained Policy Analysis of Android Firmware
Grant Hernandez, Dave (Jing) Tian‡, Anurag Swarnim Yadav, Byron J. Williams, and Kevin R. B. Butler
University of Florida, Florida Institute for Cybersecurity (FICS) Research
‡ Purdue University

Android Attack Surface (figure only; no slide text recovered)

High Impact Bugs
- CVE-2017-0737 - libstagefright (remote MMS triggerable)
- CVE-2018-9488 - Privilege escalation to full root compromise (USB)
- CVE-2019-2215 - Binder Use After Free (app reachable)

Android Security Mechanisms
Primary Access Control:
- Linux DAC
- Linux Capabilities
- SELinux / SEAndroid (MAC)
Other:
- SECCOMP
- Android Middleware
(Figure: Apps and Native Daemons & Privileged Apps sit on top of the Middleware, SECCOMP, DAC, Capabilities and SELinux layers, which mediate access to Kernel Objects)

Android Security Core Files (figure: object -> read-by process relation)

  Object                        Read by          Role
  sepolicy                      kernel           Binary SELinux policy
  property_contexts             init             SELinux labels for properties
  file_contexts                 init             Assigns a SELinux label to files
  init.rc, /etc/services/*.rc   init             Android boot commands
  ueventd.rc                    ueventd          Assigns DAC context to /dev files
  seapp_contexts                zygote           Assigns a SELinux label to apps
  service_contexts              servicemanager   Assigns SELinux label to services
  mac_permissions.xml           system_server    Assigns labels to signed apps

  Process          Role
  init             Boots system, manages props
  ueventd          Creates device files and perms
  zygote           All Java apps are forked from here
  servicemanager   Manages native services and their IPC
  system_server    Mediates App IPC with Android perms

BigMAC at a High Level (figure)
Pipeline: Firmware -> Extraction (filesystems, file DAC/MAC context, IPC objects) -> SEPolicy Parsing (type relations) -> Policy Instantiation (process tree, credentials, processes/files) -> Instantiated Policy Graph (attack graph over subjects/processes and files/objects) -> Query. The instantiated graph is compared against a real system (ideal) for ground truth.
BigMAC Runtime:
- Maps MAC, DAC and CAP policies onto a fine-grained attack graph
- Only considers running processes and present files

Building an Attack Graph (figure)
- G_p: the process tree, whose nodes are subjects (processes)
- G_f: the files, connected by a flat dataflow graph
- Overlaying G_p on G_f and instantiating the policy yields G_a, the fully instantiated attack graph

Processes Recovery
- We want to know what objects processes can access based upon the system policy
- This is based upon their permissions (UID, GID, label, capabilities)
- We have no processes in static firmware!
- Can we recover processes and their credentials just from firmware?

Emulating Android's Boot
- Android's boot process is well-specified by the platform
- init.rc files are loaded describing services, or native daemons
- Explicit credential assignment for services
- Allows the capture of boot-time changes to the filesystem
- Without incorporating this, cross-vendor analysis doesn't scale and accuracy suffers
(Figure: the kernel, init (boots system, manages props) and the core files init reads: sepolicy, property_contexts, file_contexts, seapp_contexts, service_contexts, init.rc and /etc/services/*.rc)
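The slide says init.rc files assign service credentials explicitly and that boot-time commands change the filesystem. The parser below is an added illustration of what a static recovery step has to read out of those files; it is not BigMAC's own code. It handles the subset of the init.rc grammar relevant here: `service` blocks with their `user`, `group`, `capabilities`, `seclabel`, `disabled` and `oneshot` options, and `on <trigger>` blocks whose `mkdir`, `chown` and `chmod` commands rewrite file DAC metadata. The sample init.rc fragment is constructed in AOSP style and is not from any real image; defaults (root:root, 0755, label inherited from the executable's file context) are the ones init uses when an option is absent.

```python
"""Recover service credentials and boot-time DAC changes from init.rc text (added example)."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    name: str
    exe: str
    args: List[str] = field(default_factory=list)
    user: str = "root"              # init runs a service as root unless `user` says otherwise
    group: str = "root"
    supp_groups: List[str] = field(default_factory=list)
    capabilities: List[str] = field(default_factory=list)
    seclabel: Optional[str] = None  # None: SELinux label comes from the file context of `exe`
    disabled: bool = False
    oneshot: bool = False


@dataclass
class FileState:
    owner: str = "root"   # defaults used when the image gives nothing better
    group: str = "root"
    mode: int = 0o755


def _apply_service_option(svc: Service, tok: List[str]) -> None:
    key, vals = tok[0], tok[1:]
    if key == "user":
        svc.user = vals[0]
    elif key == "group":
        svc.group, svc.supp_groups = vals[0], vals[1:]   # first gid primary, rest supplementary
    elif key == "capabilities":
        svc.capabilities = vals
    elif key == "seclabel":
        svc.seclabel = vals[0]
    elif key == "disabled":
        svc.disabled = True
    elif key == "oneshot":
        svc.oneshot = True
    # class, socket, onrestart, ioprio, ... carry no process credential and are ignored here


def _apply_boot_command(fs: Dict[str, FileState], tok: List[str]) -> None:
    cmd, args = tok[0], tok[1:]
    if cmd == "mkdir":     # mkdir <path> [mode [owner [group]]]
        st = fs.setdefault(args[0], FileState())
        st.mode = int(args[1], 8) if len(args) > 1 else st.mode
        st.owner = args[2] if len(args) > 2 else st.owner
        st.group = args[3] if len(args) > 3 else st.group
    elif cmd == "chmod":   # chmod <mode> <path>
        fs.setdefault(args[1], FileState()).mode = int(args[0], 8)
    elif cmd == "chown":   # chown <owner> <group> <path>
        st = fs.setdefault(args[2], FileState())
        st.owner, st.group = args[0], args[1]
    # write, setprop, start, trigger, ... do not change file DAC metadata


def parse_init_rc(text: str) -> Tuple[Dict[str, Service], Dict[str, FileState]]:
    """Return (services by name, boot-time file metadata by path)."""
    services: Dict[str, Service] = {}
    fs: Dict[str, FileState] = {}
    section = None   # ("service", Service) or ("on", trigger) while inside a block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "service":
            svc = Service(name=tok[1], exe=tok[2], args=tok[3:])
            services[svc.name] = svc
            section = ("service", svc)
        elif tok[0] == "on":
            section = ("on", " ".join(tok[1:]))
        elif section and section[0] == "service":
            _apply_service_option(section[1], tok)
        elif section and section[0] == "on":
            _apply_boot_command(fs, tok)
    return services, fs


def started_at_boot(services: Dict[str, Service]) -> List[str]:
    """Services a class_start would launch; `disabled` ones only run if something starts them."""
    return sorted(n for n, s in services.items() if not s.disabled)


# Constructed init.rc fragment in AOSP style (not taken from any real firmware image).
SAMPLE_INIT_RC = """
on post-fs-data
    mkdir /data/vendor/radio 0770 radio radio
    chown system system /data/misc/foo
    chmod 0660 /data/misc/foo

service surfaceflinger /system/bin/surfaceflinger
    class core animation
    user system
    group graphics drmrpc readproc
    capabilities SYS_NICE
    onrestart restart zygote

service mediaserver /system/bin/mediaserver
    class main
    user media
    group audio camera inet drmrpc mediadrm

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot
    seclabel u:r:dumpstate:s0
"""

if __name__ == "__main__":
    svcs, files = parse_init_rc(SAMPLE_INIT_RC)
    for s in svcs.values():
        print(f"{s.name:15} user={s.user:7} group={s.group:9} caps={s.capabilities} label={s.seclabel}")
    for path, st in files.items():
        print(f"{path:22} {st.owner}:{st.group} {st.mode:04o}")
    print("started at boot:", started_at_boot(svcs))
```

The credentials recovered this way (user, primary and supplementary groups, capability bounding set, and the SELinux domain either given by `seclabel` or implied by the executable's file context) are exactly the per-process inputs a DAC/MAC/CAP policy graph needs; the `on` blocks matter because a file's ownership and mode in the image can differ from what it has once init has run.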

Evaluation of BigMAC
Ground Truth Evaluation: How does BigMAC recovery compare to extracting security policies from a running device?
Attack Surface Case Studies: Evaluation of our Prolog query engine to discover attack paths from and to critical Android components

Ground-truth Evaluation (Files)
(Figure: file counts and DAC/MAC accuracy for a Samsung S7 Edge and a Pixel 1 (7.1.2); the totals shown are 3,405 and 5,621 files, with DAC/MAC metadata correct for 98.7% and 98.6% of them)
Our recovered file metadata is 98% accurate to an equivalent running device.

Ground-truth Evaluation (Proc.)
(Figure (a): processes recovered by BIGMAC, split into Correct (TP), Different DAC/Cap. (FP) and Extra (FP), for Samsung S7 Edge (7.0.0), Pixel 1 (7.1.2), Pixel 1 (8.1.0) and Pixel 1 (9.0.0). Figure (b): actual device processes, split into Pair Found (TP), Missing Native (FN) and Missing App (FN) for the same devices.)
Of the paired processes, we achieve, at best, 74.7% accuracy of process credentials.

Prolog Query Interface
We developed a Prolog query engine to find attack paths with MAC, DAC, CAP, and external attack surface filtering:
  query_mac(S,T,C,P).
  query_mac_dac(S,T,C,P).
  query_mac_dac_cap(S,T,C,B,P).
  query_mac_dac_cap_ext(S,T,C,B,E,P).
As a case study, we ran queries against a 1.3 million edge Samsung S8 and a 2 million edge LG G7 image.

Layered Path Reduction
  Query                                           #Paths   Time (s)
  query_mac(untrusted_app,mediaserver,4,P).      102,915     22.48
  query_mac_dac(untrusted_app,mediaserver,4,P).    5,146    518.62
Each additional layer reduces the number of possible paths.
MAC to MAC+DAC has a 20x reduction in the number of paths to be considered.
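To make the layering concrete, here is an added example (not BigMAC's Prolog engine) that applies the same idea to a toy policy: MAC allow rules build a dataflow graph between processes and files, the DAC layer then drops every edge whose file mode does not actually grant the subject's uid/gid the access, and a capability bound restricts which sources are considered. The subjects, files, modes and allow rules are all constructed for the example; the process-to-process paths count each write-then-read hop as one edge, so `C` has the same meaning as the hop bound in the slide's queries. The DAC check here deliberately ignores CAP_DAC_OVERRIDE (root bypass) to keep the layers separate.

```python
"""Layered path reduction over a constructed MAC/DAC/CAP policy graph (added example)."""
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

Edge = Tuple[str, str, str]   # (from_node, permission, to_node)

# Constructed subjects: SELinux label, uid, gid set, capability bounding set.
SUBJECTS: Dict[str, dict] = {
    "untrusted_app": dict(label="untrusted_app", uid=10042, gids={10042, 3003}, caps=set()),
    "mediaserver":   dict(label="mediaserver",   uid=1013,  gids={1013, 1005, 1006}, caps=set()),
    "hal_usb":       dict(label="hal_usb",       uid=1000,  gids={1000}, caps={"CAP_SYS_ADMIN"}),
    "init":          dict(label="init",          uid=0,     gids={0}, caps={"CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE"}),
}
# Constructed objects: SELinux label, owner uid, group gid, mode bits.
OBJECTS: Dict[str, dict] = {
    "/data/misc/media/cache": dict(label="media_data_file", uid=1013,  gid=1013,  mode=0o660),
    "/dev/socket/mediadrm":   dict(label="media_socket",    uid=1013,  gid=1005,  mode=0o666),
    "/data/local/tmp/upload": dict(label="shell_data_file", uid=2000,  gid=2000,  mode=0o777),
    "/data/app_shared/ipc":   dict(label="app_data_file",   uid=10042, gid=10042, mode=0o660),
}
# MAC layer: allow <subject label> <object label> { read | write } (object classes collapsed).
MAC_ALLOW: Set[Tuple[str, str, str]] = {
    ("untrusted_app", "media_socket", "write"),    ("mediaserver", "media_socket", "read"),
    ("untrusted_app", "shell_data_file", "write"), ("mediaserver", "shell_data_file", "read"),
    ("untrusted_app", "media_data_file", "write"), ("mediaserver", "media_data_file", "read"),
    ("untrusted_app", "app_data_file", "write"),   ("mediaserver", "app_data_file", "read"),
    ("hal_usb", "shell_data_file", "read"),        ("hal_usb", "media_data_file", "write"),
    ("init", "shell_data_file", "write"),
}


def build_mac_edges() -> List[Edge]:
    """A write is subject->object dataflow, a read is object->subject dataflow."""
    edges: List[Edge] = []
    for s, o in product(SUBJECTS, OBJECTS):
        sl, ol = SUBJECTS[s]["label"], OBJECTS[o]["label"]
        if (sl, ol, "write") in MAC_ALLOW:
            edges.append((s, "write", o))
        if (sl, ol, "read") in MAC_ALLOW:
            edges.append((o, "read", s))
    return edges


def dac_allows(edge: Edge) -> bool:
    """Classic owner/group/other mode check for the subject behind the edge (no CAP_DAC_OVERRIDE)."""
    a, perm, b = edge
    subj_name, obj_name = (a, b) if perm == "write" else (b, a)
    subj, obj = SUBJECTS[subj_name], OBJECTS[obj_name]
    bit = 2 if perm == "write" else 4
    shift = 6 if subj["uid"] == obj["uid"] else 3 if obj["gid"] in subj["gids"] else 0
    return bool((obj["mode"] >> shift) & bit)


def find_paths(src: str, dst: str, max_hops: int,
               edge_ok: Callable[[Edge], bool] = lambda e: True) -> List[List[Edge]]:
    """All simple paths src -> dst of at most max_hops edges that pass every layer's filter."""
    adj: Dict[str, List[Edge]] = {}
    for e in build_mac_edges():
        adj.setdefault(e[0], []).append(e)
    paths: List[List[Edge]] = []
    visited = {src}

    def walk(node: str, path: List[Edge]) -> None:
        if node == dst:                 # stop at the target; do not route through it
            paths.append(list(path))
            return
        if len(path) == max_hops:
            return
        for e in adj.get(node, []):
            nxt = e[2]
            if nxt in visited or not edge_ok(e):
                continue
            visited.add(nxt)
            path.append(e)
            walk(nxt, path)
            path.pop()
            visited.discard(nxt)

    walk(src, [])
    return paths


def query_mac(S: str, T: str, C: int) -> List[List[Edge]]:
    return find_paths(S, T, C)


def query_mac_dac(S: str, T: str, C: int) -> List[List[Edge]]:
    return find_paths(S, T, C, dac_allows)


def query_mac_dac_cap(T: str, C: int, B: str) -> Set[str]:
    """Sources holding capability B with a MAC+DAC path to T (one reading of the slide's `_` source wildcard)."""
    return {s for s, info in SUBJECTS.items() if B in info["caps"] and s != T and query_mac_dac(s, T, C)}


if __name__ == "__main__":
    for name, q in (("query_mac", query_mac), ("query_mac_dac", query_mac_dac)):
        print(f"{name}(untrusted_app, mediaserver, 4): {len(q('untrusted_app', 'mediaserver', 4))} paths")
    print("sources with CAP_SYS_ADMIN reaching mediaserver:", query_mac_dac_cap("mediaserver", 4, "CAP_SYS_ADMIN"))
```

On this toy policy the MAC layer alone reports five paths from untrusted_app to mediaserver within four hops (four direct file hand-offs plus one routed through hal_usb), and the DAC layer cuts that to the two files whose modes really let the app write and mediaserver read; the same mechanism is what turns the slide's 102,915 MAC-only paths into 5,146.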

Process Strength
  Image        Query                                Process          # Writable   # IPC
  Samsung S8   query_mac_dac(init,_,1,P).           init                 2,066      296
  Samsung S8   query_mac_dac(system_server,_,1,P).  system_server        1,398      458
  Samsung S8   query_mac_dac(lpm,_,1,P).            lpm                     63       48
  LG G7        query_mac_dac(init,_,1,P).           init                 1,233      418
  LG G7        query_mac_dac(system_server,_,1,P).  system_server          573      368
  LG G7        query_mac_dac(hal_usb,_,1,P).        hal_usb_default        508       19
Some of the most powerful processes (system_server) on Android deal with some of the most untrusted data.
system_server should be refactored into smaller, less privileged processes, similar to mediaserver.

Privilege Escalation Analysis
#1 query_mac_dac(zygote,vold,3,P).
   process:zygote (CAP_SYS_ADMIN) -> *:write -> crash_dump -> exec:transition -> process:crash_dump -> various files (CVE-2018-9488) -> vold:ptrace -> process:vold (uid 0)
#2 query_mac_dac_cap(_,crash_dump,1,CAP_SYS_ADMIN,P).
   22 additional processes beyond zygote could escalate

Conclusion
- We create BigMAC, one of the most fine-grained policy analysis frameworks for Android devices, and recover a running system's security state from static firmware
- BigMAC surpasses previous MAC-only policy analysis approaches through its layered path reduction, improving analysis results and discarding impossible runtime paths
- We highlight BigMAC's ability to investigate escalation paths and examine the strength of
.com/fics/BigMAC
https://hernan.de/z
@Digital_Cold
