Android Security And The Elusive HSM - Oberheide

Transcription

Android Security and the Elusive HSM
Mobile Digital Wallet Security Summit
Jon Oberheide, Duo Security, jono@duosecurity.com
Android Security and the Elusive HSM – Jon Oberheide, Slide #1

Slide 2 – Introduction
- Jon Oberheide, CTO, Duo Security
- Today: a high-level look at Android security and how HSMs can help
- Only 30 minutes! Lots of external refs!

Slide 3 – Use case
- Mobile platform security is important (surprise!)
- Apps have data to protect (confidentiality/integrity)
- Examples: Duo Mobile 2FA app; Visa Mobile app? V.me?

Slide 4 – Threat model
- Attacker wants access to sensitive data
- Stages of attack/capability
- Points of attack disruption/mitigation
- Attack chain: Attacker -> Unprivileged code execution? -> Privileged code execution? -> App tampering and data theft?

Slide 5 – Agenda
- Introduction
- Gaining code execution
- Escalating privileges
- Recent HSM developments
- Wrap-up

Slide 6 – Code execution
- First step is getting a foothold on the mobile device: the attacker needs code execution on the victim's device
- A couple of easy vectors for attackers:
  - Social vector: malicious applications
  - Technical vector: exploitation of existing applications

Slide 7 – PoC malicious apps
- In the past, mostly researcher PoCs

Slide 8 – Real-world malicious apps
- Nowadays, real-world malware is out there

Slide 9 – Stopping malicious apps
- Mobile antivirus: reactive, signature-based detection of malicious apps
- Mobile malware exists, but these folks tend to push the hype a bit beyond reality

Slide 10 – Google's Bouncer
- Guards the entry point to the Android Market
- Dynamically analyzes submitted apps and blocks malicious apps from being published
- Dynamic analysis is hard; fingerprinting Bouncer is easy
- Catches some malware, but easy to bypass
- Ref (link truncated in transcription): …ouncer.pdf

Slide 11 – Google's Bouncer (no additional text on this slide)

Slide 12 – Client-side exploitation
- Threat of client-side applications: large attack surface of native code; traditional memory-corruption vulns
- Similar to desktop client-side threats: browser/PDF/docs are a huge attack surface
- Standard Linux hardening mechanisms: NX, ASLR, RELRO, BIND_NOW, etc.
- Android exploit mitigations are getting better

Slide 13 – Exploit mitigation evolution
- Android exploit mitigations have slowly evolved over the years
- Before Android 2.3.x: no NX/ASLR

Slide 14 – Exploit mitigation evolution: Android 2.3.x (Gingerbread)
- Finally got NX support!
- But still ineffective ASLR

Slide 15 – Exploit mitigation evolution: Android 4.0 (ICS)
- ASLR listed in the release notes as a new security feature!
- But upon deeper … (text cut off in transcription)

Slide 16 – Exploit mitigation evolution: Android 4.1 (Jelly Bean)
- OK, this time we have ASLR for … (text cut off in transcription)
- Ref (link truncated in transcription): …mitigations-in-android-jelly-bean-4-1/

Slide 17 – Code execution wrap-up
- The attacker's first goal is a foothold on the device with code execution, either by compromising an existing app or by tricking the user into installing a malicious app
- Some strides have been made in exploit mitigations
- The more general problem of malicious apps is hard
- Best to assume that malicious code/apps will be present on the user's device!

Slide 18 – Agenda: Escalating privileges

Slide 19 – So what happens now?
- With code execution, the attacker can: change the behavior of the exploited app; steal data used by the exploited app
- The attacker can't (thanks to the Android "sandbox"): affect other apps on the device; steal data from other apps

Slide 20 – Android app "sandboxing"
- Calling it a sandbox is a stretch
- Each application gets a unique uid/gid upon install

Slide 21 – Escalating privileges
- What does the privileged attack surface look like on an Android device?
  - Entire vanilla Linux kernel
  - Custom kernel modifications by Google
  - Custom drivers by third-party devs
  - Privileged system daemons (vold, etc.)
  - Poorly written setuid binaries
- Bottom line: lots of attack surface to exploit!

Slide 22 – Overview of privesc vulns
- Some vulns affect nearly all Android

  Component              Notes
  kernel                 custom Google mod
  init daemon            netlink source check
  vold daemon            netlink source check
  kernel device driver   third-party kernel mod
  kernel                 affected vanilla kernel
  adb daemon             setuid(2) return value
  kernel                 affected vanilla kernel
  libsysutils            memory corruption
  zygote                 setuid(2) return value

- Ref (link truncated in transcription): …ootrobots.pdf

Slide 23 – Levitator exploit
- Targeted PowerVR vulnerability: /dev/pvrsrvkm
- Allowed arbitrary kmem read/write
- Affected popular S series devices
- Patched in 2.3.6 after 10 months
- Chain of custody? Researcher -> Google -> Samsung -> Imagination Tech -> Manufacturers

Slide 24 – Carrier patching problem
- Carriers are terrible at patching: slow, conservative patch practices; inverted user/economic incentives; 6-month typical vulnerability window
- One of the biggest causes of mobile insecurity: the carrier's tight grip on control; a complex ecosystem of software responsibility; third parties have no opportunity to intervene

Slide 25 – Carrier patching problem (no additional text on this slide)

Slide 26 – Vulnerability assessment on mobile
- We can't patch the vulns*, but can we at least enumerate them?
- X-Ray app: vulnerability assessment for Android devices
  - Launched just weeks ago
  - Full stats coming next month at United Summit
  - http://xray.io

Slide 27 – A privileged attacker
- If the attacker escalates privileges, it's game over, right? Can break out of the "sandbox"; tamper with applications; sensitive data can be accessed/stolen
- How can we maintain security guarantees given this threat model? Generally speaking, we can't! But for some use cases...

Slide 28 – Agenda: Recent HSM developments

Slide 29 – How an HSM helps
- If we're dealing with a privileged attacker, assume that all system memory is compromised. So key material must be kept out of memory.
- An HSM can provide: a smartcard-style crypto engine; hardware-backed, tamper-resistant credential storage; key generation and signature computation

Slide 30 – Past approaches
- SIM-based: mSign, etc.
- SoC approaches: OMAP M-Shield, ARM TrustZone, etc.
- Android-specific initiatives: Google Wallet, SEEK, etc.

Slide 31 – Recent Android developments
- KeyChain API released in Android 4.0
- Primitives for credential … (text cut off in transcription)
- Ref (link truncated in transcription): …ng-ics-keychain-api.html

Slide 32 – Recent Android developments
- Further HSM support in Android 4.1
- Galaxy Nexus hardware support: keymaster framework implementation; OMAP 4, TI M-Shield platform
- Basic HSM crypto operations: generate keypair, import keypair, sign data, verify data, get keypair public, delete keypair, delete … (text cut off in transcription)
- Ref (link truncated in transcription): …ean-hardware-backed-credential.html

Slide 33 – Changes in threat model
- With an HSM, the attacker can no longer extract sensitive data / key material post-exploitation
- Example: Duo Push
  - Private key generated on-device
  - Signatures generated within the HSM
  - Key material never leaves the credential store
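The Duo Push pattern on this slide (and the "keep key material out of memory" requirement of slide 29) in working Android code, as an added example that is not part of the original deck and not Duo's own code. It assumes the modern AndroidKeyStore provider and KeyGenParameterSpec/KeyInfo (API level 23 and later, which postdate the 4.1-era keymaster/KeyChain path the talk describes); the alias, the challenge bytes and the method names are hypothetical. The device side generates the key and signs; the "server" side verifies with nothing but the exported public key.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

public final class HardwareBackedSigner {
    // Hypothetical alias; any app-chosen string works.
    private static final String ALIAS = "duo_push_device_key";
    private static final String PROVIDER = "AndroidKeyStore";

    /** Device side, enrollment: generate the keypair inside the keystore.
     *  Only the public key is returned; the private half never becomes
     *  app-readable bytes. */
    public static PublicKey generateDeviceKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, PROVIDER);
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setKeySize(2048)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .build());
        KeyPair kp = kpg.generateKeyPair();
        return kp.getPublic();
    }

    private static PrivateKey loadPrivateHandle() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        // This is an opaque handle: getEncoded() returns null for keystore keys.
        return (PrivateKey) ks.getKey(ALIAS, null);
    }

    /** The check a practitioner wants: true only if a keymaster HAL holds the
     *  key in secure hardware (TEE/SE). If false, the key lives in the
     *  keystore daemon's process and a root attacker can read it. */
    public static boolean isHardwareBacked() throws Exception {
        PrivateKey priv = loadPrivateHandle();
        KeyFactory kf = KeyFactory.getInstance(priv.getAlgorithm(), PROVIDER);
        KeyInfo info = kf.getKeySpec(priv, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    /** Device side, per push: the signature is computed by the keystore;
     *  the app only hands over the challenge and receives the signature. */
    public static byte[] signChallenge(byte[] challenge) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(loadPrivateHandle());
        s.update(challenge);
        return s.sign();
    }

    /** Server side: plain JCA verification with the enrolled public key (DER). */
    public static boolean verifyOnServer(byte[] pubDer, byte[] challenge,
                                         byte[] sig) throws Exception {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(pubDer));
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pub);
        v.update(challenge);
        return v.verify(sig);
    }

    /** End-to-end flow with a constructed challenge. */
    public static boolean demo() throws Exception {
        PublicKey pub = generateDeviceKey();              // enrollment
        byte[] challenge = "constructed-push-challenge-1234"   // constructed input
                .getBytes(StandardCharsets.UTF_8);
        byte[] sig = signChallenge(challenge);            // on-device signing
        return verifyOnServer(pub.getEncoded(), challenge, sig) && isHardwareBacked();
    }
}
```

Two caveats follow from the talk's threat model. First, `isInsideSecureHardware()` is what distinguishes the slide-32 hardware path from a software fallback; an enrollment flow should refuse (or at least flag) keys that report false, because a software-only keystore key is exactly the memory-resident key material slide 29 says to avoid. Second, the hardware prevents extraction, not use: an attacker resident on a rooted device can still ask the keystore to sign while they are there, so the gain is that the attacker loses the key once they lose the device, not that they never get a signature.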

Slide 34 – Why the HSM approach?
- Need the HSM to hold up under failure of system security; similar to some virtualization use cases; need for third-party availability
- Not the only feasible approach; other avenues to contain/survive exploitation:
  - On-device system containers
  - On-device hardware-level virtualization
  - Threshold crypto techniques?

Slide 35 – Agenda: Wrap-up

Slide 36 – Wrap-up
- Multiple parties are attacking the mobile security problem at a variety of layers
- Attack chain: Attacker -> Unprivileged code execution -> Privileged code execution -> App tampering and data theft
- An HSM plays an important role in device security: it disrupts the attack chain even if the device is fully compromised.
