Post on 30-May-2018
8/14/2019 Enhancing Security - Presentation
1/32
Enhancing Security of Linux-based Android Devices
Aubrey-Derrick Schmidt, Hans-Gunther Schmidt, Jan Clausen, Kamer Ali Yüksel, Osman Kiraz, Ahmet Camtepe, and Sahin Albayrak
This work was funded by Deutsche Telekom Laboratories
07.11.2007 CC SEC Folie 2
DAI-Labor TU Berlin
Research Institute with ~100 employees
Six core departments:
Agent Core Technologies
Next Generation Services
Information Retrieval
Cognitive Architectures
Education
Security
DAI-Labor Security Department
Works on:
Smartphone security
Agent Security
Network Security Simulation
Critical Infrastructures
PKI / Cryptography
Next Generation Homes - Security
TOC
Motivation
Android Security
Adding Linux Security Tools to Android
Enhancing Security with self-built IDS
Motivation
Smartphones are getting increasingly popular
Various smartphone malware samples have appeared
Signature-based approaches are only efficient for known malware
Anti-Virus engines need an average of 48 days to become capable of detecting new malware [Oberheide08]
More than 700,000 devices can be infected via MMS in about three hours [Bulygin07]
Motivation
Android is already very popular, although not released yet
Android will be made open source
Opportunity to develop low-level security tools for commonly used smartphones for the first time
Linux security research is mature
A lot of lessons learned
A lot of open source tools available
TOC
Motivation
Android Security
Adding Linux Security Tools to Android
Enhancing Security with self-built IDS
Android Security
Images on emulator
System Image (65 MB / 21 MB free)
OS files, libraries, drivers, system bins
Android config files
Android framework
Android base applications (e.g. Browser)
+R(W)X
Android Security
Images on emulator
Userdata Image (65 MB / 40 MB free)
Mounted to /data
Used for applications, user data, DRM, ...
+RWX
Cache Image (usage not specified yet)
SD-Card Image (no obvious size limitations)
Mounted to /sdcard
Files created as user and group system
+RW
Android Security
Applications are location-aware
Can only be executed in /data or /system
Any changes to file permissions succeed there
Changes in e.g. /sdcard do not succeed (e.g. setting the execute bit)
Most probably, (Linux) applications cannot be started from the SD card
Android Security
(Java) Application signing is required
Linux state not clear
Developer signs his application with his own certificate at the moment
System might change to something similar to Symbian OS
Central authority for assigning certificates
Limited access to APIs
Google and T-Mobile have each announced an application store (might include application testing and verification)
Android Security
File rights: /data/data/
application land
drwxr-xr-x app_14 app_14 2008-09-17 14:26 com.android.sample
Applications can access other application directories signed with identical certificates
Certification land
TOC
Motivation
Android Security
Adding Linux Security Tools to Android
Enhancing Security with self-built IDS
Adding Linux Security Tools to Android
General Information
Emulator is used as basis
OHA/Google modified a lot of libraries and binaries of the Linux kernel
Reason: opportunity for business customers to claim intellectual property
Application space is limited (~40 MB)
Increasing space is not that easy
Common security tools were tested
But: special build environment needed
Creating a Build Environment for Android
Ubuntu 8.04
Two toolkits can be used
Sourcery cross-compile toolchain
Scratchbox cross-compilation toolkit
Emulated ARM environment
Common Linux file system layout
Creating a Build Environment for Android
Important Facts
Files are located in:
System files are placed in /system
Binaries in /system/bin
Libraries in /system/lib
Config files in /system/etc
System configuration in OpenBinder
Page alignment causes changes in linking
Only way to get available applications to run is compiling them statically
Adding Tools
Top 100 Network Security Tools [Insec06]
Tested from 5 main categories:
Anti-Virus: ClamAV
Firewall: iptables
Rootkit Detectors: chkrootkit
Intrusion Detection: Snort
Other useful tools: Busybox, Bash, OpenSSH, strace, Nmap
Anti-Virus: ClamAV
Android Compatibility: Works
Problems, solutions, and size:
Static compilation (linking) required
Dependent on statically compiled version of "zlib" (zlib-1.2.3)
Total size of all ClamAV relevant files (approx. 28 MB) exceeds available size in System image (21 MB). ClamAV virus signature database needs to be placed in a different location.
Size (approx.): 11140 KB libraries and binaries (/opt), 17324 KB database (/data)
Anti-Virus: ClamAV Results
----------- SCAN SUMMARY -----------
Known viruses: 407205
Engine version: 0.94
Scanned directories: 0
Scanned files: 106
Infected files: 0
Data scanned: 5.12 MB
Time: 107.236 sec (1 m 47 s)
#
Rootkit Detector: Chkrootkit
Android Compatibility: Works with minor dependencies
Problems, solutions, and size:
Static compilation (linking) required
Requires "netstat" (provided by "busybox")
Requires standard directories (/lib, /etc, etc.) provided by symbolic links pointing to the correct Android directories
Size (approx.): 588 KB
Rootkit Detector: Chkrootkit Results
# ./chkrootkit
[: gid: unknown operand
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `cron'... not infected
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... find: /var/tmp: No such file or directory
nothing found
Searching for anomalies in shell history files... nothing found
chkproc: Warning: Possible LKM Trojan installed
chkdirs: Warning: Possible LKM Trojan installed
Checking `sniffer'... ./chkrootkit: ./ifpromisc: not found
Intrusion Detection: Snort
Problems:
Dependencies to libpcap, libdnet, libnet, pcre and iptables (all as statically compiled/linked solutions)
Requires statically compiled/linked libc parts which are not available on Android
Other Useful Tools: Busybox, Bash, OpenSSH, strace, Nmap
Busybox: works
Bash: works
OpenSSH: Can be executed but is not fully functional (requires users that do not exist in the Android environment)
strace: works
Nmap: works with minor dependencies
TOC
Motivation
Android Security
Adding Linux Security Tools to Android
Enhancing Security with self-built IDS
Enhancing Security with a Self-built Intrusion Detection System
Detecting Intrusions and Malware
Overview
Detecting Intrusions and Malware
Static Function Call Approach
Planned to present a metric for weighing the suspiciousness of function/system calls
Solution is far easier on Android
Simple decision tree can achieve 95% detection rate
Tested with Linux malware
Some of them were recompiled for Android, but only minor differences
Still has to be tested on real device!
Detecting Intrusions and Malware
Static Function Decision Tree
__bss_start = y
| gethostbyname = y
| | sigaction = y: normal
| | sigaction = n: malicious
| gethostbyname = n
| | fork = y
| | | strerror = y
| | | | getgrgid = y: malicious
| | | | getgrgid = n: normal
| | | strerror = n: malicious
| | fork = n: normal
__bss_start = n
| printf = y: malicious
| printf = n
| | fprintf = y: malicious
| | fprintf = n
| | | execv = y: malicious
| | | execv = n
| | | | memmove = y: malicious
| | | | memmove = n
| | | | | perror = y: malicious
| | | | | perror = n: malicious
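The static function call approach of the two slides above, as an added example that is not the authors' code: the decision tree is walked over the set of symbol names a binary imports or defines. The `nm`-style input is a constructed sample, and the names `symbols_from_nm` and `classify` are chosen here.

```python
"""Classify a binary by its symbol names using the slide's decision tree
(static function call approach)."""
from typing import Set

# Constructed sample in the style of `nm -D` output for a dynamically linked
# binary; this is example input, not a binary from the slides.
SAMPLE_NM_OUTPUT = """\
0000a0f4 D __bss_start
         U gethostbyname
         U sigaction
         U printf
         U fork
"""


def symbols_from_nm(nm_output: str) -> Set[str]:
    """Collect symbol names from `nm`-style lines ("[address] TYPE name")."""
    names = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) >= 2:          # skip blank lines and bare file headers
            names.add(parts[-1])     # the symbol name is the last column
    return names


def classify(symbols: Set[str]) -> str:
    """Walk the slide's decision tree; each `if` is one split node."""
    has = symbols.__contains__
    if has("__bss_start"):
        if has("gethostbyname"):
            # network-capable binary: a sigaction handler marks it as normal
            return "normal" if has("sigaction") else "malicious"
        if has("fork"):
            if has("strerror"):
                return "malicious" if has("getgrgid") else "normal"
            return "malicious"
        return "normal"
    # Every leaf under "__bss_start = n" is labelled malicious on the slide,
    # so the printf/fprintf/execv/memmove/perror splits all give one verdict.
    return "malicious"


if __name__ == "__main__":
    found = symbols_from_nm(SAMPLE_NM_OUTPUT)
    print(sorted(found), "->", classify(found))  # -> normal
```

On a real binary the symbol set would come from running `nm -D` or `readelf -s` over the file under test; the tree itself is only as good as the Linux malware corpus it was trained on, which is the point of the "still has to be tested on real device" caveat.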
References
[Bulygin07] Y. Bulygin, "Epidemics of mobile worms," in Proceedings of the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), April 11-13, 2007, New Orleans, Louisiana, USA. IEEE Computer Society, 2007, pp. 475-478.
[Oberheide08] J. Oberheide, E. Cooke, and F. Jahanian, "CloudAV: N-version antivirus in the network cloud," in Proceedings of the 17th USENIX Security Symposium (Security '08), San Jose, CA, July 2008.
[Insec06] INSECURE.ORG, "Top 100 network security tools," 2006. [Online]. Available: http://sectools.org/
Thank you for your patience!
Contact
Dipl.-Inf. Aubrey-Derrick Schmidt, Researcher
+49 (0) 30 / 314 74 039
+49 (0) 30 / 314 74 003
aubrey.schmidt@dai-labor.de
Hans-Gunther Schmidt, Student Researcher
+49 (0) 30 / 314 74 041
+49 (0) 30 / 314 74 003
hans-gunther.schmidt@dai-labor.de