1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing...
-
Upload
molly-lindsey -
Category
Documents
-
view
215 -
download
1
Transcript of 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing...
![Page 1: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/1.jpg)
1
Introduction to Information Security0368-3065, Spring 2014
Lecture 10:Trusted computing architecture (cont.),Smartphone security
Eran Tromer
Slides credit:Dan Boneh, Stanford
Roei Schuster, Tel Aviv University
![Page 2: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/2.jpg)
2
Trusted Computing Architecture(continued)
![Page 3: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/3.jpg)
3
Components on TPM chip
I/O
Crypto Engine:RSA, SHA-1, HMAC, RNG
Non Volatile Storage
(> 1280 bytes)PCR Registers
(16 registers)
OtherJunk
RSA: 1024, 2048 bit modulus
SHA-1: Outputs 20 byte digest
LPCbus
API calls
![Page 4: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/4.jpg)
4
Protected storage (sealing)
Encrypt data using RSA key on TPM TPM_Seal (some) Arguments:
keyhandle: which TPM key to encrypt with KeyAuth: Password for using key
`keyhandle’ PcrValues: PCRs to embed in encrypted blob data block: at most 256 bytes (2048 bits)
Used to encrypt symmetric key (e.g. AES) Returns encrypted blob.
Blob can only be decrypted with TPM_Unseal when PCR-reg-vals = PCR-vals in blob. TPM_Unseal will fail othrwise
![Page 5: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/5.jpg)
5
Security?Resetting TPM after boot Attacker can disable TPM until after boot, then
extend PCRs arbitrarily(one-byte change to boot block)
[Kauer 07]
Software attack: send TPM_Init on LPC bus allows calling TPM_Startup again (to reset PCRs)
Simple hardware attack: use a wire to connect TPM reset pin to ground
Once PCRs are reset, they can be extended to reflect a fake configuration.
Rollback attack on encrypted blobs undo security patches
![Page 6: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/6.jpg)
6
Better root of trustLate launch: securely load OS/VMM,even on a potentially-compromised machineDRTM – Dynamic Root of Trust MeasurementNew CPU instruction:Intel TXT: SENTER AMD: SKINIT Atomically does: Reset CPU. Reset PCR 17 to 0. Load given Secure Loader (SL) code into I-
cache Extend PCR 17 with SL Jump to SL
BIOS boot loader is no longer root of trustAvoids TPM_Init attack: TPM_Init sets PCR 17 to
![Page 7: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/7.jpg)
7
Protecting code on an untrusted platform
Can we run sensitive code on a potentially-compromised platform, without rebooting/replacing it? Many ways to read and corrupt code!
Secure enclave using hardware Possible with SENTER/SKINIT but cumbersome
(Flicker project) Intel Software Guard Extensions (SGX) ARM TrustZone
Cryptography Fully-homomorphic encryption encryption Succinct zero-knowledge proofs (SNARKs) and
Proof-Carrying Data
![Page 8: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/8.jpg)
Attestation
8
![Page 9: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/9.jpg)
9
Attestation: what it doesGoal: prove to remote party what software is running on my machine.
Good applications: Bank allows money transfer only if customer’s
machine runs “up-to-date” OS patches. Enterprise allows laptop to connect to its
network only if laptop runs “authorized” software
Quake players can join a Quake network only if their Quake client is unmodified.
DRM: MusicStore sells content for authorized players
only.
![Page 10: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/10.jpg)
10
Attestation: how it works
Recall: EK private key on TPM. Cert for EK public-key issued by TPM vendor.
Step 1: Create Attestation Identity Key (AIK) Involves interaction with a trusted remote
issuer to verify EK Generated:
AIK private+public keys, and a certificate signed by issuer
![Page 11: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/11.jpg)
11
Attestation: how it works
Step 2: sign PCR values (after boot) Call TPM_Quote (some) Arguments:
keyhandle: which AIK key to sign with KeyAuth: Password for using key
`keyhandle’ PCR List: Which PCRs to sign. Challenge: 20-byte challenge from remote
server Prevents replay of old signatures.
Userdata: additional data to include in sig. Returns signed data and signature.
![Page 12: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/12.jpg)
12
Using attestation(to establish an SSL tunnel)
RemoteServer
PC
TPM
OS
App• Generate pub/priv key pair• TPM_Quote(AIK, PcrList, chal, pub-key)• Send pub-key and certs
Attestation Request (20-byte challenge)
(SSL) Key Exchange using CertValidate:1. Certs
2. PCR vals3. ChallengeCommunicate with app using SSL tunnel
• Attestation must include key-exchange• App must be isolated from rest of system
![Page 13: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/13.jpg)
13
Trusted Computing Architecture:Discussion
(on whiteboard)
![Page 14: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/14.jpg)
14
Smartphone security
![Page 15: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/15.jpg)
15
Capabilities
• Sensors:– Microphone– Camera– Touch screen (capacitance sensor array)– Fingerprint sensor – GPS– Accelerometer– Digital compass– Power– Proximity sensor
![Page 16: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/16.jpg)
16
Data
• Phone calls• SMSs• Contacts• Pictures & videos taken• E-mails• Credentials (social networks, email accounts)• More credentials (password reminders)• Calendar (events, meetings…)• Bank accounts, stock exchange...• Browser history• Location history• Phone number, IMEI• …
![Page 17: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/17.jpg)
17
Attack vectors
• Physical– Lunchtime– Instrusive
• Connectivity– Cellular
• Data• SMS• Low-level GSM
– WiFi– Bluetooth– Wired– NFC
![Page 18: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/18.jpg)
18
SMS Fuzzing
• By fuzzing various fields (including application ports, DCS, PID, etc…) researchers managed to:– Crash/DoS iPhone– Disconnect iPhone– Lock your SIM card
on Android
"Fuzzing the Phone in your Phone", BH USA '09, Mulliner
![Page 19: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/19.jpg)
19
Bluetooth Vulnerability(‘09, Alberto Moreno Talbado)
• Applies to HTC Smartphones running Windows Mobile 6/6.1
• Bluetooth attack enables full file system access– directory traversal– download files (incl. contacts, mail…)– upload files (“trojan.exe” to \Windows\Startup)
![Page 20: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/20.jpg)
20
Bluetooth Vulnerability (cont.)
• “Users worried about the vulnerability should avoid pairing their phones with an untrusted handset or computer. They may also want to delete any devices that are already paired with their phones”
![Page 21: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/21.jpg)
21
Near Field Communication
• RFID tag• Samsung TecTiles• Open URL, call phone, send SMS,
change mode, open app, send contact info…
• Trigger vulnerability[EUSecWest’12 Pwn2Own]
![Page 22: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/22.jpg)
22
Attack vectors
• Physical– Lunchtime– Instrusive
• Connectivity– Cellular
• Data• SMS• Low-level GSM
– WiFi– Bluetooth– Wired– NFC
• Content– Files– Applications– Software updates
• The Cloud
![Page 23: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/23.jpg)
23
Malware [Felt Finifter Chin Hanna Wagner 2011]
• Analyzed 48 malware pieces (Android, iOS, Symbian), 4 root exploits
• 61% collect info• 52% premium SMS• Credential theft, SEO, SMS span, ransom
![Page 24: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/24.jpg)
24
Who owns our information?
• Government’s powers– Any data transmitted over the mobile network
exposes this data to the government via LI mechanisms.
• Phone provider’s powers– iOS updates delete data for jailbroken phones– Amazon “Big Brother” Kindle– iOS and Android’s location recording scandal– Legal issues, technical non-issues
![Page 25: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/25.jpg)
![Page 26: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/26.jpg)
26
Android Security Updates
• From the Android Security FAQ:– “The manufacturer of each device is responsible for
distributing software upgrades for it, including security fixes. Many devices will update themselves automatically with software downloaded "over the air", while some devices require the user to upgrade them manually.”
– De facto updates?
![Page 27: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/27.jpg)
27
“App Attack”
• Apps may need to have access to sensitive information (call history, bank account, etc..).
• Some apps don’t need it (e.g. Angry Birds).• Calls for a special security mechanism – or
does it?• You needn’t be Microsoft/Adobe to build one
that people will use– New, unexploited, easy-to-implement ideas.– App Stores – more equal exposure, easy to
access."App Attack", Mahhaffey & Herring
![Page 28: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/28.jpg)
28
Advertisement SDKs
• 3rd party (Actually, 4th party) components piggy-backed on an application.
• Developers don’t know the code inside their own application.
• SDKs will always want to perform targeted marketing…
![Page 29: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/29.jpg)
29
Application Security Models
• Sandboxing– Permissions– Isolation
• App stores verification– Open or disclosed source– Apps must prove themselves secure
• It’s no longer enough to just be secure
– Vendors must prove themselves trustworthy– Sometimes signed (BB/Symbian/iOS/Android..)– Some automated review– Some manual review
![Page 30: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/30.jpg)
30
Example: iOS App Store
• To use an application on your own iOS device you must have a special Developer Account– You yourself have to be approved
• Costs 99$ • Takes time
– Still does not mean you can get it on the App Store.
![Page 31: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/31.jpg)
31
Apple developer program enrollment
Dear Troy Hakala,We are currently in the process of reviewing your iPhone Developer Program enrollment information.Please fax one of the following forms of identity for your business based on your company form. To assist with this process, please ensure your business documents match your Enrollment information.…Please include your main company corporate telephone number with your faxed documents.…
…Articles of incorporationBusiness licenseCertificate of FormationDBA (Doing Business As…)Fictitious name statementRegistration of trademarkCharter documentsPartnership papersReseller or vendor license
…Thank you,iPhone Developer Program
![Page 32: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/32.jpg)
32
Example: iOS App Store (cont.)
• “Let us see for ourselves”.– Can’t get an app on App Store without verifying it.– Not 100% effective. Pulled back:
• Flashlight kid• Aurora Faint – contact emails, 20M downloads• MogoRoad – Sent phone numbers, customers got
commercial calls
– “Polymorphic” apps (change at runtime)– 10K apps submitted per week, 10% of rejections
related to malware
"iPhone Privacy", Seriot
![Page 33: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/33.jpg)
33
App Store review process(guessed)
• Static analysis looking
for particular strings,
API calls etc..• Dynamic analysis
– Sniffing– Monitor I/O, API calls– “Fuzzing”
• Lots of innocent appspunished
![Page 34: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/34.jpg)
34
Android Application Security Model
• Applications run in a virtual machine called Dalvik– Java Java Byte Code Dalvik Byte Code
• Dalvik itself is no sandbox– Sandboxing at process level– Each app process has a distinct UID, GID, and
belongs to some groups.• “Permissions” declared statically
![Page 35: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/35.jpg)
35
Android app permission: example
(Example by David William Wood)
List of permissions in Android API:https://developer.android.com/reference/android/Manifest.permission.html
![Page 36: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/36.jpg)
36
Android Security User Experience
• First, obvious problem: users treat permission prompting similar to browser pop-up warnings.– They just don’t care. “Want to get pony
wallpapers now.”
![Page 37: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/37.jpg)
37
Android Application Security Model (cont.)
• How does Android enforce permissions?• Enforcement mechanisms:
– OS kernel level (files, I/O…)• Some behavior inherited from Linux• The kernel is patched in some places s.t. process
group list is checked in some system calls. This is similar to Linux capabilities (only for non-root processes, and with no one reference monitor).
– Inter-Component Communication level• Google’s own implementation
– Recently: SELinux (Mandatory Access Controls)
“Understanding Android Security”Enck, Ongtang & McDaniel
![Page 38: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/38.jpg)
38
Security Expressiveness
• Microphone AND web access == permission to record you and send it home?
• User can’t add/remove permissions after install– Permissions are absolute upon granting. An app
can’t request one-time permission for specific operations.
![Page 39: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/39.jpg)
39
Analyzing Inter-process Communication in Android[Chin Felt Greenwood Wagner 2011 ]
• Characterize types of IPC vulnerabilities:– Unauthorized Intent Receipt:
• Broadcast Theft• Activity Hijacking• Service Hijacking
– Intent Spoofing:• Malicious Broadcast Injection• Malicious Activity Launch• Malicious Service Launch
• For each – specify how it can happen, how to avoid it.– Avoidance complexity varies.
![Page 40: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/40.jpg)
40
Analyzing Inter-process Communication in Android[Chin Felt Greenwood Wagner 2011 ]
• ComDroid: Analyzed 100 applications to identify suspicious IPC implementation (e.g. not declaring permissions to use a broadcast receiver..). Outputted warnings.
• Manually examined 20 applications for:– Vulnerabilities (e.g. sensitive information exposure)– Spoofing Vulnerabilities (security depends on user’s
choices in activity intent-resolution dialog)– Unintentional bugs (ignoring good code convention)
![Page 41: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/41.jpg)
41
Results
• Results show that the Android permission system is confusing to developers, and they misuse it.
![Page 42: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/42.jpg)
42
Jailbreaking / rooting
• Give application “root” permissions• Method:
– Flash firmware– Exploit vulnerability
• Needed for– Backups– Copying apps – Various advanced features
• Less effective with SELinux– E.g., Samsung Knox– … so users disable SELinux too
• Vendors detect and:– Void warranty– Prevent security updates
![Page 43: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/43.jpg)
43
Android Application Security Model - Conclusions
• IPC and shared resources (logs, internet) are a major security issue.
• Protection of application and user is the developer’s responsibility– Any form of ICC/shared resources should be
carefully examined.– In real life, this does not happen. Many apps
expose their (and your) secret information through these mechanisms. This includes Android’s built-in applications (e.g. browser).
![Page 44: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/44.jpg)
44
Android’s Application Security Model – Conclusions (cont.)
• Protection of user’s data is his own responsibility– Security vs. Usability– Users don’t understand security concerns
• What does CLEAR_APP_CACHE mean?
• Android’s permission model lacks important expressiveness
• Android’s Open-Market App Security Model is an extreme and unique choice.
![Page 45: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/45.jpg)
45
iOS Application Security Model
• Permissions:– No pre-install user prompting– Only one type of exercise-time prompting – “app
wants to use your location”• Every app is completely isolated from others
– If an IPC hack exists, it will probably not be “Apple-Approved”
• Hidden APIs exist.
![Page 46: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/46.jpg)
46
Caught by App Genome Project (cont.)
• Lots of simple apps(wallpaper/flasllight etc.)
• Accessing IMEI, IMSI,Phone number…
• AND internet…• Some don’t hide that
they do.
![Page 47: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/47.jpg)
47
Wiresharked – HTTP POST
POST /api/wallpapers/log/device_info?locale=enrUS&version_code=422&w=320&h=480&uniquely_code=000000000000000&api_key=CIEhu15fY4bO4SGcGTq6g&nonce=9fe79a6119a9c650eb8f9615e2b88a8d×tamp=1279591671671&api_sig=11404ee56654c3ad52649fb1e0589e5fHTTP/1.1Content-Length: 1146Content-Type: application/x-www-form-urlencodedHost: www.imnet.usConnection: Keep-AliveUser-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)Expect: 100-Continue
HTTP/1.1 100 Continue
uniquely_code=000000000000000&device_info=device_id%3D000000000000000%26device_software_version%3Dnull%26build_board%3Dunknown%26build_brand%3Dgeneric%26build_device%3Dgeneric%26build_display%3Dsdk-eng+2.2+FRF42+36942+test-keys%26build_fingerprint%3Dgeneric%2Fsdk%2Fgeneric%2F%3A2.2%2FFRF42%2F36942%3Aeng%2Ftest-keys%26build_model%3Dsdk%26build_product%3Dsdk%26build_tags%3Dtest-keys%26build_time%3D1273720406000%26build_user%3Dandroid-build%26build_type%3Deng%26build_id%3DFRF42%26build_host%3De-honda.mtv.corp.google.com%26build_version_release%3D2.2%26build_version_sdk_int%3D8%26build_version_incremental%3D36942%26density%3D1.0%26height_pixels%3D480%26scaled_density%3D1.0%26width_pixels%3D320%26xdpi%3D160.0%26ydpi%3D160.0%26line1_number%3D15555218135%26network_country_iso%3Dus%26network_operator%3D310260%26network_operator_name%3DAndroid%26network_type%3D3%26phone_type%3D1%26sim_country_iso%3Dus%26sim_operator%3D310260%26sim_operator_name%3DAndroid%26sim_serial_number%3D89014103211118510720%26sim_state%3D5%26subscriber_id%3D310260000000000%26voice_mail_number%3D%2B15552175049%26imsi_mcc%3D310%26imsi_mnc%3D260%26total_mem%3D35885056
![Page 48: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/48.jpg)
48
Mobile vs. PC
Easier:• Remote control
(uninstall)• Jail• Finer-grained
permissions• Single user• More uniform hardware• Biometrics• “Clean slate”
Harder:• Input• Output• Patience• Sensitivity
![Page 49: 1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.](https://reader035.fdocuments.us/reader035/viewer/2022062515/56649cc95503460f94991440/html5/thumbnails/49.jpg)
49
What can the platform can do about it?
• Encryption• Virtualization (+TrustZone, TXT)
• Stop the need for jailbreaking• Fine-grained permissions• Fine-grain protection domains• Information flow control
– Inadvertant (logs)– Hard to analyze (app interaction)– Malicious– Runtime: TaintDroid– Static (PiOS)