Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)

Japan Linux Symposium 2009 2009.10.23 Daisuke Numaguchi Tetsuo Handa Giuseppe La Tona NTT DATA CORPORATION

TOMOYO overview MAC implementation for Linux Behavior oriented system analyzer and protector Pathname-based MAC tools It consists of: a kernel patch ( ccspatch ) a set of utilities ( ccstools ) for managing access control settings (a.k.a. policy) Copyright (C) 2009 NTT Data Corporation 2009/10/23

MAC(Mandatory Access Control) Restrict access according to policy. No exception, no bypass Performed inside kernel space SELinux, Smack, TOMOYO, AppArmor, LIDS, grsecurity, etc. 2009/10/23 Copyright (C) 2009 NTT Data Corporation

Android Kernel Linux Kernel 2.6 with some changes Reduced set of standard Linux utilities -> toolbox No support glibc -> Bionic libraries No standard IPC -> Binder , specific IPC driver No native windowing system Optimized Power Management Low memory killer, Alarm etc. Copyright (C) 2009 NTT Data Corporation 2009/10/23

Dalvik and Zygote Runtime is made by Java programs running in Dalvik : Virtual Machine for mobile devices slow CPU, small RAM, no swap space, battery Not a JVM, no JIT: only interpreter of DEX (optimized bytecode obtained from Java .class) Multiple VM instances can run efficiently. Zygote process : first instance of Dalvik VM, partially initialized load preload classes and resources is kept always alive in idle state When an application execution request occurs: zygote fork() s to a new process… … which loads the requested package (Biology concept of “zygote”: duplicate, specialize and differentiate ) Copyright (C) 2009 NTT Data Corporation 2009/10/23

Dalvik and Zygote Runtime is made by Java programs running in Dalvik : Virtual Machine for mobile devices slow CPU, small RAM, no swap space, battery Not a JVM, no JIT: only interpreter of DEX (optimized bytecode obtained from Java .class) Multiple VM instances can run efficiently. Zygote process : first instance of Dalvik VM, partially initialized load preload classes and resources is kept always alive in idle state When an application execution request occurs: zygote fork() s to a new process… … which loads the requested package (Biology concept of “zygote”: duplicate, specialize and differentiate ) Copyright (C) 2009 NTT Data Corporation 2009/10/23 fork() application zygote Dalvik VM

Android boot sequence adbd vold (mount) rild (radio) debuggerd installd … Binder Copyright (C) 2009 NTT Data Corporation 2009/10/23 systemserver service manager service manager System Services Dalvik VM fork() Dalvik VM Dalvik VM Dalvik VM GUI service manager service manager Applications Home Runtime Kernel init init Daemons init init init Native Servers servicemanager registration mediaserver zygote exec() fork() Dalvik specialization

Android security model (1/2) Each application runs in its own process Runtime in separate instances of Dalvik virtual machine Copyright (C) 2009 NTT Data Corporation 2009/10/23 Dalvik VM Application 1 Zygote Dalvik VM Application 2 Dalvik VM Application 3 Dalvik VM Application 4

Android security model (2/2) Each process is a “secure sandbox” Linux Discretionary Access Control (DAC) for file access: all applications are assigned a unique UID (constant) UID for system services are hard-coded UID for user packages are progressively assigned at install-time, starting from uid 10000 (and mapped to app_0, app_1, …) ; they are saved in a file and are maintained constant during the life of the package on the device. Application specific files are saved in /data/data in separate folders owned by specific UID users Copyright (C) 2009 NTT Data Corporation 2009/10/23

TOMOYO Linux versions There are 2 development lines: Fully equipped version (1.x series) provides full functionalities of pathname-based MAC (MAC for files, network, capabilities…) Mainlined version (2.x series) uses Linux Security Modules (LSM) subset of MAC functionalities (only for files, so far) missing functionalities will be added in the future supports only kernels 2.6.30 and later Copyright (C) 2009 NTT Data Corporation 2009/10/23

Android kernel Android SDK 1.6 ("donut") comes with kernel 2.6.29 . TOMOYO 2.x is available since kernel 2.6.30 TOMOYO 2.2 function is only file access control Copyright (C) 2009 NTT Data Corporation 2009/10/23

Android kernel Android SDK 1.6 ("donut") comes with kernel 2.6.29 . TOMOYO 2.x is available since kernel 2.6.30 TOMOYO 2.2 function is only file access control So, choose TOMOYO 1.x !! Copyright (C) 2009 NTT Data Corporation 2009/10/23

Porting TOMOYO to Android Patching Android Kernel with TOMOYO patch Adapting ccstools Cross-compiling for Android Adding TOMOYO Policy Loader to Android boot Creating policy Copyright (C) 2009 NTT Data Corporation 2009/10/23

Patching Android Kernel TOMOYO 1.7.x (Fully equipped version ) Emulator (no real Android device needed)  Linux kernel version: Goldfish v2.6.29 “ Goldfish” is the name given to the ARM architecture emulated by Android SDK Emulator ccspatch 1.7.1-pre for Goldfish v2.6.29 Copyright (C) 2009 NTT Data Corporation  2009/10/23 Kernel TOMOYO Linux

Adapting ccstools Ccstools is for managing TOMOYO’s policy. Ccstools was intended for use on PC Ccstools has been enhanced with Network mode for embedded systems More convenient for developing policies and debugging Two utilities are needed for the device: ccs-init, ccs-editpolicy-agent Copyright (C) 2009 NTT Data Corporation 2009/10/23

Modifying Android boot (1/2) Put "ccs-init (program for activating TOMOYO)" inside /sbin/ the kernel will call /sbin/ccs-init before /init starts. Copy below files needed by /sbin/ccs-init /system/bin/linker /system/ partition is not mounted yet when /sbin/ccs-init starts. /lib/libc.so /lib/libm.so Environment variable LD_LIBRARY_PATH="/system/lib" is not set yet when /sbin/ccs-init starts. Copyright (C) 2009 NTT Data Corporation 2009/10/23

Modifying Android boot (2/2) Put "ccs-editpolicy-agent (program for managing TOMOYO remotely)" inside /sbin/ Append to /init.rc ccs-editpolicy-agent will listen to tcp port 7000 We can issue "adb forward tcp:10000 tcp:7000" to connect from host environment. Copyright (C) 2009 NTT Data Corporation service ccs_agent /sbin/ccs-editpolicy-agent 0.0.0.0:7000 oneshot 2009/10/23

Creating policy Put access control settings (a.k.a. policy) in /etc/ccs /sbin/ccs-init will load them Details: http://tomoyo.sourceforge.jp/1.7/android-arm.html Copyright (C) 2009 NTT Data Corporation 2009/10/23

Copyright (C) 2009 NTT Data Corporation Android emulator (Goldfish) TOMOYO Linux (kernel patch) Android runtime Application framework TOMOYO Agent ccs-editpolicy-agent app Ubuntu 8.04 app app app Libraries Policy editor ccs-editpolicy TCP/IP 2009/10/23

Problem with splitting domains The applications are executed with different UID (i.e.: root, system, app_#, …) and different process name, but… Copyright (C) 2009 NTT Data Corporation 2009/10/23 Adapting ccstools service manager service manager Applications System Server

Problem with splitting domains The applications are executed with different UID (i.e.: root, system, app_#, …) and different process name, but… … they are all fork()ed from app_process! Copyright (C) 2009 NTT Data Corporation 2009/10/23 Adapting ccstools service manager service manager Applications System Server zygote Dalvik VM Dalvik VM Dalvik VM fork()

Problem with splitting domains New and unexpected situation for TOMOYO Linux In TOMOYO Linux, domain transitions occur after process invocation, that is execve(), not fork()  Splitting domain <kernel> /init /system/bin/app_process in different domains according to each single application is impossible . . . ? Copyright (C) 2009 NTT Data Corporation 2009/10/23

TOMOYO’s MAC and Android DAC Android security rule : data files of one application should be prevented from being accessed by other applications This is performed by using DAC permissions, as said before TOMOYO can provide with conditional ACL a further insurance that this rule is respected, especially in cases when: DAC permissions are poorly configured root process (zygote) would be hijacked allow_read/write @APP_DATA_FILE if task.uid=path1.uid allow_unlink @APP_DATA_FILE if task.uid=path1.uid allow_mkdir @APP_DATA_DIR if task.uid=path1.parent.uid1 Copyright (C) 2009 NTT Data Corporation 2009/10/23

TOMOYO’s MAC and Android DAC DAC’s ability to restrict by UID has a low granularity: only “owner”, “group”, “others”. TOMOYO, on the other hand, allows minimal and customizable permissions to any group of specific UIDs. Example: users are app_1, app_2, app_3, app_4; some files owned by app_2 (uid=10002) need to be accessed by app_1 (uid=10001) also, but not by all the “others”. allow_read/write @SOME_FILES if task.uid= 10001-10002 Copyright (C) 2009 NTT Data Corporation 2009/10/23

An example We want to allow only the Browser to connect to Internet. In this way any process running under “<kernel> /init /system/app/process” domain would be allowed to open TCP connection on any IP, port 80.  least-privilege principle violated Copyright (C) 2009 NTT Data Corporation 2009/10/23

Solution TOMOYO Linux allows conditional ACL Using task’s UID as a condition , for access grant. In this way only the process with UID in HTTP_USERS group will be able to connect Copyright (C) 2009 NTT Data Corporation 2009/10/23

Saving access logs You can save access logs by starting ccs-auditd (host computer) as shown below. Copyright (C) 2009 NTT Data Corporation /usr/sbin/ccs-auditd /tmp/grant_log /tmp/reject_log 127.0.0.1:10000 2009/10/23 #2009-10-19 10:07:15# profile=1 mode=learning (global-pid=36) task={ pid=36 ppid=1 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0 type!=execute_handler } path1={ uid=0 gid=2000 ino=537 major=31 minor=0 perm=0755 type=file } path1.parent={ uid=0 gid=2000 ino=468 perm=0755 } exec={ realpath="/system/bin/app_process" argc=5 envc=10 argv[]={ "/system/bin/app_process" "-Xzygote" "/system/bin" "--zygote" "--start-system-server" } envp[]={ "PATH=/sbin:/system/sbin:/system/bin:/system/xbin" "LD_LIBRARY_PATH=/system/lib" "ANDROID_BOOTLOGO=1" "ANDROID_ROOT=/system" "ANDROID_ASSETS=/system/app" "ANDROID_DATA=/data" "EXTERNAL_STORAGE=/sdcard" "BOOTCLASSPATH=/system/framework/core.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar" "ANDROID_PROPERTY_WORKSPACE=9,32768" "ANDROID_SOCKET_zygote=10" } } <kernel> /init allow_execute /system/bin/app_process You can create advanced policy settings from access logs.

Policy error handler Similar to “page fault handler” Copyright (C) 2009 NTT Data Corporation Access request Permitted by policy? Permitted by handler? YES Access granted Access rejected YES NO NO 2009/10/23

Conclusions TOMOYO Linux suits well on Android Will suits on other embedded devices as well MAC enforced for system services and user applications Whole system or targeted applications Why not to try TOMOYO? Copyright (C) 2009 NTT Data Corporation 2009/10/23

Thank you for your attention Copyright (C) 2009 NTT Data Corporation Daisuke Numaguchi <numaguchid@nttdata.co.jp> Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Giuseppe La Tona <giuseppelatona@gmail.com> 2009/10/23

Copyrights Linux is a registered trademark of Linus Torvalds in Japan and other countries Android is a registered trademark of Google TOMOYO is a registered trademark of NTT Data Corporation in Japan Other names and trademarks are the property of their respective owners. Copyright (C) 2009 NTT Data Corporation 2009/10/23

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)

More Related Content

What's hot

Similar to Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)

More from Toshiharu Harada, Ph.D

Recently uploaded

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)

Editor's Notes