Beyond Kernel-level Integrity Measurement: Enabling Remote Attestation for the Android Platform
Transcript of Beyond Kernel-level Integrity Measurement: Enabling Remote Attestation for the Android Platform
Beyond Kernel-level Integrity Measurement: Enabling Remote Attestation for the Android Platform
Mohammad Nauman, Sohail Khan, Xinwen Zhang, Jean-Pierre Seifert
TU Berlin & Deutsche Telekom Laboratories, Berlin, [email protected]
09.11.2009, Deutsche Telekom Laboratories
Agenda
Android introduction
Problem motivation
Solution proposal
Evaluation / Measurement numbers
Q & A
Android introduction
Android Introduction
A framework for mobile devices
Backed by many industry leaders
Significance of Android
“AdMob: Android Passes iPhone Web Traffic In U.S”
http://techcrunch.com/2010/04/27/admob-android-passes-iphone-web-traffic-in-u-s/
Android Architecture
Problem motivation
Problem motivation
Consider an organization that provides its employee, say Angela, with a G1 handset running several applications that she might require for carrying out her job responsibilities.
The employer, being the owner of the device, allows Angela to install applications that she might need for her daily use.
However, since the organization releases sensitive information to Angela's mobile, it is required that the integrity of Angela's Android is intact and that there is no malicious software or application running on the mobile device.
Otherwise, sensitive information could be leaked, …
Primary Use Case
Let's see a real life example!
proudly presents
Chancellor Angela Merkel
The problem
Android's Dalvik Problem
Establish the trustworthiness of an Android-powered mobile device (phone, tablet, netbook, …)
The traditional approach of signing applications doesn't work: “All applications are created equal”
Existing approaches towards remote attestation fail: all application code is “dex”, invisible to the kernel
Dex code is executed by the Dalvik VM: even if the VM is benign, the application running on top of it may be malicious
Solution proposal
Solution
Extend the chain-of-trust to within the VM (just as IMA extended it from the pre-bootloader to within the OS)
Choices:
1. Measure all loaded applications
2. Measure all loaded classes
Attestation Architecture
Angela´s Employer
Basic requirements
Establishment of a chain-of-trust
Basic TPM/MTM replacement: our TPM implements the basic functionality and is meant to serve as a placeholder (earlier efforts at MTM/TPM implementation on mobiles …)
(Slightly) modified IMA code: communicates with our placeholder TPM instead of the non-existent hardware TPM
Small IMA extensions
Beside the communication with our TPM, we have not modified any functionality of IMA. It measures all executables loaded on the Android platform by the Linux operating system. This includes the Android VM as well as any libraries (such as libdvm.so, libandroid-runtime.so and libandroid-system.so). This ensures that all the executables loaded outside the Dalvik virtual machine, as well as the native code of Dalvik itself, get measured and stored in the Stored Measurement Log (SML).
Similarly, the semantics of the SML are also unmodified. This is because we opted not to interleave the Linux executable hashes with the Dalvik executable hashes but to keep the two logs separate. The aggregate up to the point of the Dalvik load is stored in the Android Measurement Log (AML). Once the chain of trust up to the Dalvik virtual machine is established, we provide two alternatives for measurement of code that is loaded on top of the Dalvik VM.
Application Level Attestation
Modify the Application Framework Layer to measure all loaded .apk files (packages); implementation details in the paper
Incomplete!
Chain of trust breaks as the application framework layer itself isn't measured/stored in the PCR
More is required!
Class level attestation
Measure all loaded classes. Different from IMA because:
Classes can come from arbitrary sources: Internet, local streams, files …
The same class files can reside in multiple jars (dex in the case of Android)
For example, an application may write a class loader that reads from a byte stream to load a class. This is substantially unlike the Linux/IMA scenario in which all executables are loaded from the filesystem. It is therefore possible in Linux to measure an executable before it is loaded. In the case of Dalvik (or any Java-based VM), this is not always possible because of arbitrary class loaders. It is for this reason that the semantics of our binary attestation are: we measure a class after it is loaded but before it can be executed!
Class level attestation
VM level implementation
Selected Hash computed over the complicated class structure:
Android Measurement Log: capturing the hash of the class and its descriptor
133A57C0CB942D5F74376BD6A89A3DD98EAB4886 vmaggregate
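The AML shown above, whose first entry carries the aggregate handed over from the Linux/IMA side, is what a challenger replays. As an added example (not code from the slides or the authors' implementation), a verifier-side check in Python that parses the "hash descriptor" line format, replays the entries into a fresh PCR for comparison with the attested value, and flags classes whose hash is not on a known-good list. It assumes the aggregate is chained with IMA-style SHA-1 extend, and the class hashes and reference list are constructed.

```python
import hashlib

def extend(aggregate: bytes, measurement: bytes) -> bytes:
    """PCR-style extend as IMA uses it: new = SHA-1(old || measurement).
    Assumption: the AML aggregate is chained this way; the slides do not say."""
    return hashlib.sha1(aggregate + measurement).digest()

def parse_aml(text: str):
    """Parse '<40 hex chars> <descriptor>' lines; the first entry must be vmaggregate."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        hexhash, descriptor = line.split(None, 1)
        if len(hexhash) != 40:
            raise ValueError(f"malformed AML entry: {line!r}")
        entries.append((bytes.fromhex(hexhash), descriptor.strip()))
    if not entries or entries[0][1] != "vmaggregate":
        raise ValueError("AML must start with the vmaggregate entry")
    return entries

def verify_aml(text: str, known_good: dict):
    """Replay the log into a fresh (all-zero, SHA-1 sized) PCR, which the challenger
    compares with the attested PCR, and list classes whose hash is not known-good."""
    pcr, unknown = bytes(20), []
    for digest, descriptor in parse_aml(text):
        pcr = extend(pcr, digest)
        if descriptor != "vmaggregate" and known_good.get(descriptor) != digest:
            unknown.append(descriptor)
    return pcr, unknown

def constructed_hash(label: str) -> bytes:
    """Stand-in for the hash over a loaded class structure (constructed, not from a device)."""
    return hashlib.sha1(label.encode()).digest()

def make_aml(entries) -> str:
    """Render (digest, descriptor) pairs in the slide's 'HASH descriptor' line format."""
    return "\n".join(f"{digest.hex().upper()} {name}" for digest, name in entries)

# Constructed reference list: real Dalvik descriptors, constructed hashes.
KNOWN_GOOD = {name: constructed_hash(name) for name in
              ("Landroid/widget/AbsListView;", "Lcom/android/internal/telephony/Phone;")}
GOOD_LOG = make_aml([(constructed_hash("vmaggregate"), "vmaggregate")]
                    + [(digest, name) for name, digest in KNOWN_GOOD.items()])
# Same log, but the Phone class was loaded from modified code with a different hash.
TAMPERED_LOG = GOOD_LOG.replace(
    KNOWN_GOOD["Lcom/android/internal/telephony/Phone;"].hex().upper(),
    constructed_hash("modified Phone class").hex().upper())
if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("tampered", TAMPERED_LOG)):
        pcr, unknown = verify_aml(log, KNOWN_GOOD)
        print(label, pcr.hex(), "unknown classes:", unknown)
```

Because every entry is folded into the aggregate, a log edited after the fact no longer replays to the attested PCR, while a class loaded from modified code shows up as a descriptor with an unknown hash.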
Evaluation / Measurement numbers
Evaluation for Android cupcake
Application-level results:
Caching helps to mitigate the time overhead! Faster hardware hashing would be helpful, instead of hashing in Java! Power consumption, …
Evaluation for Android cupcake
Class-level results:
Caching helps to mitigate the time overhead! Faster hardware hashing would be helpful, instead of hashing in Java! Power consumption, …
Other points to note
TPM is just a placeholder. We're waiting for an MTM implementation.
Bootloader needs modification for a full chain-of-trust.
The new Android Scripting Support isn't supported yet. Another reason why IMA can't work … but our architecture fails here too.
The time-of-measurement / time-of-use race condition was a major concern in the original IMA technique. The issue is that when reading from a filesystem, the file may change after it is measured but before it gets loaded for execution. Since we measure classes or applications only after they are loaded, and not from the filesystem, our architecture does not suffer from this drawback.
Thank you for your attention!
Questions?