Enhancing Security - Presentation


Transcript of Enhancing Security - Presentation

  • 8/14/2019 Enhancing Security - Presentation

    1/32

    Enhancing Security of Linux-based Android Devices

    Aubrey-Derrick Schmidt, Hans-Gunther Schmidt, Jan Clausen, Kamer Ali Yüksel, Osman Kiraz, Ahmet Camtepe, and Sahin Albayrak

    This work was funded by Deutsche Telekom Laboratories

  • 2/32

    07.11.2007 CC SEC Folie 2

    DAI-Labor TU Berlin

    Research Institute with ~100 employees
    Six core departments:
      Agent Core Technologies
      Next Generation Services
      Information Retrieval
      Cognitive Architectures
      Education
      Security

  • 3/32

    DAI-Labor Security Department

    Works on:
      Smartphone security
      Agent Security
      Network Security Simulation
      Critical Infrastructures
      PKI / Cryptography
      Next Generation Homes - Security

  • 4/32

    TOC

    Motivation
    Android Security
    Adding Linux Security Tools to Android
    Enhancing Security with self-built IDS

  • 5/32

    Motivation

    Smartphones are getting increasingly popular
    Various smartphone malwares have appeared
    Signature-based approaches are only efficient for known malware
      Anti-virus engines need an average of 48 days to become capable of detecting new malware [Oberheide08]
      More than 700,000 devices can be infected via MMS in about three hours [Bulygin07]

  • 6/32

    Motivation

    Android is already very popular, although not released yet
    Android will be open-sourced
      Opportunity to develop low-level security tools for commonly used smartphones for the first time
    Linux security research is mature
      A lot of lessons learned
      A lot of open source tools available

  • 7/32

    TOC

    Motivation
    Android Security
    Adding Linux Security Tools to Android
    Enhancing Security with self-built IDS

  • 8/32

    Android Security

    Images on emulator
    System Image (65 MB / 21 MB free)
      OS files, libraries, drivers, system bins
      Android config files
      Android framework
      Android base applications (e.g. Browser)
      +R(W)X

  • 9/32

    Android Security

    Images on emulator
    Userdata Image (65 MB / 40 MB free)
      Mounted to /data
      Used for applications, user data, DRM, ...
      +RWX
    Cache Image (usage not specified yet)
    SD-Card Image (no obvious size limitations)
      Mounted to /sdcard
      Files created as user and group system
      +RW

  • 10/32

    Android Security

    Applications are location-aware
      Can only be executed in /data or /system
      Any changes to file permissions succeed there
      Changes in e.g. /sdcard do not succeed (e.g. setting the execute bit)
    Most probably, (Linux) applications cannot be started from the SD card
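The "+R(W)X" / "+RWX" / "+RW" labels on the image slides and the observation that the execute bit cannot be set on /sdcard come down to the mount each path lives on. The following added example (not code from the slides or their authors) turns that into a check: it parses a /proc/mounts-style table, finds the mount holding a path, and reports the same R/W/X letters. The mount table is constructed here to resemble the emulator images the slides describe; device names, filesystem types and mount options are assumptions. The vfat rule encodes a general fact about Linux: FAT stores no per-file mode bits, so chmod +x on such a mount cannot take effect whatever the options say.

```python
import os

# Constructed mount table in /proc/mounts format, modelled on the emulator
# images named on the slides (devices, filesystem types and options are
# assumptions, not values taken from the slides).
SAMPLE_MOUNTS = """\
/dev/block/mtdblock0 /system yaffs2 ro,relatime 0 0
/dev/block/mtdblock1 /data yaffs2 rw,nosuid,nodev,relatime 0 0
/dev/block/mtdblock2 /cache yaffs2 rw,nosuid,nodev,relatime 0 0
/dev/block/mmcblk0 /sdcard vfat rw,nosuid,nodev,noexec,uid=1000,gid=1000,fmask=0711,dmask=0700 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines into (mountpoint, fstype, option set) tuples."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _device, mountpoint, fstype, options = fields[:4]
        table.append((mountpoint, fstype, set(options.split(","))))
    return table


def mount_for(path, table):
    """Return the entry whose mountpoint is the longest prefix of path."""
    path = os.path.normpath(path)
    best = None
    for entry in table:
        mountpoint = entry[0]
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = entry
    return best


def permissions(path, table):
    """Summarise the mount holding path in the slides' R/W/X notation."""
    entry = mount_for(path, table)
    if entry is None:
        return None
    _mountpoint, fstype, options = entry
    letters = "R"
    if "rw" in options:
        letters += "W"
    # The execute bit only takes effect if the mount is not noexec and the
    # filesystem stores per-file mode bits at all; vfat has none, so chmod +x
    # cannot succeed there regardless of the mount options.
    if "noexec" not in options and fstype != "vfat":
        letters += "X"
    return letters


def exec_allowed(path, table):
    """True if a binary placed at path could be executed from that mount."""
    perms = permissions(path, table)
    return perms is not None and "X" in perms


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/system/bin/sh", "/data/local/tool", "/sdcard/tool"):
        print(p, permissions(p, table), "exec" if exec_allowed(p, table) else "no exec")
```

Running it against the real /proc/mounts of a device instead of SAMPLE_MOUNTS shows, before any tool is copied over, which of the locations on the slides can actually hold a runnable binary; on the constructed table only /system and /data qualify, matching what the slide reports.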

  • 11/32

    Android Security

    (Java) Application signing is required
      Linux state not clear
      Developer signs his application with his own certificate at the moment
    System might change to something similar to Symbian OS
      Central authority for assigning certificates
      Limited access to APIs
    Google and T-Mobile have each announced an application store (might include application testing and verification)

  • 12/32

    Android Security

    File rights: /data/data/
      drwxr-xr-x app_14 app_14 2008-09-17 14:26 com.android.sample
    Application land
    An application can access other applications' directories signed with identical certificates
    Certification land

  • 13/32

    TOC

    Motivation
    Android Security
    Adding Linux Security Tools to Android
    Enhancing Security with self-built IDS

  • 14/32

    Adding Linux Security Tools to Android: General Information

    Emulator is used as basis
    OHA/Google modified a lot of libraries and binaries of the Linux kernel
      Reason: opportunity for business customers to claim intellectual property
    Application space is limited (~40 MB)
      Increasing space is not that easy
    Common security tools were tested
      But: special build environment needed

  • 15/32

    Creating a Build Environment for Android

    Ubuntu 8.04
    Two toolkits can be used
      Sourcery cross-compile toolchain
      Scratchbox cross-compilation toolkit
        Emulated ARM environment
        Common Linux file system layout

  • 16/32

    Creating a Build Environment for Android: Important Facts

    Files are located in:
      System files are placed in /system
      Binaries in /system/bin
      Libraries in /system/lib
      Config files in /system/etc
    System configuration in OpenBinder
    Page alignment causes changes in linking
    The only way to get available applications to run is compiling them statically

  • 17/32

    Adding Tools

    Top 100 Network Security Tools [Insec06]
    Tested from 5 main categories:
      Anti-Virus: ClamAV
      Firewall: iptables
      Rootkit Detectors: chkrootkit
      Intrusion Detection: Snort
      Other useful tools: Busybox, Bash, OpenSSH, strace, Nmap

  • 18/32

    Anti-Virus: ClamAV

    Android Compatibility: Works

    Problems, solutions, and size:
      Static compilation (linking) required
      Dependent on a statically compiled version of "zlib" (zlib-1.2.3)
      Total size of all ClamAV-relevant files (approx. 28 MB) exceeds the available size in the System image (21 MB). The ClamAV virus signature database needs to be placed in a different location.
      Size (approx.): 11140 KB libraries and binaries (/opt), 17324 KB database (/data)

  • 19/32

    Anti-Virus: ClamAV Results

    ----------- SCAN SUMMARY -----------
    Known viruses: 407205
    Engine version: 0.94
    Scanned directories: 0
    Scanned files: 106
    Infected files: 0
    Data scanned: 5.12 MB
    Time: 107.236 sec (1 m 47 s)
    #

  • 20/32

  • 21/32

    Rootkit Detector: Chkrootkit

    Android Compatibility: Works with minor dependencies

    Problems, solutions, and size:
      Static compilation (linking) required
      Requires "netstat" (provided by "busybox")
      Requires standard directories (/lib, /etc, etc.), provided by symbolic links pointing to the correct Android directories
      Size (approx.): 588 KB

  • 22/32

    Rootkit Detector: Chkrootkit Results

    # ./chkrootkit
    [: gid: unknown operand
    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... INFECTED
    Checking `biff'... not found
    Checking `cron'... not infected
    Checking `echo'... INFECTED
    Checking `egrep'... not infected
    Checking `env'... INFECTED
    Checking `find'... not infected
    Searching for common ssh-scanners default files... nothing found
    Searching for suspect PHP files... find: /var/tmp: No such file or directory
    nothing found
    Searching for anomalies in shell history files... nothing found
    chkproc: Warning: Possible LKM Trojan installed
    chkdirs: Warning: Possible LKM Trojan installed
    Checking `sniffer'... ./chkrootkit: ./ifpromisc: not found
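The chkrootkit run above mixes three kinds of lines that a defender reads very differently: per-binary verdicts (INFECTED / not infected / not found), LKM warnings from chkproc and chkdirs, and errors where the checker itself could not run (a missing /var/tmp, the missing ifpromisc helper, the `[: gid` shell error). The following added example (not code from the slides or their authors) parses that output into those buckets so a run on a port like this one can be triaged; the sample text is the slide's own output, only the wrapper around it is constructed here. chkrootkit's verdicts are string and consistency checks built for a stock GNU userland, so on a port where the checked commands are busybox applets and the directory layout is rebuilt from symlinks, every INFECTED entry and LKM warning has to be confirmed by hand before being treated as a compromise; the parser separates what to confirm from what simply failed to run.

```python
import re

# Lines copied from the chkrootkit run shown on the slide; the surrounding
# structure is added here.
SAMPLE_OUTPUT = """\
[: gid: unknown operand
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `cron'... not infected
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... find: /var/tmp: No such file or directory
nothing found
Searching for anomalies in shell history files... nothing found
chkproc: Warning: Possible LKM Trojan installed
chkdirs: Warning: Possible LKM Trojan installed
Checking `sniffer'... ./chkrootkit: ./ifpromisc: not found
"""

# "Checking `name'... result" lines carry the per-binary verdicts.
CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. (?P<result>.*)$")
# "chkproc: Warning: ..." lines come from the LKM checks.
WARN_RE = re.compile(r"^(?P<tool>\w+): Warning: (?P<text>.*)$")


def parse_chkrootkit(text):
    """Split chkrootkit output into verdicts, warnings and checker errors."""
    report = {"infected": [], "clean": [], "missing": [], "warnings": [], "errors": []}
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            name, result = m.group("name"), m.group("result")
            if result == "INFECTED":
                report["infected"].append(name)
            elif result == "not infected":
                report["clean"].append(name)
            elif result == "not found":
                report["missing"].append(name)
            else:
                # the checker itself failed, e.g. a helper binary is missing
                report["errors"].append(f"{name}: {result}")
            continue
        m = WARN_RE.match(line)
        if m:
            report["warnings"].append(f"{m.group('tool')}: {m.group('text')}")
            continue
        if "No such file or directory" in line or "unknown operand" in line:
            report["errors"].append(line.strip())
    return report


def needs_triage(report):
    """True when the run produced anything that must be confirmed by hand."""
    return bool(report["infected"] or report["warnings"])


if __name__ == "__main__":
    for bucket, items in parse_chkrootkit(SAMPLE_OUTPUT).items():
        print(f"{bucket:9s} {len(items):2d}  {', '.join(items)}")
```

On the slide's output the parser yields three INFECTED verdicts, two LKM warnings and three checker errors; the errors matter because each one is a check that produced no verdict at all, which a plain grep for INFECTED would silently miss.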

  • 23/32

    Intrusion Detection: Snort

    Problems:
      Dependencies on libpcap, libdnet, libnet, pcre and iptables (all as statically compiled/linked solutions)
      Requires statically compiled/linked libc parts which are not available on Android

  • 24/32

    Other Useful Tools: Busybox, Bash, OpenSSH, strace, Nmap

    Busybox: works
    Bash: works
    OpenSSH: can be executed but is not fully functional (requires users that do not exist in the Android environment)
    strace: works
    Nmap: works with minor dependencies

  • 25/32

    TOC

    Motivation
    Android Security
    Adding Linux Security Tools to Android
    Enhancing Security with self-built IDS

  • 26/32

    Enhancing Security with a Self-built Intrusion Detection System

  • 27/32

    Detecting Intrusions and Malware: Overview

  • 28/32

    Detecting Intrusions and Malware: Static Function Call Approach

    Planned to present a metric for weighing the suspiciousness of function/system calls
      Solution is far easier on Android
    A simple decision tree can achieve a 95% detection rate
      Tested with Linux malware
      Some of them were recompiled for Android, but only minor differences
    Still has to be tested on a real device!

  • 29/32

    Detecting Intrusions and Malware: Static Function Decision Tree

    __bss_start = y
    |   gethostbyname = y
    |   |   sigaction = y: normal
    |   |   sigaction = n: malicious
    |   gethostbyname = n
    |   |   fork = y
    |   |   |   strerror = y
    |   |   |   |   getgrgid = y: malicious
    |   |   |   |   getgrgid = n: normal
    |   |   |   strerror = n: malicious
    |   |   fork = n: normal
    __bss_start = n
    |   printf = y: malicious
    |   printf = n
    |   |   fprintf = y: malicious
    |   |   fprintf = n
    |   |   |   execv = y: malicious
    |   |   |   execv = n
    |   |   |   |   memmove = y: malicious
    |   |   |   |   memmove = n
    |   |   |   |   |   perror = y: malicious
    |   |   |   |   |   perror = n: malicious

  • 30/32

    References

    [Bulygin07] Y. Bulygin, "Epidemics of mobile worms," in Proceedings of the 26th IEEE International Performance Computing and Communications Conference, IPCCC 2007, April 11-13, 2007, New Orleans, Louisiana, USA. IEEE Computer Society, 2007, pp. 475-478.

    [Oberheide08] J. Oberheide, E. Cooke, and F. Jahanian, "CloudAV: N-version antivirus in the network cloud," in Proceedings of the 17th USENIX Security Symposium (Security '08), San Jose, CA, July 2008.

    [Insec06] INSECURE.ORG, Top 100 network security tools, 2006. [Online]. Available: http://sectools.org/

  • 31/32

    Thank you for your patience!

  • 32/32

    Contact

    Dipl.-Inf. Aubrey-Derrick Schmidt, Researcher
      +49 (0) 30 / 314 74 039
      +49 (0) 30 / 314 74 003
      [email protected]

    Hans-Gunther Schmidt, Student Researcher
      +49 (0) 30 / 314 74 041
      +49 (0) 30 / 314 74 003
      [email protected]