Tizen Security
Transcript of Tizen Security
![Page 1: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/1.jpg)
TIZEN Security: Hacking the New Mobile OS
![Page 2: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/2.jpg)
05/03/2023 Intrepidus Group - Confidential
Mark Manning
• Sr. Security Consultant with Intrepidus Group
• Mobile:
– Android
– Windows Phone
– Brew
– iOS
– Blackberry
• BSidesROC, Rochester 2600, Interlock Rochester
![Page 3: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/3.jpg)
Jason Ross
• Sr. Security Consultant with Intrepidus Group
– Android
– Web apps
– Network
• Extra Curricular
– TOOOL.ROC, DC585, BSidesROC
– Security BSides*, Dragon Research Group
![Page 4: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/4.jpg)
What we are going to tell you
What Tizen is & Where it might be going
The Tizen security model
How to perform Tizen security assessments
Predictions for the future
![Page 5: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/5.jpg)
Tizen (/ˈtaɪzɛn/) is…
• An open source mobile operating system
– Started life as Samsung SLP (then Bada), & Intel MeeGo
– Governed by Linux Foundation
• Organized by a board of directors – The Tizen Association
• Supported by large companies
– Intel, Samsung, Fujitsu
• Based on W3C standards for its applications
– HTML5 APIs
– Touch Events
– Web Storage
– WARP
![Page 6: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/6.jpg)
Tizen wants to…
• Be the ubiquitous solution for “smart” consumer devices
• Release a high end device this year
• Grab a 15% market share of smartphones
• Replace Android as the most versatile operating system
• Be installed on:
– Smart TVs
– Cars
– Smart Phones
– Tablets
– Anything that is designed for high end user experience
![Page 7: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/7.jpg)
Tizen Family Tree
![Page 8: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/8.jpg)
Tizen History
• February 2010 – Nokia and Intel announce MeeGo
– Nokia drops out of MeeGo in favor of Windows Phone
• September 2011 – Intel suspends MeeGo & announces Tizen as its replacement
• January 2012 – Tizen source code and SDK released
• May 2013 – Tizen 2.1 released
• July 2013 – Tizen 2.2 released
• August 2013 – Tizen IVI 3.0 beta released
![Page 9: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/9.jpg)
Vapor Hardware
![Page 10: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/10.jpg)
Quick Comparison

| | Android | iOS | Firefox OS | Ubuntu | Tizen |
|---|---|---|---|---|---|
| Web App Support | None | None | Yes | Yes | Yes |
| Native App Support | Yes | Yes | No | Yes | Yes |
| Primary Application Isolation Mechanism | Linux UIDs | XNU / Seatbelt | B2G / Gecko | D-BUS / AppArmor | SMACK labels |
| IDE | Eclipse | Xcode | Good luck! | Ubuntu SDK | Eclipse |
| Application Signing Model | Developer | Distributor | Distributor | Developer | Distributor & Developer |
![Page 11: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/11.jpg)
Technical Steering Group
• In charge of development and working with OEMs (and advocacy)
• Consists of Samsung, Intel and now Huawei
• Coordinates development of the operating system
![Page 12: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/12.jpg)
Tizen Association
• Always represented by 12 companies
• Always changing
• Current members:
![Page 13: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/13.jpg)
HTML5 Scores
![Page 14: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/14.jpg)
APPLICATIONS
![Page 15: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/15.jpg)
Tizen Application Stack
![Page 16: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/16.jpg)
Types of Apps
• Web Applications:
– Written in HTML5
– JavaScript makes calls to Privileged APIs
– Supports libraries like jQuery Mobile
– Can be either “Packaged Web Apps” or “Hosted Web Apps”
• Native Applications
– C / C++
– Native APIs unrelated to web app APIs
– Focused on gaming
• Hybrid Applications
– Little bit of both
![Page 17: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/17.jpg)
WebRT
• WebRT is to Tizen what DalvikVM is to Android
• Execution of web applications
• Each application runs its own instance
• Access to device resources via JavaScript API
• Access control of web applications
![Page 18: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/18.jpg)
The Widget Stack
![Page 19: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/19.jpg)
Luckily WebKit is universally secure…
![Page 20: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/20.jpg)
WGT
• Web applications or widgets
• W3C standard way of packaging an HTML5 application
• Zip archive with .wgt extension
![Page 21: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/21.jpg)
Application Signing
• Each application is signed with 2 signatures
– W3C recommended way of handling widget signing
– As opposed to Android’s one
• Author signature
– From the author of the application; used to verify who created the app
• Distributor signature
– From the publisher or app store; verifies where the application was distributed from
![Page 22: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/22.jpg)
Privileged Device APIs
• Public:
– Any developer can access
– Example: Filesystem – access a location on the device
• Partner:
– Only those developers that have been verified and approved can access it
– Partners are given a special Partner CA to sign their applications
– Example: ApplicationManager – manage application certificates
• Platform:
– Reserved to OEMs and Tizen implementers
– System level access to a device
– Example: BluetoothAdapter
![Page 23: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/23.jpg)
config.xml File
• Similar to a manifest
• Declare Features: device capabilities
• Declare Privileges: API access required by the app
• Set policy: lets you set a “content security policy” for the application
– White list the sites it should be connecting to
– Based on W3C’s WARP
![Page 24: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/24.jpg)
config.xml Example
![Page 25: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/25.jpg)
Install Directory == Package Name
![Page 26: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/26.jpg)
Installation Directory Structure

```
APPID.AppName/
├── bin/
├── res/
│   └── wgt/
├── shared/
│   ├── data/
│   ├── res/
│   └── trusted/
└── tmp/
```
![Page 27: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/27.jpg)
![Page 28: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/28.jpg)
05/03/2023 Intrepidus Group - Confidential
Encryption Support
• Web apps support encryption of JavaScript, HTML, CSS, etc.
• Install-time encryption only
• Key configuration is located in /usr/share/secure-storage/config
– Usually points to /csa/.seckey
• Magic(key, wgt) = encryption
![Page 29: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/29.jpg)
SMACK
![Page 30: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/30.jpg)
SMACK - Introduction
• Linux Kernel Module
• Basis of the Tizen security sandbox model
• “Labels” are the metaphor
– Similar to how Android uses UIDs
• Tizen 2.1 has 41,000 SMACK rules
– Tizen 3 is looking to reduce these
![Page 31: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/31.jpg)
Smack - Control Mechanisms
• File control
– Extended attributes (xattrs) give filesystem objects a label
– The label corresponds to a SMACK rule
• IPC traffic
• Network traffic
– A CIPSO header is attached to each network packet
• Processes
– Can read /proc/self/attr/current to discover what SMACK labels they are running under
![Page 32: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/32.jpg)
SMACK - Definitions
• Subject
• Object
• Access
• Label
![Page 33: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/33.jpg)
SMACK - Access Rule Format
<subject-label> <object-label> <access-rule>
![Page 34: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/34.jpg)
SMACK - Access Rule Examples
```
contacts-service _ arwxt
com.Intrepidus.pwn * arwx-
org.tizen.setting miracast-server rwx--
```

Label assignments for an app and a file, followed by the rule that connects them:

```
/opt/usr/apps/3FRIz5CoAw.Test = testApp
/tmp/file.txt = myFile
testApp myFile r
```
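The rule format and the examples above, worked through as a small evaluator (an added example, not code from the talk): it parses rules in the `<subject-label> <object-label> <access-rule>` format plus the `path = label` assignments, and applies the kernel's built-in handling of the `_`, `*` and `^` labels before the loaded ruleset, as Smack does. The `-` placeholder characters are accepted and ignored, and the rule granting `com.Intrepidus.pwn` access to the `*` object turns out to be redundant, since any access to a `*` object is already permitted.

```python
"""SMACK access decisions for rule lines in the slides' format (added example,
not code from the talk). Built-in label semantics follow the Linux kernel's
Smack documentation; "path = label" lines stand in for the slide's xattr labels."""

# Smack access chars (read, write, execute, append, transmute, lock); "-" is a placeholder.
ACCESS_CHARS = frozenset("rwxatl")

# Constructed input modelled on the slide's examples.
RULESET = """
contacts-service _ arwxt
com.Intrepidus.pwn * arwx-
org.tizen.setting miracast-server rwx--
testApp myFile r
"""
LABELS = """
/opt/usr/apps/3FRIz5CoAw.Test = testApp
/tmp/file.txt = myFile
"""

def parse_access(spec):
    """'arwx-' -> {'a', 'r', 'w', 'x'}; rejects characters Smack would not load."""
    chars = set(spec) - {"-"}
    if chars - ACCESS_CHARS:
        raise ValueError(f"unknown access characters in {spec!r}")
    return chars

def parse_rules(text):
    """Map (subject-label, object-label) -> set of granted access characters."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {line!r}")
        subject, obj, spec = parts
        rules.setdefault((subject, obj), set()).update(parse_access(spec))
    return rules

def parse_labels(text):
    """Map filesystem path -> object label from 'path = label' lines."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {path.strip(): label.strip() for path, label in pairs}

def check(rules, subject, obj, access):
    """True if `subject` may perform one access character on object label `obj`.
    The kernel's built-in label rules are consulted before the loaded ruleset,
    which makes a rule granting access to a "*" object redundant."""
    if access not in ACCESS_CHARS:
        raise ValueError(f"bad access {access!r}")
    if subject == "*":                      # star as subject: always denied
        return False
    if subject == "^" and access in "rx":   # hat may read/execute anything
        return True
    if obj == "_" and access in "rx":       # floor is readable/executable by all
        return True
    if obj == "*":                          # star objects accept any access
        return True
    if subject == obj:                      # same label: full access
        return True
    return access in rules.get((subject, obj), set())

def check_path(rules, labels, subject, path, access):
    """Decide access to a labelled path, e.g. testApp reading /tmp/file.txt."""
    return check(rules, subject, labels[path], access)
```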
![Page 35: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/35.jpg)
SMACK – Access Request Process
(diagram: Application [Subject], Security Server, Smack Rulesets, Resource [Object])
![Page 36: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/36.jpg)
/DEV/RANDOM
![Page 37: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/37.jpg)
Content Security Framework
• McAfee contributed solution to a problem first noticed in Android
– How does an app get access to the system to perform effective scans?
• Provides API for anti-virus vendors
– Low-level hooks into the system to bypass usual application restrictions
![Page 38: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/38.jpg)
Tizen Push Service
• Functionally similar to GCM on Android
• Messages limited to text data of 1024 bytes
![Page 39: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/39.jpg)
ASLR
• “Fully implemented” in the Linux kernel, but some additional security measures are not currently implemented

| Security protection | Purpose |
|---|---|
| -fstack-protector-all | Adds canary-based buffer overflow checks on the stack and shuts the process down if the canary is corrupt |
| -D_FORTIFY_SOURCE=2 | Replaces unbounded string function calls with bounded ones where GCC can determine the buffer size |
| -fpic, -fpie | Position-independent code for libraries (-fpic) and executables (-fpie); protects against return-to-libc attacks |
| NX bit | No-eXecute bit |
![Page 40: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/40.jpg)
Weirdness
• Zypper is on the device
– Install all the things!
• OpenSSH: running by default on the device
• Root login is permitted
![Page 41: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/41.jpg)
PERFORMING ASSESSMENTS
![Page 42: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/42.jpg)
Attackers we are emulating
• A malicious application on the device
• A remote attacker that has hijacked another application’s backend
• Lost or stolen devices
Props to Katy Levinson/HackerDojo for this image
![Page 43: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/43.jpg)
Attack Vectors
• Malicious application store / third party store
– Helped out by the distributor signing model
• SMishing, phishing to install an application
• “Drive by” content (malicious ad networks)
– Helped by defining WARP access tags or setting the content-security-policy correctly
![Page 44: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/44.jpg)
Tools
• Tizen SDK – Eclipse IDE
• Web simulator
• Tizen Device Emulator
• SDB
![Page 45: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/45.jpg)
Tools - Tizen SDK IDE
• Eclipse based
• Comes with the Tizen device emulator
• And the web simulator
![Page 46: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/46.jpg)
Tools - Web Simulator
• Lets you run a WGT inside of Google Chrome
• App assessment tool
![Page 47: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/47.jpg)
Tools - Web Simulator Controls
• Allows you to manipulate the web simulator environment
• Contains functions to simulate device events
– Incoming calls / messages
– Push messages
– Orientation change
– GeoLocation
![Page 48: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/48.jpg)
Tools - Device Emulator
• Very similar to Android Emulator
• Create virtual devices and run them
• Devices are qemu VMs
– qcow format disk images
![Page 49: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/49.jpg)
Tools - Device Emulator Configuration
• Change skin
– Phone
– General Purpose
• Configure RAM
• Control hardware acceleration
![Page 50: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/50.jpg)
Tools - SDB
• Smart Development Bridge
• AKA:“It’s not ADB, we swear”
![Page 51: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/51.jpg)
Definitely not ADB…
![Page 52: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/52.jpg)
Using SDB + WRT to install apps
![Page 53: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/53.jpg)
Assessment Methodology
• Static Analysis
• File System Analysis
• Dynamic Analysis
• Network Analysis
![Page 54: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/54.jpg)
Static Analysis
• Improper permission requests
– Overprivileged applications are a greater threat
• Unprotected shared content
– SQLite databases
– Temporary files with 777 access
• Encryption used
– Custom encryption or built-in APIs?
– Static keys saved in the application
• Cross origin access restrictions
– Which domains are restricted
![Page 55: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/55.jpg)
File System Analysis
• Storing information on the SDCARD
• Unrestrictive file permissions
• Temporary files with 777 permissions
![Page 56: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/56.jpg)
Dynamic Analysis
• Sensitive file storage
• Overly permissive content sharing
– Inter-application messaging
– Shared SQLite database
– Sensitive temp files
![Page 57: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/57.jpg)
Network Analysis
• XSS means a privilege leakage
– Similar to an Android permission hijack but with JavaScript
• Cross origin attacks
– Can we evade the network restrictions?
• SQLi (client side and server)
– Parameterized queries are not used
• Handling untrusted server input
– Testing both the web server and the web client in this model
• Secure data transport
– SSL used throughout
![Page 58: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/58.jpg)
Network MiTM Setup
• Set up a proxy in the WiFi Settings
• IPTables configuration
• Add CA certificates to the trusted system store
![Page 59: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/59.jpg)
Trusted root certificate store
• Anything in /etc/ssl/certs that’s in PEM format and is named <8hexChars>.0 is considered a trusted cert
• So…

```
openssl x509 -in burpCA.der -inform DER -out burpCA.pem -outform PEM
sdb push burpCA.pem /tmp/
sdb shell
su
mv /tmp/burpCA.pem /etc/ssl/certs/ffffffff.0
```
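The hashed-name convention above, turned into a check an assessor or device owner can run against a trust store (an added example, not from the talk): it lists every `<8hexChars>.N` entry in a directory, confirms the file is PEM, and recomputes the OpenSSL subject hash so that a hand-placed anchor such as `ffffffff.0` stands out as a mismatch. The directory path is a parameter, the `openssl` CLI is assumed to be on PATH, and the fixture CA is constructed by the script itself.

```python
"""Audit an OpenSSL hashed-directory trust store such as Tizen's /etc/ssl/certs
(added example, not code from the talk). Entries are PEM files named
<8hexChars>.N, the hex being the certificate's OpenSSL subject hash; an entry
whose name does not match its own subject hash (for example a hand-copied
ffffffff.0) is flagged. Needs the openssl CLI on PATH; the directory is a
parameter."""
import os
import re
import subprocess
import tempfile

HASHED_NAME = re.compile(r"^([0-9a-f]{8})\.\d+$")

def subject_hash(path):
    """Return OpenSSL's subject hash (8 hex chars) for a PEM certificate."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-subject_hash"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def audit_cert_dir(directory):
    """Return [(filename, status)] for every hash-named entry; status is
    "ok", "not-pem" or "mismatch:<hash the file should have been named>"."""
    findings = []
    for name in sorted(os.listdir(directory)):
        match = HASHED_NAME.match(name)
        if not match:
            continue                      # the store ignores other names
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            if b"-----BEGIN CERTIFICATE-----" not in fh.read():
                findings.append((name, "not-pem"))   # DER here is mis-installed
                continue
        actual = subject_hash(path)
        findings.append((name, "ok" if actual == match.group(1) else f"mismatch:{actual}"))
    return findings

def make_demo_dir():
    """Constructed fixture: a throwaway CA stored under its proper hash name and
    again under the shortcut name ffffffff.0 used on the slide."""
    d = tempfile.mkdtemp()
    ca, key = os.path.join(d, "ca.pem"), os.path.join(d, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=Demo Test CA", "-keyout", key,
                    "-out", ca], capture_output=True, check=True)
    with open(ca, "rb") as src:
        pem = src.read()
    for name in (subject_hash(ca) + ".0", "ffffffff.0"):
        with open(os.path.join(d, name), "wb") as dst:
            dst.write(pem)
    os.remove(ca)
    os.remove(key)
    return d

if __name__ == "__main__":
    for name, status in audit_cert_dir(make_demo_dir()):
        print(f"{status:<18} {name}")
```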
![Page 60: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/60.jpg)
Verification of Certificates
• Use the certificate viewer to verify the certificate was “installed” correctly.
![Page 61: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/61.jpg)
Review
• Applications
– HTML5 / WebRT / WebKit
– Privileged APIs
• SMACK
– Subject / Object / Labels
– 41K rules
• Assessments
– IDE / SDK / Emulator / Simulator
– Network MiTM
![Page 62: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/62.jpg)
Predictions
• A Tizen phone will be released next year & adoption will be slow
– It will be rooted within the first week
• Smart devices like cars, TVs, and refrigerators will be pushed by Samsung
• A WebKit exploit affecting Tizen will break their security model
– This will cause devastating results to the platform, unlike any other mobile vulnerability
• Tizen will be adopted faster in non-American countries as a low cost, feature rich alternative to Android
![Page 63: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/63.jpg)
Questions
![Page 64: Tizen Security](https://reader036.fdocuments.in/reader036/viewer/2022081511/58873d911a28abc0748b7181/html5/thumbnails/64.jpg)
Contact
• http://intrepidusgroup.com/insight