Slide 1: Enhancing Security of Linuxbased Android Devices
AubreyDerrick Schmidt, HansGunther Schmidt, Jan Clausen, Kamer Ali Yüksel, Osman Kiraz, Ahmet Camtepe, and Sahin Albayrak
This work was funded by Deutsche Telekom Laboratories
Slide 2: www.DAILabor.de
Research Institute with ~100 employees Six core departments:
Agent Core Technologies Next Generation Services Information Retrieval Cognitive Architectures Education Security
07.11.2007 CC SEC Folie 2
Slide 3: DAILabor Security Department
Works on:
Smartphone Security Agent Security Network Security Simulation Critical Infrastructures PKI / Cryptography Next Generation Homes Security
07.11.2007
CC SEC
Folie 3
Slide 4: TOC
Motivation Android Security Adding Linux Security Tools to Android Enhancing Security with selfbuilt IDS
07.11.2007
CC SEC
Folie 4
Slide 5: Motivation
Smartphones getting increasingly popular Various smartphone malwares appeared Signaturebased approaches only efficient for “known” malware AntiVirus engines need avg. time of 48 days to get capable of detecting new malware [Oberheide08] More than 700,000 can be infected via MMS in about three hours [Bulygin07]
07.11.2007
CC SEC
Folie 5
Slide 6: Motivation
Android already very popular (Java on Linux) Android sources will be set opensource
Opportunity to develop lowlevel security tools for commonly used smartphones the first time
Linux security research is mature
A lot lessons learned A lot of open source tools available
07.11.2007 CC SEC Folie 6
Slide 7: TOC
Motivation Android Security Adding Linux Security Tools to Android Enhancing Security with selfbuilt IDS
07.11.2007
CC SEC
Folie 7
Slide 8: Android Security
Images on emulator
System Image (YAFFS2, 65 MB / 21 MB free) Mounted to /system OS files, libraries, drivers, system bins Android config files Android framework Android base applications (e.g. Browser) +R(W)X
07.11.2007 CC SEC Folie 8
Slide 9: Android Security
Images on emulator
Userdata Image (YAFFS2, 65 MB / 40 MB free)
Mounted to /data Used for applications, user data, DRM, ... +RWX
Cache Image (YAFFS2, usage not specified yet) SDCard Image (no “obvious” size limitations)
Mounted to /sdcard Files created as user and group “system” +RW
07.11.2007 CC SEC Folie 9
Slide 10: Android Security
Applications are “locationaware”
Can only be executed in /data or /system Any changes on file permissions succeed there Changes in e.g. /sdcard do not succeed (e.g. set execute bit) Most probably, (Linux) applications cannot be started via SDCard
07.11.2007
CC SEC
Folie 10
Slide 11: Android Security
(Java) Application signing is required
Linux state not clear developer signs his application with own certificate at the moment System might change to something similar to Symbian OS
Central authority for assigning certificates Limited access to APIs Each, Goole and TMobile announced application store (might include application testing and verification)
07.11.2007 CC SEC Folie 11
Slide 12: Android Security
File rights:
/data/data/<package.application_name> “application land”
drwxr-xr-x app_14 app_14 2008-09-17 14:26 com.android.sample
Application can access other application directories signed with identical certificates
“Certification land”
07.11.2007
CC SEC
Folie 12
Slide 13: TOC
Motivation Android Security Adding Linux Security Tools to Android Enhancing Security with selfbuilt IDS
07.11.2007
CC SEC
Folie 13
Slide 14: Adding Linux Security Tools to Android General Information Emulator is used as basis OHA/Google modified a lot of standard libraries and binaries Reason: opportunity for business costumers to claim “intellectual property” Application space is limited (~40 MB) Common security tools were tested But: special build environment needed
07.11.2007
CC SEC
Folie 14
Slide 15: Creating a Build Environment for Android
Ubuntu 8.04 Two toolkits can be used
Sourcery crosscompile toolchain Scratchbox crosscompilation toolkit
Emulated ARM environment “Common” Linux file system layout
07.11.2007
CC SEC
Folie 15
Slide 16: Creating a Build Environment for Android Important Facts Files are located in:
System files are placed in /system Binaries in /system/bin Libraries in /system/lib Config files in /system/etc
System configuration in OpenBinder Page alignment causes changes in linking Only way to get available applications run is compiling them statically
07.11.2007 CC SEC Folie 16
Slide 17: Adding Tools
“Top 100 Network Security Tools” [Insec06] Tested from 5 main categories:
AntiVirus: ClamAV Firewall: iptables Rootkit Detectors: chkrootkit Intrusion Detection: Snort Other useful tools: Busybox, Bash, OpenSSH, strace, Nmap
07.11.2007 CC SEC Folie 17
Slide 18: AntiVirus: ClamAV
Android Compatibility: Works Problems, solutions, and size: Static compilation (linking) required Dependent on static compiled version of "zlib" (zlib1.2.3) Total size of all ClamAV relevant files (approx. 28MB) exceeds available size in System image (21MB). ClamAV virus signature database needs to be placed in a different location. Size (approx.): 11140 KB libraries and binaries (/opt), 17324 KB database (/data)
07.11.2007 CC SEC Folie 18
Slide 19: AntiVirus: ClamAV Results
----------- SCAN SUMMARY ----------Known viruses: 407205 Engine version: 0.94 Scanned directories: 0 Scanned files: 106 Infected files: 0 Data scanned: 5.12 MB Time: 107.236 sec (1 m 47 s) #
07.11.2007
CC SEC
Folie 19
Slide 20: Firewall: iptables
Problems:
Kernel needs to be recompiled from source. Sources can be freely downloaded from Android Project website. Enable NETFILTER in kernel configuration and recompile! “iptables” cannot be compiled due to linker issues: It requires statically compiled parts of libc which Android does not provide.
07.11.2007
CC SEC
Folie 20
Slide 21: Rootkit Detector: Chkrootkit
Android Compatibility: Works with minor dependencies Problems, solutions, and size:
Static compilation (linking) required Requires "netstat" (provided by "busybox") Requires standard directories (/lib, /etc, etc.) provided by symbolic links pointing to the correct Android directories Size (approx.): 588 KB
07.11.2007 CC SEC Folie 21
Slide 22: Rootkit Detector: Chkrootkit Results
# ./chkrootkit [: gid: unknown operand ROOTDIR is `/' Checking `amd'... not found Checking `basename'... INFECTED Checking `biff'... not found Checking `cron'... not infected Checking `echo'... INFECTED Checking `egrep'... not infected Checking `env'... INFECTED Checking `find'... not infected Searching for common ssh-scanners default files... nothing found Searching for suspect PHP files... find: /var/tmp: No such file or directory nothing found Searching for anomalies in shell history files... nothing found chkproc: Warning: Possible LKM Trojan installed chkdirs: Warning: Possible LKM Trojan installed Checking `sniffer'... ./chkrootkit: ./ifpromisc: not found
07.11.2007
CC SEC
Folie 22
Slide 23: Intrusion Detection: Snort
Problems:
Dependencies to libpcap, libdnet, libnet, pcre and iptables (all as statically compiled/linked solutions) Requires statically compiled/linked libc parts which are not available on Android
07.11.2007
CC SEC
Folie 23
Slide 24: Other Useful Tools: Busybox, Bash, OpenSSH, strace, Nmap
Busybox: works Bash: works OpenSSH: Can be executed but is not fully functional (requires users that do not exist in the android environment) strace: works Nmap: works with minor dependencies
07.11.2007 CC SEC Folie 24
Slide 25: TOC
Motivation Android Security Adding Linux Security Tools to Android Enhancing Security with selfbuilt IDS
07.11.2007
CC SEC
Folie 25
Slide 26: Enhancing Security with a Selfbuilt Intrusion Detection System
07.11.2007
CC SEC
Folie 26
Slide 27: Detecting Intrusions and Malware Overview
07.11.2007
CC SEC
Folie 27
Slide 28: Detecting Intrusions and Malware Static Function Call Approach
Planned to present metric for weighing suspiciousness of function/system calls Solution far more easier on Android Simple decision tree can achieve 95% detection rate
Tested with Linux malware
Some of them were recompiled for Android, but only minor differences
Still has to be tested on real device!
07.11.2007 CC SEC Folie 28
Slide 29: Detecting Intrusions and Malware Static Function Decision Tree
__bss_start = y | gethostbyname = y | | sigaction = y: normal | | sigaction = n: malicious | gethostbyname = n | | fork = y | | | strerror = y | | | | getgrgid = y: malicious | | | | getgrgid = n: normal | | | strerror = n: malicious | | fork = n: normal
... continued __bss_start = n | printf = y: malicious | printf = n | | fprintf = y: malicious | | fprintf = n | | | execv = y: malicious | | | execv = n | | | | memmove = y: malicious | | | | memmove = n | | | | | perror = y: malicious | | | | | perror = n: malicious
CC SEC Folie 29
continued on the right side
07.11.2007
Slide 30: Summary
Android Security How to enhance security
Add Linux security tools Light weight IDS
07.11.2007
CC SEC
Folie 30
Slide 31: References
[Bulygin07] Y. Bulygin, “Epidemics of mobile worms,” in Proceedings of the 26th IEEE International Performance Computing and Communications Conference, IPCCC 2007, April 1113, 2007, New Orleans, Louisiana, USA. IEEE Computer Society, 2007, pp. 475–478. [Oberheide08] J. Oberheide, E. Cooke, and F. Jahanian, “Cloudav: Nversion antivirus in the network cloud,” in Proceedings of the 17th USENIX Security Symposium (Security’08), San Jose, CA, July 2008. [Insec06] INSECURE.ORG, “Top 100 network security tools,” 2006. [Online]. Available: http://sectools.org/
07.11.2007
CC SEC
Folie 31
Slide 32: Thank you for your patience! Q&A
07.11.2007
CC SEC
Folie 32
Slide 33: Contact
Dipl.Inf. AubreyDerrick Schmidt
Researcher
+49 (0) 30 / 314 – 74 039 +49 (0) 30 / 314 – 74 003
HansGunther Schmidt
Student Researcher
+49 (0) 30 / 314 – 74 041 +49 (0) 30 / 314 – 74 003
aubrey.schmidt@dailabor.de
hansgunther.schmidt@dailabor.de
07.11.2007
CC SEC
Folie 33
![[Finance]File For Bankruptcy Online[1167]](http://d2hm5emlmiiqke.cloudfront.net/p/3LH6j7NppJA/thumbs/thumb120.jpg)
