By Jake Edge
February 28, 2013
In a two-hour session at the 2013 Android Builders Summit,
Marko Gargenta described the "underpinnings" of Android security. It was a
wide-ranging talk that filled in many details of the Android
security model and its implementation.
There are multiple layers in the Android stack, Gargenta said, showing a slide [JavaScript] of
the Android architecture. He broke the stack up into four layers:
kernel, native code, API, and apps. Each of those has its own security
concerns, he said.
Apps
In the Android security architecture, apps cannot directly interact with each
other, nor
with any of the other processes on the system. Those other processes come
about as
the Android system is initialized. After the kernel boots, init
launches a
few daemons
needed by the rest of the system (vold, netd, installd), then starts the
servicemanager. In turn, the servicemanager launches zygote, which is the
"initial app" and the root of the app tree. All of those processes run as
the root user, but anything started after that (including the
system_server
and any apps) run under its own user ID (UID).
Each app runs in its own process, and by default is not allowed do anything to
adversely affect any other app, the system, or the user. That separation
is enforced by the kernel's normal user permissions. On top of that,
Android adds a fine-grained permission system that allows users to grant
specific privileges to apps, but the apps must declare the privileges they
want ahead of time.
Apps can explicitly share resources and data with other apps via the binder
inter-process
communication (IPC) mechanism, ContentProviders,
Intents,
the filesystem,
local sockets, and so on. That sharing is outside of the scope of the
Android security model. All apps are treated equally by the system, with
the same level of application sandboxing.
The sole enforcement mechanism for the application sandbox is the Linux
kernel. The Dalvik virtual machine (VM) does not provide a security
boundary (unlike the Java VM). Each app has its own Dalvik VM as well as
all the Android resources (activities, services, receivers, providers,
etc.) in its process space.
Apps are stored in a .apk files, which must be signed. The
signature is meant to uniquely identify the owner of the app, but that
doesn't necessarily translate to a real life entity. It is, instead,
used to create a trust relationship between apps. The signature is also
used to verify that the contents of .apk file have been correctly
signed with the owner's key and have not been corrupted.
App signing uses public-key cryptography as defined by the Java JAR
specification. Most developers will already
have a key that was created by Eclipse and lives in
.android/debug.keystore. The keytool utility should
be used to create a more permanent keystore. No third party
certificate authority (CA) is needed for signing the keys as they can be
self-signed. Google Play store policy for apps requires a key that is valid
until at least October 2033, but
keys should be valid for 25 years or more, Gargenta said.
Once an app is signed, it is "zipped" into a archive file, which is essentially
what an .apk is. Each file in the zip archive is individually
signed, and those signatures are stored in a file in the META-INF
directory. The .apk contains the classes, resources, and the
manifest, along with META-INF. One can use jarsigner to
sign the files, and keytool to verify keys and signatures.
The platform itself has four different keys, which are often overlooked by
people creating their own ROM. There is a "platform" key used to sign the
core frameworks, a "shared" key for ContentProviders, a "media" key for the
media frameworks and applications (e.g. Gallery, DrmProvider), and a
"testkey" for everything else. Those can be created using
keytool. Shipping a ROM with the default keys is a big mistake,
Gargenta said, because anyone can create an update.zip firmware
update file to
replace any part of the system they want.
Users
Android doesn't use Linux users (and UIDs) in the usual way. There are
"virtual users" that correspond to each app. When installed, an app gets a
UID (and
identical group ID)
assigned to it. Up until Ice Cream Sandwich (ICS, Android 4.0), the UIDs
were assigned starting at 10,001 and given names like app_N,
where N is the offset from 10,000. After ICS, the mapping took
multiple human users into account, so the names became uM_aN, where
M corresponds to the human user, and uses a different formula
(100,000 * user + appnum, so u10_a3 becomes 101,003 1,010,003).
There is no passwd file on an Android system, but the mapping
from app to UID can be found in the /system/packages.list file.
That file lists the app name, UID, and the location of the app's private data
storage in the filesystem. When an app is first downloaded, it is put into
a quarantine space and examined by installd; if the signature
check passes, a UID/GID is assigned and the app is installed. It is possible
to have multiple apps (all signed with the same key) running under the same
UID, but they are really
considered by the system to be part of the same app.
Files
Android has a few separate filesystems. The /system filesystem is
"essentially the ROM", Gargenta said. It is mounted read-only and contains
the Android OS, system libraries and apps, system executables, and so on.
The application developer and user have no access to that filesystem
(unless the device is rooted), and it contains no user data, so it doesn't
need to be backed up or encrypted.
The /data partition is mounted read-write and contains all of the
downloaded apps and the storage for all apps (including the system apps).
The /data/data directory is the location where apps store their
data. A
a subdirectory named after the app is created that is owned by its UID/GID
and has
permissions that does not allow access from other UIDs. This is how the storage sandbox is
handled. There is a lib directory in the app's storage, which holds
the native libraries that the app needs. That directory is
added to the LD_LIBRARY_PATH of apps before they are started.
The init process mounts the filesystems and sets the permissions
for the files in those filesystems, which can be seen in the
init.rc file. It ensures that
/system is mounted read-only as it may have previously been
mounted read-write for an over-the-air (OTA) update.
In Android 4.2 ("Jelly Bean"), support for multiple human users was added
for uses like tablets that are shared by multiple family members. The
number of supported users is set in a configuration file; for phones the
value is 1, but tablets it is often set to 8. When there are multiple users,
apps can be installed for one or more of them. In that case, the data is
not shared—instead, each user gets their own copy of the app's data
directory, but the code and libraries are shared (the latter using a
symbolic link from the lib directory).
Permissions
Permissions are at the heart of the app security model for Android. One
can see the list of all permissions in the system using the
"pm list permissions" command in the adb shell.
Also, the "run-as" command can be used to test permissions as
granted to
specific apps. That is useful for debugging and testing, Gargenta said.
Some permissions are better than others, at least in terms of being
featured in the Google Play store, he said. He listed the Top Ten Bad
Permissions. These are permissions that, if requested by an app, make
it less likely to be featured in the store. For the most part, these are
somewhat dangerous permissions that are a
red flag that the application is asking for more than it needs—or
more than it should need.
For example, the SEND_SMS and RECEIVE_SMS permissions
(for sending and receiving text messages) were at the top of the list.
Unless the app is an SMS program, it shouldn't be using those. Instead, it
should start an SMS composer activity, which will activate an existing SMS
app to handle the message. Similarly, using an intent for
ACTION_IMAGE_CAPTURE will bring up the camera to allow the user to
take a picture and return the result. That avoids requiring the
CAMERA permission. He had suggestions for several other
permissions as well.
Permissions in Android map to groups (i.e. GIDs). If a particular app is
granted a permission, it is added to the group. For example, Android's
"paranoid networking" works by checking if the user is in the
"inet" group; if so, it allows network access, otherwise not.
The permissions for files and devices are set by the init process
Gargenta also briefly looked at some other Android security topics,
including encryption, malware, and device administration for companies that
are issuing phones to their employees (or allowing those employees to use
their own). Those topics were something of an aside to the deep dive into
Android security. Overall, there was a lot to digest in a fairly short
period of time, as Gargenta's slides would
suggest. A longer time slot might have been harder to allocate for a
two-day conference like ABS, but there was certainly material enough to
fill it.
[ Thanks to the Linux Foundation for assisting with travel costs to San Francisco for ABS. ]
Comments (6 posted)
Brief items
A possible outcome is that the distributions who care about signed modules will all just carry this patchset anyway, and the ones who don't won't. That's probably going to be interpreted by many as giving too much responsibility to Microsoft, but it's worth emphasising that these patches change nothing in that respect - if your firmware trusts Microsoft, you already trust Microsoft. If your firmware doesn't trust Microsoft, these patches will not cause your kernel to trust Microsoft. If you've set up your own chain of trust instead, anything signed by Microsoft will be rejected.
What's next? It wouldn't surprise me too much if nothing happens until someone demonstrates how to use a signed Linux system to attack Windows. Microsoft's response to that will probably determine whether anyone ends up caring.
--
Matthew Garrett on
third-party keys in a secure boot world
First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything.
Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems could work for a larger group would be through a pyramid-like mechanism, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.
And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good.
--
Bruce
Schneier considers the possibility of hacking the election of a new pope
It's very hard to use cryptography effectively if you assume an APT
[advanced persistent threat] is
watching everything on a system. We need to think about security in a
post-cryptography world.
--
Adi
Shamir, the "S" in RSA
Comments (9 posted)
Over the weekend, the networking tree accepted
a fix for an out-of-bounds access error that
appears to be exploitable by an unprivileged local user to gain root
access. Even worse, there are
indications
that this bug (which affects kernels from 3.3 onward) has been known about
since mid-2012; exploits exist in the wild. No distributor updates exist
as of this writing; presumably they will not be long in coming.
[Update February 27: Distributions have started putting out updates for the vulnerability.]
Comments (68 posted)
New vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2012-3499
CVE-2012-4558
|
| Created: | February 26, 2013 |
Updated: | April 5, 2013 |
| Description: |
From the Mandriva advisory:
Various XSS (cross-site scripting vulnerability) flaws due to unescaped
hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap,
mod_ldap, and mod_proxy_ftp (CVE-2012-3499).
XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager
interface (CVE-2012-4558). |
| Alerts: |
|
Comments (none posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2012-5689
|
| Created: | February 22, 2013 |
Updated: | March 11, 2013 |
| Description: |
From the CVE entry:
ISC BIND 9.8.x through 9.8.4-P1 and 9.9.x through 9.9.2-P1, in certain configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for an AAAA record. |
| Alerts: |
|
Comments (none posted)
django: multiple vulnerabilities
| Package(s): | python-django |
CVE #(s): | CVE-2013-0305
CVE-2013-0306
|
| Created: | February 27, 2013 |
Updated: | March 22, 2013 |
| Description: |
From the Debian advisory:
CVE-2013-0305:
Orange Tsai discovered that the bundled administrative interface
of django could expose supposedly-hidden information via its history
log.
CVE-2013-0306:
Mozilla discovered that an attacker can abuse django's tracking of
the number of forms in a formset to cause a denial-of-service attack
due to extreme memory consumption. |
| Alerts: |
|
Comments (none posted)
dovecot: restriction bypass/directory traversal
| Package(s): | dovecot |
CVE #(s): | CVE-2011-2166
CVE-2011-2167
|
| Created: | February 21, 2013 |
Updated: | February 27, 2013 |
| Description: |
From the CVE entries:
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. (CVE-2011-2166)
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. (CVE-2011-2167)
|
| Alerts: |
|
Comments (none posted)
evolution: information disclosure
| Package(s): | evolution |
CVE #(s): | CVE-2011-3201
|
| Created: | February 21, 2013 |
Updated: | March 11, 2013 |
| Description: |
From the Red Hat advisory:
The way Evolution handled mailto URLs allowed any file to be attached to
the new message. This could lead to information disclosure if the user did
not notice the attached file before sending the message. With this update,
mailto URLs cannot be used to attach certain files, such as hidden files or
files in hidden directories, files in the /etc/ directory, or files
specified using a path containing "..". |
| Alerts: |
|
Comments (none posted)
fusionforge: multiple privilege escalation flaws
| Package(s): | fusionforge |
CVE #(s): | CVE-2013-1423
|
| Created: | February 27, 2013 |
Updated: | February 27, 2013 |
| Description: |
From the Debian advisory:
Helmut Grohne discovered multiple privilege escalation flaws in FusionForge, a
web-based project-management and collaboration software. Most of the
vulnerabilities are related to the bad handling of privileged operations on
user-controlled files or directories. |
| Alerts: |
|
Comments (none posted)
hplip: insecure temp files
| Package(s): | hplip |
CVE #(s): | CVE-2013-0200
|
| Created: | February 21, 2013 |
Updated: | February 28, 2013 |
| Description: |
From the Red Hat advisory:
Tim Waugh of Red Hat discovered temporary file handling flaws in HPLIP. A local attacker could use these flaws to perform a symbolic link attack, overwriting arbitrary files accessible to a process using HPLIP. |
| Alerts: |
|
Comments (none posted)
java: unspecified vulnerability
| Package(s): | java |
CVE #(s): | CVE-2013-1487
|
| Created: | February 21, 2013 |
Updated: | February 27, 2013 |
| Description: |
From the CVE entry:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE 7 Update 13 and earlier and 6 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2012-4542
CVE-2013-0309
CVE-2013-0310
CVE-2013-0311
|
| Created: | February 21, 2013 |
Updated: | March 15, 2013 |
| Description: |
From the Red Hat advisory:
It was found that the default SCSI command filter does not accommodate
commands that overlap across device classes. A privileged guest user could
potentially use this flaw to write arbitrary data to a LUN that is
passed-through as read-only. (CVE-2012-4542)
A flaw was found in the way pmd_present() interacted with PROT_NONE
memory ranges when transparent hugepages were in use. A local, unprivileged
user could use this flaw to crash the system. (CVE-2013-0309)
A flaw was found in the way CIPSO (Common IP Security Option) IP options
were validated when set from user mode. A local user able to set CIPSO IP
options on the socket could use this flaw to crash the system.
(CVE-2013-0310)
A flaw was found in the way the vhost kernel module handled descriptors
that spanned multiple regions. A privileged guest user in a KVM guest could
use this flaw to crash the host or, potentially, escalate their privileges
on the host. (CVE-2013-0311)
|
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2013-0228
CVE-2013-0313
CVE-2013-0871
|
| Created: | February 22, 2013 |
Updated: | April 3, 2013 |
| Description: |
From the Mageia advisory:
Linux kernel when returning from an iret assumes that %ds segment is
safe and uses it to reference various per-cpu related fields. Unfortunately
the user can modify the LDT and provide a NULL one. Whenever an iret is
called we end up in xen_iret and try to use the %ds segment and cause an
general protection fault.
Malicious or buggy unprivileged user space can cause the guest kernel to
crash, or permit a privilege escalation within the guest, or operate
erroneously. (CVE-2013-0228)
Linux kernel built with Extended Verification Module(EVM) and configured
properly, is vulnerable to a NULL pointer de-reference flaw, caused by
accessing extended attribute routines of sockfs inode object.
An unprivileged user/program could use this to crash the kernel,
resulting in DoS. (CVE-2013-0313)
A race condition in ptrace can lead to kernel stack corruption and
arbitrary kernel-mode code execution. (CVE-2013-0871)
|
| Alerts: |
|
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel |
CVE #(s): | CVE-2013-1763
|
| Created: | February 26, 2013 |
Updated: | March 22, 2013 |
| Description: |
Mathias Krause discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator. This patch fixes the problem. |
| Alerts: |
|
Comments (none posted)
keystone: multiple vulnerabilities
| Package(s): | keystone |
CVE #(s): | CVE-2013-0282
CVE-2013-1664
CVE-2013-1665
|
| Created: | February 21, 2013 |
Updated: | March 22, 2013 |
| Description: |
From the Ubuntu advisory:
Nathanael Burton discovered that Keystone did not properly verify disabled
users. An authenticated but disabled user would continue to have access
rights that were removed. (CVE-2013-0282)
Jonathan Murray discovered that Keystone would allow XML entity processing.
A remote unauthenticated attacker could exploit this to cause a denial of
service via resource exhaustion. Authenticated users could also use this to
view arbitrary files on the Keystone server. (CVE-2013-1664, CVE-2013-1665) |
| Alerts: |
|
Comments (none posted)
mozilla: distinguishing and plaintext-recovery attacks
| Package(s): | firefox thunderbird nss |
CVE #(s): | CVE-2013-1620
|
| Created: | February 22, 2013 |
Updated: | April 5, 2013 |
| Description: |
From the CVE entry:
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. |
| Alerts: |
|
Comments (none posted)
openssh: code execution
| Package(s): | openssh |
CVE #(s): | CVE-2012-5536
|
| Created: | February 21, 2013 |
Updated: | March 11, 2013 |
| Description: |
From the Red Hat advisory:
Due to the way the pam_ssh_agent_auth PAM module was built in Red Hat
Enterprise Linux 6, the glibc's error() function was called rather than the
intended error() function in pam_ssh_agent_auth to report errors. As these
two functions expect different arguments, it was possible for an attacker
to cause an application using pam_ssh_agent_auth to crash, disclose
portions of its memory or, potentially, execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
openssl: denial of service
| Package(s): | openssl |
CVE #(s): | CVE-2012-2686
|
| Created: | February 21, 2013 |
Updated: | February 27, 2013 |
| Description: |
From the Ubuntu advisory:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. |
| Alerts: |
|
Comments (none posted)
pigz: information disclosure
| Package(s): | pigz |
CVE #(s): | CVE-2013-0296
|
| Created: | February 26, 2013 |
Updated: | March 27, 2013 |
| Description: |
From the Red Hat bugzilla:
A security flaw was found in the way pigz, a parallel implementation of gzip, created temporary files to (temporary) store / represent 'to be compressed archive content' (the files were created with world readable permissions). A local attacker could use this flaw to obtain sensitive information (archive content). |
| Alerts: |
|
Comments (none posted)
pixman: stack-based buffer overflow
| Package(s): | pixman |
CVE #(s): | CVE-2013-1591
|
| Created: | February 27, 2013 |
Updated: | March 28, 2013 |
| Description: |
From the Red Hat bugzilla:
Stack-based buffer overflow in libpixman, as used in Pale Moon before 15.4, has unspecified impact and attack vectors.
The upstream commit to correct this flaw:
http://cgit.freedesktop.org/pixman/commit...
The affected code (pixman/pixman-inlines.h, fast_composite_scaled_bilinear()) is present in the version of pixmap shipped with Fedora 17 (0.24.4), but is not present in Red Hat Enterprise Linux 5 or 6 (the fast_composite_scaled_bilinear() function is in pixman/pixman-fast-path.h, but the vulnerable code is not there and I don't detect anything comparable). So it's likely that the vulnerable code was introduced after 0.22.0. |
| Alerts: |
|
Comments (none posted)
rails: multiple vulnerabilities
| Package(s): | RubyOnRails |
CVE #(s): | CVE-2013-0262
CVE-2013-0263
|
| Created: | February 25, 2013 |
Updated: | March 15, 2013 |
| Description: |
From the CVE entries:
rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." (CVE-2013-0262)
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving am HMAC comparison function that does not run in constant time. (CVE-2013-0263)
|
| Alerts: |
|
Comments (none posted)
rdma: multiple vulnerabilities
| Package(s): | RDMA |
CVE #(s): | CVE-2012-4517
CVE-2012-4518
|
| Created: | February 21, 2013 |
Updated: | March 11, 2013 |
| Description: |
From the Red Hat advisory:
A denial of service flaw was found in the way ibacm managed reference
counts for multicast connections. An attacker could send specially-crafted
multicast packets that would cause the ibacm daemon to crash.
(CVE-2012-4517)
It was found that the ibacm daemon created some files with world-writable
permissions. A local attacker could use this flaw to overwrite the
contents of the ibacm.log or ibacm.port file, allowing them to mask
certain actions from the log or cause ibacm to run on a non-default port.
(CVE-2012-4518) |
| Alerts: |
|
Comments (none posted)
ruby: denial of service
| Package(s): | ruby1.9.1 |
CVE #(s): | CVE-2013-0269
|
| Created: | February 21, 2013 |
Updated: | April 4, 2013 |
| Description: |
From the CVE entry:
The JSON gem 1.7.x before 1.7.7, 1.6.x before 1.6.8, and 1.5.x before 1.5.5 allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability." |
| Alerts: |
|
Comments (none posted)
transmission: code execution
| Package(s): | transmission |
CVE #(s): | CVE-2012-6129
|
| Created: | February 25, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Ubuntu advisory:
It was discovered that Transmission incorrectly handled certain micro
transport protocol packets. A remote attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code.
|
| Alerts: |
|
Comments (none posted)
util-linux-ng: information disclosure
| Package(s): | util-linux-ng |
CVE #(s): | CVE-2013-0157
|
| Created: | February 21, 2013 |
Updated: | March 11, 2013 |
| Description: |
From the Red Hat advisory:
An information disclosure flaw was found in the way the mount command
reported errors. A local attacker could use this flaw to determine the
existence of files and directories they do not have access to. |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
