Security
SELinux on Android
One of the more surprising bits from this year's Linux Security Summit (LSS) was the progress that has been made with SELinux on Android. The project has been around for some time now and has made some impressive strides over the years. SELinux developer Stephen Smalley presented the current status of the Security Enhancements for Android (SE Android) project, along with what is coming in the next Android release.
Smalley works for the US National Security Agency (NSA), though not, he was quick to point out, for its signals intelligence (i.e. communication-gathering) branch. The job of his part of the NSA is to find ways to protect information held by the government. SELinux was originally developed by the NSA for just that purpose; extending it to work on phones is another piece of the puzzle.
At around the time of the 2013 LSS in September, the Samsung Galaxy S4 phone was shipping with SELinux and the official Android 4.3 ("Jelly Bean") included it, though both were in permissive mode, he said. That was a "baby step", but after that, 4.3 updates to the S4 and other Samsung devices put SELinux into enforcing mode, as did the Android 4.4 ("KitKat") release.
Smalley's presentation looked at the Android Trusted Computing Base (TCB) and how SELinux and other techniques are being used to protect it. All of that work has been done in public by the NSA, Google, and others—in the Android Open Source Project (AOSP) master branch. He said that he would start with what was in Android 4.4, before moving on to what is expected in the upcoming Android "L" release.
Android TCB
The Android TCB consists of the totality of the hardware and software that makes up the system. For the purposes of his talk, though, Smalley said that he would just be looking at the full Android software stack. The Linux kernel is the base of the Android TCB, but user-space code that is privileged in various ways also requires protection.
There is a loose hierarchy that runs from the kernel through the root daemons and non-root daemons (which have some capabilities) to the privileged apps that are run from /system/priv-app. It is a layering of the privileges, going from most trusted to least, he said, though the layering is "not clean". There is no easy separation between what is trusted and what isn't, nor any real attempt to determine what the applications and daemons need to be trusted to do.
Prior to adding SELinux to Android, some kernel hardening and other techniques had already been applied. That included setting various kernel parameters (e.g. mmap_min_addr, kptr_restrict) and using kernel features that help block privilege escalation (e.g. NOSUID, NO_NEW_PRIVS). There were also efforts to minimize the number of full-root daemons running in the system and to reduce the capability set of others. In addition, techniques that reduce the exploitability of applications, such as address-space layout randomization (ASLR), no-execute data sections, FORTIFY_SOURCE, and so on, were applied.
Android 4.4 was the first Google release to ship with SELinux in enforcing mode. It focused on protecting four full-root daemons (installd, netd, vold, and zygote). The intent was to protect the daemons from misuse and to contain the damage that any exploit could do. One example of the kind of exploit that SELinux can stop on Android is a local root vulnerability in vold from 2010, fixed in 4.4.3, whose exploitation SELinux blocked.
Unlike standard Linux distributions, SELinux in enforcing mode is mandatory on Android 4.4 (and beyond) systems. The Android compatibility definition and tests both require SELinux. That is an advantage, Smalley said, because other parts of the system can rely on the presence of SELinux.
Another difference between Android and regular distributions is that there is no generic unconfined domain in the Android SELinux policy. Specific domains can be marked with an unconfineddomain attribute, but that is not exactly the same thing. Domains that are marked that way are not completely unrestricted by the policy, as unconfined domains are in other distributions.
Post 4.4, the strategy is to shrink the set of daemons that run with the unconfineddomain attribute. But OEMs may still add daemons with that attribute, so, in parallel, there is an effort to reduce the permissions allowed to those processes. There will also be targeted improvements to the confined domains to further reduce their ability to wreak havoc if they get compromised.
For Android 4.4, only the 4 daemons mentioned (out of a total of 47) are confined. But the Android L developer preview confines 49 out of 61 daemons and privileged apps; it also adds all third-party apps to the confined set. The current AOSP master branch, which is what Smalley expects will end up in the L release, has 62 of 65 daemons and applications confined.
Protections from the policy
Smalley then switched gears to talk about the protections that are embodied in the Android SELinux policies. In order to try to protect the kernel, there are a number of actions the policies prevent, including any process mapping low memory and reading or writing /dev/kmem and /dev/mem. Only the init process can modify process security settings (e.g. mmap_min_addr) or load SELinux policy. No domain can switch SELinux to permissive mode. All of those restrictions apply to "unconfined" domains as well.
Loadable kernel modules are supported on some Android devices, though the Nexus devices turn off CONFIG_MODULES. Only the system_server is allowed to load modules for those devices that do support it; that is done to support loading a wireless driver. In the future, some of the restrictions on module loading that Kees Cook has added may be employed on Android, Smalley said.
The user-mode helpers for hotplug have traditionally been a way to subvert the kernel: assign an attacker-controlled helper to a particular event, then cause that event to occur. That is prevented on Android by allowing only init to configure the helpers and by allowing helpers to be executed only from the root filesystem or /system.
The policies also seek to protect the integrity of files on an Android system. The /system partition has always been mounted read-only, but attacks would simply remount it read-write. The policies now lock down which processes can mount and remount. In addition, write access to /system is only allowed to the recovery process, which is only available in recovery images. Beyond that, writing to block devices, raw I/O, and mknod() are also locked down, even for objects with the unconfineddomain attribute.
Access to ptrace() has also been limited. Only the debuggerd process is allowed to ptrace other domains. Most domains have no ptrace access even within their own domain, and that includes the unconfined domains. Certain sensitive cases (e.g. ptrace of init or keystore, and app-to-non-app ptrace) are further protected with "neverallow" rules in the policy; those prevent any policy change from (mistakenly) overriding them.
There has been a lot of effort to ensure that there is a bare minimum that is both writable and executable. Rootfs files cannot be written, while /system can only be written from recovery—most domains can only execute files from one or the other. Except for Dalvik processes, domains cannot have executable anonymous mappings, nor change file mappings to be executable. Once again, these protections are also active for unconfined domains.
Protections against both symbolic link attacks and malicious socket IPC have been added. No domains can read symbolic links created by apps or the shell. Also, netlink sockets and sockets opened by daemons cannot be accessed by apps or the shell.
It is not just system data that is being protected, either, as there are restrictions on the /data (app data) partition as well. The original 4.4 policy allowed installd and system_server to have largely unrestricted write access to /data, but that has been tightened up considerably in the AOSP master branch. In addition, even more protections have been placed on specific security-critical data files (e.g. /data/property, the system property store, and /data/misc/keystore, the certificate and key store).
There is an additional set of restrictions on the increasingly badly named "unconfined" domain. No process operations (e.g. signals) can be made to other domains and those processes cannot execute other programs without transitioning to some other domain. Those processes also have no internet access, no syslog access, and no audit access.
Protecting the policy
But what policy takes away, it can also give back, Smalley said. An OEM can "remove the goodness we baked in". Part of preventing that is the neverallow rules, but those can simply be commented out by OEMs. In order for devices to pass the compatibility test suite, however, there are two SELinux tests that must be passed. One of those ensures that the neverallow rules are still present through testing—without inspecting the policy itself.
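An added illustration (not code from the talk, from AOSP, or from the compatibility test suite) of what the neverallow rules above protect and what an OEM edit can undo: a toy Python checker that parses a constructed mini-policy in SELinux TE syntax and reports any allow rule that contradicts a neverallow rule. The policy text, type names such as vendor_daemon, and the checker itself are all constructed here; the real policy compiler does this check with far more rule forms than this simplified parser handles.

```python
import re
from collections import defaultdict

# Constructed mini-policy in SELinux TE syntax (not the real AOSP policy).
# The neverallow rules mirror the protections the article lists: only
# debuggerd may ptrace other domains, init and keystore may not be ptraced
# at all, and apps may not ptrace non-app domains.
POLICY = """\
attribute domain;
attribute appdomain;
attribute unconfineddomain;
type init, domain;
type keystore, domain;
type debuggerd, domain;
type system_server, domain;
type untrusted_app, domain, appdomain;
type vendor_daemon, domain, unconfineddomain;
allow debuggerd domain:process ptrace;
allow untrusted_app untrusted_app:process { ptrace sigkill };
# Hypothetical OEM addition that silently re-opens ptrace access to init:
allow vendor_daemon init:process { ptrace signal };
neverallow { domain -debuggerd } init:process ptrace;
neverallow { domain -debuggerd } keystore:process ptrace;
neverallow appdomain { domain -appdomain }:process ptrace;
"""

SET = r"(\{[^}]*\}|[\w-]+)"           # a type, an attribute, or a { ... } set
RULE_RE = re.compile(rf"^(allow|neverallow)\s+{SET}\s+{SET}:(\w+)\s+{SET};$")
TYPE_RE = re.compile(r"^type\s+(\w+)((?:,\s*\w+)*);$")
ATTR_RE = re.compile(r"^attribute\s+(\w+);$")


def parse(text):
    """Return (attribute -> member types, list of (kind, src, tgt, class, perms))."""
    attrs = defaultdict(set)
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := ATTR_RE.match(line):
            attrs.setdefault(m.group(1), set())
        elif m := TYPE_RE.match(line):
            for attr in re.findall(r"\w+", m.group(2)):
                attrs[attr].add(m.group(1))
        elif m := RULE_RE.match(line):
            rules.append(m.groups())
        else:
            raise ValueError(f"unparsed policy line: {line}")
    return attrs, rules


def expand(expr, attrs):
    """Expand a type, an attribute, or a '{ a b -c }' set into concrete types."""
    result = set()
    for tok in expr.strip("{}").split():
        negate = tok.startswith("-")
        name = tok.lstrip("-")
        members = attrs.get(name, {name})   # attribute -> its types, else a plain type
        result = result - members if negate else result | members
    return result


def neverallow_violations(text):
    """List every allow rule that grants something a neverallow rule forbids."""
    attrs, rules = parse(text)
    allows = [r for r in rules if r[0] == "allow"]
    nevers = [r for r in rules if r[0] == "neverallow"]
    violations = []
    for _, nsrc, ntgt, ncls, nperms in nevers:
        for _, asrc, atgt, acls, aperms in allows:
            if acls != ncls:
                continue
            src = expand(asrc, attrs) & expand(nsrc, attrs)
            tgt = expand(atgt, attrs) & expand(ntgt, attrs)
            perms = set(aperms.strip("{}").split()) & set(nperms.strip("{}").split())
            if src and tgt and perms:
                violations.append((sorted(src), sorted(tgt), ncls, sorted(perms)))
    return violations


if __name__ == "__main__":
    for v in neverallow_violations(POLICY):
        print("neverallow violated:", v)
```

Commenting out the neverallow lines, as the article notes an OEM could, makes the checker silent, which is exactly why the compatibility suite tests the built policy's behaviour rather than trusting its source.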
But the project is not just applying SELinux policy. There has been a concerted effort to go beyond creating policy to "improve the state of security on Android", he said. The need for certain capabilities has been removed from some daemons; others have been de-privileged entirely. Descriptor leaks across fork()/exec() have been found and eliminated as well. Some of those fixes have made their way back to the regular distributions to help provide better security throughout the Linux ecosystem.
SELinux has always focused on more than just the kernel, he said. It can (and does) restrict user-space programs. In 4.4, that was applied to the property service and zygote; in AOSP master that has been extended further. In addition, the hardcoded UID-based access control lists have been replaced with SELinux policy.
There have been some practical challenges in bringing SELinux to Android. Upgrades from non-SELinux devices with unlabeled filesystems required some work. Upgrading to newer policies with different labels had similar challenges. There have been other labeling issues as well, he said.
Next up are projects like simplifying the process of bringing up new devices with SELinux support, applying isolation and sandboxing features to apps, hardening the multi-user boundary in Android, and more. He encouraged anyone interested to check out the home page and the mailing list. Smalley's slides [PDF] are also available.
Brief items
Security quote of the week
[...]
I realize I sound a bit cranky about this stuff. But as they say: a PGP critic is just a PGP user who's actually used the software for a while. At this point there is so much potential in this area and so many opportunities to do better. It's time for us to adopt those ideas and stop looking backwards.
FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
The Free Software Foundation blog has posted an article detailing a newly discovered government surveillance project as well as a new technological countermeasure. The surveillance project is known as HACIENDA, and is reportedly a multi-national effort "to map every server in twenty-seven countries, employing a technique known as port scanning." The countermeasure, developed by Julian Kirsch, Christian Grothoff, Jacob Appelbaum, and Holger Kenn, is called TCP Stealth. According to the TCP Stealth whitepaper, the system "replaces the traditional random TCP SQN number with a token that authenticates the client and (optionally) the first bytes of the TCP payload. Clients and servers can enable TCP Stealth by explicitly setting a socket option or linking against a library that wraps existing network system calls." A Linux implementation of the scheme is available.
The poisoned NUL byte, 2014 edition (Project Zero)
For those interested in the gory details of a complex exploit, Google's Project Zero page describes the process of getting arbitrary code execution from a single NUL byte written to the heap by glibc in an off-by-one error. "The main point of going to all this effort is to steer industry narrative away from quibbling about whether a given bug might be exploitable or not. In this specific instance, we took a very subtle memory corruption with poor levels of attacker control over the overflow, poor levels of attacker control over the heap state, poor levels of attacker control over important heap content and poor levels of attacker control over program flow. Yet still we were able to produce a decently reliable exploit! And there’s a long history of this over the evolution of exploitation: proclamations of non-exploitability that end up being neither advisable nor correct."
New vulnerabilities
ansible: code execution
| Package(s): | ansible | CVE #(s): | CVE-2014-4678 |
| Created: | August 25, 2014 | Updated: | August 27, 2014 |
| Description: | From the Mageia advisory: The Ansible platform before version 1.6.7 suffers from input sanitization errors that allow arbitrary code execution as well as information leak, in case an attacker is able to control certain playbook variables. |
| Alerts: | |
drupal7-date: cross-site scripting
| Package(s): | drupal7-date | CVE #(s): | CVE-2014-5169 |
| Created: | August 21, 2014 | Updated: | August 27, 2014 |
| Description: | From the Drupal advisory: Date module provides flexible date/time field type Date field and a Date API that other modules can use. The module incorrectly prints date field titles without proper sanitization thereby opening a Cross Site Scripting (XSS) vulnerability. |
| Alerts: | |
eglibc: code execution
| Package(s): | eglibc | CVE #(s): | CVE-2014-5119 |
| Created: | August 27, 2014 | Updated: | October 20, 2014 |
| Description: | From the Debian advisory: Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversion functions could achieve arbitrary code execution. |
| Alerts: | |
glance: denial of service
| Package(s): | glance | CVE #(s): | CVE-2014-5356 |
| Created: | August 22, 2014 | Updated: | October 23, 2014 |
| Description: | From the Ubuntu advisory: Thomas Leaman and Stuart McLaren discovered that OpenStack Glance did not properly honor the image_size_cap configuration option. A remote authenticated attacker could exploit this to cause a denial of service via disk consumption. |
| Alerts: | |
horizon: cross-site scripting
| Package(s): | horizon | CVE #(s): | CVE-2014-3594 |
| Created: | August 22, 2014 | Updated: | October 1, 2014 |
| Description: | From the Ubuntu advisory: Dennis Felsch and Mario Heiderich discovered that OpenStack Horizon did not properly perform input sanitization when creating host aggregates. If an admin user were tricked into viewing the Host Aggregates page containing a crafted availability zone name, an attacker could conduct cross-site scripting attacks. |
| Alerts: | |
keystone: multiple vulnerabilities
| Package(s): | keystone | CVE #(s): | CVE-2014-5251 CVE-2014-5252 CVE-2014-5253 |
| Created: | August 22, 2014 | Updated: | September 3, 2014 |
| Description: | From the Ubuntu advisory: Brant Knudson and Lance Bragstad discovered that OpenStack Keystone would not always revoke tokens correctly. If Keystone were configured to use revocation events, a remote authenticated attacker could continue to have access to resources. (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253) |
| Alerts: | |
libgcrypt: side-channel attack
| Package(s): | libgcrypt | CVE #(s): | CVE-2014-5270 |
| Created: | August 25, 2014 | Updated: | November 17, 2014 |
| Description: | From the openSUSE advisory: libgcrypt was updated to 1.5.4 to prevent a side-channel attack on Elgamal encryption subkeys. |
| Alerts: | |
libndp: code execution
| Package(s): | libndp | CVE #(s): | CVE-2014-3554 |
| Created: | August 21, 2014 | Updated: | August 27, 2014 |
| Description: | From the Red Hat bug: libndp provides a library for the IPv6 Neighbor Discovery Protocol. A buffer overflow flaw was found in the ndp_msg_opt_dnssl_domain() function when handling the DNS Search List (DNSSL) in IPv6 router advertisements. A malicious router or man-in-the-middle attacker could use this flaw to cause an application using libndp to crash or, potentially, execute arbitrary code. |
| Alerts: | |
oxide-qt: multiple vulnerabilities
| Package(s): | oxide-qt | CVE #(s): | CVE-2014-3165 CVE-2014-3166 CVE-2014-3167 |
| Created: | August 21, 2014 | Updated: | August 27, 2014 |
| Description: | From the Ubuntu advisory: A use-after-free was discovered in the websockets implementation in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash. (CVE-2014-3165) An issue was discovered in the Public Key Pinning implementation in Chromium. An attacker could potentially exploit this to obtain sensitive information. (CVE-2014-3166) Multiple security issues were discovered in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-3167) |
| Alerts: | |
pen: unspecified vulnerability
| Package(s): | pen | CVE #(s): | |
| Created: | August 25, 2014 | Updated: | August 27, 2014 |
| Description: | Pen 0.25.1 fixes an unspecified vulnerability. |
| Alerts: | |
php5: multiple vulnerabilities
| Package(s): | php5 | CVE #(s): | CVE-2014-3587 CVE-2014-3597 |
| Created: | August 21, 2014 | Updated: | October 3, 2014 |
| Description: | From the Debian advisory: CVE-2014-3587 - It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes. CVE-2014-3597 - It was discovered that the original fix for CVE-2014-4049 did not completely address the issue. A malicious server or man-in-the-middle attacker could cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record. |
| Alerts: | |
php-htmlpurifier-htmlpurifier: "Hash Length Extension" attack
| Package(s): | php-htmlpurifier-htmlpurifier | CVE #(s): | |
| Created: | August 25, 2014 | Updated: | August 27, 2014 |
| Description: | From the Red Hat bugzilla: HTMLPurifier, a standards-compliant HTML filter library written in PHP, was found to have a vulnerability, which allows the attacker to carry out a "Hash Length Extension" attack. Class HTMLPurifier_URIFilter_Munge implements a URI filter that replaces all links with a formatted URL. To prevent links from being altered HTMLPurifier allows specifying a secret key via "URI.MungeSecretKey" configuration directive. However, this signature generation method is susceptible to a hash length extension attack. This vulnerability allows attackers to append an arbitrary value to the signed data without knowing the secret key. This may cause other vulnerabilities in the web applications, which use signature generated by HTMLPurifier to keep the links from being altered. |
| Alerts: | |
phpmyadmin: multiple vulnerabilities
| Package(s): | phpmyadmin | CVE #(s): | CVE-2014-5273 CVE-2014-5274 |
| Created: | August 21, 2014 | Updated: | September 2, 2014 |
| Description: | From the Mageia advisory: In phpMyAdmin before 4.1.14.3, multiple XSS vulnerabilities exist in browse table, ENUM editor, monitor, query charts and table relations pages (CVE-2014-5273). In phpMyAdmin before 4.1.14.3, with a crafted view name it is possible to trigger an XSS when dropping the view in view operation page (CVE-2014-5274). |
| Alerts: | |
ppp: privilege escalation
| Package(s): | ppp | CVE #(s): | CVE-2014-3158 |
| Created: | August 25, 2014 | Updated: | March 29, 2015 |
| Description: | From the ppp-2.4.7 release announcement: The main reason for the release is to fix a potential security vulnerability that has been discovered. The vulnerability may enable an unprivileged attacker to access privileged options, though I am not aware of any complete working exploit. This vulnerability has a CVE id, CVE-2014-3158. |
| Alerts: | |
python-django: multiple vulnerabilities
| Package(s): | python-django | CVE #(s): | CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 |
| Created: | August 25, 2014 | Updated: | December 15, 2014 |
| Description: | From the Debian advisory: CVE-2014-0480: Florian Apolloner discovered that in certain situations, URL reversing could generate scheme-relative URLs which could unexpectedly redirect a user to a different host, leading to phishing attacks. CVE-2014-0481: David Wilson reported a file upload denial of service vulnerability. Django's file upload handling in its default configuration may degrade to producing a huge number of `os.stat()` system calls when a duplicate filename is uploaded. A remote attacker with the ability to upload files can cause poor performance in the upload handler, eventually causing it to become very slow. CVE-2014-0482: David Greisen discovered that under some circumstances, the use of the RemoteUserMiddleware middleware and the RemoteUserBackend authentication backend could result in one user receiving another user's session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions. CVE-2014-0483: Collin Anderson discovered that it is possible to reveal any field's data by modifying the "popup" and "to_field" parameters of the query string on an admin change form page. A user with access to the admin interface, and with sufficient knowledge of model structure and the appropriate URLs, could construct popup views which would display the values of non-relationship fields, including fields the application developer had not intended to expose in such a fashion. |
| Alerts: | |
python-imaging, python-pillow: denial of service
| Package(s): | python-imaging, python-pillow | CVE #(s): | CVE-2014-3589 |
| Created: | August 21, 2014 | Updated: | September 2, 2014 |
| Description: | From the Mageia advisory: The Python Imaging Library is vulnerable to a denial of service attack in the IcnsImagePlugin (CVE-2014-3589). |
| Alerts: | |
ror40-rubygem-activerecord: strong parameter protection bypass
| Package(s): | ror40-rubygem-activerecord | CVE #(s): | CVE-2014-3514 |
| Created: | August 27, 2014 | Updated: | August 27, 2014 |
| Description: | From the CVE entry: activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls. |
| Alerts: | |
sks: cross-site scripting
| Package(s): | sks | CVE #(s): | CVE-2014-3207 |
| Created: | August 27, 2014 | Updated: | August 27, 2014 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in wserver.ml in SKS Keyserver before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to pks/lookup/undefined1. |
| Alerts: | |
xen: denial of service
| Package(s): | xen | CVE #(s): | CVE-2014-5146 CVE-2014-5149 |
| Created: | August 25, 2014 | Updated: | October 1, 2014 |
| Description: | From the Red Hat bugzilla: Some MMU virtualization operations on HVM guests must process every page assigned to a guest. For larger guests, this can tie up a vcpu for a significant amount of time, as the operations are not preemptible. A malicious HVM guest with a large allocation of shadow/p2m RAM can mount a denial of service attack affecting the whole system. |
| Alerts: | |
Page editor: Jake Edge