
SELinux on Android

Posted Aug 28, 2014 17:16 UTC (Thu) by drag (guest, #31333)
In reply to: SELinux on Android by brugolsky
Parent article: SELinux on Android

> While I'm glad to see this being done, the Linux kernel is as awfully bloated "TCB". Is work underway to also incorporate the most useful bits of Grsecurity?

I don't think it would be plausible to do this. Grsecurity has its own role-based mechanism and approach to Linux security that is separate from what you'd get with LSM modules like SELinux.

The upshot, though, is that since Grsecurity is largely compatible with SELinux you should be able to mesh these things together if you really wanted to.

> Tightening security is also a dual-edged sword; if devices remain locked and under the control of the manufacturer or telco carrier, it will make mainstream consumer devices more difficult to root and use for our own purposes.

There are phones on the market that are purposely left open (relatively) by their manufacturers. The key is really to steer people towards those devices.

Besides the security situations, Android users can benefit massively from this sort of approach. Many people I know who do not have a 'rooted' phone and the ability to install their own firmware tend to end up with an unusable device after a couple of years, while my phone (and others in similar positions) is faster and better behaved than it was when it was new.

> Until then, the only secure "smartphone" is one with a physically separate modem communicating over an auditable wire protocol such as USB.

The radio is probably the most important part of the 'smartphone', from a security perspective, unfortunately. If not the most, it's certainly very important. It can intercept and manipulate any of the traffic going in and out of the phone, as well as publishing information about the user and the user's location and such things. It has its own processor and operating-system-like environment.

What would be ideal would be to have a 'dumb radio', similar to how most people ended up with 'dumb modems' towards the end of the dial-up internet era (aka winmodem/linmodem/etc.). In this way the hardware is rather minimal, and instead of using the processor and firmware built into the radio to manage connections you use the main CPU and an open source kernel driver to do most of the 'heavy lifting'. Essentially a 'software defined radio' type setup.

Now, of course, this approach has a large number of problems. Besides technical issues with battery life, reliability, and so on and so forth... The government is not going to want to allow people to know what is going on with their phone's radio.

Right now government surveillance techniques at important events (riots, protests, public appearances of officials) involve setting up fake/temporary cellular radio towers and then sending commands to phones and phones' radios to disable power management features and report continuously on the identities and locations of people in the vicinity of the 'event'. They don't want to loosen any potential FCC rules to allow people to control their own devices in a way that could potentially defeat that sort of thing. Luckily 'dumb radios' will probably end up much cheaper than full-blown radios over a dedicated USB (or whatever) style connection, and the economics of technology has a way of overruling the regulators' concerns... thank goodness.

Now I don't know how realistic 'software radios' for cellular communication actually are, but I am just suggesting that it's the better approach when thinking about things security-wise.


SELinux on Android

Posted Aug 28, 2014 18:51 UTC (Thu) by brugolsky (guest, #28)

Some random thoughts in reply while I'm waiting for this compile to finish...

Grsecurity is much more than RBAC; the kernel hardening aspects come with some (usually minor) performance penalties, which might be an issue on battery-operated devices, but I'm willing to trade some battery life for better protection against 0days.

I'm fairly optimistic that unlocked phones and tablets will remain available. We're getting to the point where the functionality of devices several generations old is still perfectly usable.

For USAians, it would be nice if our Congress got rid of the DMCA and demanded more openness for devices, perhaps arguing that device owners have a right to engage in self-service once a device is abandoned by the manufacturer (no more updates). [Though I can hear the wails of protest by lobbyists that the world economy will collapse if the "new shiny" can't be forced upon consumers every 2-3 years.] This might go hand-in-hand with Dan Geer's proposal to hold vendors liable for security, and only allow them to disclaim liability via openness.

As for softmodems, Nvidia acquired Icera and now uses the Icera LTE softmodem running on the baseband processor of the Tegra 4i. Whether we'll ever get to a place where similar code is, if not open source, at least wrapped in a sandbox with verifiable inputs and outputs, is difficult to say, though I think it unlikely.

If people want to avoid having their communications monitored or blocked at protests, and other events, then they need to ditch telco service and use WiFi with random MACs on their rooted devices. If cruise lines can supply passengers with messaging apps that work on-board, surely we can put better technology in the hands of protesters, particularly since we have mesh networking already available in the Linux networking stack. Sure, then WiFi jammers will be deployed, and the response will eventually require full-on SDR.

Afterwards, needless to say, people will get in their cars all amped up and discuss the whole event, while OnStar or your Android or Tizen-based IVI relays unique IDs and perhaps whole conversations to the interested parties. :-/

SELinux on Android

Posted Sep 1, 2014 14:44 UTC (Mon) by raven667 (subscriber, #5198)

> I'm willing to trade some battery life for better protection against 0days

You are probably in a tiny minority with that opinion. Battery life is a sellable feature on phones, and anything which reduces it is going to be perceived as a negative; you will get beaten up in the marketplace by the vendor without security but one more hour of battery life.

I too would love better protections by default, but as you can see from the trends of past history only a small fraction are willing to pay any performance cost for security; those people are the current grsecurity customer base 8-)

SELinux on Android

Posted Sep 1, 2014 16:11 UTC (Mon) by spender (guest, #23067)

Yes, because it seems Samsung and other vendors who have adopted SELinux with its marginal benefit and 10% performance hit are being pummeled in the market. With users reporting KNOX using up to 62% of their battery (http://forums.androidcentral.com/samsung-safe-knox/326105..., http://forums.androidcentral.com/samsung-safe-knox/304515..., http://forums.androidcentral.com/samsung-galaxy-note-2/35..., etc.). Or the ones that have taken on the performance hit of SSP on ARM with its nonexistent security benefit.

In fact, we just got an email within the past hour from a company that's enabled basically all grsecurity features from https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecur... on a system processing ~50 emails a second through anti-virus and anti-spam at only a 14% performance hit. The kernel they were running had full memory sanitization on free enabled, which caught a use-after-free bug in the upstream netfilter code.

I'm leaning towards you being the small fraction, and this just being one big straw man.

-Brad
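The comment above mentions "full memory sanitization on free" catching a use-after-free in netfilter. The following is an added example, not grsecurity's code nor anything from the thread: a small, self-contained slab-style pool allocator (the `pool_alloc`/`pool_free` API, the `struct conn` object, the magic value and the 0xFE fill byte are all hypothetical, chosen for illustration) that shows why poisoning memory at free time turns a silent stale read into a detectable one. Without sanitization the freed object still looks valid, so a later read through a dangling pointer passes its sanity check; with sanitization the same read returns the poison pattern and the check fails immediately.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size pool standing in for a kernel slab cache. */
#define SLOT_SIZE 64
#define NSLOTS    8
#define POISON    0xFE   /* fill byte written over freed memory (assumed) */

static unsigned char pool[NSLOTS][SLOT_SIZE];
static bool          in_use[NSLOTS];
static bool          sanitize_on_free = true;

/* Hand out the first free slot, or NULL when the pool is exhausted. */
void *pool_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = true;
            return pool[i];
        }
    }
    return NULL;
}

/* Release a slot. With sanitization on, the contents are overwritten
 * before the slot becomes reusable, so stale data cannot be observed. */
void pool_free(void *p)
{
    size_t idx = ((unsigned char *)p - pool[0]) / SLOT_SIZE;
    if (idx >= NSLOTS)
        return;
    in_use[idx] = false;
    if (sanitize_on_free)
        memset(p, POISON, SLOT_SIZE);
}

/* A toy object of the kind a network stack tracks per connection. */
#define CONN_MAGIC 0xC0FFEE42u
struct conn {
    uint32_t magic;    /* sanity marker checked before use */
    uint32_t peer_id;
};

/* Validity check a caller would run before trusting the object. */
int conn_is_valid(const struct conn *c)
{
    return c->magic == CONN_MAGIC;
}

/* Simulated use-after-free: free the object, then read through the
 * dangling pointer as buggy code would. Returns 1 if the stale read is
 * caught by conn_is_valid(), 0 if the stale data still passes as valid.
 * The read targets static storage, so it is well-defined in this model. */
int stale_read_is_detected(bool sanitize)
{
    sanitize_on_free = sanitize;

    struct conn *c = pool_alloc();
    c->magic   = CONN_MAGIC;
    c->peer_id = 7;

    pool_free(c);              /* object released... */
    int still_valid = conn_is_valid(c);   /* ...but pointer reused: UAF */

    return still_valid ? 0 : 1;
}

int main(void)
{
    printf("without sanitize-on-free: UAF detected = %d\n",
           stale_read_is_detected(false));
    printf("with sanitize-on-free:    UAF detected = %d\n",
           stale_read_is_detected(true));
    return 0;
}
```

The poison byte is deliberately a non-zero, non-pointer-like value so that a dereference through sanitized memory fails loudly (here, a magic-number check; in a real kernel, typically an oops on an invalid pointer) rather than reusing whatever the previous owner left behind. This is also why the cost is paid on every free, not just on allocation.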


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds