Boxify: Full-fledged App Sandboxing for Stock Android
Michael Backes♢, Sven Bugiel♦, Christian Hammer♦, Oliver Schranz♦, Philipp von Styp-Rekowsky♦
♢ CISPA, Saarland University & MPI-SWS; ♦ CISPA, Saarland University
24th USENIX Security Symposium (August 2015)
Outline
- Introduction
- Background on Android OS
- Requirements Analysis and Existing Solutions
- Boxify Architecture
- Evaluation
1. Introduction
- Status quo of deploying Android security extensions
- The sweet spot
- Contributions

Status quo of deploying Android security extensions
- UID-centered security architecture of Android
- Inlined reference monitoring (IRM)
- OS security extensions

Inlined reference monitoring moves the reference monitor into the application layer: the reference monitor and the untrusted application share the same process space.
The sweet spot: combine the security guarantees of OS security extensions with the deployability of IRM solutions, i.e. an OS-isolated reference monitor without modifications to the firmware or to the code of the monitored applications.

Contributions
- Isolated process: allows apps to totally de-privilege selected components.
- App virtualization environment: proxies all syscall and Binder channels of isolated apps.
2. Background on Android OS
- Android Security Model
- Isolated Process
Android Security Model
- Android assigns a unique Linux user ID (UID) to every application at installation time.
- The kernel enforces discretionary access control (DAC) on syscalls based on the UID of the application process.
- Each application UID is associated with a set of platform permissions, which are checked at runtime by reference monitors.
- The primary channel for inter-application communication is Binder Inter-Process Communication (IPC).
Isolated Process (introduced in Android version 4.1)
- Allows an app developer to request that certain service components within her app run in a special process that is isolated from the rest of the system and has no permissions of its own. Most prominently used by the Chrome browser.
- A random UID, different from any existing UID, is assigned on process startup.
- No access to the private app directory of the application; limited to reading/writing world-readable/writable files.
- Runs with no permissions.
- Forbidden to perform any of the core Android IPC functions. The only way for other application components to interact with the isolated process is through the Service API (binding and starting).
3. Requirements Analysis and Existing Solutions
- 3.1 Objectives and Threat Model
- 3.2 Existing Solutions

3.1 Objectives and Threat Model
- O1 No firmware modification
- O2 No app modification
- O3 Robust reference monitor: a strong security boundary, and the monitor cannot be bypassed
- O4 Secure isolation of untrusted code: fail-safe defaults and mediation by the reference monitors

3.2 Existing Solutions: Android security extensions
- Operating system extensions
- Application layer solutions
- Separate app
[Diagram slides: Operating system extensions; Application layer solutions; Separate app; Comparison table of the three approaches against O1-O4]
4. Boxify Architecture
- 4.1 Design Overview
- 4.2 Target
- 4.3 Broker
- 4.4 System Integration

4.1 Design Overview
[Architecture diagram]
- Isolated processes: dynamically load and execute the untrusted app
- A privileged controller process: a mandatory proxy (manage lifecycle and relay component)
4.2 Target
[Diagram]
- Control channel for loading/terminating apps
- Divert Binder IPC to Broker
- Divert syscalls to Broker

4.2.1 SandboxService
[Diagram slides]
4.2.2 Binder IPC Interceptor
[Diagram: the Target's reference to the ServiceManager is a Binder IPC handle; using the Java Reflection API and native code, that handle is replaced by the Binder handle of the Broker, so the Target's Binder IPC is diverted to the Broker]
4.2.3 Syscall Interceptor
Relies on a technique called libc hooking [59]: applications use Android's implementation of the Standard C library, Bionic libc, to initiate system calls. Boxify intercepts calls to libc functions and redirects them to a service client, which forwards the function calls via IPC to a custom service component.

Be selective about which calls to intercept:
- calls granted to an isolated process (x)
- security-critical calls (v)
- calls not permitted for isolated processes (v)
- calls whose handling depends on the given parameter (?)
4.3 Broker
[Diagram: Proxy]
- Establish compatibility across Android versions
- Translate between Boxify and the Android system
- Baseline enforcement and virtual system services
4.3.1 API Layer
Boxify must semantically interpret the intercepted Binder parcels. Since the system service interfaces belong to the internal Android API, they change frequently between Android versions. SafeParcel carries structural information about the data stored in it, which allows the receiver of an IPC request to selectively read parts of the payload.
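To make the SafeParcel property concrete, here is an added example (not Boxify's or Android's code) of a tagged parcel format: every field carries a tag, a type and a length, so a receiver can pull out the fields it understands and skip over any it has never seen, and a field whose declared length runs past the buffer is rejected instead of over-read. The wire layout, the tag numbers and the sample request are all constructed for this example.

```c
/* Added example, not Boxify's or Android's code. Assumed wire layout:
 *   field := [tag:1 byte][type:1 byte][len:2 bytes little-endian][payload:len bytes]
 * Tag numbers are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TYPE_INT32 = 1, TYPE_STRING = 2 };
enum { TAG_CALLING_UID = 1, TAG_PACKAGE = 2, TAG_FLAGS = 3 }; /* constructed tags */

typedef struct { uint8_t *buf; size_t cap; size_t len; } parcel_t;

bool parcel_put(parcel_t *p, uint8_t tag, uint8_t type, const void *data, size_t n) {
    if (n > 0xFFFF || p->len + 4 + n > p->cap) return false;
    p->buf[p->len++] = tag;
    p->buf[p->len++] = type;
    p->buf[p->len++] = (uint8_t)(n & 0xFF);
    p->buf[p->len++] = (uint8_t)(n >> 8);
    memcpy(p->buf + p->len, data, n);
    p->len += n;
    return true;
}

/* Walk the field headers only, skipping payloads that are not wanted. A field whose
 * declared length exceeds what is left in the buffer makes the lookup fail rather
 * than read past the end. */
const uint8_t *parcel_find(const uint8_t *buf, size_t len, uint8_t tag,
                           uint8_t *type, size_t *n) {
    size_t off = 0;
    while (off + 4 <= len) {
        size_t flen = buf[off + 2] | ((size_t)buf[off + 3] << 8);
        if (flen > len - off - 4) return NULL;          /* truncated or lying length */
        if (buf[off] == tag) { *type = buf[off + 1]; *n = flen; return buf + off + 4; }
        off += 4 + flen;
    }
    return NULL;                                        /* tag absent */
}

bool parcel_get_int32(const uint8_t *buf, size_t len, uint8_t tag, int32_t *out) {
    uint8_t type; size_t n;
    const uint8_t *p = parcel_find(buf, len, tag, &type, &n);
    if (p == NULL || type != TYPE_INT32 || n != sizeof *out) return false;
    memcpy(out, p, sizeof *out);   /* host byte order, as written by parcel_put */
    return true;
}

bool parcel_get_string(const uint8_t *buf, size_t len, uint8_t tag, char *dst, size_t cap) {
    uint8_t type; size_t n;
    const uint8_t *p = parcel_find(buf, len, tag, &type, &n);
    if (p == NULL || type != TYPE_STRING || n >= cap) return false;  /* leave room for NUL */
    memcpy(dst, p, n);
    dst[n] = '\0';
    return true;
}

/* Constructed request as a newer Android release might send it: the three fields a
 * receiver knows about plus an extra field (tag 9) it has never seen, placed before
 * TAG_FLAGS so that reading TAG_FLAGS has to skip over it. */
size_t build_sample_request(uint8_t *buf, size_t cap) {
    parcel_t p = { buf, cap, 0 };
    int32_t uid = 10042, flags = 0x80;
    const char *pkg = "com.example.reader", *extra = "added-in-a-later-release";
    if (!parcel_put(&p, TAG_CALLING_UID, TYPE_INT32, &uid, sizeof uid)) return 0;
    if (!parcel_put(&p, TAG_PACKAGE, TYPE_STRING, pkg, strlen(pkg))) return 0;
    if (!parcel_put(&p, 9, TYPE_STRING, extra, strlen(extra))) return 0;
    if (!parcel_put(&p, TAG_FLAGS, TYPE_INT32, &flags, sizeof flags)) return 0;
    return p.len;
}

int main(void) {
    uint8_t buf[128];
    char pkg[64];
    int32_t flags;
    size_t n = build_sample_request(buf, sizeof buf);
    if (parcel_get_string(buf, n, TAG_PACKAGE, pkg, sizeof pkg) &&
        parcel_get_int32(buf, n, TAG_FLAGS, &flags))
        printf("package=%s flags=0x%x (unknown tag 9 skipped)\n", pkg, flags);
    return 0;
}
```

The receiver never has to know the full field list to answer a request; that is what lets a Broker built against one Android release keep interpreting parcels from a later one, as long as the fields it relies on keep their tags.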
4.3.2 Core Logic Layer
- Provides a minimal implementation of the PackageManager, which manages the packages installed into the Boxify environment.
- Decides whether an Android API call is emulated using a replicated service or forwarded to the system, and can enable direct communication between the target app and the requested Android system service.
- Implements the policy enforcement points (PEP) for Binder IPC services and syscalls. The syscall PEP enforces system call policies with respect to network and filesystem operations; relevant here are the file-system structure of the Android data partition and the access control of the Linux kernel.
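The following added example (not Boxify's code) models both halves of the syscall path described in 4.2.3 and here: on the Target side each libc call is classed as left alone, always relayed, or relayed with its arguments because the verdict depends on them; on the Broker side a policy enforcement point answers allow or deny for network and filesystem requests, with unknown calls and unknown packages failing closed. The call table, the per-package policies, the sandbox root directory and the package names are assumptions made for the example.

```c
/* Added example, not Boxify's code. Target side (4.2.3): classify a libc call.
 *   CALL_LOCAL      - granted to isolated processes, executed in place
 *   CALL_NETWORK    - not permitted for an isolated process, always relayed to the Broker
 *   CALL_FILESYSTEM - the verdict depends on the path argument, relayed with its arguments
 * Broker side (4.3.2): the PEP returns VERDICT_ALLOW or VERDICT_DENY. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { CALL_LOCAL, CALL_NETWORK, CALL_FILESYSTEM, CALL_UNKNOWN } call_class_t;
typedef enum { VERDICT_LOCAL, VERDICT_ALLOW, VERDICT_DENY } verdict_t;

/* Constructed table; Boxify's real hook list is not reproduced here. */
static const struct { const char *name; call_class_t cls; } CALL_TABLE[] = {
    { "getpid",  CALL_LOCAL },       /* harmless, left to the kernel's own DAC */
    { "read",    CALL_LOCAL },
    { "socket",  CALL_NETWORK },     /* isolated processes hold no network permission */
    { "connect", CALL_NETWORK },
    { "open",    CALL_FILESYSTEM },  /* depends on which path is opened */
    { "unlink",  CALL_FILESYSTEM },
};

call_class_t classify_call(const char *name) {
    for (size_t i = 0; i < sizeof CALL_TABLE / sizeof CALL_TABLE[0]; i++)
        if (strcmp(CALL_TABLE[i].name, name) == 0) return CALL_TABLE[i].cls;
    return CALL_UNKNOWN;
}

/* Constructed per-app policy as the Broker's Core Logic Layer might hold it. */
static const struct { const char *pkg; bool internet; } POLICIES[] = {
    { "com.example.reader",  false },
    { "com.example.browser", true  },
};

verdict_t pep_network(const char *pkg) {
    for (size_t i = 0; i < sizeof POLICIES / sizeof POLICIES[0]; i++)
        if (strcmp(POLICIES[i].pkg, pkg) == 0)
            return POLICIES[i].internet ? VERDICT_ALLOW : VERDICT_DENY;
    return VERDICT_DENY;               /* unknown package: fail-safe default (O4) */
}

/* Assumed layout: each sandboxed app gets its own subtree under the Broker's private
 * data directory, standing in for the /data/data/<pkg> directory it would have had. */
#define SANDBOX_ROOT "/data/data/com.boxify.sandbox/apps/"

static bool starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

verdict_t pep_filesystem(const char *pkg, const char *path, bool write) {
    char own_dir[256];
    size_t n;
    if (path == NULL || path[0] != '/') return VERDICT_DENY;   /* relative paths are ambiguous */
    n = strlen(path);
    if (strstr(path, "/../") != NULL) return VERDICT_DENY;      /* no climbing out of the subtree */
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0) return VERDICT_DENY;
    if (snprintf(own_dir, sizeof own_dir, SANDBOX_ROOT "%s/", pkg) >= (int)sizeof own_dir)
        return VERDICT_DENY;
    if (starts_with(path, own_dir)) return VERDICT_ALLOW;       /* the app's own data directory */
    if (!write && starts_with(path, "/system/")) return VERDICT_ALLOW; /* platform files, read-only */
    return VERDICT_DENY;                                        /* other apps' data, /proc, ... */
}

/* What the libc hook in the Target does for one intercepted call. */
verdict_t handle_call(const char *pkg, const char *call, const char *path, bool write) {
    switch (classify_call(call)) {
    case CALL_LOCAL:      return VERDICT_LOCAL;
    case CALL_NETWORK:    return pep_network(pkg);
    case CALL_FILESYSTEM: return pep_filesystem(pkg, path, write);
    default:              return VERDICT_DENY;   /* nothing unclassified slips through */
    }
}

int main(void) {
    const char *own = SANDBOX_ROOT "com.example.reader/files/notes.txt";
    printf("getpid -> %d\n", handle_call("com.example.reader", "getpid", NULL, false));
    printf("socket -> %d\n", handle_call("com.example.reader", "socket", NULL, false));
    printf("open   -> %d\n", handle_call("com.example.reader", "open", own, true));
    return 0;
}
```

The two defaults are the part worth copying: a call the hook does not recognise is denied rather than passed to the kernel, and a package the Broker has no policy for gets no network access, which is what O4's fail-safe defaults mean in practice.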
4.3.3 Virtualization Layer
The Virtualization Layer maintains a mapping between Target and Boxify component names.
[Diagram: Target component names <-> Virtualization Layer <-> Boxify component names]

4.4 System Integration
- Launcher
- App Stores
5. Evaluation
- 5.1 Performance Impact
- 5.2 Runtime Robustness
- 5.3 Portability
- 5.4 Use-cases
- 5.5 Security Discussion

5.1 Performance Impact
[Benchmark chart slides]

5.2 Runtime Robustness
Tested 1079 of the most popular free apps from Google Play; 93 (8.6%) experienced a crash during testing. Causes: exotic syscalls and rarely used Android APIs that are not covered by Boxify yet.

5.3 Portability
[Table slide]
5.4 Use-cases
- Fine-grained permission control
- Domain isolation

5.5 Security Discussion
- Privilege escalation: a sandboxed app could escalate its privileges through a root or kernel exploit.
- Violating the least-privilege principle: it is hard to predict a reasonable set of permissions beforehand.
- Red pill: an app that detects the sandbox could hide its true intentions or refuse to run in a sandboxed environment.