Boxify: Full-fledged App Sandboxing for Stock Android


1 Boxify: Full-fledged App Sandboxing for Stock Android
Michael Backes♢, Sven Bugiel♦, Christian Hammer♦, Oliver Schranz♦, Philipp von Styp-Rekowsky♦
♢CISPA, Saarland University & MPI-SWS; ♦CISPA, Saarland University
24th USENIX Security Symposium (August 2015)

2 Outline
- Introduction
- Background on Android OS
- Requirements Analysis and Existing Solutions
- Boxify Architecture
- Evaluation

3 1. Introduction
- Status quo of deploying Android security extensions
- The sweet spot
- Contributions

4 Status quo of deploying Android security extensions
- UID-centered security architecture of Android
- Inlined reference monitoring (IRM)
- OS security extensions

5 Status quo of deploying Android security extensions
Inlined reference monitoring (IRM) moves the reference monitor into the application layer: the monitor is inlined into the app, so the reference monitor and the untrusted application share the same process space. This makes IRM easy to deploy on stock devices, but the untrusted code can tamper with or bypass a monitor that lives in its own address space.

6 The sweet spot
Combine the security guarantees of OS security extensions with the deployability of IRM solutions: a reference monitor that the OS isolates from the untrusted app, deployed without modifications to the firmware or to the code of the monitored applications.

7 Contributions
- Isolated process: the Android feature that lets an app fully de-privilege selected components; Boxify builds on it to run untrusted apps without any permissions of their own.
- App virtualization environment: proxies all syscall and Binder IPC channels of the isolated app through a Boxify-controlled process.

8 2. Background on Android OS
- Android Security Model
- Isolated Process

9 Android Security Model
Android assigns a unique Linux user ID (UID) to every application at installation time. The kernel enforces discretionary access control (DAC) on syscalls based on the UID of the application process. Each application UID is associated with a set of platform permissions, which are checked at runtime by reference monitors.

10 Android Security Model
The primary channel for inter-application communication is Binder Inter-Process Communication (IPC).

11 Isolated Process
Introduced in Android 4.1. It allows an app developer to request that certain service components within her app run in a special process that is isolated from the rest of the system and has no permissions of its own. Most prominently used by the Chrome browser.

12 Isolated Process
- Receives a fresh UID on every process start that differs from any existing app UID.
- No access to the private app directory of its own application; limited to reading/writing world-readable/writable files.
- Runs with no permissions.

13 Isolated Process
- Forbidden to perform any of the core Android IPC functions.
- The only way for other application components to interact with the isolated process is through the Service API (binding and starting).

14 3. Requirements Analysis and Existing Solutions
- 3.1 Objectives and Threat Model
- 3.2 Existing Solutions

15 3.1 Objectives and Threat Model
- O1 No firmware modification
- O2 No app modification
- O3 Robust reference monitor: a strong security boundary, and the monitor cannot be bypassed
- O4 Secure isolation of untrusted code: fail-safe defaults and complete mediation by the reference monitors

16 3.2 Existing Solutions: Android Security Extensions
- Operating system extensions
- Application layer solutions
- Separate app

17 Operating system extensions

18 Application layer solutions

19 Separate app

20 Comparison

21 4. Boxify Architecture
- 4.1 Design Overview
- 4.2 Target
- 4.3 Broker
- 4.4 System Integration

22 4.1 Design Overview

23 4.1 Design Overview
- Target: isolated processes that dynamically load and execute the untrusted app.
- Broker: a privileged controller process that acts as mandatory proxy for the Target, manages its lifecycle and relays component interactions.

24 4.2 Target

25 4.2 Target
- Control channel for loading/terminating apps
- Divert Binder IPC to the Broker
- Divert syscalls to the Broker

26 4.2.1 SandboxService

27 4.2.1 SandboxService

28 4.2.2 Binder IPC Interceptor
Every Binder connection from an app to a system service starts with a request to the ServiceManager for that service's Binder handle. Boxify therefore replaces, via the Java Reflection API and native code, the ServiceManager handle held inside the Target with the Binder handle of the Broker. All subsequent Binder IPC from the Target is thus routed through the Broker, which can then hand out its own proxy handles instead of the real system services.

29 4.2.3 Syscall Interceptor
Relies on a technique called libc hooking [59]. Applications use Android's implementation of the standard C library, Bionic libc, to initiate system calls. Boxify intercepts calls to libc functions and redirects them to a service client; this client forwards the function calls via IPC to a custom service component.

30 4.2.3 Syscall Interceptor
Selective about which calls are hooked:
- calls already granted to an isolated process: not hooked (x)
- security-critical calls: hooked (v)
- calls not permitted for isolated processes: hooked (v)
- calls whose admissibility depends on the given parameters: decided per call (?)

31 4.3 Broker (proxy)

32 4.3 Broker
- Establish compatibility across Android versions
- Translate between Boxify and the Android system
- Baseline enforcement and virtual system services

33 4.3.1 API Layer
Boxify must semantically interpret the intercepted Binder parcels, i.e. it must know the parameter layout of each system service call. Since the system service interfaces belong to Android's internal API, they change frequently between Android versions, and this layer absorbs those differences. SafeParcel, in contrast to a plain Parcel, carries structural information about the data stored in it, which allows the receiver of an IPC request to selectively read parts of the payload without knowing the complete layout.

34 4.3.2 Core Logic Layer
This layer provides a minimal implementation of the PackageManager, which manages the packages installed into the Boxify environment. It decides, per call, whether an Android API call is emulated by a replicated (virtual) service or forwarded to the real system service; for forwarded calls it enables direct communication between the target app and the requested Android system service.

35 4.3.2 Core Logic Layer
This layer also implements the policy enforcement points (PEP) for Binder IPC services and for syscalls. The syscall PEP enforces system call policies with respect to network and file-system operations. Its file-system policy has to account for the layout of the Android data partition and for the access control the Linux kernel already applies to the isolated process (which cannot reach the app's private directory on its own).
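The following is an added example, not code from the Boxify paper or its implementation, that puts slides 29, 30 and 35 together in C: a hooked open() that classifies each call as pass-through, forward-to-Broker or deny, and a Broker-side path virtualization for the app's private directory. The real Boxify patches Bionic's linker tables inside the isolated Target process and forwards to the Broker over Binder IPC; here the linker table is simulated by a single function pointer, and the Broker is a function in the same process. The package name com.example.victim, the directory /data/data/de.boxify/app_data/ and all function names are assumptions made for the example.

```c
/* Added example (not Boxify's code): miniature libc-hooking syscall
 * interceptor with Broker-side path virtualization. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumptions for this example, not Boxify's real names or paths. */
#define PKG          "com.example.victim"              /* sandboxed app      */
#define BOXIFY_DATA  "/data/data/de.boxify/app_data/"  /* Broker-owned dir   */
#define PRIVATE_DIR  "/data/data/" PKG "/"             /* app's own data dir */

typedef int (*open_fn)(const char *path, int flags);

static int libc_open(const char *path, int flags) { return open(path, flags, 0600); }

/* In the Target, libc hooking rewrites the dynamic-linker tables so calls
 * to open() land in the hook; here that table is one function pointer. */
static open_fn real_open = libc_open;
static open_fn open_slot = libc_open;

enum route { ROUTE_PASS, ROUTE_BROKER, ROUTE_DENY };

/* Parameter-dependent decision (the "?" case on slide 30): the same libc
 * function is routed differently depending on path and access mode. */
enum route route_open(const char *path, int flags)
{
    static const char *const world_readable_dirs[] = { "/system/", "/proc/self/" };
    int writing = (flags & O_ACCMODE) != O_RDONLY;

    /* App-private directory: the isolated process (fresh UID) has no DAC
     * rights there, so the privileged Broker performs the call instead. */
    if (strncmp(path, PRIVATE_DIR, strlen(PRIVATE_DIR)) == 0)
        return ROUTE_BROKER;
    /* Other apps' private data: never, regardless of mode. */
    if (strncmp(path, "/data/data/", strlen("/data/data/")) == 0)
        return ROUTE_DENY;
    /* Locations the kernel already lets an isolated process read: pass
     * straight through, but read-only. */
    if (strcmp(path, "/dev/null") == 0)
        return writing ? ROUTE_DENY : ROUTE_PASS;
    for (size_t i = 0; i < sizeof world_readable_dirs / sizeof *world_readable_dirs; i++)
        if (strncmp(path, world_readable_dirs[i], strlen(world_readable_dirs[i])) == 0)
            return writing ? ROUTE_DENY : ROUTE_PASS;
    return ROUTE_DENY;  /* fail-safe default (objective O4) */
}

/* Broker side: map the app's view of its private directory onto the
 * Broker-owned directory where the sandbox actually keeps that app's data. */
int virtualize_path(const char *path, char *out, size_t outsz)
{
    if (strncmp(path, PRIVATE_DIR, strlen(PRIVATE_DIR)) != 0) return -1;
    int n = snprintf(out, outsz, "%s%s/%s", BOXIFY_DATA, PKG, path + strlen(PRIVATE_DIR));
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

static char last_broker_path[256];
const char *broker_last_path(void) { return last_broker_path; }

/* Would run in the Broker process after an IPC round trip; here it is a
 * plain call.  The Broker opens the virtualized path under its own UID. */
static int broker_open(const char *path, int flags)
{
    if (virtualize_path(path, last_broker_path, sizeof last_broker_path) != 0) {
        errno = EACCES;
        return -1;
    }
    return real_open(last_broker_path, flags);
}

/* The hook that takes the place of open() inside the Target. */
int sandbox_open(const char *path, int flags)
{
    switch (route_open(path, flags)) {
    case ROUTE_PASS:   return real_open(path, flags);
    case ROUTE_BROKER: return broker_open(path, flags);
    default:           errno = EACCES; return -1;
    }
}

void hook_install(void) { open_slot = sandbox_open; }

/* What the sandboxed "app code" calls: stands in for the PLT/GOT entry. */
int app_open(const char *path, int flags) { return open_slot(path, flags); }

int main(void)
{
    hook_install();
    /* Constructed probe paths; none of these need to exist on the host. */
    const char *probes[] = { "/system/etc/hosts", PRIVATE_DIR "files/token",
                             "/data/data/com.other.app/files/secret", "/system/bin/sh" };
    int modes[] = { O_RDONLY, O_RDONLY, O_RDONLY, O_WRONLY };
    for (int i = 0; i < 4; i++) {
        int fd = app_open(probes[i], modes[i]);
        printf("%-42s -> %s\n", probes[i], fd >= 0 ? "opened" : strerror(errno));
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

The deny branch returns EACCES without ever reaching the kernel, which is the fail-safe default the objectives ask for; the Broker branch shows why a reference monitor outside the app's process is needed at all, since the isolated process could not open its own private directory even if it wanted to.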

36 4.3.3 Virtualization Layer
The Virtualization Layer maintains a mapping between the component names the Target app uses and the Boxify component names under which those components actually run, translating in both directions on every intercepted call.

37 4.4 System Integration: Launcher, App Stores

38 5. Evaluation
- 5.1 Performance Impact
- 5.2 Runtime Robustness
- 5.3 Portability
- 5.4 Use-cases
- 5.5 Security Discussion

39 5.1 Performance Impact

40 5.1 Performance Impact

41 5.1 Performance Impact

42 5.2 Runtime Robustness
Of the 1079 most popular free apps from Google Play, 93 (8.6%) experienced a crash during testing. Causes: exotic syscalls and rarely used Android APIs that Boxify does not cover yet.

43 5.3 Portability

44 5.4 Use-cases
- Fine-Grained Permission Control
- Domain Isolation

45 5.5 Security Discussion
- Privilege escalation: a sandboxed app may escalate its privileges through a root or kernel exploit.
- Violating the least-privilege principle: it is hard to predict a reasonable set of permissions beforehand.
- Red pill: an app may detect the sandbox and hide its true intentions or refuse to run in a sandboxed environment.

