SN-719 at Amrita
Android Security

Prabhaker Mateti

Wright State University

www.cs.wright.edu/~pmateti

DAC (Discretionary Access Control)

Table of Contents

1 Discretionary Access Control (DAC)

  1. "Trusted Computer System Evaluation Criteria" TCSEC, US DoD Standard 5200.28-STD.
  2. My opinion: "Discretionary", "Mandatory" both misleading
  3. Generally speaking: The security model of the old (1980s) Unix
  4. Concepts
    1. Entities: Users, Files, Processes, …
    2. Ownership
    3. Permissions: read, write, execute, …
    4. Granting of permissions
  5. Android inherits from Linux all of DAC.

2 Authentication

  1. Machines
  2. Users
  3. Services/Servers

3 User Authentication Approaches

  1. What You Know
  2. What You Have
  3. What You Are

3.1 What You Know

  1. Passwords on a Linux System
  2. Cracking the Passwords
    1. Current consensus: Given enough time, any password can be cracked.
  3. Prevention of Password Cracking

3.2 Two Factor Authentication

  1. https://en.wikipedia.org/wiki/Two-factor_authentication Reading Assignment

4 Set User ID (suid)

  1. Privilege Acquisition Mechanism
  2. Invoke a program (file) that has suid set.
  3. Expected to be invoked by non-root users.
  4. suid can be set to non-root owner.
  5. The created process runs with the privileges of the owner, not the invoker

4.1 suid root

  1. An attacker arrives with non-root privileges.
  2. Exploits an suid-root process to spawn a root-owned shell.
  3. The classic "buffer overflow attack" injects the shellcode onto the stack.

5 Capabilities

see slides in the Refs

6 Android UID setup

  1. Android does not have /etc/passwd, /etc/shadow, and /etc/group files. The file named android_filesystem_config.h in the AOSP source tree has the equivalent code.
  2. E.g.,
    1. #define AID_ROOT 0 /* traditional unix root user */
    2. #define AID_GPS 1021 /* GPS daemon */
  3. % adb shell (The rest of what is shown below is within AVD pmNX5a.)
    1. root@generic:/ # ls -l /acct/uid shows "uid" directories
    2. root@generic:/ # more /data/system/packages.list shows how the application name is tied up with uid/gid.
    3. Ex: com.android.keyguard 10007 0 /data/data/com.android.keyguard platform 1028,1015,1035,3002,3001
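
Added example (not from the original slides): a small Python parser for the packages.list line format shown above. It groups packages by uid to show which ones share a single DAC identity, and lists debuggable packages and packages running under a system uid. The column labels, the "none" gid marker and AID_APP = 10000 follow AOSP conventions rather than the slide, and every sample line except the keyguard one is constructed.

```python
from collections import defaultdict
from typing import NamedTuple

AID_APP = 10000  # first uid given to installed apps (android_filesystem_config.h)
# Constructed sample; only the keyguard line is taken from the slide.
SAMPLE = """\
com.android.keyguard 10007 0 /data/data/com.android.keyguard platform 1028,1015,1035,3002,3001
com.example.devbuild 10054 1 /data/data/com.example.devbuild default none
com.example.suite.mail 10060 0 /data/data/com.example.suite.mail default 3003
com.example.suite.calendar 10060 0 /data/data/com.example.suite.calendar default 3003
com.android.settings 1000 0 /data/data/com.android.settings platform 1028,1015,3002,3001
"""

class Package(NamedTuple):
    name: str
    uid: int
    debuggable: bool
    data_dir: str
    seinfo: str
    gids: tuple

def parse_packages_list(text):
    """Parse packages.list text; skip malformed lines, ignore extra trailing columns."""
    pkgs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[1].isdigit():
            continue
        gids = () if f[5] == "none" else tuple(int(g) for g in f[5].split(","))
        pkgs.append(Package(f[0], int(f[1]), f[2] == "1", f[3], f[4], gids))
    return pkgs

def shared_uids(pkgs):
    """Map uid -> package names for uids used by more than one package."""
    by_uid = defaultdict(list)
    for p in pkgs:
        by_uid[p.uid].append(p.name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}

def review(pkgs):
    """Packages worth a closer look: debuggable ones and those below the app uid range."""
    return {
        "debuggable": [p.name for p in pkgs if p.debuggable],
        "system_uid": [p.name for p in pkgs if p.uid < AID_APP],
    }

if __name__ == "__main__":
    pkgs = parse_packages_list(SAMPLE)
    print(shared_uids(pkgs), review(pkgs))
```

Packages that share a uid can read and write each other's files under DAC, so the shared_uids output is the list to check first.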

7 References

  1. Prabhaker Mateti, Password Cracking, 2013. Skip the Lab experiment. Required Reading.
  2. https://en.wikipedia.org/wiki/Discretionary_access_control Required Reading.
  3. P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments." In Proceedings of the 21st National Information Systems Security Conference, pp. 303–14, Oct. 1998. A classic paper. Recommended Reading
  4. http://faculty.cs.nku.edu/~waldenj/classes/2014/spring/cit380/lectures/AccessControl.pdf Slides. Required Reading.
  5. Karim Yaghmour, ./android-security-yaghmour-2014.pdf Android Security, From the Ground Up, ELCE 2014. Required Reading.
  6. Security features in Ubuntu https://wiki.ubuntu.com/Security/Features

Copyright © 2015 pmateti@wright.edu www.wright.edu/~pmateti 2015-08-13