Striptease of the Android permission system
Formal metadata
Title: Striptease of the Android permission system
Number of parts: 46
License: CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers: 10.5446/47162 (DOI)
Transcript: English (automatically generated)
00:05
So hi, everyone. OK, in the current context, we have a problem with security on Android. And I'm going to present Android permissions to you, because I want to show you how the system interacts
00:25
with the permissions you set in your apps, and how, if you don't use them, it leads to a security hole. OK, so let me introduce myself. I'm part of the Genymobile company,
00:41
and I'm an active developer on the Genymotion products. So feel free to come and see us and talk about Genymotion. We're downstairs, and you can talk to us about it. So I am a system developer, right? I don't develop any applications. So I'm here to explain to you how it works,
01:00
and how permissions influence the system. So what is a permission? Generic definition: you have authorization to do something, according to a law, a right, or a rule, in order to protect something. OK, that's the generic definition for anything.
01:22
So, please? OK, so who is familiar with Linux-based systems? Please raise your hands. Great, so I can move very fast on this part. So OK, so you know that under Linux,
01:42
users are defined by IDs. And these users are included in groups, also defined by IDs. These IDs... oh, no, go away. One of the main IDs, which is very important,
02:01
is ID zero, because it's the superuser. And when you're a normal user, you have an ID of 1,000 on Linux, according to the standard. These users and groups give you permissions.
02:21
These permissions are separated into three kinds on the file system. You have the owner permissions, you have the group permissions, and you have the rest-of-the-world permissions. It's here.
02:42
You can see here, the first letters are for the owner, the next three are for the group, and the last three letters are for the world. Each of these permission groups has its own actions: read, write, and execute. That's what I'm showing you right here.
03:00
So of course, we don't display IDs when you're listing a directory. It's absolutely not user-friendly, so we show the name. So of course, here I have, so it's me, I'm in the Genymotion directory, and over here, where is my pointer?
03:21
Over here, I have read, write, and execute on the Genymotion binary. And as root, you see that all the rest of the world, including me, I'm not able to read, write, or execute this file. All right, so what about processes?
03:41
You have to understand that files and directories are attached to your groups and users, but so are your processes. A process has its own ID. When you run a program, it has its own ID, but it's attached to a user. That's what I'm showing here, just here.
04:02
So the process has the same rights as the user who launched it. So if the binary wants to access a file, this file has to be under the same user and group as the program. Okay, so that's what runs on Linux,
04:22
to protect the file system and running programs. There are other protection systems in Linux: there are SELinux and capabilities. SELinux is a more fine-grained permission system. I won't go further into this one, because it's a talk in itself for like one hour.
04:45
And capabilities, in the other direction, too. Okay, I have a program, for example, with which I want to mount my hard drive. If I just do it this way, I won't be able to run this program, because I don't have the permission to do it. So capabilities are something you set on your program,
05:03
saying, I just want the capability to mount the device; then when you run your program, you will be able to run it as your own user. Okay, so what's going on on Android? Android is something very special,
05:21
because when you have a device, Google realized that there is only one physical user of this device. Even now we have multi-user support. I won't talk about it because we don't have time. But at the beginning, there was only one physical user on your device. So that means all the applications you run would be under the same user
05:43
and group permissions. And that's not really good, because if an application is doing something wrong, then it has access to the data of the others, and that's not very secure. So the idea is, okay, each application is going to have its own user ID and group ID, all right?
06:02
So how it works under Android: there are different ranges for the UID. The 1,000 user ID will be for the system part, for daemons, and up to 10,000 it will be for the application user IDs.
06:22
These values are the same; they use the same values for the GIDs, for the groups. And that is what you can see. There is a file in your system which stores the UID of your application and the GIDs.
06:47
So let's go further. Okay, but sometimes when you're developing an app, you use a very special option called shared user ID,
07:01
which means that, in fact, in the system, all the applications using this option will have the same user ID. So if you set the same user ID as, for example, system, your application will have the system user ID. This is, for example, what you can see: for example, the user dictionary and contacts,
07:22
they have the same user ID, so that means the application has been declared with the shared user ID option. So the way it acts on the file system is exactly like on Linux. So, of course, here, as you see,
07:42
there is a name, it's not the user ID, because the ID is mapped to a name to be more friendly, of course. Your user, the application user ID, is determined at the end, when you install your application, right? And, of course, at installation time, your application will have its own directory,
08:03
a dedicated directory. So, for example, I took the calendar application, and it says, okay, this is your directory and you have these rights on it. So, as you see, you have read, write, and execute in this part of the file system.
08:24
Okay, what about system applications, system daemons? They have to be statically defined, to be sure that from one device to another, it won't change. But for your application, as it is determined at installation time,
08:42
this ID will be generated with the signature. So that means when you install an application on your device, the UID won't be the same as on your colleague's device; you have another ID, because it's generated with the signature.
09:00
Okay. Come on, no? Okay, so, at the beginning, your application is sandboxed. It's self-contained, and in this way, your application doesn't do many things,
09:20
and what you want is that your application can talk to another application, and sometimes you will have to. To do that, you need some permissions. The permissions you're using in your application, you declare them in your Android manifest. But we have to keep the system secure. So that's why Google gives you the means to do it.
09:45
And when you install your application, everybody knows that you grant the permissions at installation. But, hello, oops.
10:02
So, you know how it works in the Android manifest, right? For example, you put in the Android manifest the permission you need; for example, I want to access the vibrator. So that is the permission. And these permissions are predefined permissions that the system gives you. They're already defined in the system.
10:22
And you can find them in the source tree at this path over there. But you also have the means to define your own permissions. And I do recommend you to use them. And you'll see later why. So, how is a permission defined? The main thing: it's defined by a name,
10:41
which is a string, and a permission group. Okay, this one is going in this group, and this group gives you the GID, right? And you have the protection level. Is it normal, dangerous, or not? Normal, you know that at the normal level,
11:02
the system won't wait for the user's validation to grant the permission. You don't see it at all. You will only see the permission, and grant the permission, for the three other levels.
11:24
Okay, so now, okay, so for example, some of the permissions ask for access to your SD card storage, right? And that's considered to be very dangerous. And that means if you are a normal application,
11:41
you need to have higher privileges to get them. And for this, for example, writing to the SD card, the system provides you with what we call a GID mapping. At installation time, you're going to,
12:01
we'll see later, you're going to parse the AndroidManifest.xml, right? And then realize, oh, this guy wants to write on the SD card. And in the system, you say, but for this permission, I need to have higher privileges to do this. So you have a file in your system,
12:23
and the system says, for this permission, I need to map this permission to a specific GID, because this GID has higher privileges and the application will need it. So it will add this GID to your application.
12:40
And this is what you have here. That's the GID for higher privileges. And I think, like for the SD card, for example, this is the GID for writing and reading on the SD card.
13:03
So we see that, okay, everything is managed through UIDs and GIDs, but what happens in the lifetime of your application? So first of all, of course, the first thing you want to do is to install it. So for example, the MMS application:
13:21
the first step the package manager does is to say, okay, I'm going to parse the AndroidManifest.xml just to see what permissions the application needs. So after that, it's going to fix the UID
13:44
for your application with the signature, okay? So you have a unique UID. And because, for example, with MMS, you can store some messages on your SD card, you will have
14:01
the mapping GID that we saw just before. And the package manager stores a database, okay, where all your applications are listed. It contains all the information about your application:
14:22
the UID, of course, the signature, the certificate signature, what else? Permissions, of course, permissions, sorry. And so each time you install an application, the database is updated and stored. The system package list is a file which stores
14:43
only the UID and the GIDs needed by the application. So all the information about your Android permissions is stored in a database. But when you start an application, how is an application started on an Android device?
15:03
Some of you may know that at the startup of your system, you have an init process which will have PID one. And it has root permissions, so the GID and the UID are 0, 0, right?
15:26
And for the applications, sorry, init will launch the Zygote service. Zygote is a program. This program is the Dalvik JVM,
15:43
which contains the preloaded libraries from the framework and the core Java libraries. And if init launches Zygote, that means that Zygote does have root permissions for the user and for the group.
16:02
But what we want is that our application has its own UID and GID. So what it's doing, at step two, okay, Zygote receives an "I want to start the application". Zygote, at step three, is going to fork the Zygote.
16:21
Then the application has its own Java environment, runtime, sorry, Java runtime. But at this step, your application has root permissions. And what happens, just after the fork, the system sets and saves the UID and the GID
16:41
for your application according to what has been declared in the database we saw just before. And then when that is finished, your application has the right user ID and the right group ID according to what you declared in your AndroidManifest.xml. So at the end of the process, everything is fine.
17:03
The UID and GID are correctly set. So let's see how this happens when you're running an application like MMS. And for example, when you receive a message,
17:20
most of the time your device vibrates, because MMS has access to the vibrator. So let's see now, deep in the system, what happens when your permission is granted or checked, sorry, when your permission is enforced in the system.
17:43
So in the framework, there exists a representation of the vibrator; it's an abstract class, okay. So what we want to find is this famous vibrate function right here. This function is using an abstract function.
18:03
And as you see here, there's something very interesting. It is asking for the UID. That's what we're going to try to find in the system. So let's go. Act one: I just received a message, okay. So in the MMS application, you have a notification,
18:23
a messaging notification, and you're going to check in the preference activity if you asked for the vibrator, because in MMS, this information is stored in the shared preferences. So it's going to check: did the user ask for vibrating
18:43
on an incoming message? In our case, of course, yes. And it says, okay, so I will build my messaging notification and I send it to the notification manager. Say, okay, now I will send it; the manager is aware
19:02
that the notification is pending, and it will say to the notification service: hey, you have to handle this notification. Here, I'm taking a huge shortcut in the notification manager, because a lot of things are happening, but at the end,
19:24
when the notification is handled, you access the vibrator service. The vibrator service is a system daemon, right? It's running in the same process as the system server, okay? And so when this process is running,
19:44
it has system permissions, okay. So what happens in the vibrator service? Some code. Okay, in the vibrator service, oh cool, I have my vibrate
20:01
function, asking for your UID and everything. And as you can see at the top there, this is where your Android permission is checked. So it asks, this is, if this, sorry.
20:21
It checks the context, to see if the, sorry, it checks on the context whether the Android manifest permission is okay and it has also been granted; it goes to the package manager to check that. If it's not, the system raises an exception.
20:45
And after that, it says yes, it's okay, the context does have the permission to do it. Okay, but that's not enough at all to be sure that your application can access the vibrator. So what it says it needs to do is to verify the UID,
21:02
the UID of the incoming process, the calling process. So what it's doing here is in the other part of the code. You ask Binder. Does everyone know what Binder is in the Android system? So Binder, yeah, Binder is the IPC system.
21:22
It's the interface that your applications use to communicate with each other, for sharing data, sending messages, and all that stuff. So you have to ask Binder: can I get the calling UID? Can I get the calling PID?
21:40
Are they okay? Do they match? If they match, okay. Now you are able to enforce the permission to access the vibrator. So you are at the framework level, right? And for this example, that is how your permission is enforced.
22:02
Permission enforcement can be at different levels: it can be in kernel space, it can be at other levels, but in our example it's done at the framework level. So what happens?
22:21
Because, okay, cool, I have the permission to do it, but you don't yet have access to the device. So Binder here says, okay, you have access to the stuff. So go back to the vibrator service, and then in the function you will call vibrate for some milliseconds, and this vibrate will load
22:41
a JNI library. In this JNI library you have the C code, because of course the vibrator is a device, which means that you need to go into the C world. You have the Java world, the C world here, so you have to use JNI to say, okay, I want to vibrate for x seconds,
23:01
and then you will be able, that's why you are able to access your vibrator and vibrate your phone when a notification triggers. So you see the whole process running in your system just to enforce a permission
23:20
that you just declare in a simple XML file. And as far as you know, this permission for the vibrator is at the normal level. So this permission hasn't been validated by the user. So just imagine what happens when you use the other level groups. It can be more complicated.
23:42
Okay, now we're talking about security. You know, you see it a bit better. May I ask a question? How long will you... okay, you're running out of time. You have already run out of time. Okay. How long will this take, this use case? Okay, I can skip that if you want to. I'll just go to the end. I can give you, if we refrain from asking questions,
24:00
I can give you two more minutes. Okay, one minute will be enough. Okay. I just want to show you that one guy in the... give me... so, this was an example of when you're not using a permission correctly.
24:22
I just want to show that. What was the beginning? The beginning was, okay, the guy had an application which declared a receiver, and for this receiver, for one action, you have a permission to do the action, and on the other action, no permission.
24:40
And the first action, what it was doing, was to run a shell command on your device. Pop a shell command. And what happened is, it was not protected by an Android permission, right? So anybody was able to trigger it using the ADB am command.
25:07
So that's why here, you need, when you perform an action which has... and also this application had the shared user ID with system,
25:20
the system user UID. So that means you are able to run a shell command with the system user's permissions. As a conclusion, I just want to talk about Android M, because it just happened last week. It seems that Google has refactored the whole system, and I don't know yet what is going on exactly,
25:43
because I haven't had the time to look at it. But I'm aware that all I have presented to you may change a lot. So in Android M it's going to be different, so I hope I will do a talk later about it. I'm sorry, it took a long time.
26:01
Thank you for being here. It was my first talk in English and my first talk at Droidcon, and I hope you enjoyed it as much as I did. Thank you, Lizzie.