Lecture 7 L4Android: A Generic Operating System Framework for Secure Smartphones
Matthias Lange, Adam Lackorzynski et al.
Operating Systems Practical
19 November, 2014
OSP Lecture 7, L4Android 1/38 Contents
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 2/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 3/38 Context
I Ubiquity of smartphones I Need for secure apps
I Near Field Communication I SIM cards
I Inherent lack of security in smartphone software
OSP Lecture 7, L4Android 4/38 Security issues: delayed updates
I Mainline Android development done by Google
I Phone vendors deploy customized Android versions I “Maintenance nightmare”:
I Provide periodic updates that fix vulnerabilities I Or no updates at all because of high costs
OSP Lecture 7, L4Android 5/38 Security issues: Linux kernel
I Monolithic kernels are difficult to certify/verify
I Device drivers run with full privileges
I Kernel components aren’t isolated
I Device manufacturers develop custom (often proprietary) drivers
OSP Lecture 7, L4Android 6/38 Security issues: rooted phones
I Root privileges allow full access to:
I All the user data I Manufacturer settings I The kernel I “Rooted” phones are more vulnerable
I Android phones don’t allow root access by default I Root access can be obtained
I Manually by the user I By malicious software (via exploits)
OSP Lecture 7, L4Android 7/38 Security issues: Android permission system
I Permissions in Android
I Based on Mandatory Access Control (MAC) I “All or nothing” paradigm I Too coarse-grained
I E.g.: grant access to Internet and Address Book I → Software can send user Address Book to any remote location
OSP Lecture 7, L4Android 8/38 Security issues: Android permission system
I Permissions in Android
I Chrome 39
OSP Lecture 7, L4Android 9/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 10/38 A solution
I Isolate OS inside a virtual machine
I Run secure apps outside the OS I Use a microkernel-based framework
I ”Extended hardware” I Small Trusted Computing Base (TCB) I Drivers as user space services
OSP Lecture 7, L4Android 11/38 A solution: L4Android
I Framework for developing secure smartphone apps I Components:
I Microkernel: Fiasco.OC µkernel I Services: L4Re runtime environment 4 I Paravirtualized kernel: L Android I User space: Android libraries, apps, ...
OSP Lecture 7, L4Android 12/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 13/38 Fiasco.OC: Overview
I Based on Jochen Liedtke’s L4 microkernel I Implements basic OS abstractions
I Address Spaces I Threads I Scheduling I Inter-Process Communication (IPC) I Interrupt Delivery (via Asynchronous IPC)
OSP Lecture 7, L4Android 14/38 Fiasco.OC: Protection Domains
I Protection Domains:
I Equivalent to Linux namespaces/containers I Host tasks on top of the microkernel I Provide isolation
I Among virtual machines I Between VMs and the TCB
OSP Lecture 7, L4Android 15/38 Fiasco.OC: Capabilities
I Capabilities provide access control to:
I Kernel objects
I Address spaces I Threads I Communication channels
I Interrupts
I Fine-grained control over resources
OSP Lecture 7, L4Android 16/38 Fiasco.OC: Verification
I Microkernel exposes minimal interface
I Small number of system calls
I Code base is small (∼20,000 lines of code)
I Kernel is formally verifiable
OSP Lecture 7, L4Android 17/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 18/38 L4 Runtime Environment
I Software layer on top of the microkernel
I Simplifies development in microkernel user space I Consists of:
I Basic functionality: allocators, data structures, etc. I User libraries: C, C++, pthread etc. I Servers providing access to I/O devices
OSP Lecture 7, L4Android 19/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 20/38 L4Android
4 I L Linux: Linux kernel modified to run paravirtualized
I On top of Fiasco.OC + L4Re I With fine-grained access to devices via I/O servers 4 I An L Linux instance can run without any access to peripherals I Or it can be used as a driver provider 4 I L Android Kernel 4 I Based on L Linux I Contains Android patches (wakelocks, binder etc.) I Therefore it is able to run the Android user stack
OSP Lecture 7, L4Android 21/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 22/38 Evaluation: Overview
I Four proposed scenarios
I Software Smartcard I Mobile Rootkit Detection I Hardware Abstraction Layer I Unified Corporate and Private Phone
I Last scenario implemented as a demo I Runnable on ARM and x86 architectures
I Freescale iMX.51 (Cortex-A8) I Aava Mobile developer phone (Moorestown)
OSP Lecture 7, L4Android 23/38 Evaluation: Software Smartcard
I Smartcard:
I Processor and memory integrated on a plastic card I Cryptographic coprocessor smarcards for:
I Mobile phones (SIM, NFC) I Credit cards I USB tokens I “Software smartcard”:
I Performing the same computations on a general-purpose processor I Cheaper and more flexible than a physical smartcard I Usually unfeasible due to high security demands
OSP Lecture 7, L4Android 24/38 Evaluation: Software Smartcard
Possible Smartcard setup:
OSP Lecture 7, L4Android 25/38 Evaluation: Software Smartcard
I Fiasco.OC provides a secure computing base
I The smartcard operations run on top of the microkernel I L4Re and microkernel syscalls offer a trusted interface 4 I Isolation from the L Android domain is achieved
I Timing attacks are deflected by secure scheduling
I Vendors can implement various virtual smartcard configurations
OSP Lecture 7, L4Android 26/38 Evaluation: Hardware Abstraction Layer
OSP Lecture 7, L4Android 27/38 Evaluation: Hardware Abstraction Layer
I HAL: proposed L4-based development model for Linux drivers
I Move driver logic to a layer between L4Re and the guest kernel I Develop generic driver stub in the guest OS
I Easier to port drivers to new kernel versions
I By updating the Linux-HAL interface
I Driver faults are isolated from the rest of the system
OSP Lecture 7, L4Android 28/38 Evaluation: Dual Android Phone
I Corporate smartphones contain sensitive information I Employees routinely carry two smartphones:
I A company-provided smartphone configured according to the company’s security policy I A personal, unrestricted phone
I Alternative: Bring Your Own Device (BYOD)
OSP Lecture 7, L4Android 29/38 Evaluation: Dual Android Phone
I Solution: a single phone running two Android virtual machines
I Private Android: can even be rooted I Secure Android: implements corporate security policies
I User can easily switch between instances at runtime
OSP Lecture 7, L4Android 30/38 Evaluation: Dual Android Phone
OSP Lecture 7, L4Android 31/38 Evaluation: Dual Android Phone
I Access to devices is multiplexed between instances
I Stub drivers in the guest kernels I Driver servers in the L4 Runtime Environment I Virtualization requirements:
I Secure GUI server I Virtual Ethernet interfaces I Mobile telephony, hardware graphics/sound acceleration
I Drivers are binaries in the Linux kernel or Android user space I Difficult to virtualize
OSP Lecture 7, L4Android 32/38 Evaluation: Dual Android Phone
I Demo: http://l4android.org
OSP Lecture 7, L4Android 33/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 34/38 Keywords
I smartphones I Trusted Computing Base
I operating system security I paravirtualization
I Mandatory Access Control I microkernel
I protection domain I L4
I capability I I/O server
OSP Lecture 7, L4Android 35/38 Resources
I http://l4android.org
I http://l4linux.org
I http://os.inf.tu-dresden.de/L4/ I http://users.sec.t-labs.tu-berlin.de/~steffen/ papers/spsm03-lange.pdf
I Jochen Lietdke: On µ-Kernel Construction
OSP Lecture 7, L4Android 36/38 Outline
Context
Proposed solution
Fiasco.OC
L4Re
L4Android
Evaluation
Keywords
Questions
OSP Lecture 7, L4Android 37/38 Questions
?
OSP Lecture 7, L4Android 38/38