Lecture 7 L4Android: A Generic Operating System Framework for Secure Smartphones Matthias Lange, Adam Lackorzynski et al. Operating Systems Practical 19 November, 2014 OSP Lecture 7, L4Android 1/38 Contents Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 2/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 3/38 Context I Ubiquity of smartphones I Need for secure apps I Near Field Communication I SIM cards I Inherent lack of security in smartphone software OSP Lecture 7, L4Android 4/38 Security issues: delayed updates I Mainline Android development done by Google I Phone vendors deploy customized Android versions I \Maintenance nightmare": I Provide periodic updates that fix vulnerabilities I Or no updates at all because of high costs OSP Lecture 7, L4Android 5/38 Security issues: Linux kernel I Monolithic kernels are difficult to certify/verify I Device drivers run with full privileges I Kernel components aren't isolated I Device manufacturers develop custom (often proprietary) drivers OSP Lecture 7, L4Android 6/38 Security issues: rooted phones I Root privileges allow full access to: I All the user data I Manufacturer settings I The kernel I \Rooted" phones are more vulnerable I Android phones don't allow root access by default I Root access can be obtained I Manually by the user I By malicious software (via exploits) OSP Lecture 7, L4Android 7/38 Security issues: Android permission system I Permissions in Android I Based on Mandatory Access Control (MAC) I \All or nothing" paradigm I Too coarse-grained I E.g.: grant access to Internet and Address Book I ! Software can send user Address Book to any remote location OSP Lecture 7, L4Android 8/38 Security issues: Android permission system I Permissions in Android I Chrome 39 OSP Lecture 7, L4Android 9/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 10/38 A solution I Isolate OS inside a virtual machine I Run secure apps outside the OS I Use a microkernel-based framework I "Extended hardware" I Small Trusted Computing Base (TCB) I Drivers as user space services OSP Lecture 7, L4Android 11/38 A solution: L4Android I Framework for developing secure smartphone apps I Components: I Microkernel: Fiasco.OC µkernel I Services: L4Re runtime environment 4 I Paravirtualized kernel: L Android I User space: Android libraries, apps, ::: OSP Lecture 7, L4Android 12/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 13/38 Fiasco.OC: Overview I Based on Jochen Liedtke's L4 microkernel I Implements basic OS abstractions I Address Spaces I Threads I Scheduling I Inter-Process Communication (IPC) I Interrupt Delivery (via Asynchronous IPC) OSP Lecture 7, L4Android 14/38 Fiasco.OC: Protection Domains I Protection Domains: I Equivalent to Linux namespaces/containers I Host tasks on top of the microkernel I Provide isolation I Among virtual machines I Between VMs and the TCB OSP Lecture 7, L4Android 15/38 Fiasco.OC: Capabilities I Capabilities provide access control to: I Kernel objects I Address spaces I Threads I Communication channels I Interrupts I Fine-grained control over resources OSP Lecture 7, L4Android 16/38 Fiasco.OC: Verification I Microkernel exposes minimal interface I Small number of system calls I Code base is small (∼20,000 lines of code) I Kernel is formally verifiable OSP Lecture 7, L4Android 17/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 18/38 L4 Runtime Environment I Software layer on top of the microkernel I Simplifies development in microkernel user space I Consists of: I Basic functionality: allocators, data structures, etc. I User libraries: C, C++, pthread etc. I Servers providing access to I/O devices OSP Lecture 7, L4Android 19/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 20/38 L4Android 4 I L Linux: Linux kernel modified to run paravirtualized I On top of Fiasco.OC + L4Re I With fine-grained access to devices via I/O servers 4 I An L Linux instance can run without any access to peripherals I Or it can be used as a driver provider 4 I L Android Kernel 4 I Based on L Linux I Contains Android patches (wakelocks, binder etc.) I Therefore it is able to run the Android user stack OSP Lecture 7, L4Android 21/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 22/38 Evaluation: Overview I Four proposed scenarios I Software Smartcard I Mobile Rootkit Detection I Hardware Abstraction Layer I Unified Corporate and Private Phone I Last scenario implemented as a demo I Runnable on ARM and x86 architectures I Freescale iMX.51 (Cortex-A8) I Aava Mobile developer phone (Moorestown) OSP Lecture 7, L4Android 23/38 Evaluation: Software Smartcard I Smartcard: I Processor and memory integrated on a plastic card I Cryptographic coprocessor smarcards for: I Mobile phones (SIM, NFC) I Credit cards I USB tokens I \Software smartcard": I Performing the same computations on a general-purpose processor I Cheaper and more flexible than a physical smartcard I Usually unfeasible due to high security demands OSP Lecture 7, L4Android 24/38 Evaluation: Software Smartcard Possible Smartcard setup: OSP Lecture 7, L4Android 25/38 Evaluation: Software Smartcard I Fiasco.OC provides a secure computing base I The smartcard operations run on top of the microkernel I L4Re and microkernel syscalls offer a trusted interface 4 I Isolation from the L Android domain is achieved I Timing attacks are deflected by secure scheduling I Vendors can implement various virtual smartcard configurations OSP Lecture 7, L4Android 26/38 Evaluation: Hardware Abstraction Layer OSP Lecture 7, L4Android 27/38 Evaluation: Hardware Abstraction Layer I HAL: proposed L4-based development model for Linux drivers I Move driver logic to a layer between L4Re and the guest kernel I Develop generic driver stub in the guest OS I Easier to port drivers to new kernel versions I By updating the Linux-HAL interface I Driver faults are isolated from the rest of the system OSP Lecture 7, L4Android 28/38 Evaluation: Dual Android Phone I Corporate smartphones contain sensitive information I Employees routinely carry two smartphones: I A company-provided smartphone configured according to the company's security policy I A personal, unrestricted phone I Alternative: Bring Your Own Device (BYOD) OSP Lecture 7, L4Android 29/38 Evaluation: Dual Android Phone I Solution: a single phone running two Android virtual machines I Private Android: can even be rooted I Secure Android: implements corporate security policies I User can easily switch between instances at runtime OSP Lecture 7, L4Android 30/38 Evaluation: Dual Android Phone OSP Lecture 7, L4Android 31/38 Evaluation: Dual Android Phone I Access to devices is multiplexed between instances I Stub drivers in the guest kernels I Driver servers in the L4 Runtime Environment I Virtualization requirements: I Secure GUI server I Virtual Ethernet interfaces I Mobile telephony, hardware graphics/sound acceleration I Drivers are binaries in the Linux kernel or Android user space I Difficult to virtualize OSP Lecture 7, L4Android 32/38 Evaluation: Dual Android Phone I Demo: http://l4android.org OSP Lecture 7, L4Android 33/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 34/38 Keywords I smartphones I Trusted Computing Base I operating system security I paravirtualization I Mandatory Access Control I microkernel I protection domain I L4 I capability I I/O server OSP Lecture 7, L4Android 35/38 Resources I http://l4android.org I http://l4linux.org I http://os.inf.tu-dresden.de/L4/ I http://users.sec.t-labs.tu-berlin.de/~steffen/ papers/spsm03-lange.pdf I Jochen Lietdke: On µ-Kernel Construction OSP Lecture 7, L4Android 36/38 Outline Context Proposed solution Fiasco.OC L4Re L4Android Evaluation Keywords Questions OSP Lecture 7, L4Android 37/38 Questions ? OSP Lecture 7, L4Android 38/38.