TIZEN Security
Hacking the New Mobile OS
Mark Manning
• Sr. Security Consultant with Intrepidus Group
• Mobile:
– Android
– Windows Phone
– Brew
– iOS
– Blackberry
• BSidesROC, Rochester 2600, Interlock Rochester
1/17/2017 Intrepidus Group - Confidential 2
Jason Ross
• Sr. Security Consultant with Intrepidus Group
– Android
– Web apps
– Network
• Extra Curricular
– TOOOL.ROC, DC585, BSidesROC
– Security BSides*, Dragon Research Group
What we are going to tell you
What Tizen is & where it might be going
The Tizen security model
How to perform Tizen security assessments
Predictions for the future
Tizen (/ˈtaɪzɛn/) is…
• An open source mobile operating system
– Started life as Samsung SLP (then Bada), & Intel MeeGo
– Governed by Linux Foundation
• Organized by a board of directors
– The Tizen Association
• Supported by large companies
– Intel, Samsung, Fujitsu
• Based on W3C standards for its applications
– HTML5 APIs
– Touch Events
– Web Storage
– WARP
Tizen wants to…
• Be the ubiquitous solution for “smart” consumer devices
• Release a high end device this year
• Grab a 15% market share of smartphones
• Replace Android as the most versatile operating system
• Be installed on:
– Smart TV’s
– Cars
– Smart Phones
– Tablets
– Anything that is designed for high end user experience
Tizen Family Tree
Tizen History
• February 2010
– Nokia and Intel announce MeeGo
– Nokia drops out of MeeGo in favor of Windows Phone
• September 2011
– Intel suspends MeeGo & announces Tizen as its replacement
• January 2012
– Tizen source code and SDK released
• May 2013
– Tizen 2.1 released
• July 2013
– Tizen 2.2 released
• August 2013
– Tizen IVI 3.0 beta released
Vapor Hardware
Quick Comparison

                        Android      iOS              Firefox OS    Ubuntu             Tizen
Web App Support         None         None             Yes           Yes                Yes
Native App Support      Yes          Yes              No            Yes                Yes
Primary Application     Linux UIDs   XNU / Seatbelt   B2G / Gecko   D-BUS / App Armor  SMACK labels
Isolation Mechanism
IDE                     Eclipse      Xcode            Good luck!    Ubuntu SDK         Eclipse
Application Signing     Developer    Distributor      Distributor   Developer          Distributor & Developer
Model
Technical Steering Group
• In charge of development and working with
OEMs (and advocacy)
• Consists of Samsung, Intel and now Huawei
• Coordinates development of the operating system
Tizen Association
• Always represented by 12 companies
• Always changing
• Current members:
HTML5 Scores
APPLICATIONS
Tizen Application Stack
Types of Apps
• Web Applications:
– Written in HTML5
– JavaScript makes calls to Privileged APIs
– Supports libraries like jQuery Mobile
– Can be either “Packaged Web Apps” or “Hosted Web Apps”
• Native Applications
– C / C++
– Native APIs unrelated to web app APIs
– Focused on gaming
• Hybrid Applications
– Little bit of both
WebRT
• WebRT is to Tizen what DalvikVM is to Android
• Execution of web applications
• Each application runs its own instance
• Access to device resources via JavaScript API
• Access control of web applications
The Widget Stack
Luckily Webkit is universally secure…
WGT
• Web applications or widgets
• W3C standard way of packaging an HTML5 application
• Zip archive with .wgt extension
Application Signing
• Each application is signed with 2 signatures
– W3C Recommended way of handling widget signing
– As opposed to Android’s one
• Author signature
– Made by the author of the application; used to verify who created the app
• Distributor signature
– From the publisher or app store; verifies where the application was distributed from
Privileged Device APIs
• Public:
– Any developer can access
– Example: Filesystem – access a location on the device
• Partner:
– Only those developers that have been verified and approved can access it.
– Partners are given a special Partner CA to sign their applications
– Example: ApplicationManager – manage application certificates
• Platform
– Reserved to OEMs and Tizen implementers
– System level access to a device
– Example: BluetoothAdapter
config.xml File
• Similar to a manifest
• Declare Features: device capabilities
• Declare Privileges: API access required by the app
• Set policy: lets you set a “content security policy” for the application
– Whitelist the sites the app should be connecting to
– Based on W3C’s WARP
config.xml Example
Install Directory == Package Name
Installation Directory Structure
bin
APPID.AppName
res
wgt
shared
data
res
trusted
tmp
tmp
Encryption Support
• Web apps support encryption of JavaScript, HTML, CSS, etc.
• Install-time encryption only
• Key configuration is located in /usr/share/secure-storage/config
– Usually points to /csa/.seckey
• Magic(key, wgt) = encryption
SMACK
SMACK - Introduction
• Linux Kernel Module
• Basis of the Tizen security sandbox model
• “Labels” are the metaphor
– similar to how Android uses UIDs
• Tizen 2.1 has 41,000 SMACK rules
– Tizen 3 is looking to reduce these
Smack - Control Mechanisms
• File control
– Extended attributes (xattrs) give filesystem objects a label
– The label corresponds to a SMACK rule
• IPC traffic
• Network traffic
– A CIPSO header is attached to each network packet
• Processes
– Can read /proc/self/attr/current to discover what SMACK labels they are running under
SMACK - Definitions
• Subject
• Object
• Access
• Label
SMACK - Access Rule Format
<subject-label> <object-label> <access-rule>
SMACK - Access Rule Examples
contacts-service    _                arwxt
com.Intrepidus.pwn  *                arwx-
org.tizen.setting   miracast-server  rwx--

Labels assigned to two filesystem objects, then a rule that uses them:
/opt/usr/apps/3FRIz5CoAw.Test = testApp
/tmp/file.txt = myFile
testApp myFile r
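An added example (not code from the slides) that applies the Smack check order to the rules shown above, so a reviewer can ask which subject label may do what to an object label; the rule set, the evaluator and the helper are assumptions for illustration, and the rule lines are the slide's plus a constructed one.

```python
"""Smack access-rule evaluator (added example, not code from the slides).

Reproduces the check order of the kernel's Smack LSM so that a reviewer can
ask "may subject S perform access A on object O?" against a dumped rule set:
special labels are consulted first, then the loaded rules, and a request is
granted only if every requested access is permitted. The rule lines are the
ones shown on the slide plus a constructed file labelling; they are sample
data for illustration, not a real Tizen policy dump.
"""
from typing import Dict, List, Set, Tuple

ACCESS_CHARS = set("rwxatl")       # r/w/x/a(ppend)/t(ransmute)/l(ock); '-' is a placeholder
STAR, HAT, FLOOR = "*", "^", "_"   # special labels with built-in semantics

Rules = Dict[Tuple[str, str], Set[str]]

# Constructed sample: the three rules from the slide plus the testApp/myFile rule.
SAMPLE_RULES = """\
# subject            object           access
contacts-service     _                arwxt
com.Intrepidus.pwn   *                arwx-
org.tizen.setting    miracast-server  rwx--
testApp              myFile           r
"""


def parse_rules(text: str) -> Rules:
    """Parse '<subject> <object> <access>' lines into a lookup table.

    A later line for the same (subject, object) pair replaces the earlier one,
    which is how a rule written again through /smack/load behaves.
    """
    rules: Rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        subject, obj, access = parts
        granted = {c for c in access.lower() if c != "-"}
        if not granted <= ACCESS_CHARS:
            raise ValueError(f"line {lineno}: bad access string {access!r}")
        rules[(subject, obj)] = granted
    return rules


def may_access(rules: Rules, subject: str, obj: str, wanted: str) -> bool:
    """True if every access in `wanted` is permitted for subject -> object."""
    want = set(wanted.lower()) - {"-"}
    read_only = want <= {"r", "x"}
    if subject == STAR:                # a star subject is never granted anything
        return False
    if obj == STAR:                    # anything may be done to a star object
        return True
    if subject == obj:                 # a subject has full access to its own label
        return True
    if subject == HAT and read_only:   # hat may read/execute anything
        return True
    if obj == FLOOR and read_only:     # floor objects are readable/executable by all
        return True
    # Default deny: an explicit rule must grant every requested access.
    return want <= rules.get((subject, obj), set())


def subjects_with(rules: Rules, obj: str, access: str) -> List[str]:
    """Labels whose loaded rule grants all of `access` on `obj` (review helper)."""
    want = set(access)
    return sorted(s for (s, o), granted in rules.items() if o == obj and want <= granted)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for subj, obj, acc in [("org.tizen.setting", "miracast-server", "rw"),
                           ("testApp", "myFile", "w"),
                           ("com.Intrepidus.pwn", "_", "w")]:
        verdict = "allow" if may_access(rules, subj, obj, acc) else "deny"
        print(f"{subj} -> {obj} [{acc}]: {verdict}")
    print("can write miracast-server:", subjects_with(rules, "miracast-server", "w"))
```

Note that the `com.Intrepidus.pwn * arwx-` rule grants nothing new, since a star object already accepts every access; the evaluator shows that the same subject still gets default deny on any other label.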
SMACK – Access Request Process
/DEV/RANDOM
Content Security Framework
• McAfee contributed a solution to a problem first noticed in Android
– How does an app get access to the system to perform effective scans?
• Provides an API for anti-virus vendors
– Low-level hooks into the system to bypass the usual application restrictions
Tizen Push Service
• Functionally similar to GCM on Android
• Messages limited to text data of 1024 bytes
ASLR
• “Fully implemented” in the Linux kernel, but some additional security measures are not currently implemented
Security protection      Purpose
-fstack-protector-all    Adds canary-based buffer overflow checks on the stack and aborts the program if the canary is corrupt.
-D_FORTIFY_SOURCE=2      Replaces unbounded string function calls with bounded ones, where GCC can determine the buffer size.
-fpic, -fpie             Position independent code for libraries (fpic) and executables (fpie). Protects against return-to-libc attacks.
NX bit                   No-execute bit.
Weirdness
• Zypper is on the device
• Install all the things!
• OpenSSH: running by default on the device
• Root login is permitted
PERFORMING ASSESSMENTS
Attackers we are emulating
• A malicious application on the device
• A remote attacker that has hijacked another application’s backend
• Lost or stolen devices
Props to Katy Levinson/HackerDojo for this image
Attack Vectors
• Malicious application store / third party store
– Helped out by the distributor signing model
• SMishing, phishing to install an application
• “Drive by” content (malicious ad networks)
– Helped by defining WARP access tags or setting the content-security-policy correctly
Tools
• Tizen SDK – Eclipse IDE
• Web simulator
• Tizen Device Emulator
• SDB
Tools - Tizen SDK IDE
• Eclipse based
• Comes with the Tizen device emulator
• And the web simulator
Tools - Web Simulator
• Lets you run a WGT inside of Google Chrome
• App assessment tool
Tools - Web Simulator Controls
• Allows you to manipulate the web simulator environment
• Contains functions to simulate device events
• Incoming calls / messages
• Push messages
• Orientation change
• GeoLocation
Tools - Device Emulator
• Very similar to the Android Emulator
• Create virtual devices and run them
• Devices are qemu VMs
– qcow format disk images
Tools - Device Emulator Configuration
• Change skin
• Phone
• General Purpose
• Configure RAM
• Control hardware acceleration
Tools - SDB
• Smart Development Bridge
• AKA: “It’s not ADB, we swear”
Definitely not ADB…
Using SDB + WRT to install apps
Assessment Methodology
• Static Analysis
• File System Analysis
• Dynamic Analysis
• Network Analysis
Static Analysis
• Improper permission requests
– Overprivileged applications are a greater threat
• Unprotected shared content
– SQLite databases
– Temporary files with 777 access
• Encryption used
– Custom encryption or built-in APIs?
– Static keys saved in the application
• Cross origin access restrictions
– Which domains are restricted
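An added example (not code from the slides) that automates the config.xml review behind this checklist and the earlier config.xml slide: it lists the requested privileges with their level, flags WARP access origins that are wider than needed, and checks for a content-security-policy. The privilege-to-level table, the two config files and the example.com origins are constructed for illustration.

```python
"""Tizen web-app config.xml reviewer (added example, not code from the slides).

Reads a widget config.xml and reports what the static-analysis checklist asks
for: the privileges requested and their level, WARP <access> origins that are
wider than needed, and whether a content-security-policy is declared. The
privilege -> level table is a constructed subset for illustration; the real
list is the Tizen privilege reference for the target platform version.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

W3C = "{http://www.w3.org/ns/widgets}"
TIZEN = "{http://tizen.org/ns/widgets}"

# Constructed mapping: privilege URI -> level (public / partner / platform).
PRIVILEGE_LEVEL = {
    "http://tizen.org/privilege/filesystem.read": "public",
    "http://tizen.org/privilege/contact.read": "public",
    "http://tizen.org/privilege/application.launch": "public",
    "http://tizen.org/privilege/appmanager.certificate": "partner",
    "http://tizen.org/privilege/packagemanager.install": "platform",
}

# Constructed config.xml for a hypothetical app: wildcard WARP origin, a
# cleartext origin, partner/platform privileges and no CSP.
WEAK_CONFIG = """\
<widget xmlns="http://www.w3.org/ns/widgets" xmlns:tizen="http://tizen.org/ns/widgets"
        id="http://example.com/demo" version="1.0.0" viewmodes="maximized">
  <tizen:application id="3FRIz5CoAw.Test" package="3FRIz5CoAw" required_version="2.2"/>
  <content src="index.html"/>
  <name>Demo</name>
  <access origin="*" subdomains="true"/>
  <access origin="http://api.example.com"/>
  <tizen:privilege name="http://tizen.org/privilege/contact.read"/>
  <tizen:privilege name="http://tizen.org/privilege/appmanager.certificate"/>
  <tizen:privilege name="http://tizen.org/privilege/packagemanager.install"/>
</widget>
"""

# The same app with only the origin and privilege it needs and a CSP set.
HARDENED_CONFIG = """\
<widget xmlns="http://www.w3.org/ns/widgets" xmlns:tizen="http://tizen.org/ns/widgets"
        id="http://example.com/demo" version="1.0.0" viewmodes="maximized">
  <tizen:application id="3FRIz5CoAw.Test" package="3FRIz5CoAw" required_version="2.2"/>
  <content src="index.html"/>
  <name>Demo</name>
  <access origin="https://api.example.com"/>
  <tizen:privilege name="http://tizen.org/privilege/contact.read"/>
  <tizen:content-security-policy>default-src 'self'; connect-src https://api.example.com</tizen:content-security-policy>
</widget>
"""


@dataclass
class Report:
    app_id: str
    privileges: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def review_config(xml_text: str) -> Report:
    """Return the privileges and the review findings for one config.xml."""
    root = ET.fromstring(xml_text)
    app = root.find(TIZEN + "application")
    report = Report(app_id=app.get("id", "?") if app is not None else "?")

    # 1. Privileges: record each one; anything above public needs a matching CA.
    for p in root.findall(TIZEN + "privilege"):
        name = p.get("name", "")
        level = PRIVILEGE_LEVEL.get(name, "unknown")
        report.privileges[name] = level
        if level in ("partner", "platform"):
            report.findings.append(f"{level} privilege requested: {name}")
        elif level == "unknown":
            report.findings.append(f"privilege not in level table, check manually: {name}")

    # 2. WARP <access> elements: a wildcard or cleartext origin widens what the
    #    runtime lets the app load, so an XSS in the app reaches further.
    for a in root.findall(W3C + "access"):
        origin = a.get("origin", "")
        subdomains = a.get("subdomains", "false").lower() == "true"
        if origin == "*":
            report.findings.append("WARP access origin='*': any origin may be loaded")
        elif origin.startswith("http://"):
            report.findings.append(f"WARP access allows cleartext origin: {origin}")
        elif subdomains:
            report.findings.append(f"WARP access covers every subdomain of {origin}")

    # 3. Content security policy: absent, or present but weakened.
    csp = root.find(TIZEN + "content-security-policy")
    text = (csp.text or "").strip() if csp is not None else ""
    if not text:
        report.findings.append("no content-security-policy declared")
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in text:
            report.findings.append(f"content-security-policy permits {keyword}")
    return report


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        r = review_config(cfg)
        print(f"{label}: {r.app_id} privileges={r.privileges}")
        for f in r.findings:
            print("  -", f)
```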
File System Analysis
• Storing information on the SDCARD
• Unrestrictive file permissions
• Temporary files with 777 permissions
Dynamic Analysis
• Sensitive file storage
• Overly permissive content sharing
– Inter-application messaging
– Shared SQLite database
– Sensitive temp files
Network Analysis
• XSS means a privilege leakage
– Similar to an Android permission hijack but with JavaScript
• Cross origin attacks
– Can we evade the network restrictions?
• SQLi (client side and server)
– Parameterized queries are not used
• Handling untrusted server input
– Testing both the web server and the web client in this model
• Secure data transport
– SSL used throughout
Network MiTM Setup
• Set up a proxy in the WiFi Settings
• IPTables configuration
• Add CA certificates to the trusted system store
Trusted root certificate store
• Anything in /etc/ssl/certs that’s in PEM format and is named <8hexChars>.0 is considered a trusted cert
• So…
openssl x509 -in burpCA.der -inform DER -out burpCA.pem -outform PEM
sdb push burpCA.pem /tmp/
sdb shell
su
mv /tmp/burpCA.pem /etc/ssl/certs/ffffffff.0
Verification of Certificates
• Use the certificate viewer from to verify the certificate was “installed” correctly.
Review
• Applications
– HTML5 / WebRT / Webkit
– Privileged APIs
• SMACK
– Subject / Object / Labels
– 41K rules
• Assessments
– IDE / SDK / Emulator / Simulator
– Network MiTM
Predictions
• A Tizen phone will be released next year & adoption will be slow
– It will be rooted within the first week
• Smart devices like cars, TV’s, and refrigerators will be pushed by Samsung
• A webkit exploit affecting Tizen will break their security model
– This will cause devastating results to the platform, unlike any other mobile vulnerability
• Tizen will be adopted faster in non-American countries as a low cost, feature rich alternative to Android
Questions
Contact
• mark.manning@intrepidusgroup.com
• jason.ross@intrepidusgroup.com
• http://intrepidusgroup.com/insight
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 

Recently uploaded (20)

99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 

Tizen Security

Quick Comparison

                        Android      iOS              Firefox OS    Ubuntu             Tizen
Web App Support         None         None             Yes           Yes                Yes
Native App Support      Yes          Yes              No            Yes                Yes
Primary Application     Linux UIDs   XNU / Seatbelt   B2G / Gecko   D-BUS / AppArmor   SMACK labels
  Isolation Mechanism
IDE                     Eclipse      Xcode            Good luck!    Ubuntu SDK         Eclipse
Application Signing     Developer    Distributor      Distributor   Developer          Distributor & Developer
  Model

Technical Steering Group
• In charge of development and working with OEMs (and advocacy)
• Consists of Samsung, Intel and now Huawei
• Coordinates development of the operating system

Tizen Association
• Always represented by 12 companies
• Always changing
• Current members:

HTML5 Scores

Tizen Application Stack

Types of Apps
• Web Applications:
– Written in HTML5
– JavaScript makes calls to Privileged APIs
– Supports libraries like jQuery Mobile
– Can be either “Packaged Web Apps” or “Hosted Web Apps”
• Native Applications
– C / C++
– Native APIs unrelated to web app APIs
– Focused on gaming
• Hybrid Applications
– Little bit of both

WebRT
• WebRT is to Tizen what DalvikVM is to Android
• Execution of web applications
• Each application runs its own instance
• Access to device resources via JavaScript API
• Access control of web applications

The Widget Stack

Luckily Webkit is universally secure…

WGT
• Web applications or widgets
• W3C standard way of packaging an HTML5 application
• Zip archive with .wgt extension

Application Signing
• Each application is signed with 2 signatures
– W3C recommended way of handling widget signing
– As opposed to Android’s one
• Author signature
– From the author of the application, used to verify who created the app
• Distributor signature
– From the publisher or app store, verifying where the application was distributed from

Privileged Device APIs
• Public:
– Any developer can access
– Example: Filesystem – access a location on the device
• Partner:
– Only those developers that have been verified and approved can access it
– Partners are given a special Partner CA to sign their applications
– Example: ApplicationManager – manage application certificates
• Platform:
– Reserved to OEMs and Tizen implementers
– System level access to a device
– Example: BluetoothAdapter

config.xml File
• Similar to a manifest
• Declare Features: device capabilities
• Declare Privileges: API access required by the app
• Set policy: lets you set a “content security policy” for the application
– White list the sites it should be connecting to
– Based on W3C’s WARP

Install Directory == Package Name

Encryption Support
• Web apps support encryption of JavaScript, HTML, CSS, etc.
• Install-time encryption only
• Key configuration is located in /usr/share/secure-storage/config
– Usually points to /csa/.seckey
• Magic(key, wgt) = encryption

SMACK

SMACK - Introduction
• Linux kernel module
• Basis of the Tizen security sandbox model
• “Labels” are the metaphor – similar to how Android uses UIDs
• Tizen 2.1 has 41,000 SMACK rules
– Tizen 3 is looking to reduce these

SMACK - Control Mechanisms
• File control
– Extended attributes (xattrs) give filesystem objects a label
– The label corresponds to a SMACK rule
• IPC traffic
• Network traffic
– A CIPSO header is attached to each network packet
• Processes
– Can read /proc/self/attr/current to discover what SMACK labels they are running under

SMACK - Definitions
• Subject
• Object
• Access
• Label

SMACK - Access Rule Format
<subject-label> <object-label> <access-rule>

SMACK - Access Rule Examples
contacts-service _ arwxt
com.Intrepidus.pwn * arwx-
org.tizen.setting miracast-server rwx--

/opt/usr/apps/3FRIz5CoAw.Test = testApp
/tmp/file.txt = myFile
testApp myFile r

SMACK – Access Request Process
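The rule format and the examples above can be turned into a small evaluator that answers "may this subject do this to that object?" the way the kernel does. This is an added example, not code from the slides or from Tizen; it re-implements the documented Smack decision order (star, floor and hat labels, identical labels, then the loaded rule set) in Python, and loads the exact rules and path/label pairs shown on the slides. The question list in audit() is constructed for the example. One consequence of the kernel semantics worth seeing: an object labelled * is reachable by every subject whether or not a rule names it, and the floor label _ is readable and executable by everyone.

```python
"""Evaluate SMACK access requests against a rule set in the slides' format.

Added example for this page (not Tizen or Intrepidus code). The rule text and
the path-to-label mapping are the ones on the slides; the decision logic follows
the kernel's Smack documentation.
"""

# Special labels (kernel Smack semantics):
#   "*"  star  - any access TO a star object is allowed; a star SUBJECT gets nothing
#   "_"  floor - every subject may read or execute a floor object
#   "^"  hat   - a hat subject may read or execute anything
#   same label - a subject may always access an object carrying its own label
STAR, FLOOR, HAT = "*", "_", "^"

# Access flags that may appear in a rule ("-" is a placeholder for "not granted").
# r/w/x/a/t are the ones used on the slides; l (lock) and b (bringup) came later.
MODES = set("rwxatlb")


def parse_rules(text):
    """Parse '<subject> <object> <access>' lines into {(subject, object): set(flags)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, obj, access = line.split()
        granted = {c for c in access if c != "-"}   # "arwx-" -> {"a","r","w","x"}
        unknown = granted - MODES
        if unknown:
            raise ValueError(f"unknown access flag {unknown} in rule: {line}")
        rules[(subject, obj)] = granted
    return rules


def parse_labels(text):
    """Parse '<path> = <label>' lines (the slide's notation for xattr labels)."""
    labels = {}
    for line in text.splitlines():
        if "=" in line:
            path, label = (part.strip() for part in line.split("=", 1))
            labels[path] = label
    return labels


def smack_allows(rules, subject, obj, mode):
    """Return True if `subject` may perform `mode` (a single flag) on `obj`."""
    if mode not in MODES:
        raise ValueError(f"bad access mode {mode!r}")
    if subject == STAR:                       # star subject: always denied
        return False
    if obj == STAR:                           # star object: always allowed
        return True
    if subject == obj:                        # identical labels
        return True
    if mode in "rx" and (subject == HAT or obj == FLOOR):
        return True
    return mode in rules.get((subject, obj), set())   # explicit rule, else deny


# Constructed input: exactly the rules and path/label pairs shown on the slides.
RULES_TEXT = """
contacts-service _ arwxt
com.Intrepidus.pwn * arwx-
org.tizen.setting miracast-server rwx--
testApp myFile r
"""
LABELS_TEXT = """
/opt/usr/apps/3FRIz5CoAw.Test = testApp
/tmp/file.txt = myFile
"""


def audit(rules_text=RULES_TEXT, labels_text=LABELS_TEXT):
    """Answer the access questions an assessor would ask about the loaded policy."""
    rules = parse_rules(rules_text)
    labels = parse_labels(labels_text)
    app = labels["/opt/usr/apps/3FRIz5CoAw.Test"]
    target = labels["/tmp/file.txt"]
    return {
        "testapp_reads_file": smack_allows(rules, app, target, "r"),
        "testapp_writes_file": smack_allows(rules, app, target, "w"),
        "setting_execs_miracast": smack_allows(rules, "org.tizen.setting", "miracast-server", "x"),
        "setting_appends_miracast": smack_allows(rules, "org.tizen.setting", "miracast-server", "a"),
        "anyone_reads_floor": smack_allows(rules, "some.random.app", FLOOR, "r"),
        "anyone_writes_floor": smack_allows(rules, "some.random.app", FLOOR, "w"),
        "contacts_writes_floor": smack_allows(rules, "contacts-service", FLOOR, "w"),
    }


if __name__ == "__main__":
    for question, answer in audit().items():
        print(f"{question:26s} {answer}")
```

On a device the same functions can be fed the contents of the loaded rule files and the labels read from xattrs, which makes it easy to check whether an application label such as the one in /proc/self/attr/current reaches an object it should not.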
Content Security Framework
• McAfee contributed a solution to a problem first noticed in Android
– How does an app get access to the system to perform effective scans?
• Provides an API for anti-virus vendors
– Low-level hooks into the system to bypass usual application restrictions

Tizen Push Service
• Functionally similar to GCM on Android
• Messages limited to text data of 1024 bytes

ASLR
• “Fully implemented” in the Linux kernel, but some additional security measures are not currently implemented

Security protection     Purpose
fstack-protector-all    Adds canary-based buffer overflow checks on the stack and shuts down if it's corrupt
D_FORTIFY_SOURCE=2      Replaces unbounded string function calls with bounded ones; done where GCC can determine the buffer size
fpic, fpie              Position-independent code for libraries (fpic) and executables (fpie); protects against return-to-libc attacks
NX Bit                  No Execute bit
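Whether a native Tizen binary actually carries the four measures in that table can be read off the ELF file itself. The checker below is an added example (not code from the slides or the Tizen SDK): PIE shows up as an ET_DYN executable, NX as a PT_GNU_STACK program header without the execute flag, -fstack-protector as a reference to __stack_chk_fail, and _FORTIFY_SOURCE as the __*_chk replacements GCC emits for the bounded string functions. It uses only the standard library. The two sample images are constructed in memory and are not loadable programs; on a device you would run it over binaries copied off with sdb pull.

```python
"""Check an ELF binary for the hardening measures listed on the ASLR slide.

Added example for this page (not Tizen SDK code). Reads the ELF header, the
program headers and the raw symbol-name bytes; the sample images are constructed.
"""
import re
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

# _FORTIFY_SOURCE turns memcpy() into __memcpy_chk() etc.; the names survive in
# the string table. "__stack_chk_fail" does not match because "_fail" follows "_chk".
FORTIFIED = re.compile(rb"__[a-z0-9]+_chk\x00")


def check_hardening(data):
    """Return {pie, nx_stack, stack_canary, fortify_source} for the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)

    stack_flags = None
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type in ELF64 but comes after p_memsz in ELF32
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
            break

    return {
        # -fpie yields an ET_DYN executable (shared libraries are ET_DYN as well,
        # so only read this field for executables)
        "pie": e_type == ET_DYN,
        # with no PT_GNU_STACK entry the loader falls back to an executable stack
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
        "stack_canary": b"__stack_chk_fail\x00" in data,
        "fortify_source": FORTIFIED.search(data) is not None,
    }


def make_sample_elf(pie, exec_stack, names):
    """Build a minimal ELF64 image (constructed, not loadable) with the given properties."""
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"                   # 64-bit, little-endian, version 1
    struct.pack_into("<HHI", ehdr, 16, ET_DYN if pie else ET_EXEC, 0x3E, 1)
    struct.pack_into("<QQQ", ehdr, 24, 0, 64, 0)         # e_entry, e_phoff = 64, e_shoff
    struct.pack_into("<IHHHHHH", ehdr, 48, 0, 64, 56, 1, 64, 0, 0)   # one 56-byte phdr
    flags = 0x6 | (PF_X if exec_stack else 0)            # PF_R | PF_W (| PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    strtab = b"\x00" + b"".join(n + b"\x00" for n in names)
    return bytes(ehdr) + phdr + strtab


# Constructed samples: one built the way the table recommends, one with none of it.
HARDENED = make_sample_elf(True, False, [b"__stack_chk_fail", b"__memcpy_chk", b"__printf_chk"])
UNHARDENED = make_sample_elf(False, True, [b"memcpy", b"printf"])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
    print("hardened sample  ", check_hardening(HARDENED))
    print("unhardened sample", check_hardening(UNHARDENED))
```

The string-table heuristics are deliberately simple: a stripped binary still keeps its dynamic symbol names, so __stack_chk_fail and the __*_chk imports remain visible, but a statically linked binary with symbols removed would need a disassembler-based check instead.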
Weirdness
• Zypper is on the device
• Install all the things!
• OpenSSH: running by default on the device
• Root login is permitted

Attackers we are emulating
• A malicious application on the device
• A remote attacker that has hijacked another application’s backend
• Lost or stolen devices
Props to Katy Levinson/HackerDojo for this image

Attack Vectors
• Malicious application store / third party store
– Helped out by the distributor signing model
• SMishing, phishing to install an application
• “Drive by” content (malicious ad networks)
– Helped by defining WARP access tags or setting the content-security-policy correctly

Tools
• Tizen SDK – Eclipse IDE
• Web simulator
• Tizen Device Emulator
• SDB

Tools - Tizen SDK IDE
• Eclipse based
• Comes with the Tizen device emulator
• And the web simulator

Tools - Web Simulator
• Lets you run a WGT inside of Google Chrome
• App assessment tool

Tools - Web Simulator Controls
• Allows you to manipulate the web simulator environment
• Contains functions to simulate device events
– Incoming calls / messages
– Push messages
– Orientation change
– GeoLocation

Tools - Device Emulator
• Very similar to the Android Emulator
• Create virtual devices and run them
• Devices are qemu VMs
– qcow format disk images

Tools - Device Emulator Configuration
• Change skin
– Phone
– General Purpose
• Configure RAM
• Control hardware acceleration

Tools - SDB
• Smart Development Bridge
• AKA: “It’s not ADB, we swear”

Definitely not ADB…

Using SDB + WRT to install apps

Assessment Methodology
• Static Analysis
• File System Analysis
• Dynamic Analysis
• Network Analysis

Static Analysis
• Improper permission requests
– Overprivileged applications are a greater threat
• Unprotected shared content
– SQLite databases
– Temporary files with 777 access
• Encryption used
– Custom encryption or built-in APIs?
– Static keys saved in the application
• Cross origin access restrictions
– Which domains are restricted
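Most of the static checks above, together with the WGT packaging, signing and config.xml material earlier in the deck, can be scripted against the .wgt file before anything is installed. The script below is an added example, not code from the Tizen SDK or from the presenters: it unzips the package, parses config.xml for the requested tizen:privilege entries and the WARP <access> origins, flags a wildcard origin, cleartext origins and a missing content security policy, and checks that the W3C author-signature.xml and signatureN.xml files exist and reference every file in the archive (a file no signature references was never signed). It does not verify the signatures cryptographically, which would need the author and distributor certificates. The sample package is constructed in memory; the application id is the one shown on the SMACK slide, and the privilege and content-security-policy element names follow Tizen 2.x config.xml usage, so treat them as assumptions for other SDK versions.

```python
"""Static checks over a Tizen web application package (.wgt).

Added example for this page, not Tizen SDK code. Reads config.xml and the W3C
widget signature files out of the zip; the sample package is constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "w": "http://www.w3.org/ns/widgets",          # W3C widget config.xml
    "tizen": "http://tizen.org/ns/widgets",       # Tizen extensions (privileges etc.)
    "ds": "http://www.w3.org/2000/09/xmldsig#",   # XML-DSig used by widget signatures
}
AUTHOR_SIG = "author-signature.xml"   # W3C widget signing: one author signature ...
DIST_SIG_PREFIX = "signature"         # ... plus signature1.xml, signature2.xml, ... from distributors


def audit_wgt(wgt_bytes):
    """Return package id, requested privileges and a list of findings for a .wgt."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wgt_bytes)) as z:
        names = set(z.namelist())
        root = ET.fromstring(z.read("config.xml"))
        app = root.find("tizen:application", NS)
        privileges = [p.get("name") for p in root.findall("tizen:privilege", NS)]

        # WARP: each <access origin=...> widens the set of hosts the app may reach
        for acc in root.findall("w:access", NS):
            origin = acc.get("origin", "")
            if origin == "*":
                findings.append("access origin='*' disables the WARP whitelist entirely")
            elif origin.startswith("http://"):
                findings.append(f"cleartext origin allowed: {origin}")
        if root.find("tizen:content-security-policy", NS) is None:
            findings.append("no content-security-policy declared")

        # Signature coverage: every content file must appear as a <Reference URI=...>
        sig_files = {n for n in names
                     if n == AUTHOR_SIG or (n.startswith(DIST_SIG_PREFIX) and n.endswith(".xml"))}
        if AUTHOR_SIG not in sig_files:
            findings.append("missing author-signature.xml")
        if not sig_files - {AUTHOR_SIG}:
            findings.append("missing distributor signature (signatureN.xml)")
        for sig in sorted(sig_files):
            refs = {r.get("URI") for r in ET.fromstring(z.read(sig)).iterfind(".//ds:Reference", NS)}
            # signature files reference each other under a different rule, so leave them out
            unsigned = names - refs - sig_files
            if unsigned:
                findings.append(f"{sig} does not cover: {sorted(unsigned)}")
    return {"package": app.get("package") if app is not None else None,
            "privileges": privileges, "findings": findings}


# Constructed sample package (application id from the SMACK slide; privilege
# names follow the Tizen 2.x web API naming).
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" xmlns:tizen="http://tizen.org/ns/widgets"
        id="http://example.invalid/Test" version="1.0.0" viewmodes="maximized">
  <tizen:application id="3FRIz5CoAw.Test" package="3FRIz5CoAw" required_version="2.2"/>
  <content src="index.html"/>
  <name>Test</name>
  <access origin="*" subdomains="true"/>
  <tizen:privilege name="http://tizen.org/privilege/contact.read"/>
  <tizen:privilege name="http://tizen.org/privilege/filesystem.write"/>
</widget>
"""


def signature_xml(uris):
    """Minimal XML-DSig skeleton with one <Reference> per signed file (digests are placeholders)."""
    refs = "".join(f'<Reference URI="{u}"><DigestValue>placeholder</DigestValue></Reference>' for u in uris)
    return (f'<Signature xmlns="{NS["ds"]}"><SignedInfo>{refs}</SignedInfo>'
            f'<SignatureValue>placeholder</SignatureValue></Signature>')


def build_sample_wgt(sign_all=True):
    """Zip config.xml plus two content files; with sign_all=False js/app.js is left unsigned."""
    files = {"config.xml": CONFIG_XML, "index.html": "<html></html>", "js/app.js": "/* app */"}
    signed = list(files) if sign_all else ["config.xml", "index.html"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
        z.writestr(AUTHOR_SIG, signature_xml(signed))
        z.writestr("signature1.xml", signature_xml(signed + [AUTHOR_SIG]))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_wgt(sign_all=False)
    for key, value in audit_wgt(data).items():
        print(f"{key}: {value}")
```

The privilege list is reported rather than judged: whether an app is overprivileged depends on what it actually does, so compare the list against the features the app needs and against the public/partner/platform level each privilege sits at.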
File System Analysis
• Storing information on the SD card
• Unrestrictive file permissions
• Temporary files with 777 permissions

Dynamic Analysis
• Sensitive file storage
• Overly permissive content sharing
– Inter-application messaging
– Shared SQLite database
– Sensitive temp files

Network Analysis
• XSS means a privilege leakage
– Similar to an Android permission hijack, but with JavaScript
• Cross origin attacks
– Can we evade the network restrictions?
• SQLi (client side and server)
– Parameterized queries are not used
• Handling untrusted server input
– Testing both the web server and the web client in this model
• Secure data transport
– SSL used throughout

Network MiTM Setup
• Set up a proxy in the WiFi settings
• IPTables configuration
• Add CA certificates to the trusted system store

Trusted root certificate store
• Anything in /etc/ssl/certs that’s in PEM format and is named <8hexChars>.0 is considered a trusted cert
• So…
openssl x509 -in burpCA.der -inform DER -out burpCA.pem -outform PEM
sdb push burpCA.pem /tmp/
sdb shell
su
mv /tmp/burpCA.pem /etc/ssl/certs/ffffffff.0

Verification of Certificates
• Use the certificate viewer to verify the certificate was “installed” correctly

Review
• Applications
– HTML5 / WebRT / Webkit
– Privileged APIs
• SMACK
– Subject / Object / Labels
– 41K rules
• Assessments
– IDE / SDK / Emulator / Simulator
– Network MiTM

Predictions
• A Tizen phone will be released next year and adoption will be slow
– It will be rooted within the first week
• Smart devices like cars, TVs and refrigerators will be pushed by Samsung
• A Webkit exploit affecting Tizen will break their security model
– This will cause devastating results to the platform, unlike any other mobile vulnerability
• Tizen will be adopted faster in non-American countries as a low cost, feature rich alternative to Android

Contact
• mark.manning@intrepidusgroup.com
• jason.ross@intrepidusgroup.com
• http://intrepidusgroup.com/insight

Editor's Notes

  1. Introduction to Tizen; a review of Tizen’s architecture; application components and how we might break them; assessment tools and methods
  2. We’ve already seen it installed on a Nexus 7 and an S4
  3. Highlights: Ubuntu Touch; Sailfish OS, from Jolla and Nemo, which is from MeeGo and Moblin, which was started by Intel; and Ubuntu. Let's scope this down a bit…
  4. https://meego.com/community/blogs/imad/2011/whats-next-meego
  5. This is just pieces of acrylic that have been replaced by a Tizen home screen. Pay no attention
  6. WEB APPS VS NATIVE APPS WRT
  7. 3 types of apps. We’re focusing on web apps because: time; most interesting; and because the APIs couldn’t be any more different from each other
  8. http://download.tizen.org/misc/media/conference2012/tuesday/ballroom-a/2012-05-08_1515-1555-tizen_web_runtime.pdf
  9. In Tizen 3 all applications will be placed into the same SMACK domain unless they explicitly set a domain in their manifest file. See: http://lwn.net/Articles/552787/
  10. The contacts service has system-level access to append, read, write, execute and transmute. The calendar service has system-level access to write. The Tizen settings app can access the miracast-server object with rwx. The Intrepidus app has universal access.
  11. 33 minutes
  12. The application on the device registers for the service; the device establishes a session with the Tizen push server; the application receives a registration ID; the application sends the registration ID to the application server; the application server calls the Tizen server’s API; the Tizen server sends the push message to the device
  13. A malicious application on the device can potentially: root the device; attack another application; steal personal data
  14. Smishing is limited
  15. Temporary files: files that are downloaded and then run will sometimes be saved with 777 rights and be accessible in a race condition
  16. Don’t need the extra bullets, but just adding more information so you see where I’m going