
Development and Analysis of Security Policies in Security Enhanced Android PDF

121 Pages·2013·1.01 MB·English

Preview Development and Analysis of Security Policies in Security Enhanced Android

NAVAL POSTGRADUATE SCHOOL
MONTEREY, CALIFORNIA

THESIS

DEVELOPMENT AND ANALYSIS OF SECURITY POLICIES IN SECURITY ENHANCED ANDROID

by Ryan A. Rimando
December 2012

Thesis Advisor: George W. Dinolt
Second Reader: Karen Burke

Approved for public release; distribution is unlimited

REPORT DOCUMENTATION PAGE (Standard Form 298, Rev. 2–89; Form Approved OMB No. 0704–0188)

2. REPORT DATE: December 2012
3. REPORT TYPE AND DATES COVERED: Master’s Thesis
4. TITLE AND SUBTITLE: Development and Analysis of Security Policies in Security Enhanced Android
6. AUTHOR(S): Rimando, Ryan
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Naval Postgraduate School, Monterey, CA 93943–5000
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): N/A
11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. IRB Protocol number N/A.
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited
12b. DISTRIBUTION CODE: A
13. ABSTRACT (maximum 200 words): This thesis examines Security Enhanced Android. Both its policy and its additional security features are explored. The policy is examined in depth, providing a better understanding of the security provided by SE Android. We analyze the default SE Android policy. We identify a potential weakness and change the policy to facilitate control over communication channels. A proof-of-concept set of applications is developed to demonstrate how SE Android can be used to improve application security. The proof-of-concept policy is then analyzed to determine if security goals are met.
14. SUBJECT TERMS: Android, SE Android, SE Linux, Security Policy
15. NUMBER OF PAGES: 121
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT: UU

Ryan A. Rimando
Civilian, Federal Cyber Corps
B.S., College of Charleston, 2010

Submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN COMPUTER SCIENCE from the NAVAL POSTGRADUATE SCHOOL, December 2012

Author: Ryan A. Rimando
Approved by: George W. Dinolt, Thesis Advisor
             Karen Burke, Second Reader
             Peter J. Denning, Chair, Department of Computer Science

TABLE OF CONTENTS

I. INTRODUCTION ... 1
    A. DISCUSSION ... 1
    B. SCOPE ... 1
    C. ORGANIZATION OF THESIS ... 2
II. BACKGROUND ... 3
    A. INTRODUCTION ... 3
    B. CIA PRINCIPLES ... 3
    C. ACCESS CONTROL ... 3
        1. Discretionary Access Control ... 5
        2. Mandatory Access Control ... 5
            a. Role-Based Access Control Model ... 5
            b. Type Enforcement Model ... 7
            c. Bell-LaPadula Model ... 8
        3. Capability-based Systems ... 9
    D. SECURITY ENHANCED LINUX ... 10
    E. ANDROID ... 10
    F. SE ANDROID ... 12
    G. RELATED WORK ... 12
III. ANDROID AND ITS SECURITY FEATURES ... 15
    A. ANDROID FRAMEWORK ... 15
    B. ANDROID SECURITY MODEL ... 17
    C. ANDROID PERMISSIONS ... 19
    D. APPLICATION COMPONENTS ... 21
        1. Activities ... 21
        2. Services ... 22
        3. Content Providers ... 22
        4. Broadcast Receivers ... 23
    E. INTENTS ... 23
    F. BINDER ... 25
IV. SE LINUX ... 29
    A. INTRODUCTION ... 29
    B. SE LINUX ACCESS CONTROL MODELS ... 29
        1. Type Enforcement ... 29
        2. Role-based Access Control ... 31
        3. Multi-Level Security ... 32
    C. SE LINUX POLICIES ... 32
    D. SE LINUX POLICY TOOLS ... 33
V. SE LINUX IN ANDROID (SE ANDROID) ... 35
    A. INTRODUCTION ... 35
    B. FEATURES ... 35
    C. REFERENCE POLICY ... 36
        1. Domain Rules ... 36
        2. Application Domains ... 37
        3. Seapp_contexts ... 39
        4. Install-time MAC ... 40
        5. Important System Applications ... 42
            a. General System Apps ... 43
            b. Init ... 43
            c. Zygote ... 44
            d. Service Manager ... 44
            e. Media Server ... 44
            f. Installd ... 45
        6. Macros ... 45
        7. MLS ... 47
    D. SE MANAGER ... 48
    E. SE ANDROID VS EXPLOITS ... 48
        1. RageAgainstTheCage ... 48
        2. Exploid ... 49
VI. PROOF OF CONCEPT APPLICATIONS AND POLICY ... 51
    A. SCENARIO INTRODUCTION ... 51
    B. ARCHITECTURE OF APPLICATIONS ... 51
        1. Main Application ... 51
        2. Trusted Controller ... 53
        3. Calendar Applications ... 54
    C. SECURITY GOALS/REQUIREMENTS ... 55
    D. ANDROID SECURITY ... 56
        1. Deficiencies ... 56
    E. SE LINUX POLICY DEVELOPMENT ... 57
        1. App.te ... 57
        2. Seapp_contexts ... 58
        3. Poc_app.te ... 59
        4. Mac_permissions.xml ... 60
    F. SE LINUX POLICY ANALYSIS ... 60
        1. Apol ... 60
        2. Qisaq ... 62
    G. DISCUSSION ... 63
VII. CONCLUSION ... 67
    A. FUTURE WORK ... 67
    B. SUMMARY ... 69
APPENDIX A. PROOF OF CONCEPT CODE ... 71
    A. PACKAGE COM.PROC.DISPLAYAPP ... 71
        1. MainActivity.java ... 71
        2. DisplayActivity.java ... 72
        3. AndroidManifest.xml ... 76

Description:
Author: Rimando, Ryan. A proof-of-concept set of applications is developed to demonstrate how SE Android can be used to improve application security. ACLs contain the allowed permissions for each subject of a system.