android ipc mechanism
TRANSCRIPT
ANDROID IPC MECHANISM
nfsnfs @ Advanced Defense Lab
REFERENCE
• Draws heavily on the following material:
• http://www.slideshare.net/yeg239/android-internals-06-binder-typical-subsystem-rev11
• http://marakana.com/s/post/1340/Deep_Dive_Into_Binder_Presentation.htm
• http://www.slideshare.net/jserv/android-ipc-mechanism
• http://developer.android.com/guide/components/aidl.html
• http://www.jbcreativgroup.com/pdf/an-empirical-study-of-the-robustness-of-inter-component-77091.pdf
OUTLINE
• IPC
• Java Layer
• Binder
• Security Issue in IPC
WHAT IS IPC ?
• IPC = Inter-Process Communication
• Communication between processes
• More ... ?
WHY IPC?
• Every process in Android has its own address space
• Data Isolation
• IPC can introduce a lot of overhead, and it can also introduce security problems
WHAT IS DIFFERENT ?
• Traditional Linux
• Pipe
• Signal
• Message Queue
• Semaphore
• Socket
• Shared Memory
ANDROID IPC SYSTEM
• Binder
• Derived from OpenBinder
• BeOS / Palm
• Completely rewritten to become the Android binder
SOCKET VS BINDER
• Socket: File Descriptor, Network, Stream I/O
• Binder: PID, Local only, IOCTL
BINDER
[Diagram: App1, App2, App3, servicemanager and system_server all communicate through /dev/binder in the Linux Kernel]
WHY BINDER ?
• Security
• isolated process with distinct ID
• Stability
• crashed process
• Memory Management
• no need to free objects
BIONIC C
• Does not support the traditional System V IPCs
• No SysV semaphores, shared memory, message queues
• SysV IPC has a kernel resource leakage problem
COMMUNICATIONS
[Diagram: the Application layer (Home, Contacts, Phone, Browser) talks to the Application Framework over IPC, and the framework reaches the Native Layer over IPC & JNI]
ANDROID IPC
• Intent
• A data structure in the Java layer used to deliver messages
• Asynchronous Communication
• ContentResolver and ContentProvider are Synchronous Communication
• Through the CRUD API
INTENT
• Contains some basic fields
• data // the data required
• action // the operation to perform
• category // the kind of action
• component // which component to deliver to
• extras // extra data to pass along
INTENT CATEGORIES
• Explicit Intent
• An Intent with a component specified
• Implicit Intent
• An Intent without a component specified
EXPLICIT INTENT
• Intent.setComponent(ComponentName)
• Intent.setClass(Context, Class)
• new Intent(Context, Class)
INTENT
• Not suitable for low-latency communication
• Built on Binder
• Intent implements Cloneable and Parcelable
• Only a Parcelable can be passed through IPC
• ... Or you are a primitive type
INTERACTING WITH AN ACTIVITY
[Diagram: an Activity starts another Activity, which returns a result]
WHAT CAN YOU DO WITH AN INTENT ?
• startActivity(Intent)
• startActivityForResult(Intent, int)
• Start an Activity ...
INTERACTING WITH A SERVICE
[Diagram: an Activity or a BroadcastReceiver can start / stop / bind a Service]
WHAT CAN YOU DO WITH AN INTENT ?
• startService(Intent)
• Start a Service ...
• stopService(Intent)
• Stop a Service ...
WHAT CAN YOU DO WITH AN INTENT ?
• bindService(Intent, ServiceConnection, int)
• Establish a connection to a Service ..
• The ServiceConnection is where you can initialise the variables needed after binding
INTERACTING WITH A BROADCASTRECEIVER
[Diagram: an Activity, a Service or the System sends an Intent to a BroadcastReceiver]
⽤用 INTENT 可以做什麼 ?
• sendBroadcast(Intent)
• sendOrderedBroadcast, sendStickyBroadcast, sendStickyOrderedBroadcast
• Send an Intent to a BroadcastReceiver ...
WHAT ELSE IS THERE ... ?
• Messenger & Handler
• Commonly used for communication between an Activity and a Service
• Message.what: what to do
• Message.setData(Bundle): the data to pass
• Across processes, use a Bundle
• Within the same process, Message.obj can carry an object
MESSENGER & HANDLER
[Diagram: App A's Activity starts App B's Service; the Service's Messenger (backed by a Handler) is passed by reference to the Activity, and each side calls the other back through a Messenger]
MESSENGER & HANDLER
• Very similar to Intent
• But it provides two-way communication!
• From the Android Developer site:
Reference to a Handler, which others can use to send messages to it. This allows for the implementation of message-based communication across processes, by creating a Messenger pointing to a Handler in one process, and handing that Messenger to another process.
MESSENGER & HANDLER
• Characteristics
• Low latency, but still asynchronous
MESSENGER & HANDLER
• DEMO
MESSENGER & HANDLER
• Register a Handler and a Messenger in the Service
MESSENGER & HANDLER
• Return an IBinder from the Service's onBind
• An Activity bound to the Service can send messages through this IBinder object
MESSAGE
• Use Message.obtain() to take a Message object from mPool
• new Message() is not recommended
• replyTo: the Messenger to reply to
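As an added example (not code from the slides), here is a minimal Service that registers a Handler behind a Messenger and returns its IBinder from onBind, together with the client side that sends a Message obtained from the pool with replyTo set; the names EchoService, EchoClient and MSG_ECHO are assumed:

```java
import android.app.Service;
import android.content.*;
import android.os.*;

// Service side: a Handler does the work; a Messenger wraps it so another process can reach it.
public class EchoService extends Service {
    static final int MSG_ECHO = 1;             // Message.what (value assumed for this example)

    private final Handler handler = new Handler(Looper.getMainLooper()) {
        @Override public void handleMessage(Message msg) {
            if (msg.what != MSG_ECHO || msg.replyTo == null) return;   // ignore what we don't understand
            String text = msg.getData().getString("text", "");        // cross-process data rides in a Bundle
            Message reply = Message.obtain(null, MSG_ECHO);            // from the pool, not new Message()
            Bundle out = new Bundle();
            out.putString("text", text.toUpperCase());
            reply.setData(out);
            try { msg.replyTo.send(reply); }                           // answer via the caller's Messenger
            catch (RemoteException e) { /* caller's process is gone */ }
        }
    };
    private final Messenger messenger = new Messenger(handler);

    @Override public IBinder onBind(Intent intent) {
        return messenger.getBinder();          // the IBinder a bound Activity talks to
    }
}

// Client side: the ServiceConnection passed to bindService(intent, conn, Context.BIND_AUTO_CREATE).
class EchoClient implements ServiceConnection {
    private final Messenger replyTo = new Messenger(new Handler(Looper.getMainLooper()) {
        @Override public void handleMessage(Message msg) {
            String echoed = msg.getData().getString("text");          // "HELLO" arrives here
        }
    });

    @Override public void onServiceConnected(ComponentName name, IBinder binder) {
        Messenger service = new Messenger(binder);                    // wrap the IBinder from onBind
        Message msg = Message.obtain(null, EchoService.MSG_ECHO);
        Bundle data = new Bundle();
        data.putString("text", "hello");
        msg.setData(data);
        msg.replyTo = replyTo;                                        // where the Service should answer
        try { service.send(msg); } catch (RemoteException e) { /* service died */ }
    }

    @Override public void onServiceDisconnected(ComponentName name) { }
}
```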
SO LET'S TALK ABOUT THE BINDER BEHIND THEM !
BINDER !
• Extremely important!
"In the Android platform, the binder is used for nearly everything that happens across processes in the core platform." - Dianne Hackborn
[https://lkml.org/lkml/2009/6/25/3]
METHOD INVOCATION
• Within the same Process
[Diagram: caller invokes callee directly]
OTHER PROCESS?
• RPC ?
• Message Passing ?
• Socket ?
• ...
THE BINDER ARCHITECTURE IS ACTUALLY ...
[Diagram, top to bottom: Java Binder client / server and Native Binder client / server; Java Binder Framework; Native Binder Framework; Binder core library; Binder Adapter (ProcessState.cpp / IPCThreadState.cpp); Binder Driver]
BINDER COMMUNICATION
[Diagram: Client in Process A -> Binder in the Kernel -> Service in Process B]
BINDER DRIVER
• Binder driver
• ioctl(binderFd, BINDER_WRITE_READ, &bwd) system call
• open / release / poll / mmap / flush / ioctl
• /dev/binder
FLAT_BINDER_OBJECT
• binder and handle represent a local object and a remote object respectively
• The binder driver takes care of this mapping
THE TYPE OF A FLAT_BINDER_OBJECT
• BINDER_TYPE_BINDER / BINDER_TYPE_WEAK_BINDER - local object
• BINDER_TYPE_HANDLE / BINDER_TYPE_WEAK_HANDLE - reference to a remote object
• BINDER_TYPE_FD - file
THE FLAGS OF FLAT_OBJECT_TYPE
• TF_ONE_WAY - one way, asynchronous, no reply needed
• TF_ROOT_OBJECT - root object, meaning the type is a local object
• TF_STATUS_CODE - status code, meaning the type is a handle
• TF_ACCEPT_FDS - file descriptors are accepted, so the handle will be a file descriptor
THE DATA ACTUALLY TRANSFERRED: BINDER_TRANSACTION_DATA
BINDER_WRITE_READ
• read_buffer and write_buffer are pointers (to buffers in user space)
• BC_TRANSACTION
• Parses the data that is about to be processed
• BC_REPLY
• Returns the result data
    struct binder_write_read {
        signed long   write_size;      /* bytes to write */
        signed long   write_consumed;  /* bytes consumed by driver */
        unsigned long write_buffer;    /* user-space address of the write buffer */
        signed long   read_size;       /* bytes to read */
        signed long   read_consumed;   /* bytes consumed by driver */
        unsigned long read_buffer;     /* user-space address of the read buffer */
    };
BINDER COMMUNICATION
• At the Native Level this is normally handled with libbinder; there is no need to drive the ioctl interface directly
• But sometimes we want to hide the binder so that the client is easier to write ...
• AIDL !
• A Java-like language
BINDER COMMUNICATION
[Diagram: Client (Proxy) in Process A -> Binder in the Kernel -> Service (Stub) in Process B]
AIDL
• Proxy and Stub
• Java-based
• Can be generated with the aidl tool
• In Android Studio, put the aidl file under /main/aidl/<package_name>/ and the Interface is generated automatically in /build/source/aidl
AIDL
• AIDL example:
AIDL
• AIDL is only used to generate an Interface
• which contains the two classes Proxy and Stub!
AIDL
• The generated interface:
AIDL
• The Stub in the Service
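As an added example (not the slides' own code) covering the AIDL example, the generated interface and the Stub in the Service: an assumed IGreeter.aidl, the Service that returns its generated Stub from onBind, and the client that wraps the IBinder with Stub.asInterface; the names IGreeter, GreeterService, GreeterClient and the package com.example.ipc are assumptions:

```java
// ---- IGreeter.aidl (placed under src/main/aidl/com/example/ipc/) ----
// package com.example.ipc;
// interface IGreeter {
//     String greet(String name);   // transaction code 1: the first method in the file
// }
// The aidl tool generates IGreeter, IGreeter.Stub (server side) and IGreeter.Stub.Proxy (client side).

import android.app.Service;
import android.content.*;
import android.os.IBinder;
import android.os.RemoteException;
import com.example.ipc.IGreeter;

// Service side: implement the generated Stub and hand it out from onBind().
public class GreeterService extends Service {
    private final IGreeter.Stub stub = new IGreeter.Stub() {
        @Override public String greet(String name) {
            // Stub.onTransact() has already unmarshalled the incoming Parcel into 'name'.
            if (name == null) name = "anonymous";        // a remote caller may pass null
            return "Hello, " + name + " (from uid " + getCallingUid() + ")";
        }
    };

    @Override public IBinder onBind(Intent intent) {
        return stub;                                      // Stub extends android.os.Binder
    }
}

// Client side: the ServiceConnection given to bindService(...).
class GreeterClient implements ServiceConnection {
    private IGreeter greeter;

    @Override public void onServiceConnected(ComponentName name, IBinder binder) {
        // From another process this returns a Stub.Proxy that marshals the arguments into a
        // Parcel and calls transact(); from the same process it returns the Stub itself.
        greeter = IGreeter.Stub.asInterface(binder);
        try {
            String msg = greeter.greet("nfs");            // looks like a local call, is IPC
        } catch (RemoteException e) {
            // the remote process died or the transaction failed
        }
    }

    @Override public void onServiceDisconnected(ComponentName name) { greeter = null; }
}
```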
MARSHALLING AND UNMARSHALLING
• Marshalling is the act of producing a Parcel object
• Unmarshalling is restoring the Parcel to the original object
PARCEL
• AIDL handles this for us
• It actually repackages the object using a native binary encoding
ANDROID.OS.PARCEL
• http://www.slideshare.net/jserv/android-ipc-mechanism
BINDER COMMUNICATION
[Diagram: Client (Manager and Proxy) in Process A -> Binder in the Kernel -> Service (Stub) in Process B]
SYSTEM SERVICES
• The approach used by the System Services
• Clients cannot even tell that they are using IPC
• Context.getSystemService(String)
SYSTEM SERVICES
• NOTIFICATION_SERVICE
• LOCATION_SERVICE
• CONNECTIVITY_SERVICE
• WIFI_SERVICE
• ... and many more: http://developer.android.com/reference/android/content/Context.html
HOW SYSTEM SERVICES ARE USED
• Example:
BINDER COMMUNICATION
[Sequence diagram across Process A (Client, Manager Proxy), the Kernel (Binder), Process B (Service), the Context Manager and the Framework: the Context Manager registers itself with the Binder (register CM) and awaits requests; the Service gets the CM and registers itself (register svc tx -> registered service); the Client gets the CM and asks for the service (get svc tx), the Framework initialises the Manager Proxy (init manager), and from then on the Client reaches the service through the proxy (get service -> got service)]
CONTEXT MANAGER
• The Binder Driver only allows one Context Manager to register
• That is why servicemanager is the first Android service to be started
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c
• servicemanager a.k.a Context Manager
SERVICEMANAGER IN INIT.RC
init.rc contains the start order of the services
SETTING UP SERVICEMANAGER
• frameworks/native/cmds/servicemanager/service_manager.c
[Code screenshot, annotated: this is (void *) 0; wait for requests]
SETTING UP SERVICEMANAGER
• BINDER_SET_CONTEXT_MGR
• frameworks/native/cmds/servicemanager/binder.c
SETTING UP SERVICEMANAGER
• http://lxr.linux.no/linux+v3.10.6/drivers/staging/android/binder.c#L2622
SVCMGR_HANDLER
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#203
SERVICE MANAGER
• System services have to register with the service manager
• An application that wants to use a system service has to query the service manager
REGISTERING A SYSTEM SERVICE
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#do_add_service
CHECKING WHETHER THE SERVICE BEING REGISTERED HAS PERMISSION
• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#svc_can_register
CURRENTLY REGISTERED SERVICES
• adb shell service list
TESTING A SYSTEM SERVICE
• adb shell service call phone 1 s16 "1234567890"
WHAT IT ACTUALLY IS ...
• The order of the methods in the AIDL file (here, transaction code 1)
• http://androidxref.com/4.3_r2.1/xref/frameworks/base/telephony/java/com/android/internal/telephony/ITelephony.aidl
OVERALL FLOW
• http://marakana.com/s/post/1340/Deep_Dive_Into_Binder_Presentation.htm
SECURITY
• IPC can lead to some security problems
• Because an Intent can be malicious!
THREAT !
[Diagram: App A and App B each expose an Activity, a Service and a Broadcast Receiver; besides the System Intents they expect, a Malicious App can send them Intents too]
REF TO COMDROID
• See the ComDroid slides !
QUESTIONS?
• How well does an Android component behave in the presence of a semi-valid or random Intent?
• How robust are Android’s ICC primitives?
• How can we refine the implementation of Intents so that input validation can be improved?
TESTING TOOL
[Diagram: the tool asks the Package Manager for a list of components, then drives them with startActivityForResult, startService and sendBroadcast]
AVOID MANUAL INTERVENTION
• startActivityForResult() and finishActivity()
• Pause 100ms between sending of each successive Intent
SEMI-MANUAL ...
• finishActivity() did not work in two situations
• System alert was generated (crash or exception)
• Activity was started as a new task
Calling startActivity() from outside of an Activity context requires the FLAG_ACTIVITY_NEW_TASK flag.
GENERATING INTENTS
• { Action / Data / Component / Extras }
• Data URI := scheme/path?query
DATA URI SCHEME
• content://
• file://
• folder://
• directory://
• geo:
• google.streetview:
• http://
• https://
• mailto:
• ssh:
• tel:
• voicemail:
IMPLICIT INTENT
• A. Valid Intent, unrestricted fields null:
• Match only the restricted attributes of the Intent-filter
• B. Semi-valid Intent:
• Fuzz at least one field
VALID INTENT
• Intent filter
    <intent-filter>
        <action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
    </intent-filter>
• Intent
    Intent i = new Intent();
    i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE");
    sendBroadcast(i);
SEMI-VALID INTENT
• Intent filter
    <intent-filter>
        <action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" />
    </intent-filter>
• Intent
    Intent i = new Intent();
    i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE");
    i.addCategory("CATEGORY_ALTERNATIVE");
    sendBroadcast(i);
EXPLICIT INTENT
• FIC A. Semi-valid Action and Data
• FIC B. Blank Action or Data
• FIC C. Random Action or Data
• FIC D. Random Extras
* FIC : fuzz injection campaigns
[Slide annotations: robustness of callee; potential adversary]
SEMI-VALID ACTION AND DATA
• Total Intents: |Action| x |Data| for each component
{ act=ACTION_EDIT data=http://www.google.com comp=com.android.someComponent }
(Meaningless combination)
BLANK DATA OR ACTION
• Total Intents: |Action| + |Data| for each component
{ data=http://www.google.com comp=com.android.someComponent }
(No Action)
RANDOM ACTION OR DATA
{ act=ACTION_EDIT data=a1b2c3d4 comp=com.android.someComponent }
(Random data)
RANDOM EXTRAS
{ act=ACTION_DIAL data=tel:123-456-789 comp=com.android.someComponent has Extras }
MACHINE
• Moto Droid - Android 2.2
• HTC Evo 3D - Android 2.3.4
• Emulator - Android 4.0
FIRMWARE
• com.android.* package
• In Droid ...
• 297 activities
• 42 services
• 59 receivers
• In Emulator ...
• 332 activities
• 54 services
• 69 receivers
MOST POPULAR FREE APPS
• 3 Dec, 2011
• Pandora Radio
• Voxer Walkie Talkie
• Angry Birds
• Skype
• 103 activities
• 11 services
EXPERIMENTAL RESULTS
FAULT INJECTION
• Choose one particular component and inject all the Intents targeted to that component
COLLECT LOGS
• logcat
• "Force Close"
• "Application x stopped unexpectedly"
• "FATAL EXCEPTION: main"
RESULTS FOR EXPLICIT INTENTS
• 2148 crashes in Android 2.2
• 641 crashes in Android 4.0
• 152 crashes for Apps from Market
FAILED COMPONENTS
• Many Android components do not perform null checks
• 3 of the apps (from Market) had at least one component that failed one or more experiments
EXCEPTION TYPES
[Chart of exception types, annotated: should be handled by the calling function]
IN ANDROID 4.0 ...
• Unpredictable environment-dependent errors in Android 4.0
• WindowManager$BadTokenException (26.83%)
• IllegalStateException (23.56%)
• RuntimeException (3.12%)
• system_server restarts (GC)
SYSTEM CRASH
• 3 Activities in built-in apps caused system_server to restart
• Did not catch NullPointerExceptions
• Need no extra permissions
SYSTEM CRASH
[Screenshot]
RESULTS FOR VALID INTENTS
• In HTC Evo 3D ...
• 1910 Intent-filters startActivity()
• Some of them are registered by Services
• ActivityNotFoundException
• Crashed 5 components
• 12 unexpected exceptions
• 1. NullPointerException 2. IOException 3. Resources$NotFoundException
RESULTS FOR SEMI-VALID
• From Intent-filters
• 643 distinct Actions
• 37 Categories
DISCUSSIONS
• Poor exception handling
• Environment-dependent errors in Android 4.0
• Privileged components with unrestricted access
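An added example, not from the slides or the paper they summarise, showing how a component can protect itself against the four fuzz injection campaigns described above (semi-valid, blank and random Action/Data, random Extras) with the null checks and exception handling the results call for; RobustDialService and the "speaker" extra key are assumed names:

```java
import android.app.Service;
import android.content.Intent;
import android.net.Uri;
import android.os.IBinder;
import android.text.TextUtils;
import android.util.Log;

// A dialer-like Service (assumed name) that validates every field of an incoming Intent
// before acting on it, so none of the injected Intents can take the process down.
public class RobustDialService extends Service {
    private static final String TAG = "RobustDialService";

    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        // The framework may redeliver a null Intent, and FIC B sends a blank Action:
        // check both instead of dereferencing intent.getAction() unconditionally.
        if (intent == null || !Intent.ACTION_DIAL.equals(intent.getAction())) {
            Log.w(TAG, "ignoring Intent with missing or unexpected action");
            stopSelf(startId);
            return START_NOT_STICKY;
        }
        // FIC A and C: the Data may be absent, a meaningless combination, or random bytes.
        Uri data = intent.getData();
        String number = (data == null) ? null : data.getSchemeSpecificPart();
        if (data == null || !"tel".equals(data.getScheme()) || TextUtils.isEmpty(number)) {
            Log.w(TAG, "ignoring Intent with invalid data: " + data);
            stopSelf(startId);
            return START_NOT_STICKY;
        }
        // FIC D: random Extras. The typed getters return the default on a type mismatch
        // rather than throwing, so read every extra with a default value.
        boolean speaker = intent.getBooleanExtra("speaker", false);   // "speaker" is an assumed key

        try {
            dial(number, speaker);
        } catch (RuntimeException e) {
            // An uncaught exception in a component kills its process, and in system_server it
            // restarts the whole system; catching it here turns a malformed Intent into a log line.
            Log.e(TAG, "dial failed for " + number, e);
        }
        stopSelf(startId);
        return START_NOT_STICKY;
    }

    private void dial(String number, boolean speaker) {
        // Placeholder for the real work; it must not assume the caller validated anything.
        if (!number.matches("[0-9+*#-]+")) throw new IllegalArgumentException("bad number");
    }

    @Override public IBinder onBind(Intent intent) { return null; }   // not a bound service
}
```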