windows phone 7 oems microsoft bluehat …...2011/11/08 · windows phone 7 oems – microsoft...
Windows Phone 7 OEMS – Microsoft BlueHat Executive Briefings
Alex Plaskett – November 2011
Main Objectives
• High-level overview
• Demonstrate that OEMs negatively impact the security posture of phones
• Provide independent viewpoint on security
• Provide thoughts for future
05/10/11
Introduction
Who am I?
• Security Consultant @ MWR InfoSecurity
• Presented on WP7 at 44con, T2 etc.
• Breaking stuff for fun for a while
What this talk will cover
• OEM Features and Risks
• OEM Vulnerabilities
• Future Thoughts
Platform OEM Comparisons
• WP7: HTC, Samsung, LG, Dell
• Android: Acer, HTC, LG, Motorola
• iOS: Apple
• BBOS: RIM
WP7 and Android: greater attack surface/more complex security ecosystems
WP7 Security Model
• Process Sandbox
• Code Signing
• Centralised Security Policy
• Exploit Mitigations
Chamber Based Security Model
WP7 OEM Features
| Third Party Development | OEM/MO Development |
| --- | --- |
| Managed Code Only | Managed + Native Code |
| User space Only | User space and Kernel |
| LPC Sandbox Applications | Up to high privilege chambers |
| No accessible services | Globally Accessible Services |
WP7 OEM Risks
• Vulnerabilities in OEM Apps or Drivers
• Privileged Application Functionality
• Extra Delay in Patching OEM Code
• Vulnerabilities in OEM code misattributed to MS vulnerabilities?
Vulnerabilities
Other Platform OEM Vulnerabilities
• Android:
  – HTC Browser INSTALL Permissions
  – HTC Sound Recorder
  – HTC Logger
• iPhone / BlackBerry:
  – N/A
WP7 Potentially Dangerous OEM Functionality
• Samsung Diagnostic Application
• LG MFG Application
• HTC Debug Code
Concerning OEM Code
WP7 OEM Vulnerabilities
• HTC Kernel Arbitrary Read/Write
• Samsung PROVXML Privilege Escalation
Browser Exploitation
• Samsung Diagnostic Application
  – For Debugging
• Samsung PROVXML Vulnerability
  – For File System Access
=> Not Directly Using OEM Vulnerabilities
• Browser lacks ID_CAP_INTEROPSERVICES
Demo
Identified Problems
• Gap between MS and OEM code quality
• OEMs introduce dangerous features to offer customers / internal developers extra functionality at the potential expense of security
• MSFT gets blamed for OEM mistakes?
Future Thoughts
Mango and onwards
• Restricts method I used to debug and develop exploits against the platform (ID_CAP_INTEROPSERVICES) and new web browser.
• However, design and policy still allows OEM applications to use driver functionality
• OEM code could still expose MS to an unnecessary level of risk
Discussion Points
• Better integration between MS SDL and OEMs' development?
• More granular permissions for OEMs
  – Provide secure APIs for OEM requirements?
• Does MS have oversight in what the OEMs are shipping?
• More stringent controls on what OEMs ship?
Conclusions
• Strong Granular Security Model
• Attackers need multiple vulnerabilities
• MS needs to motivate OEMs to deliver better code
• Attackers could use OEM vulnerabilities
Questions?