17 Aug Android 4.3 and SELinux
18 May NoSuchCon 2013
A few weeks ago Google released a new revision of its flagship mobile operating system, Android 4.3. Although some say that this time the updates have been quite scarce, from a security perspective there have been some undeniable improvements (among others, the "MasterKey" vulnerability has finally been patched). One of the most prominent is SELinux. Many cheered the event as a long-awaited move, while others criticized its implementation. Personally, I think that the impact is not that easy to assess, especially if we were to question the benefits for end users. To shed some light on this, we cannot avoid analyzing a bit more closely what SELinux is and what its threat model is.
Here we are, attending the USENIX Security Symposium (22nd edition) once again, this time held in Washington DC, US. This conference is known as a leading forum for discussing and presenting novel, scientifically significant and practical work in computer security. It is not that common to see two terms like "practical" and "scientifically significant" used in the same sentence, right? This is the reason why I have a weak spot for this conference. It really attracts the kind of research that lets you dream of what computer security can be, without losing contact with reality. It is also a wonderful way to catch up with former colleagues from academia, especially if they are presenting some of their ongoing research (but I will get to that later).
The last few weeks have been quite busy with announcements of either master keys or Chinese master keys being unveiled, both qualifying as critical vulnerabilities for the Android platform. Although things have finally calmed down a bit, we are still waiting for the final act in Las Vegas at Black Hat USA, where Jeff Forristal (the researcher who discovered one of the two aforementioned vulnerabilities) will discuss all the relevant details (you never know whether some surprise is to be expected). Nevertheless, we now have enough information to assess its impact.
First off, the term "master key" is a bit misleading; the vulnerability, in fact, does not involve any cryptographic primitive. Instead, it is all about stashing two versions of the same resource inside an Android application (the apk file) so as to partially evade some integrity checks. The impact is, however, significant, since it means that an adversary is able to tamper with an apk file signed by a trusted authority so as to include a modified resource that replaces the genuine one (it is easy to see that a modified classes.dex is the most dangerous case).
From the user's perspective, this means that an application released and signed by "FamousCompany (tm)" might include some pieces of malicious code without the user noticing. This whole matter, however, is heavily mitigated by the fact that the Play Store (the most widely adopted application store) has been patched so as to refuse applications packed as zip files that include the same file twice. Nevertheless, based on some reports, some applications in the Play Store are packed like that, although harmlessly, and very likely by mistake (the zip file of the app in question included the same png resource twice). This means, however, that the security checks are only performed on newly uploaded applications, and do not cover the whole set of applications already in the store.
If that was not enough, only a few devices (reportedly only the Samsung Galaxy S4) are known to run the code patching this vulnerability. This is quite relevant if we consider that many users retrieve applications from third-party application stores, which might not vet the uploaded apk files. If the widely discussed device fragmentation is not killing the development industry, we wonder how many users would accept it if it resulted in constant exposure to bugs like this. Anyway, this is another reason why the very same researchers have released an application that checks whether your device is exposed. Kaspersky Lab products actively check that the device is clean of applications exploiting either vulnerability by querying the Kaspersky Security Network (KSN). That being said, the best way to keep yourself safe from this unwinding chain of events is also to avoid third-party application stores and to leave the "Install from Unknown Source" check box unselected.
Fostering knowledge exchange among different generations of security researchers is maybe one of the best traits of a good security conference. Judging by its attendance, NoSuchCon can easily claim to be one of these. It's rare to see such a mix of young researchers and old gurus exchanging ideas and getting to know each other. Held this year in Paris, NoSuchCon takes place on the premises of the Espace Oscar Niemeyer; admittedly a nice move, putting a security conference inside an art exhibition center (congrats to the organizers :)).
Every year, as Europe wakes up from the cold winter to the warm days of spring, BlackHat traditionally descends on Amsterdam. This year's conference is taking place on March 14-15 at the NH Grand Hotel Krasnapolsky, right on Dam Square, the heart of Amsterdam. As spring doesn't necessarily equal warm days here in Europe right now, the 500 or so BlackHat participants hit the conference rooms to attend quite a few interesting talks. Here's a summary of the best talks at BlackHat Europe 2013.
We’ve recently experienced yet another case of a root certificate authority (CA from now on) losing control of its own certificates. And yet again, we have been waiting for either the CA or the browser to do something about it. This whole mess stems, once again, from both a governance and a technical problem. First, only the very same CA that issued a certificate can later revoke it. Second, although web browsers implement several techniques to check the certificate’s revocation status, errors in the procedure are rarely considered hard failures.
The last week of 2012 marked the 29th installment of the Chaos Communication Congress. Organized by the Chaos Computer Club (CCC), the congress is an annual conference on technology and its impact on society. Although the scope may look quite loose, both lectures and workshops typically revolve around privacy, freedom of information, data security and other hacking issues. Needless to say, it has always been a great success; a huge one, considering that Black Hat-sized events here in Europe are not that common. Take, for instance, the fact that this year the congress had to be held in Hamburg, as Berlin could not offer a congress center fit to host more than 6000 attendees. Trust me, this number was not an exaggeration at all!
I admit my expectations were quite high: after four long years of scientific symposia, going back to more technical venues had indeed put my brain in hunger mode. However, having experienced what it means to organize medium-sized scientific conferences, I was honestly puzzled about how a huge building such as the Congress Center of Hamburg could be turned into a functional place ready to host lectures, workshops, and hack spaces. Boy, was I wrong to worry about it. The event lasted 4 whole days (from the 27th to the 30th) with impeccable organization: not only were all lectures and workshops flawlessly organized, streamed, and chaired, but all open spaces were also collectivized and used for all kinds of hacking purposes, from playing CTF to entry-level courses on the Arduino platform.
The speakers, on the other hand, could take advantage of extremely well-sized rooms, with the most important talks having an auditorium available that could host more than 2000 people. Nevertheless, I have to say I was forced to learn one thing pretty fast: if you are interested in a topic, and that topic happens to be quite a hot one, well, be ready to get to the room at least 15 minutes before show time; seriously, being on time never worked; any room, regardless of its capacity, was liable to fill up. Believe me, I was really thankful for the flawless streaming infrastructure (watching a talk on my laptop that was taking place just a few meters away was indeed paradoxical :) ).
The first day's lineup was respectable. The keynote was given by Jacob Appelbaum, known for his contributions to "The Tor Project", and also a former spokesperson for WikiLeaks. After the usual introductions, he explained the reasoning behind this year's congress motto, "Not My Department". We have all heard this sentence at least once in our lives; usually uttered to belittle other people's arguments, it has always been used as an example of a closed mindset at work. Jacob's point was that this attitude is even more detrimental in an interconnected world. What is the use of a privacy-preserving bill if our data flows through the routers of oppressive governments potentially assembling huge data sets about our lives? A new level of awareness is therefore called for.