The whole mobile/Android world was shocked when a new vulnerability was disclosed which, to sum it up, weakens the security of the built-in KeyStore. However, the Android fanboy in me couldn’t help but notice that a lot of media fail to cover the story correctly. Bear with me here, it will get a little bit technical.
“The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers. By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. The advisory said Google has patched the stack-based buffer overflow only in version 4.4, aka KitKat, of Android. In an update, IBM said the vulnerability affected only version 4.3, which runs on about 10.3 percent of handsets.”
Now, a stack-based overflow itself is not that hard to exploit. However, every self-respecting security team in a big software company knows and implements countermeasures against such overflows. Android, for example, uses two major ones: data execution prevention and address space layout randomization (ASLR). Without going into the technical details, these make it pretty hard for an attacker to execute their own malicious code. But assume for now that an attacker is able to do so. It’s still pretty difficult to actually exploit this. Whenever you inject code into the stack on the Android OS, the code is converted to a 7-bit ASCII representation. So what, you may ask? Well, basically this reduces the set of instructions that can be executed. Because of this 7-bit representation, the most significant bit of every byte is forced to 0, and you can’t encode values less than b’0110000 (0x30). This restricts you to code words of the form b’0xxxxxxx 0xxxxxxx 0xxxxxxx 0xxxxxxx. Now consider this chart, which shows the instruction encoding of an ARMv7 CPU, frequently used in Android devices.
(Figure: instruction encoding chart of an ARMv7 CPU)
If you look at the chart and apply the 7-bit representation explained above, you can see that all condition codes must start with a 0. That immediately throws out “always execute” (AL). So every instruction you encode will be conditional. Furthermore, your Rd register always starts with a 0: a pain in the ass, but not something you can’t bypass. Basically you can only write to half the registers, bummer. Consider the compare instructions: these all require a non-ASCII byte. Whoops, no comparisons for you. To finish off, the ADD instruction. The values you can add are constrained by the requirement that no byte may be an ASCII value below 0x30, so depending on which operand you choose you can only pass in certain values. To sum it up: you can’t use most of the instructions, you can’t write to most of the registers, and your immediate operands are sharply constrained. Nevertheless, the vulnerability is something that should be taken care of, but not something that should keep you awake at night.
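To make the two field constraints above concrete, here is an added Python example (my own illustration, not code from the original post, and it assumes nothing about the keystore daemon beyond the byte rule the post states). It decodes the condition-code and Rd fields of a 32-bit ARM (A32) instruction word, tests whether every byte of a word is 7-bit ASCII, and enumerates which condition codes and destination registers remain reachable. It applies both the plain MSB-clear rule and the stricter “nothing below 0x30” bound the post mentions, so it goes slightly beyond the text by showing that the stricter bound rules out a few more values than the MSB rule alone. The sample words are constructed for illustration.

```python
"""Added example, not code from the post: decode the ARM (A32) instruction
fields discussed above and test a 32-bit word against the byte constraint the
post describes (every byte must be 7-bit ASCII; values below 0x30 are not
encodable).  Field positions follow the ARM architecture: cond = bits 31:28,
Rd = bits 15:12.  The sample words at the bottom are constructed for illustration."""
from typing import Dict, List, Set

# ARM condition-code mnemonics indexed by the 4-bit cond field (0xE is AL, "always").
COND_NAMES = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
              "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]


def word_bytes(word: int) -> List[int]:
    """Split a 32-bit instruction word into its four bytes, most significant first."""
    return [(word >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def survives_encoding(word: int, low: int = 0x30) -> bool:
    """True if every byte lies in [low, 0x7F]: MSB clear (7-bit ASCII) and not below `low`.

    low=0x30 is the bound the post states; low=0 checks only the 7-bit rule.
    """
    return all(low <= b <= 0x7F for b in word_bytes(word))


def decode_fields(word: int) -> Dict[str, object]:
    """Extract the cond (bits 31:28) and Rd (bits 15:12) fields of an A32 word."""
    cond = (word >> 28) & 0xF
    return {"cond": COND_NAMES[cond], "rd": (word >> 12) & 0xF, "always": cond == 0xE}


def reachable_nibble(low: int = 0x30) -> Set[int]:
    """Values a high nibble can take when its whole byte must lie in [low, 0x7F].

    Both cond and Rd sit in the top four bits of their byte, so one helper serves both.
    """
    return {n for n in range(16)
            if any(low <= ((n << 4) | k) <= 0x7F for k in range(16))}


def reachable_conditions(low: int = 0x30) -> Set[str]:
    """Condition codes an injected word can carry under the byte constraint."""
    return {COND_NAMES[n] for n in reachable_nibble(low)}


def reachable_rd(low: int = 0x30) -> Set[int]:
    """Destination registers (r0..r15) an injected word can name under the constraint."""
    return reachable_nibble(low)


if __name__ == "__main__":
    # Constructed samples: 0xE1A00000 is the classic 'mov r0, r0' (cond AL);
    # 0x30303030 is a word made only of ASCII '0' bytes.
    for w in (0xE1A00000, 0x30303030):
        print(hex(w), decode_fields(w), "survives" if survives_encoding(w) else "rejected")
    print("conditions (7-bit only):", sorted(reachable_conditions(low=0)))
    print("conditions (>= 0x30):   ", sorted(reachable_conditions()))
    print("Rd (7-bit only):", sorted(reachable_rd(low=0)))
    print("Rd (>= 0x30):   ", sorted(reachable_rd()))
```

Running it shows that with only the MSB-clear rule the eight conditions EQ through VC and registers r0 to r7 remain, which matches the post’s “half the registers” remark and the exclusion of AL; with the stricter 0x30 lower bound the post also states, only CC, MI, PL, VS, VC and r3 to r7 survive.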
Halfway through my first week, I have already learned a lot of new things. Monday was pretty chill: did some touring in the city with the secretary and got to know my boss in person. Everyone was friendly and easygoing. In the afternoon I was introduced to the company’s products and fields of business, which are smart-card systems and Public Key Infrastructures (PKI). Yesterday and today I got extensive workshop sessions from my daily supervisor. We covered A LOT.
We started off with the basic concepts and techniques of the Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE) APIs, basically the components that put security and crypto into the Java platform. I got drilled in symmetric and asymmetric cryptography algorithms, in all their flavors, going from CBC to ECB to ECC, hybrid cryptographic concepts, signing of files and PKIs. It was overwhelming and nice to learn. But needless to say, a mild headache got the better of me today. Oh, and to top it off: some of the slides were in German. Yup, German. But my supervisor was very good at explaining it in perfect English. So I had that going for me, which is nice.
Tomorrow I start on the real job, which I cannot really disclose the details of, but basically it’s penetration testing/information extraction in an Android environment. Anyhow, a very interesting start of the internship, and everybody is nice, friendly and, more importantly, they are experts in their respective fields. Simply amazing.
PS: Did you know that intelliCard forked the open-source BouncyCastle library and adapted it for Android! Awesome, I know 😀 : http://intellicastle.org
PPS: My daily supervisor is a security wizard. The things he knows are, from my perspective, endless. He wrote a lot of useful software: http://www.borderzone-software.ch/ Take a look at the FileBrowser: simply the most useful Swiss army knife every IT guy needs. (PUN INTENDED)
Before I left, someone special gave me a small card with the text “Grote avonturen beginnen klein”, which in English translates to “Big adventures start small”. It couldn’t be closer to the truth. First Sunday in Switzerland, and I am simply impressed by the nature and the city. You can find photographs on my FB stream.
It started, indeed, very small. Searched for an internship online, applied, did an interview and got the internship. It all flew by so fast, and tomorrow morning it’s my first day on the job.
The surrounding nature is ridiculously beautiful. I can walk from the apartment to the side of the lake in, I think, 2 minutes. Got a flatscreen in the room, got a living room with an even bigger flatscreen. Hell, even a kitchen with a Nespresso machine 😀 (heaven on earth for computer geeks). Also got fitness machines, no excuses there I guess.
That will be all for now. Swiss greetings,
(Photo: view of the lake, 2 minutes from the apartment.)
Sooooooo. For everybody who does not follow my Facebook-feed or heard me in the last couple of months, I will be doing an internship in Switzerland for two months. I will probably be blogging about my stay in Switzerland a lot, so anybody interested can subscribe or just follow twitter or fb for updates about this blog.
Now that we have those administrative messages out of the way, my first actual blog post about my internship. I am still at home, prepping like a maniac for my first long stay abroad. Luckily my mom is doing the major part of the ‘work’, so my part of the job is reduced to saying: “yes I need that” or “no mom, I have enough of those things already”.
I’ll be driving to Switzerland Saturday morning; my parents are accompanying me and will drop me off safely at the apartment. Yes I am spoiled, no I am not ashamed of having lovely parents ;-).
The internship itself is situated in the field of security engineering, penetration testing and (big surprise) Android development. Not necessarily in that order. I am very excited for my first work experience in these major fields, which are undoubtedly the most interesting ones for me. I have been interested in security since we had a computer with Windows 95 and my dad had put a password on it. I wanted to bypass the goddamn thing, which gave birth to my (healthy) interest in cyber security. The Android part of my geek personality started 5 years ago, when I bought my first Android device, which kickstarted my enthusiasm and passion for this mobile piece of art of a platform. I think it’s pretty clear that I am very excited to learn a lot in these fields, things I could never learn in an academic environment.
What can you expect from this blog for the next two months? Probably pictures and stories about my stay, not much about my internship or technical details since I signed NDA’s and I don’t want to risk leaking critical information. Look at me all acting mature and responsible.
Signing off here for now. The next blog post will probably come from a Swiss IP address.