ANDROID IPC MECHANISMnfsnfs @ Advanced Defense Lab

1

REFERENCE•⼤大量引⽤用以下資料:

• http://www.slideshare.net/yeg239/android-internals-06-binder-typical-subsystem-rev11

• http://marakana.com/s/post/1340/Deep_Dive_Into_Binder_Presentation.htm

• http://www.slideshare.net/jserv/android-ipc-mechanism

• http://developer.android.com/guide/components/aidl.html

• http://www.jbcreativgroup.com/pdf/an-empirical-study-of-the-robustness-of-inter-component-77091.pdf

2

OUTLINE

• IPC

• Java Layer

• Binder

• Security Issue in IPC

3

WHAT IS IPC ?

• IPC = Inter-Process Communication

• Process 之間的溝通

• More ... ?

4

WHY IPC?

• Android 中每個 process 都有⾃自⼰己的 address space

• Data Isolation

• IPC 可能造成很⼤大的 overhead，也可能造成安全問題

5

有什麼不⼀一樣 ?• Traditional Linux

• Pipe

• Signal

• Message Queue

• Semaphore

• Socket

• Shared Memory 6

ANDROID IPC SYSTEM

• Binder

•從 OpenBinder 來的

• BeOS / Palm

•完全重寫後成為 Android binder

7

SOCKET VS BINDER

Socket !

File Descriptor Network

Stream I/O

Binder !

PID Local only

IOCTL

8

BINDER

!

Linux Kernel/dev/binder

servicemanager system_server

App3

App2

App1

9

WHY BINDER ?

• Security

• isolated process with distinct ID

• Stability

• crashed process

• Memory Management

• no need to free objects10

BIONIC C

•不⽀支援傳統 System V IPCs

• No SysV semaphores, shared memory, message queues

• SysV IPC 會有 kernel resource leakage 的問題

11

COMMUNICATIONSApplication

!Home Contacts Phone Browser

IPC IPC IPC

Application FrameworkIPC

IPC & JNINative Layer

12

ANDROID IPC

• Intent

•在 Java 層，⽤用來傳送訊息的資料結構

• Asynchronous Communication

• ContentResolver 跟 ContentProvider 是 Synchronous Communication

•透過 CRUD API

13

INTENT•包含⼀一些基本資料

• data //表⽰示所需的資料

• action //表⽰示要作的事情

• category //action 的類型

• component //送給哪個 component

• extras //要傳的額外資料

14

INTENT 分類

• Explicit Intent

•有指定 component 的 Intent

• Implicit Intent

•無指定 component 的 Intent

15

EXPLICIT INTENT

• Intent.setComponent(ComponentName)

• Intent.setClass(Context, Class)

• new Intent(Context, Class)

16

INTENT

•不適合⽤用在 low-latency 通訊

•基於 Binder

• Intent 實作 Cloneable 和 Parcelable

•是 Parcelable 才能透過 IPC 傳遞

• ... Or you are a primitive type

17

與 ACTIVITY 互動

Activity Activity

start

return

18

⽤用 INTENT 可以做什麼 ?

• startActivity(Intent)

• startActivityForResult(Intent, int)

•開啟⼀一個 Activity ...

19

與 SERVICE 互動

Activity

BroadcastReceiver

Service

start / stop / bind

start / stop / bind20

⽤用 INTENT 可以做什麼 ?

• startService(Intent)

•開啟⼀一個 Service ...

• stopService(Intent)

•關閉⼀一個 Service ...

21

⽤用 INTENT 可以做什麼 ?

• bindService(Intent, ServiceConnection, int)

•跟⼀一個 Service 建⽴立連線 ..

• ServiceConnection 裡⾯面可以初始化⼀一些 bind 後所需的變數

22

與 BROADCASTRECEVIER 互動

BroadcastReceiverActivity

Service

System

send Intent

23

⽤用 INTENT 可以做什麼 ?

• sendBroadcast(Intent)

• sendOrderedBroadcast、sendStickyBroadcast、sendStickyOrderedBroadcast

•送 Intent 到 BroadcastReceiver ...

24

另外還有 ... ?

• Messenger & Handler

•常⽤用於 Activity / Service 間通訊

• Message.what: 要做什麼

• Message.setData(Bundle): 要傳的資料

•不同 process，請⽤用 Bundle

•如果同 process 內，可使⽤用 Message.obj 傳 object25

MESSENGER & HANDLERApp A App B

Activity

ServiceMessenger

Handler

call back

start

pass by reference

call back

reference / call

26

MESSENGER & HANDLER•和 Intent 很像

•但提供了雙向溝通!

• Android Developer 網站說明:

Reference to a Handler, which others can use to send messages to it. This allows for the implementation of message-based communication across processes, by creating a Messenger pointing to a Handler in one process, and handing that Messenger to another process.

27

MESSENGER & HANDLER

•特⾊色

• Low latency, but still asynchronous

28

MESSENGER & HANDLER

• DEMO

29

MESSENGER & HANDLER

•在 Service 中註冊 Handler 和 Messenger

30

MESSENGER & HANDLER

•在 Service onBind 的時候 return ⼀一個 IBinder

•與 Service bind 在⼀一起的 Activity 可透過此 IBinder 物件傳送訊息

31

MESSAGE•⽤用 Message.obtain() 從 mPool 拿⼀一個 Message

object

•較不建議⽤用 new Message();

• replyTo: 回應給這個 Messenger

32

所以來說說他們背後的 BINDER 吧 !

33

BINDER !

•超重要的！

In the Android platform, the binder is used for nearly everything that happens across processes in the core platform. - Dianne Hackborn!

[https://lkml.org/lkml/2009/6/25/3]

34

METHOD INVOCATION

•在同⼀一個 Process 內的時候

caller

callee

35

OTHER PROCESS?

• RPC ?

• Messaging Passing ?

• Socket ?

• ...

36

BINDER 系統架構其實是 ...Java Binder

⽤用⼾戶端/伺服器端 Native Binder ⽤用⼾戶端/伺服器端

Java Binder Framework

Native Binder Framework

Binder 核⼼心程式庫

Binder AdapterProcessState.cpp / IPCThreadState.cpp

Binder Driver37

BINDER COMMUNICATIONClient Binder Service

Process A Kernel Process B38

BINDER DRIVER

• Binder driver

• ioctl(binderFd, BINDER_WRITE_READ, &bwd) system call

• open / release / poll / mmap / flush / ioctl

• /dev/binder

39

FLAT_BINDER_OBJECT

• binder 和 handle 分別表⽰示 local object 和 remote object

• binder 會幫忙作這對應

40

FLAT_BINDER_OBJECT 的 TYPE

• BINDER_TYPE_BINDER / BINDER_TYPE_WEAK_BINDER - 本機物件

• BINDER_TYPE_HANDLE / BINDER_TYPE_WEAK_HANDLE - 遠端物件參照

• BINDER_TYPE_FD - 檔案

41

FLAT_OBJECT_TYPE 的 FLAG

• TF_ONE_WAY - 單向，⾮非同步，不需要返回

• TF_ROOT_OBJECT - 根物件，代表 type 是本機物件

• TF_STATUS_CODE - 狀態碼，代表 type 是 handle

• TF_ACCEPT_FDS - 可以接受 file descriptor，所以 handle 就會是 file descriptor

42

實際傳遞的資料 BINDER_TRANSACTION_DATA

43

BINDER_WRITE_READ• read_buffer 和 write_buffer 是⼀一個指標（指向 user space 的 buffer）

• BC_TRANSACTION

•解析將要被處理的資料

• BC_REPLY

•回傳結果資料

struct binder_write_read { signed long write_size; signed long write_consumed; unsigned long write_buffer ; signed long read_size; signed long read_consumed; unsigned long read_buffer ;

}

44

BINDER COMMUNICATION

• Native Level 來說，通常⽤用 libbinder 解決，不⽤用直接操作 ioctl driver

•但有時候想隱藏 binder，讓 client ⽐比較容易處理 ...

• AIDL !

• A Java-like lanaguage

45

BINDER COMMUNICATIONClient Binder Service

Process A Kernel Process B

StubProxy

46

AIDL

• Proxy 和 Stub

• Java-based

•可以⽤用 aidl ⼯工具產⽣生

• Android Studio 中，把 aidl 檔案放在 /main/aidl/<package_name>/ 底下，會⾃自⼰己在 /build/source/aidl 產⽣生該 Interface

47

AIDL

• AIDL example:

48

AIDL

• AIDL 只是⽤用來產⽣生⼀一個 Interface

•包含 Proxy 和 Stub 這兩個 class!

49

AIDL

•產⽣生出的 interface:

50

AIDL

• Service 中的 Stub

51

MARSHALLING AND UNMARSHALLING

• Marshalling 就是做出 Parcel object 的⾏行為

• Unmarshalling 就是將 Parcel 還原回原本的 object

52

PARCEL

• AIDL 會幫我們 handle 這件事

•其實是將 object ⽤用 native binary encoding 的⽅方式重新包裝

53

ANDROID.OS.PARCEL• http://www.slideshare.net/jserv/android-ipc-mechanism

54

BINDER COMMUNICATIONClient Binder Service

Process A Kernel Process B

StubManager Proxy

55

SYSTEM SERVICES

• System Services 使⽤用的作法

• Clients 根本感覺不出他們在使⽤用 IPC

• Context.getSystemService(String)

56

SYSTEM SERVICES

• NOTIFICATION_SERVICE

• LOCATION_SERVICE

• CONNECTIVITY_SERVICE

• WIFI_SERVICE

• ... 族繁不及備載: http://developer.android.com/reference/android/content/Context.html

57

使⽤用 SYSTEM SERVICES 的⽅方式

• Example:

58

BINDER COMMUNICATIONBinder Service

Kernel Process B

Service Manager Proxy

Client

Process A

Manager Proxy Context Manager

Framework

register CM

await reqs

get CM register service

registered service

register svc tx

get CM

get svc tx

init manager

get service

got service

59

CONTEXT MANAGER

• Binder Driver 只會允許⼀一個 Context Manager 註冊

•所以 servicemanager 是第⼀一個被啟動的 Android service

• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c

• servicemanager a.k.a Context Manager

60

SERVICEMANAGER IN INIT.RC

init.rc 裡⾯面有 service 的啟動順序

61

設定 SERVICEMANAGER

• frameworks/native/cmds/servicemanager/service_manager.c

這是 (void *) 0

等待 request

62

設定 SERVICEMANAGER

• BINDER_SET_CONTEXT_MGR

• frameworks/native/cmds/servicemanager/binder.c

63

設定 SERVICEMANAGER

• http://lxr.linux.no/linux+v3.10.6/drivers/staging/android/binder.c#L2622

64

SVGMGR_HANDLER• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/

servicemanager/service_manager.c#203

65

SERVICE MANAGER

•系統服務需要跟 service manager 註冊

•應⽤用程式如果要⽤用系統服務要跟 service manager 查詢

66

註冊系統服務

• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#do_add_service

67

檢查要註冊的服務是否有權限

• http://androidxref.com/4.3_r2.1/xref/frameworks/native/cmds/servicemanager/service_manager.c#svc_can_register

68

⺫⽬目前註冊的 SERVICE

• adb shell service list

69

測試系統服務

• adb service call phone 1 s16 “1234567890”

70

其實是...

• AIDL 中的順序 • http://androidxref.com/4.3_r2.1/xref/frameworks/base/telephony/java/com/android/internal/

telephony/ITelephony.aidl

1

271

整體流程• http://marakana.com/s/post/1340/

Deep_Dive_Into_Binder_Presentation.htm

72

SECURITY

• IPC 可能造成⼀一些安全問題

•因為 Intent 可以是惡意的！

73

THREAT !App A App B Malicious App

Activity

Service

Broadcast Receiver

Activity

Service

Broadcast Receiver

Activity

Service

Broadcast Receiver

Intent Intent Intent

Intent

System Intent

System Intent

74

REF TO COMDROID

•請⾒見 ComDroid 投影⽚片 !

75

QUESTIONS?

• How well does an Android component behave in the presence of a semi-valid or random Intent?

• How robust are Android’s ICC primitives?

• How can we refine the implementation of Intents so that inpt validation can be improved?

76

TESTING TOOL

Package Manager

startActivityForResult

startService

sendBroadcast

Get a list of components

77

AVOID MANUAL INTERVENTION

• startActivityForResult() and finishActivity()

• Pause 100ms between sending of each successive Intent

78

SEMI-MANUAL ...

• finishActivity() did not work in two situations

• System alert was generated (crash or exception)

• Activity was started as a new task

Calling startActivity() from outside of an Activity context requires the FLAG_ACTIVITY_NEW_TASK flag.

79

GENERATING INTENTS

• { Action / Data / Component / Extras }

• Data URI := scheme/path?query

80

DATA URI SCHEME

• content://

• file://

• folder ://

• directory://

• geo:

• google.streeview:

• http://

• https://

• mailto:

• ssh:

• tel:

• voicemail:81

IMPLICIT INTENT

• A. Valid Intent, unrestricted fields null:

• Match only the restricted attributes of the Intent-filter

• B. Semi-valid Intent:

• Fuzz at least one fileds

82

VALID INTENT

• Intent filter

• Intent

<intent-filter><action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" /></intent-filter>

Intent i = new Intent();i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE");sendBroadcast(i);

83

SEMI-VALID INTENT

• Intent filter

• Intent

<intent-filter><action android:name="android.net.wifi.supplicant.CONNECTION_CHANGE" /></intent-filter>

Intent i = new Intent();i.setAction("android.net.wifi.supplicant.CONNECTION_CHANGE");i.addCategory("CATEGORY_ALTERNATIVE");sendBroadcast(i);

84

EXPLICIT INTENT

• FIC A. Semi-valid Action and Data

• FIC B. Blank Action or Data

• FIC C. Random Action or Data

• FIC D. Random Extras

* FIC : fuzz injection campaigns

robustness of callee

potential adversary

85

SEMI-VALID ACTION AND DATA

• Total Intents: |Action|x|Data| for each component

! { act=ACTION_EDIT data=http://www.google.com comp=com.android.someComponent }

Meaningless

86

BLANK DATA OR ACTION

• Total Intents: |Action|+|Data| for each component

!{ data=http://www.google.com comp=com.android.someComponent }

No Action

87

RANDOM ACTION OR DATA

{ act=ACTION_EDIT data=a1b2c3d4 comp=com.android.someComponent }

Random

88

RANDOM EXTRAS

{ act=ACTION_DIAL data=tel:123-456-789 comp=com.android.someComponent has Extras }

89

MACHINE

• Moto Droid - Android 2.2

• HTC Evo 3D - Android 2.3.4

• Emulator - Android 4.0

90

FIRMWARE

• com.android.* package

• In Droid ...

• 297 activities

• 42 services

• 59 receivers

!

!

• In Emulator ...

• 332 activities

• 54 services

• 69 receivers

91

MOST POPULAR FREE APPS

• 3 Dec, 2011

• Facebook

• Pandora Radio

• Voxer Walkie Talkie

• Angry Birds

• Skype

!

!

!

• 103 activities

• 11 services

92

EXPERIMENTAL RESULTS93

FAULT INJECTION

• Choose one particular component and inject all the Intents targeted to that component

94

COLLECT LOGS

• logcat

• “Force Close”

• “Application x stopped unexpectedly”

• “FATAL EXCEPTION: main”

95

RESULTS FOR EXPLICIT INTENTS

• 2148 crashes in Android 2.2

• 641 crashes in Android 4.0

• 152 crashes for Apps from Market

96

FAILED COMPONENTS

!

• Many Android components do not perform null checks

• 3 of the apps (from Market) had at least one component failed one or more experiments

97

EXCEPTION TYPES

Should be handled by the calling

function

98

IN ANDROID 4.0 ...

• Unpredictable environment-dependent errors in Android 4.0

• WindowManager$BadTokenException (26.83%)

• IllegalStateException (23.56%)

• RuntimeException (3.12%)

• system_server restarts (GC)

99

SYSTEM CRASH

• 3 Activities in built-in apps caused system_server to restart

• Did not catch NullPointerExceptions

• Need no extra permissions

100

SYSTEM CRASH

101

RESULTS FOR VALID INTENTS

• In HTC Evo 3D ...

• 1910 Intent-filters startActivity()

• Some of them is registered by Services

• ActivityNotFoundException

• Crashed 5 components

• 12 unexpected exceptions

1. NullPointerException 2. IOException 3. Resource$NotFoundException

102

RESULTS FOR SEMI-VALID

• From Intent-filters

• 643 distinct Actions

• 37 Categories

103

DISCUSSIONS

• Poor exception handling

• Environment-dependent errors in Android 4.0

• Privileged components with unrestricted access

104