Project meeting: SVMP - Secure Virtual Mobile Platform

Yu-Hsin Hung

July 21, 2015

Transcript

  1. Introduction
     • https://svmp.github.io
     • Configuration: x86 Android VMs on x86 server
     • VM Platform: supports KVM, VirtualBox, VMware…
     • Cloud Controller: supports OpenStack, Amazon EC2…
     • Remote Protocol: WebRTC + SVMP Wire Protocol
     • Client: Android/iOS app
     • Storage (user data) is separated from VM
  2. Components
     • Client Application: an unprivileged Android/iOS application with WebRTC peer connection and SVMP protocol messages, similar to clients for VNC and RDP
     • SVMP Overseer: receives login requests, performs authentication, and manages VMs on the cloud
     • SVMP Server: routes input messages from client connections to SVMP daemons running inside virtual devices
     • SVMP daemon: primary entry point of client user input to the virtual device
     • Virtual Device: Virtual Device Image (SVMP Gold Image) + User Data Volume
     • Cloud Controller: supports OpenStack, Amazon EC2…
  3. Virtual Device Structure
     • The central SVMP daemon
     • Touch-screen input injection
     • Virtual sensors
     • Location update pub/sub
     • Notification and Intent forwarding and re-broadcast
     • Virtual frame buffer, video encoding, and streaming
  4. SVMP Wire Protocol
     • SVMP/svmp-protocol-def repository
     • Request: client->server
     • Response: server->client
     • JSON Payload: a type attribute and up to one optional attribute associated with that subtype, e.g. {"type":"ROTATIONINFO","rotationInfo":{"rotation":0}}
     • Protocol Buffers: the protocol is defined using Protocol Buffers (Google's data interchange format), and the Java class definitions are generated by the protocol buffer compiler
  5. SVMP daemon
     • SVMP/android_external_svmp_eventserver repository
     • A user-level Android background service, launched when a BroadcastReceiver catches the BOOT_COMPLETED Intent
     • EventServer: many handlers for different events (touch, sensor, notification…)
     • LogHandler: logcat message forwarding
     • DatabaseHandler: GPS location service subscription
     • WifiSpoofer: spoofs that the Wi-Fi connection is active
     • Details in the next few pages…
  6. SVMP daemon
     • proxy socket: a Java server socket that listens for events from the client
     • sensor socket: initialized in init.rc as /dev/socket/svmp_sensors
     • Handlers:
        • SensorHandler
        • LocationHandler
        • IntentHandler
        • NotificationHandler
        • KeyHandler
        • ConfigHandler: only keyboard configurations
        • LauncherHandler: for single app mode
  7. Touch&screen injection
     • EventServer.java
     • SCREENINFO packet: syncs the screen resolution
     • TOUCHEVENT packet: coordinates X, Y are translated and injected through the Android InputManager (native support)
     • ROTATION_INFO packet: rotation info is injected by sending the custom broadcast ROTATION_CHANGED_ACTION, which is received by the modified framework
  8. IntentHandler
     • IntentHandler.java
     • Android Intent: an abstract description of an operation to be performed
     • Currently supports two kinds of intent forwarding:
        • outgoing call: forward ACTION_NEW_OUTGOING_CALL from server to client and dial using the client's SIM card
        • activity action: forward ACTION_VIEW from client to server and open the URL inside the VM
  9. LocationHandler
     • LocationHandler.java
     • Android natively supports mocked locations
     • Catches the custom Intent LOCATION_SUBSCRIBE_ACTION (sent by the modified framework) and forwards the location request to the client
     • Maintains location subscriptions in DatabaseHandler (single-shot or not)
     • Injects the client's GPS location into the VM by spoofing the test provider with LocationManager.setTestProviderLocation()
  10. NotificationHandler
     • NotificationHandler.java
     • Catches the custom Intent INTERCEPT_NOTIFICATION_ACTION
     • Uses Java Reflection to extract text elements and icons from RemoteViews and forwards the notification to the client
  11. SensorHandler
     • BaseServer.java
     • SENSOREVENT packet: forwarded to the /dev/socket/svmp_sensors socket
     • The client keeps listening to all the available sensors
     • Uses a delay time mechanism to prevent spammy sensor messages
     • The SVMP HAL module libsensors listens on the svmp_sensors socket, then processes the actual sensor events; the HAL interfaces are defined in AOSP hardware/sensors.h
  12. Android client
     • WebRTC: video & audio streaming
     • Corresponding handlers to deal with SVMP daemon:
        • TouchHandler
        • RotationHandler
        • KeyHandler
        • ConfigHandler
        • NotificationHandler
        • SensorHandler
        • …
  13. Android Framework modification
     • InputManagerService.java
        • Natively supports injecting key events (KeyHandler.java in SVMP daemon)
        • Creates a BroadcastReceiver to listen for a custom intent for the hard keyboard; attaches two virtual keyboards when a hard keyboard is attached to the client
     • NotificationManager.java
        • Intercepts a notification by preventing it from being enqueued and sends an INTERCEPT_NOTIFICATION broadcast, caught by the SVMP daemon
  14. Android Framework modification
     • WindowOrientationListener.java
        • Creates a BroadcastReceiver to listen for the custom ROTATION_CHANGED intent and inject the rotation info
     • LocationManager.java
        • Intercepts the location request and sends a LOCATION_SUBSCRIBE_ACTION broadcast, caught by the SVMP daemon and then redirected to the client
  15. Android System Core modification
     • BatteryMonitor.cpp
     • Battery injection:
        • Battery status is always charging
        • Battery health is always good
        • Battery level is always 100%
  16. Android Device Driver
     • Lots of things, still tracing…
     • Virtual Frame Buffer
        • The VM writes frames to the VFB device instead of a real video device
        • The Android surfaceflinger library generates a VSYNC event when writing
        • When a VSYNC event occurs, each frame is fed into the WebRTC subsystem
     • Virtual Sensors: libsensors/sensors.cpp
        • Re-implements the interface defined by AOSP
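
An added example (not from the deck or the SVMP code base) of a strict receiver-side check for the JSON form described in slide 4: one `type` plus at most one payload attribute belonging to that type. The `SCREENINFO` no-payload rule, the 0-3 rotation range, the size cap and all function names are assumptions made for this illustration.

```python
import json

MAX_BYTES = 4096  # assumed cap for one control message


class Rejected(ValueError):
    """Raised for any message that does not match the expected shape."""


def _no_dupes(pairs):
    # json.loads silently keeps the last duplicate key; refuse instead so two
    # parsers can never disagree about which value was meant.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise Rejected("duplicate key")
    return dict(pairs)


def _rotation(body):
    rot = body.get("rotation")
    # type() check on purpose: bool is an int subclass and must not pass.
    if set(body) != {"rotation"} or type(rot) is not int or rot not in range(4):
        raise Rejected("bad rotationInfo")


# type -> (payload attribute, checker); None means no payload is accepted.
# Only "rotationInfo" comes from the slides; the rest is assumed.
SCHEMA = {"ROTATIONINFO": ("rotationInfo", _rotation), "SCREENINFO": None}


def parse_message(raw: bytes) -> dict:
    if len(raw) > MAX_BYTES:
        raise Rejected("too large")
    try:
        msg = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_dupes)
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise Rejected("not valid JSON") from exc
    if not isinstance(msg, dict) or not isinstance(msg.get("type"), str):
        raise Rejected("missing type")
    if msg["type"] not in SCHEMA:
        raise Rejected("unknown type")
    extra = [k for k in msg if k != "type"]
    spec = SCHEMA[msg["type"]]
    if spec is None:
        if extra:
            raise Rejected("unexpected payload")
        return msg
    name, check = spec
    if extra != [name] or not isinstance(msg[name], dict):
        raise Rejected("payload must be exactly " + name)
    check(msg[name])
    return msg
```

Unknown types and extra attributes are rejected rather than ignored, so a handler only ever sees the one payload its type declares.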