Hacking Tizen: The OS of Everything

By Ajin Abraham on 06 Feb 2015 @ Nullcon
#os #wearables #red-teaming
Focus Areas: Endpoint Security, Mobile Security, Penetration Testing

Abstract

Tizen is an operating system built to run on various kinds of devices. Tizen OS defines the following profiles based on the device types supported: Tizen IVI (in-vehicle infotainment), Tizen Mobile, Tizen TV, and Tizen Wearable.

Samsung’s first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome of the security analysis of Tizen OS. The paper begins with a quick introduction to the Tizen architecture, which explains the various components of Tizen OS. This is followed by Tizen’s security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.

The vulnerabilities in Tizen identified during the research and responsibly disclosed to the Tizen community will be discussed. These include issues such as Tizen WebKit2 address spoofing and content injection, buffer overflows, issues in memory protections like ASLR and DEP, injecting an SSL certificate into the trusted zone, Shellshock (CVE-2014-6271), etc.

Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. An overview of pentesting Tizen applications will be presented, along with some of the issues impacting the security of Tizen applications. Comparisons will be made to Android applications and how these security issues differ in Tizen: for example, security issues with inter-application communication using custom URL schemes or intent broadcasting in Android, as opposed to using the MessagePort API in Tizen, and issues with WebView and the JavaScript bridge in Android compared to how web-to-native communication is handled in Tizen.

Tizen is late to enter the market compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OSes and fixing these issues right in the security architecture. To conclude, the speaker will provide a verdict on how much Tizen has achieved with regard to making this mobile OS a secure one.

AI Generated Summary

The talk focused on the security of Tizen, an open-source operating system used in various devices, including smartphones and smart home appliances. The researcher discussed the architecture and security model of Tizen, highlighting its similarities and differences with other operating systems like Android and iOS.

Key findings included the presence of a sandboxing mechanism called Smack, which is similar to SELinux used in Android, and the use of a Content Security Policy (CSP) to protect web applications. However, the researcher identified some issues with Tizen’s security, including the lack of Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) in some cases.

The researcher demonstrated exploits of these vulnerabilities, including a buffer overflow attack and a URL address spoofing attack, which could be used to execute arbitrary code or inject malicious content into web pages. The talk also covered the researcher’s efforts to bypass Tizen’s CSP and exploit vulnerabilities in the WebKit browser used in Tizen devices.

The practical implications of these findings are significant, as they highlight the need for Tizen developers to prioritize security and implement robust protections against common web attacks. The researcher’s work also underscores the importance of ongoing security research and testing to identify and address vulnerabilities in emerging operating systems like Tizen. Overall, the talk provided valuable insights into the security strengths and weaknesses of Tizen and highlighted areas for improvement to ensure the security and integrity of devices running this operating system.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.