Aquifer: Preventing Accidental Data Disclosure in Modern OSes

Modern OSes such as Android, iOS, and Windows 8 have changed the way consumers interact with computing devices. Tasks are often completed by stringing together a collection of purpose-specific user applications (e.g., a barcode reader, a social networking app, a document viewer). As users direct this workflow between applications, it is difficult to predict the consequence of each step. Poor selection may result in accidental information disclosure when the target application unknowingly uses cloud services. The Aquifer DIFC system prevents accidental information disclosure in modern operating systems. In Aquifer, application developers define secrecy restrictions that protect the entire user interface workflow defining the user task. In doing so, Aquifer provides protection beyond simple permission checks and allows applications to retain control of data even after it is shared.

Licensing Information

License for changes to the Android platform

Copyright (c) 2013, North Carolina State University
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
    * Redistributions of source code must retain the above copyright
      notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.
    * Neither the name of the North Carolina State University nor the
      names of its contributors may be used to endorse or promote products
      derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL NORTH CAROLINA STATE UNIVERSITY BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

License for changes to the Android (Linux) Kernel

Copyright (C) 2013  North Carolina State University

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

Downloading the source code

First, establish the AOSP build environment as described here.

Then, create a working directory for Aquifer, and download the source code for android-4.0.3_r1 to it. This is the unmodified Android source code; we will download Aquifer's modifications in the next few steps.

Note: repo sync downloads several gigabytes and takes a long time, so run it inside a screen (or tmux) session so that a dropped connection does not kill it part way through.

$ mkdir aquifer-4.0.3_r1
$ cd aquifer-4.0.3_r1
$ repo init -u https://android.googlesource.com/platform/manifest -b android-4.0.3_r1
$ repo sync

Download and apply Aquifer patches for the Android framework

Each of the following steps starts from the parent directory of aquifer-4.0.3_r1. After repo sync every project is checked out on a detached HEAD, so each step first creates an aquifer branch to hold the patch commits.

Patch frameworks/base

Download aquifer_framework_base.patch and place it in aquifer-4.0.3_r1/frameworks/base, then:

$ cd aquifer-4.0.3_r1/frameworks/base
$ git checkout -b aquifer
$ git am --signoff aquifer_framework_base.patch

Patch bionic

Download aquifer_bionic.patch and place it in aquifer-4.0.3_r1/bionic, then:

$ cd aquifer-4.0.3_r1/bionic
$ git checkout -b aquifer
$ git am --signoff aquifer_bionic.patch

Patch system/core

Download aquifer_system_core.patch and place it in aquifer-4.0.3_r1/system/core, then:

$ cd aquifer-4.0.3_r1/system/core
$ git checkout -b aquifer
$ git am --signoff aquifer_system_core.patch

Patch system/extras

Download aquifer_system_extras.patch and place it in aquifer-4.0.3_r1/system/extras, then:

$ cd aquifer-4.0.3_r1/system/extras
$ git checkout -b aquifer
$ git am --signoff aquifer_system_extras.patch

Regenerate the bionic syscall stubs

The bionic patch changes libc's syscall list, so the generated stubs must be rebuilt before the platform is compiled:

$ cd aquifer-4.0.3_r1/
$ make clean
$ ./bionic/libc/tools/gensyscalls.py
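
The four patch steps and the stub regeneration above, as one script. This is an added example written for this page, not part of the Aquifer distribution; the AOSP and AQUIFER_PATCHES environment variables and the function names are its own assumptions. Each patch is dry-run with git apply --check before git am creates any commit, so a patch that no longer applies (or has already been applied) is reported instead of leaving a half-applied git am in progress.

```shell
#!/bin/sh
# Added example for this page, not part of the Aquifer distribution.
# Applies the four Aquifer platform patches to an android-4.0.3_r1 tree,
# dry-running each with "git apply --check" before "git am" creates any
# commit. AOSP, AQUIFER_PATCHES and the function names are this script's
# own assumptions.

# apply_aquifer_patch <git tree> <patch file>
# Returns 0 when the patch was committed; 2 if the tree is not a git
# checkout, 3 if the patch file is missing, 4 if the patch does not apply
# cleanly (a conflict, or the patch has already been applied).
apply_aquifer_patch() {
    repo=$1
    patch=$2
    [ -e "$repo/.git" ] || { echo "not a git tree: $repo" >&2; return 2; }
    [ -f "$patch" ] || { echo "patch not found: $patch" >&2; return 3; }
    # Dry run: --check modifies nothing and fails on the first hunk that
    # does not apply. A "git am" conflict instead leaves the tree in a
    # half-applied state that has to be cleaned up with "git am --abort".
    if ! git -C "$repo" apply --check "$patch"; then
        echo "patch does not apply cleanly in $repo (already applied?)" >&2
        return 4
    fi
    # repo sync leaves every project on a detached HEAD, so the patch
    # commits need a branch; -B reuses the branch if it already exists.
    git -C "$repo" checkout -q -B aquifer || return 1
    git -C "$repo" am --signoff "$patch"
}

# apply_all_aquifer_patches: the four trees and patch files named on this
# page, in the same order, followed by the syscall stub regeneration.
apply_all_aquifer_patches() {
    aosp=${AOSP:?set AOSP to the aquifer-4.0.3_r1 directory}
    patches=${AQUIFER_PATCHES:?set AQUIFER_PATCHES to the patch download directory}
    for pair in \
        "frameworks/base:aquifer_framework_base.patch" \
        "bionic:aquifer_bionic.patch" \
        "system/core:aquifer_system_core.patch" \
        "system/extras:aquifer_system_extras.patch"; do
        tree=${pair%%:*}
        file=${pair#*:}
        apply_aquifer_patch "$aosp/$tree" "$patches/$file" || return $?
    done
    # The bionic patch changes libc's syscall list; regenerate the stubs.
    (cd "$aosp" && make clean && ./bionic/libc/tools/gensyscalls.py)
}

# Usage: AOSP=$HOME/aquifer-4.0.3_r1 AQUIFER_PATCHES=$HOME/patches sh apply_aquifer_patches.sh run
if [ "${1:-}" = "run" ]; then
    apply_all_aquifer_patches
fi
```

Because the dry run fails on a tree where the patch is already in, the script can be re-run safely after fixing a download problem: the trees that were patched on the first run return 4 and nothing is applied twice.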

Download and configure the Android kernel for Aquifer

The Galaxy Nexus (tuna) kernel is a separate git tree from the platform source. Clone it beside the aquifer-4.0.3_r1 directory, download aquifer_kernel.patch into the clone, then apply the patch and generate the default configuration:

$ git clone https://android.googlesource.com/kernel/omap.git -b android-omap-tuna-3.0-ics-mr1 aquifer_kernel
$ cd aquifer_kernel
$ git checkout -b aquifer
$ git am --signoff aquifer_kernel.patch
$ make ARCH=arm tuna_defconfig

Edit the generated .config in the kernel directory. Replace the "File systems" section with the following (the EXT2/EXT4 XATTR and SECURITY options enable the security.* extended-attribute namespace that a security module uses to keep per-file labels on disk):

#
# File systems
#
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
# CONFIG_EXT2_FS_POSIX_ACL is not set
CONFIG_EXT2_FS_SECURITY=y
# CONFIG_EXT2_FS_XIP is not set
# CONFIG_EXT3_FS is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_USE_FOR_EXT23=y
CONFIG_EXT4_FS_XATTR=y
# CONFIG_EXT4_FS_POSIX_ACL is not set
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_DEBUG is not set
CONFIG_JBD2=y
# CONFIG_JBD2_DEBUG is not set
CONFIG_FS_MBCACHE=y
# CONFIG_REISERFS_FS is not set
# CONFIG_JFS_FS is not set
# CONFIG_XFS_FS is not set
# CONFIG_GFS2_FS is not set
# CONFIG_BTRFS_FS is not set
# CONFIG_NILFS2_FS is not set
CONFIG_FS_POSIX_ACL=y
CONFIG_FILE_LOCKING=y
CONFIG_FSNOTIFY=y
# CONFIG_DNOTIFY is not set
CONFIG_INOTIFY_USER=y
# CONFIG_FANOTIFY is not set
# CONFIG_QUOTA is not set
# CONFIG_QUOTACTL is not set
# CONFIG_AUTOFS4_FS is not set
CONFIG_FUSE_FS=y
# CONFIG_CUSE is not set
CONFIG_GENERIC_ACL=y

Replace the entire "Security options" section in the .config file with the following. A 3.0 kernel runs a single major security module, and the CONFIG_DEFAULT_SECURITY lines are what select Aquifer as that module:

#
# Security options
#
# CONFIG_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_AQUIFER=y
# CONFIG_IMA is not set
CONFIG_TF_ZEBRA=y
CONFIG_SECURITY_MIDDLEWARE_COMPONENT=y
# CONFIG_SMC_KERNEL_CRYPTO is not set
CONFIG_SECURE_TRACE=y
# CONFIG_TF_DRIVER_DEBUG_SUPPORT is not set
CONFIG_DEFAULT_SECURITY_AQUIFER=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="aquifer"
CONFIG_CRYPTO=y
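
A check for the hand-edited .config, added here as an example and not part of Aquifer. Kconfig re-evaluates .config on the next make (or make oldconfig) and silently drops any symbol whose dependencies are not satisfied, so the file to check is the one left behind after that step, not the one you typed. The function name and the set of required lines are this example's own choices; the lines themselves are taken from the two sections above.

```shell
#!/bin/sh
# Added example for this page, not part of Aquifer. Verifies that a kernel
# .config still selects Aquifer after Kconfig has processed it. The function
# name and the required-line list are this script's own choices; the lines
# come from the File systems and Security options sections on the page.

# check_aquifer_config <path to .config>
# Returns 0 if every required line is present and no competing default
# security module is selected; otherwise reports each problem and returns 1.
check_aquifer_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    rc=0
    # Exact-line, fixed-string matches: "CONFIG_SECURITY=y" must not be
    # satisfied by "CONFIG_SECURITY_AQUIFER=y" or a "# ... is not set" line.
    for want in \
        'CONFIG_SECURITY=y' \
        'CONFIG_SECURITYFS=y' \
        'CONFIG_SECURITY_PATH=y' \
        'CONFIG_SECURITY_AQUIFER=y' \
        'CONFIG_DEFAULT_SECURITY_AQUIFER=y' \
        'CONFIG_DEFAULT_SECURITY="aquifer"' \
        'CONFIG_EXT4_FS_XATTR=y' \
        'CONFIG_EXT4_FS_SECURITY=y'; do
        if ! grep -qxF -- "$want" "$cfg"; then
            echo "missing: $want" >&2
            rc=1
        fi
    done
    # Only one module can be the default. If Kconfig dropped Aquifer it
    # falls back to one of these, which is the failure this check catches.
    for other in CONFIG_DEFAULT_SECURITY_DAC CONFIG_DEFAULT_SECURITY_SELINUX \
                 CONFIG_DEFAULT_SECURITY_SMACK CONFIG_DEFAULT_SECURITY_TOMOYO \
                 CONFIG_DEFAULT_SECURITY_APPARMOR; do
        if grep -qxF -- "$other=y" "$cfg"; then
            echo "competing default security module selected: $other" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_aquifer_config.sh aquifer_kernel/.config
if [ -n "${1:-}" ]; then
    check_aquifer_config "$1" && echo "Aquifer config OK: $1"
fi
```

Run it once after editing .config and again after the kernel build has started (make rewrites .config on its first run); a non-zero exit on the second run means the build will produce a kernel without Aquifer as its security module.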

Build the Aquifer Kernel

Build in the aquifer_kernel tree patched above (do not clone it again) using the ARM toolchain that ships with the platform source. AOSP below stands for the absolute path of the aquifer-4.0.3_r1 working directory:

$ cd aquifer_kernel
$ export AOSP=/path/to/aquifer-4.0.3_r1
$ ARCH=arm CROSS_COMPILE=$AOSP/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- make

Copy the newly built kernel into the aquifer-4.0.3_r1 tree, where it replaces the prebuilt tuna kernel that the platform build packages into boot.img:

$ cp arch/arm/boot/zImage $AOSP/device/samsung/tuna/kernel

Building Aquifer

Building the Android framework

First, download the proprietary binaries needed for building for the Galaxy Nexus (maguro), as shown here.

Then, in the working directory (i.e., "aquifer-4.0.3_r1"), execute the following commands:

$ . build/envsetup.sh
$ lunch full_maguro-userdebug
$ make

Flashing Aquifer to a device

First, ensure that the bootloader of the device is unlocked (fastboot oem unlock on the Galaxy Nexus, which wipes the device). Put the device into fastboot mode (adb reboot bootloader) and flash the newly built images. Note that flashing userdata.img erases all user data on the device.

$ cd aquifer-4.0.3_r1
$ fastboot flash system out/target/product/maguro/system.img
$ fastboot flash userdata out/target/product/maguro/userdata.img
$ fastboot flash boot out/target/product/maguro/boot.img
$ fastboot reboot

Finally, install the modified android.jar, which exposes the Aquifer-specific classes to application projects. It replaces the stock API level 15 stub jar in the Android SDK (SDK below stands for the SDK installation directory), so keep a copy of the original if you also build ordinary Android applications against that SDK.

$ cp aquifer-4.0.3_r1/out/target/common/obj/JAVA_LIBRARIES/android_stubs_current_intermediates/classes.jar $SDK/platforms/android-15/android.jar