- Ajin Abraham
Application Security Engineer, Yodlee (India)
Hacking Tizen: The OS of Everything
Tizen is an operating system built to run on many kinds of devices. Tizen OS defines the following profiles according to the type of device supported:
- Tizen IVI (in-vehicle infotainment)
- Tizen Mobile
- Tizen TV
- Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the outcome of research on the security analysis of Tizen OS. The paper begins with a quick introduction to the Tizen architecture, explaining the various components of Tizen OS. This is followed by Tizen's security model, where application sandboxing and resource access control powered by Smack (the Simplified Mandatory Access Control Kernel LSM) will be explained.
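To make the Smack-based access-control model concrete, here is an added example (not code from the talk, from Tizen or from the kernel) that evaluates a constructed Smack rule set the way the kernel's documented access decision does: the hardcoded label rules (`*` star, `^` hat, `_` floor, equal labels) are checked first, then the loaded `subject object access` rules, and everything else is denied. The rule lines and label names (`System`, `User`, `App1`) are constructed for illustration; the `@` web label and the newer lock/bringup modes are deliberately left out.

```python
"""Toy evaluator for Smack access rules.

Constructed example, not Tizen or kernel code.  It follows the access
decision described in the Linux kernel's Documentation/security/Smack.txt:
  1. any access requested by a task labeled "*" is denied
  2. read/execute requested by a task labeled "^" is permitted
  3. read/execute requested on an object labeled "_" is permitted
  4. any access requested on an object labeled "*" is permitted
  5. any access between a subject and object with the same label is permitted
  6. any access explicitly granted by a loaded rule is permitted
  7. everything else is denied
"""

ACCESS_CHARS = "rwxatl"  # read, write, execute, append, transmute, lock

# Constructed rule set in the "subject object access" line format used by
# files under /etc/smack/accesses.d/ (a lone "-" means no access).
SAMPLE_RULES = """
# system daemons may fully access the user's data, but not vice versa
System  User   rwx
User    System r
# an application may write its own package directory
App1    App1::pkg rwxat
# an explicit deny entry
Guest   System -
"""


def parse_rules(text):
    """Return {(subject, object): set(access_chars)} from rule lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        subject, obj, access = line.split()
        if access == "-":
            granted = set()
        else:
            granted = {c for c in access.lower() if c in ACCESS_CHARS}
        rules[(subject, obj)] = granted
    return rules


def smack_allowed(rules, subject, obj, requested):
    """Decide whether `subject` may perform `requested` (e.g. "rw") on `obj`."""
    requested = set(requested)
    read_or_exec = requested <= {"r", "x"}
    if subject == "*":                 # rule 1: star subject gets nothing
        return False
    if subject == "^" and read_or_exec:  # rule 2: hat may read/execute anything
        return True
    if obj == "_" and read_or_exec:    # rule 3: floor is readable/executable by all
        return True
    if obj == "*":                     # rule 4: star object is open to all
        return True
    if subject == obj:                 # rule 5: same label, full access
        return True
    granted = rules.get((subject, obj), set())
    return requested <= granted        # rules 6 and 7: explicit grant or deny


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for s, o, a in [("System", "User", "rw"), ("User", "System", "w"),
                    ("App1", "_", "x"), ("App1", "_", "w"), ("Guest", "System", "r")]:
        print(f"{s:7} -> {o:7} {a:3}: {'allow' if smack_allowed(rules, s, o, a) else 'deny'}")
```

The point a pentester takes from this model is that, unlike Android's per-app UID sandbox, a Tizen application's reach is defined entirely by the label on its process and the rules loaded for that label, so reviewing the installed rule files is the first step in judging how tight the sandbox actually is.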
The vulnerabilities in Tizen identified during the research and responsibly disclosed to the Tizen community will be discussed. These include Tizen WebKit2 address spoofing and content injection, buffer overflows, weaknesses in memory protections such as ASLR and DEP, injecting an SSL certificate into the trusted zone, Shellshock (CVE-2014-6271), and others. Applications in Tizen can be written in HTML5/JS/CSS or natively in C/C++. An overview of pentesting Tizen applications will be presented, along with some of the issues impacting the security of Tizen applications. Comparisons will be made with Android applications, showing how these security issues differ in Tizen.
Tizen is a late entrant to the market compared with Android or iOS, which gives it the benefit of learning from the mistakes that have affected the security of earlier mobile operating systems and fixing those issues in its security architecture from the start. To conclude, the speaker will give a verdict on how much Tizen has achieved in making this mobile OS a secure one.
Ajin Abraham is an Application Security Engineer at Yodlee. He is the founder of the OWASP Xenotix XSS Exploit Framework project. He is a strong supporter of free and open information security education. His work can be found at http://opensecurity.in. His areas of interest include web application and stand-alone application security and coding tools. He has been invited to speak at multiple security conferences including ClubHack, NULLCON, OWASP AppSec AsiaPac 2013, BlackHat Europe 2013, Hackmiami 2013, Confidence 2013, BlackHat US 2013, ToorCon San Diego, and Ground Zero Summit.