Embed Size (px)
Citation preview
Oren Laadan [email protected]
Android Builders 2014
www.cellrox.com
Multi-Persona Android
aprilzosia
Android Builders 2014 2
Mobile devices have multiple uses -
- the device needs to reflect that.
Android Builders 2014 3
Personal Phone Business Phone
Security Use Case
Android Builders 2014 4
Do People Remember?
• Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
• Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
• Be alert for unusual behavior on your phone. Suspicious behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
• Install a mobile security app for your phone that scans every app you download to ensure it’s safe.
Android Builders 2014 5
No, They Don’t!
• Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
• Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
• Be alert for unusual behavior on your phone. Suspicious behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
• Install a mobile security app for your phone that scans every app you download to ensure it’s safe.
Android Builders 2014 6
More Use Cases
Personal Phone Business Phone Children Phone Privacy Phone Secure Phone
Android Builders 2014 7
Even More Use Cases
Personal Phone Business Phone Children Phone Privacy Phone Secure Phone Social Phone Guest Phone Dev Phone
Android Builders 2014 8
Multi-Persona for Mobile Devices
Android Builders 2014 9
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
Mobile Device Virtualization
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
Android Builders 2014 10
Nobody Will Notice?
Performance Transparent Application Transparent Platform Transparent User Transparent
Android Builders 2014 11
Hardware Virtualization
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device
Android
applications
Android
environment
Linux
kernel
Device
hardware
Virtual Phone
Hypervisor Type I
Android
applications
Android
environment
Linux
kernel
Virtual Phone
Android Builders 2014 12
Hardware Virtualization Suitable for servers • standard hardware • slow server replace rate • strong security model
Sub-optimal for mobile devices • burden to support devices • reduced performance / battery-life • sub-optimal use of resources
Android Builders 2014 19
Operating System Virtualization Namespaces
provide a group of processes with the illusion that they are the only processes on the system.
Android Builders 2014 20
Namespace (r)evolution Kernel namespaces: • mount-ns: 2.4.19 • uts-ns: 2.6.19 • ipc-ns: 2.6.19 • pid-ns: 2.6.24 • net-ns: 2.6.24-2.6.29 • user-ns: 2.6.23-3.8 System calls: clone(), unshare(), setns()
Android Builders 2014 21
Virtual Phone
Android
applications
Android
environment
Linux
kernel
Device
hardware
Typical device Virtual Phone
Android
applications
Android
environment
Linux
kernel
Device
hardware
Android
applications
Android
environment
Namespaces
Operating System Virtualization
Android Builders 2014 22
Device Diversity A typical collection of peripherals available on a modern smartphone or tablet:
Headset Microphone Speakers (Touch) Screen
Power Buttons Telephony Bluetooth
GPS WiFi Framebuffer GPU
Compass Camera(s) Accelerometer RTC/Alarms
Android Builders 2014 23
Device Interactivity Users interact with a device one application at a time, expect consistent user experience: Split the “attention” of resources between the multiple persona, depending on context.
Android Builders 2014 24
Android
applications
Android
environment
Linux
kernel
Device hardware
Fra
mebuf
Android Builders 2014 25
Android
applications
Android
environment
Linux
kernel
Device hardware
Fra
mebuf
Android
applications
Android
environment
Android Builders 2014 26
Android
applications
Android
environment
Linux
kernel
Device hardware
Fra
mebuf
Input
Android Builders 2014 27
Android
applications
Android
environment
Linux
kernel
Device hardware
Fra
mebuf
Android
applications
Android
environment
Input
Android Builders 2014 28
Android
applications
Android
environment
Linux
kernel
Device hardware
Device Namespace F
ram
ebuf
Android
applications
Android
environment
Input
Android Builders 2014 29
Android
applications
Android
environment
Linux
kernel
Device hardware
Device Namespace F
ram
ebuf
Android
applications
Android
environment
Input
Touch
Pro
xim
ty
Android Builders 2014 30
Android
applications
Android
environment
Linux
kernel
Device hardware
Device Namespace F
ram
ebuf
Android
applications
Android
environment
Input
Touch
Butto
ns
Pro
xim
ty
LE
D
GP
S
Android Builders 2014 32
Mobile Virtualization Challenges Challenge 1: device diversity • plethora of peripherals not virtualized • key logical devices not virtualized virtualize physical & logical devices
Android Builders 2014 34
Mobile Virtualization Challenges Challenge 1: device diversity • plethora of peripherals not virtualized • key logical devices not virtualized virtualize physical & logical devices Challenge 2: interactive usage • users interact with one app at a time • foreground vs. background apps multiplex access based on context
Android Builders 2014 35
Device Namespaces Device diversity: traditional virtualization
• create the illusion that processes interact
exclusively with a set of devices • hide the fact that other processes interact
with the same set of devices • Device major/minor (e.g. loop, dm), and
device setup and internal state
Android Builders 2014 36
“Traditional” virtualization Examples: • alarm-dev • binder • logger • wakelocks • …
Android Builders 2014 37
“Traditional” virtualization Typical driver: Virtualized driver? - global driver state - per open fd state - open() is special - read/write/ioctl etc use per open fd state (and global state)
Android Builders 2014 38
“Traditional” virtualization Typical driver: Virtualized driver: - global driver state - per-devns state - per open fd state - open() is special - read/write/ioctl etc use per open fd state (and global state)
Android Builders 2014 39
“Traditional” virtualization Typical driver: Virtualized driver: - global driver state - per-devns state - per open fd state - per open fd state points to per-devns state - open() is special - read/write/ioctl etc use per open fd state (and global state)
Android Builders 2014 40
“Traditional” virtualization Typical driver: Virtualized driver: - global driver state - per-devns state - per open fd state - per open fd state points to per-devns state - open() is special - obtain per-devns state and perform in context - read/write/ioctl etc use per open fd state (and global state)
Android Builders 2014 41
“Traditional” virtualization Typical driver: Virtualized driver: - global driver state - per-devns state - per open fd state - per open fd state points to per-devns state - open() is special - obtain per-devns state and perform in context - read/write/ioctl etc - read/write/ioctl etc use per open fd state use per open fd state (and global state) and per-devns state (and global state)
Android Builders 2014 42
“Traditional” virtualization A peek at the code: • alarm-dev • binder • …
Android Builders 2014 43
Device Namespaces Interactivity: context-aware virtualization
• concept of an active namespace, with
which the user actually interacts • ability to switch namespaces, to allow
interacting with multi-namespaces • users really interact with one namespace
at a time
Android Builders 2014 44
Device Namespaces
Android
applications
Android
environment
Android
applications
Android
environment
Linux
kernel
Device
hardware
(Device) Namespaces
Fra
mebuf
Input
Touch
Butto
ns
Pro
xim
ty
LE
D
GP
S
Android Builders 2014 45
Framebuffer ?
Android
applications
Android
environment
Linux kernel
Framebuffer
Android
applications
Android
environment
Android
applications
Android
environment
VP VP VP
Android Builders 2014 47
Framebuffer: device namespaces
Android
applications
Android
environment
Linux kernel
Android
applications
Android
environment
Android
applications
Android
environment
Background Foreground Background
RAM Framebuffer
Virtualized Framebuffer
Android Builders 2014 48
Framebuffer: device namespaces
Android
applications
Android
environment
Linux kernel
Android
applications
Android
environment
Android
applications
Android
environment
Background Foreground Background
RAM Framebuffer
Virtualized Framebuffer
Android Builders 2014 49
Framebuffer: device namespaces
Android
applications
Android
environment
Linux kernel
Android
applications
Android
environment
Android
applications
Android
environment
Background Background
RAM Framebuffer
Foreground
Virtualized Framebuffer
Android Builders 2014 50
Input ?
Android
applications
Android
environment
Linux kernel
input
Android
applications
Android
environment
Android
applications
Android
environment
VP VP VP
Android Builders 2014 51
Input: device namespaces
Android
applications
Android
environment
Linux kernel
Android
applications
Android
environment
Android
applications
Android
environment
Background Foreground Background
Input
Virtualized Input
Android Builders 2014 52
Input: device namespaces
Android
applications
Android
environment
Linux kernel
Android
applications
Android
environment
Android
applications
Android
environment
Input
Background Background Foreground
Virtualized Input
Android Builders 2014 53
“Context-aware” virtualization Typical driver: Virtualized driver:
- global driver state - per-devns state
- per open fd state - per open fd state points to per-devns state
- open() is special - obtain per-devns state and perform in context
- read/write/ioctl etc - read/write/ioctl etc use per open fd state use per open fd state (and global state) and per-devns state (and global state)
Android Builders 2014 54
“Context-aware” virtualization Typical driver: Virtualized driver:
- global driver state - per-devns state
- per open fd state - per open fd state points to per-devns state
- open() is special - obtain per-devns state and perform in context
- read/write/ioctl etc - read/write/ioctl etc use per open fd state use per open fd state (and global state) and per-devns state (and global state)
per devns state: • active flag (foreground/background) • callbacks (create, destroy, switch)
Android Builders 2014 55
“Context-aware” virtualization A peek at the code: • input layer • backlight • LED • …
Android Builders 2014 59
Device namespaces in action A quick hands on with the Android emulator
Android Builders 2014 60
User-experience ?
Android Builders 2014 64
User-experience
Identity Awareness Switching Sharing
Android Builders 2014 65
Unique UX
Background persona tab Foreground persona tab
Background persona icon Foreground persona icon
Android Builders 2014 66
Experimental Benchmarks • CPU (Linpack) • Graphics (Neocore) • Storage (Quadrant) • Web browsing (SunSpider) • Networking (custom)
Android Builders 2014 67
Runtime Overhead (Idle)
0.00
0.20
0.40
0.60
0.80
1.00
1.20
1.40
Linpack NeoCore QuadrantI/O
SunSpider
Network
Baseline 1-VP 2-VP 3-VP 4-VP 5-VP
Android Builders 2014 68
Runtime Overhead (load)
0.00
0.20
0.40
0.60
0.80
1.00
1.20
1.40
Linpack NeoCore QuadrantI/O
SunSpider
Network
Baseline 1-VP 2-VP 3-VP 4-VP 5-VP
Android Builders 2014 69
Power Consumption Overhead
0.00
0.20
0.40
0.60
0.80
1.00
1.20
1.40
After 4hrsMusic
After 12hrsIdle
Baseline 1-VP2-VP 3-VP4-VP 5-VP
Android Builders 2014 70
Summary
• Multi-persona Android • Device namespaces (?!)
More info: https://github.com/Cellrox/devns-patches/wiki [email protected]
