'전체 글'에 해당되는 글 589건

Should You Send Your Pen Test Report to the MSRC?

경로 및 정보 2025. 2. 10. 01:58

https://msrc.microsoft.com/blog/2018/11/should-you-send-your-pen-test-report-to-the-msrc/

 

Should You Send Your Pen Test Report to the MSRC? | MSRC Blog | Microsoft Security Response Center

Every day, the Microsoft Security Response Center (MSRC) receives vulnerability reports from security researchers, technology/industry partners, and customers. We want those reports, because they help us make our products and services more secure. High-qua

msrc.microsoft.com

 

Should You Send Your Pen Test Report to the MSRC?

/ By MSRC / November 12, 2018 / 5 min read

Every day, the Microsoft Security Response Center (MSRC) receives vulnerability reports from security researchers, technology/industry partners, and customers. We want those reports, because they help us make our products and services more secure. High-quality reports that include proof of concept, details of an attack or demonstration of a vulnerability, and a detailed writeup of the issue are extremely helpful and actionable. If you send these reports to us, thank you!

Customers seeking to evaluate and harden their environments may ask penetration testers to probe their deployment and report on the findings. These reports can help that customer find and correct security risk(s) in their deployment.

The catch is that the pen test report findings need to be evaluated in the context of that customer’s group policy objects, mitigations, tools, and detections implemented. Pen test reports sent to us commonly contain a statement that a product is vulnerable to an attack, but do not contain specific details about the attack vector or demonstration of how this vulnerability could be exploited. Often, mitigations are available to customers that do not require a change in the product code to remediate the identified security risk.

Let’s look at the results of an example penetration test report for a deployment of Lync Server 2013. This commonly reported finding doesn’t mention the mitigations that already exist.

Whoa—my deployment is vulnerable to a brute-force attack?

In this scenario, a customer deployed Lync Server 2013 with dial-in functionality. The deployment includes multiple web endpoints, allowing users to join or schedule meetings. The customer requests a penetration test and receives the report with a finding that states “Password brute-forcing possible through Lync instance.”

Let’s look at this in more detail.

Lync Server 2013 utilizes certain web endpoints for web form authentication. If these endpoints are not implemented securely, they can open the door for attackers to interact with Active Directory. Penetration testers that analyze customer deployments often identify this issue, as it represents risk to the customer environment.

The endpoint forwards authentication requests to the following SOAP service /WebTicket/WebTicketService.svc/Auth. This service makes use of LogonUserW API to authenticate the requested credentials to the AD.

In this scenario, there is a brute-force attack risk to customers when exposing authentication endpoints.

This is not an unsolvable problem. In environments with mitigations on user accounts (such as a password lockout policy), this would cause a temporary Denial of Service (DoS) for the targeted user, rather than letting their account be compromised. Annoying to the user (and a potential red flag of an active attack if this keeps happening) but not as serious as a compromised account.

Mitigating brute-force AD attacks via publicly exposed endpoints

We advocate for defense in depth security practices, and with that in mind, here are several mitigations to shore up defenses when an endpoint like this is publicly exposed.

  1. Have a strong password policy.

Having a strong password policy in place helps prevent attacks using easily guessed and frequently used passwords. With dictionaries of millions of passwords available online, a strong password can go a long way in preventing brute-forcing. Microsoft guidance on password policies (and personal computer security) is published here - https://www.microsoft.com/en-us/research/publication/password-guidance/ - and provides some great tips based on research and knowledge gained while protecting the Azure cloud.

  1. Have an account lockout policy.

The second step to protecting the environment and taking advantage of a strong password policy is having an account lockout policy. If an attacker knows a username, they have a foothold to perform brute-force attacks. Locking accounts adds a time-based level of complexity to the attack and adds a level of visibility to the target. Imagine attempting to log into your own account, and you’re notified that it’s been locked. Your first step is to contact your IT/support group or use a self-service solution to unlock your account. If this continues to happen, it raises red flags. Guidance and information regarding account lockout policies may be found on our blog here*-*https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/.

  1. Log (and audit) access attempts.

Another step to detect and prevent this behavior is related to event logging and auditing, which can be done in multiple locations. Depending on the edge or perimeter protections, web application filtering or rate limiting at the firewall level can reduce the chances of a brute-force attack succeeding. Dropped login attempts or packets mitigate an attack from a single IP or range of IPs.

  1. Audit account logon attempts.

On any servers used for authentication, a Group Policy auditing account logon events could give visibility into any attempts at password guessing. This is a best practice in any network environment, not only those with web-based endpoints that require authentication. Guidance on securing an Active Directory environment through Group Policy auditing can be found in our guide here*-*https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise.

  1. Use Web application filtering rules.

When one of the above recommendations is not a viable option, alternate mitigations may be needed to reduce risk in the environment. To verify the viability of a potential mitigation, we have setup a test environment for Lync Server 2013 with IIS ARR (application request routing) reverse proxy to test the requirements:

  1. Disable windows auth externally
  2. Allow anonymous user sign externally.

In this environment, the following Web Apps under “Skype for Business Server External Web Site” were blocked by using IIS rewrite rules returning error code 403 on the reverse proxy:

  1. Abs
  2. Autodiscover
  3. Certprov
  4. Dialin
  5. Groupexpansion
  6. HybridConfig
  7. Mcx
  8. PassiveAuth
  9. PersistentChat
  10. RgsCients
  11. Scheduler
  12. WebTicket/WebTicketService.svc/Auth

The following web apps were not blocked in reverse proxy:

  1. Collabcontent
  2. Datacollabweb
  3. Fonts
  4. Lwa
  5. Meet
  6. Ucwa

Under this environment - Windows Authentication is blocked on the meeting web app and sign-in fails. Anonymous users could join a conference and still work with the following modalities:

  1. Chat message in meeting
  2. Whiteboard
  3. PPT share
  4. Poll
  5. Q n A
  6. File transfer
  7. Desktop share

Each customer needs to consider the functionality needed for external users. In the example provided, this assumes that you would not need the following functionality externally:

  1. Dial-in page (shares number to dial-in etc.)
  2. Web Scheduler
  3. PersistentChat
  4. Rgsclients
  5. Hybrid PSTN (Skype for Business using on-prem PSTN infra)
  6. No mobility client users

For reference, we’ve included a sample rule that blocks external access requests to the Dialin folder. Rules are stored in the ApplicationHost.config file, and the rule is added under the configuration/system.webserver/rewrite/globalrules/ section.

<rule name=“BlockDialin” patternSyntax=“Wildcard” stopProcessing=“true”>

<match url="*" />

<conditions logicalGrouping=“MatchAny” trackAllCaptures=“false”>

<add input="{HTTP_HOST}" pattern=“dialin.foo.bar.com” />

<add input="{REQUEST_URI}" pattern="/dialin/*" />

</conditions>

<action type=“CustomResponse” statusCode=“403” statusReason=“Access denied.” statusDescription=“Access denied.” />

</rule>

Additional guidance on Application Request Routing (ARR) in IIS for Lync servers can be found on our blog*-* https://blogs.technet.microsoft.com/nexthop/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013/

The best use for pen test reports

Recommendations will depend on how an environment is configured, it’s best to dig into the report for available mitigations before sharing the results outside your organization. If the report comes up with an unpatched vulnerability that has no mitigations, please send us the report and POC.

For more information, please visit our website at www.microsoft.com/msrc

This article was written with contributions from Microsoft Security Center team members–Christa Anderson, Saif ElSherei, and Daniel Sommerfeld; as well as Pardeep Karara from IDC Skype Exchange R&D, and Caleb McGary from OS, Devices, and Gaming Security.

 

저작자표시 비영리 변경금지

'경로 및 정보' 카테고리의 다른 글

bkcrack tool 경로  (0) 2025.02.05
Hyundai app bugs allowed hackers to remotely unlock, start cars (펌)  (0) 2025.02.02
도커 설치 후 도커 명령어 실행 에러 Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? (펌)  (0) 2025.02.01
dpkg was interrupted Error 해결 방법 (펌)  (0) 2025.02.01
Ubuntu 22.04 끊김 현상  (0) 2025.02.01
블로그 이미지

wtdsoul

,

Android car service (펌)

차량 보안 2025. 2. 9. 14:25

https://wizzie.top/carservice/android_carservice_structureAndInit/

 

Android carservice架构及启动流程

文档内容:carservice架构介绍,内容有Car APP、Car API、Car Service等部分,carservice启动流程

wizzie.top

 

1. 설명영구 링크

1.1. 그림영구 링크

Google은 上介绍汽车架构:

车载HAL是汽车与车辆网络服务之间的接义义(同时保护传入的数据) :

车载HAL은 Android Automotive架构:

  • 자동차 앱: 包括OEM 와 第 3 方开发 의 앱
  • Car API: CarSensorManager가 API에 있습니다.位于/platform/packages/services/Car/car-lib
  • CarService: 系统中与车상식적인 교통수단, 位于/플랫폼/패키지/서비스/Car/
  • 차량 HAL: 하드웨어/인터페이스/자동차/차량/2.0/default/(하드웨어/인터페이스/자동차/차량/2.0/default/impl/vhal_v2_0/)

1.1.1. 프레임워크 CarService영구 링크

기계적 인조 인간 O/P는 자동차가 HAL을 사용하는 차량HAL통신으로 사용됩니다. ,进而过车载总线(例如CAN总线)与车身进行讯,同时它们还为应사용 가능한 앱은 从而让APP과 같은 앱입니다.

  • 자동차***매니저:packages/services/Car/car-lib/src/android/car/hardware
  • 자동차***서비스:packages/services/Car/service/src/com/android/car/

1.2. 앱스토어영구 링크

1.2.1. APP层确认是否支持车载功能영구 링크

  1. 이전에 앱을 사용하는 Car API가 Car API를 사용하여 실행되었습니다.
if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE)) {
    .....
}

예:

//packages/apps/SettingsIntelligence/src/com/android/settings/intelligence/suggestions/eligibility/AutomotiveEligibilityChecker.java
    public static boolean isEligible(Context context, String id, ResolveInfo info) {
        PackageManager packageManager = context.getPackageManager();
        //是否支持车载功能
        boolean isAutomotive = packageManager.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE);
        //是否有车载功能支持的资格
        boolean isAutomotiveEligible =
                info.activityInfo.metaData.getBoolean(META_DATA_AUTOMOTIVE_ELIGIBLE, false);
        if (isAutomotive) {
            if (!isAutomotiveEligible) {
                Log.i(TAG, "Suggestion is ineligible for FEATURE_AUTOMOTIVE: " + id);
            }
            return isAutomotiveEligible;
        }
        return true;
    }

//frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
    @GuardedBy("mAvailableFeatures")
    final ArrayMap<String, FeatureInfo> mAvailableFeatures;

    @Override
    public boolean hasSystemFeature(String name, int version) {
        // allow instant applications
        synchronized (mAvailableFeatures) {
            final FeatureInfo feat = mAvailableFeatures.get(name);
            if (feat == null) {
                return false;
            } else {
                return feat.version >= version;
            }
        }
    }
  1. 일반적으로 Binder访问PackageManagerService,mAvailableFeatures리면적 内容是통로过读取/system/etc/permissions하단 XML 문서(对应SDK적 位置—프레임워크/네이티브/데이터/etc아래 XML 문서 중 기능 字段)
//frameworks/native/data/etc/car_core_hardware.xml
<permissions>
    <!-- Feature to specify if the device is a car -->
    <feature name="android.hardware.type.automotive" />
    .....
</permission>

//frameworks/native/data/etc/android.hardware.type.automotive.xml
<!-- These features determine that the device running android is a car. -->
<permissions>
    <feature name="android.hardware.type.automotive" />
</permissions>

1.2.2. APP创建Car API, 接收底层回调영구 링크

자동차 제작은 平台最高等级的API( packages/services/Car/car-lib/src/android/car/Car.java), 为外界提供汽车所有服务와数据的访问

  1. CommunicrecreateCar 방법으로 새로운 Car实例
  2. 통신 연결 방식 CarService
  3. 当成功连接时可以通过getCarManagermethod获取一个一个相关的manager, 比如Hvaccommunication过get CarManager 방법을 사용하면 CarHvacManager, 当获取到manager后就可以进行以操作

HvacController.java의 예:

//packages/apps/Car/Hvac/src/com/android/car/hvac/HvacController.java
  private Object mHvacManagerReady = new Object();

 @Override
    public void onCreate() {
        super.onCreate();
        if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE)) {
            if (SystemProperties.getBoolean(DEMO_MODE_PROPERTY, false)) {
                IBinder binder = (new LocalHvacPropertyService()).getCarPropertyService();
                initHvacManager(new CarHvacManager(binder, this, new Handler()));
                return;
            }
            //创建Car实例,即new Car对象
            mCarApiClient = Car.createCar(this, mCarConnectionCallback);
            //connect连接,调用startCarService启动CarService
            mCarApiClient.connect();
        }
    }

    private final CarConnectionCallback mCarConnectionCallback =
            new CarConnectionCallback() {
                @Override
                public void onConnected(Car car) {
                    synchronized (mHvacManagerReady) {
                        try {
                            //getCarManager获取manager
                            //在获取到CarHvacManager后,可以直接调用CarHvacManager提供的接口
                            //例如mHvacManager.getPropertyList();
                            initHvacManager((CarHvacManager) mCarApiClient.getCarManager(
                                    android.car.Car.HVAC_SERVICE));
                            mHvacManagerReady.notifyAll();
                        } catch (CarNotConnectedException e) {
                            Log.e(TAG, "Car not connected in onServiceConnected");
                        }
                    }
                }

                @Override
                public void onDisconnected(Car car) {
                }
            };

    private void initHvacManager(CarHvacManager carHvacManager) {
        mHvacManager = carHvacManager;
        List<CarPropertyConfig> properties = null;
        try {
            properties = mHvacManager.getPropertyList();
            mPolicy = new HvacPolicy(HvacController.this, properties);
            //注册回调
            mHvacManager.registerCallback(mHardwareCallback);
        } catch (android.car.CarNotConnectedException e) {
            Log.e(TAG, "Car not connected in HVAC");
        }
    }

    @Override
    public void onDestroy() {
        super.onDestroy();
        if (mHvacManager != null) {
            //取消注册回调
            mHvacManager.unregisterCallback(mHardwareCallback);
        }
        if (mCarApiClient != null) {
            mCarApiClient.disconnect();
        }
    }

    //接收处理callback消息
    private final CarHvacManager.CarHvacEventCallback mHardwareCallback =
            new CarHvacManager.CarHvacEventCallback() {
                @Override
                public void onChangeEvent(final CarPropertyValue val) {
                    int areaId = val.getAreaId();
                    switch (val.getPropertyId()) {
                        case CarHvacManager.ID_ZONED_AC_ON:
                            handleAcStateUpdate(getValue(val));
                            break;
                        case CarHvacManager.ID_ZONED_FAN_DIRECTION:
                            handleFanPositionUpdate(areaId, getValue(val));
                        .....
                        default:
                            if (Log.isLoggable(TAG, Log.DEBUG)) {
                                Log.d(TAG, "Unhandled HVAC event, id: " + val.getPropertyId());
                            }
                    }
                }

                @Override
                public void onErrorEvent(final int propertyId, final int zone) {
                }
            };

예를 들어 라디오 앱의 RadioTunerExt.java文件:

//packages/apps/Car/Radio/src/com/android/car/radio/platform/RadioTunerExt.java
    RadioTunerExt(Context context) {
        //创建Car实例,即new Car对象
        mCar = Car.createCar(context, mCarServiceConnection);
        //connect连接,调用startCarService启动CarService
        mCar.connect();
    }

    private final ServiceConnection mCarServiceConnection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service) {
            synchronized (mLock) {
                try {
                    //getCarManager获取manager
                    mCarAudioManager = (CarAudioManager)mCar.getCarManager(Car.AUDIO_SERVICE);
                    if (mPendingMuteOperation != null) {
                        boolean mute = mPendingMuteOperation;
                        mPendingMuteOperation = null;
                        Log.i(TAG, "Car connected, executing postponed operation: "
                                + (mute ? "mute" : "unmute"));
                        setMuted(mute);
                    }
        .....

2. 목차영구 링크

2.1. CarService一级目录结构说明( packages/services/Car/)영구 링크

목차:packages/services/Car/

.
├── Android.mk
├── apicheck.mk
├── apicheck_msg_current.txt
├── apicheck_msg_last.txt
├── car-cluster-logging-renderer    //LoggingClusterRenderingService继承InstrumentClusterRenderingService
├── car-default-input-service   //按键消息处理
├── car-lib         //提供给汽车App特有的接口,许多定制的模块都在这里实现,包括Sensor,HVAC,Cabin,ActiveParkingAssiance,Diagnostic,Vendor等
├── car-maps-placeholder    //地图软件相关
├── car_product         //系统编译相关
├── car-support-lib     //android.support.car
├── car-systemtest-lib  //系统测试相关
├── car-usb-handler     //开机自启,用于管理车机USB
├── CleanSpec.mk
├── evs  
├── obd2-lib
├── PREUPLOAD.cfg
├── procfs-inspector
├── service    //com.android.car是一个后台运行的组件,可以长时间运行并且不需要和用户去交互的,这里即使应用被销毁,它也可以正常工作
├── tests
├── tools   //是一系列的工具,要提到的是里面的emulator,测试需要用到的。python写的,通过adb可以连接vehicleHal的工具,用于模拟测试
├── TrustAgent
└── vehicle-hal-support-lib

2.2. 자동차 APP영구 링크

  • packages/services/Car/car_product/build/car.mk里面决정了是否编译상关apk(system/priv-app)
  • 출처 위치::packages/apps/Car/

这个文件中列了汽车系统中的专有模块(首字母大写的模块基本上書是汽车系统中专유있는 앱) :

//packages/services/Car/car_product/build/car.mk
# Automotive specific packages
PRODUCT_PACKAGES += \
    CarService \
    CarTrustAgentService \
    CarDialerApp \                      # 电话应用,包含拨号键盘、通话记录等
    CarRadioApp \                       # 收音机应用
    OverviewApp \
    CarLauncher \
    CarLensPickerApp \                  # 活动窗口选择应用(Launcher)
    LocalMediaPlayer \                  # 提供本地播放服务的应用
    CarMediaApp \                       # 媒体应用,包含播放界面等
    CarMessengerApp \                   # 消息管理应用,包含消息及TTS相关功能
    CarHvacApp \                        # 空调应用,空调显示及操作界面
    CarMapsPlaceholder \
    CarLatinIME \                       # 输入法应用
    CarSettings \                       # 设置应用
    CarUsbHandler \
    android.car \
    car-frameworks-service \
    com.android.car.procfsinspector \
    libcar-framework-service-jni \
....
PRODUCT_PACKAGES += \
    Bluetooth \
    OneTimeInitializer \
    Provision \
    SystemUI \
    SystemUpdater                       # 系统升级应用

2.3. 자동차 API영구 링크

  • 源码位置: /platform/packages/services/Car/car-lib,因为对手机와 平板没有의미 义,仅用于开发汽车,所以没有包含在Framework SDK中

자동차 API(详细路径: packages/services/Car/car-lib/src/android/car/)유如下:

자동차 API 분류:

2.4. 차량 서비스영구 링크

  • 출처 위치:packages/services/Car/

CarServcie模块与很多模块city需要交互(供参考):

  • 向上给APP提供API接口;
  • 向下与MCU进行信,进而와车身网络进行交互;
  • 给其他模块提供标项信息;
  • 给Camera模块提供Digital RVC控等信息等;
  • 可以获取DSP版本、前屏版本号等;
  • 持有Power模块的锁,carservice挂了就会息屏

2.5. AIDL영구 링크

Android는 Android에서 사용하기로 결정했습니다.

如要使用 AIDL 创建绑定服务,请执行以下步骤:

  1. 创建.aidl文件:此文件定义带유방법签名的编程接口
  2. 개발자:Android SDK工具会基于您的.aidl文件,使用Java编程语言生成接口。此接口拥有一个name为Stub的内部抽象类, 用于扩见Binder类并实现AIDL接口中的方法您必须扩Stub类并实现这些방법
  3. 向客户端公开接口,实现Service并写onBind(),从而返回Stub类的实现

2.5.1. 예를 들어 ICarInputListener영구 링크

  1. AIDL문서: 
    //packages/services/Car/car-lib/src/android/car/input/ICarInputListener.aidl
/**
 * Binder API for Input Service.
 *
 * @hide
 */
oneway interface ICarInputListener {
 /** Called when key event has been received. */
 void onKeyEvent(in KeyEvent keyEvent, int targetDisplay) = 1;
}
  2. 같은 종류의 AIDL接口中的内部抽象类Stub
//packages/services/Car/car-lib/src/android/car/input/CarInputHandlingService.java
    private class InputBinder extends ICarInputListener.Stub {
        private final EventHandler mEventHandler;

        InputBinder() {
            mEventHandler = new EventHandler(CarInputHandlingService.this);
        }

        @Override
        public void onKeyEvent(KeyEvent keyEvent, int targetDisplay) throws RemoteException {
            mEventHandler.doKeyEvent(keyEvent, targetDisplay);
        }
    }
  1. 客户端调사용 服务端적 지원

추신:如果需要返回对象则需要实现Service.onBind(Intent)방법, 该方法会返回一个IBinder对象到客户端

//packages/services/Car/service/src/com/android/car/CarInputService.java
    private final ServiceConnection mInputServiceConnection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder binder) {
            if (DBG) {
                Log.d(CarLog.TAG_INPUT, "onServiceConnected, name: "
                        + name + ", binder: " + binder);
            }
            mCarInputListener = ICarInputListener.Stub.asInterface(binder);

            try {
                binder.linkToDeath(() -> CarServiceUtils.runOnMainSync(() -> {
                    Log.w(CarLog.TAG_INPUT, "Input service died. Trying to rebind...");
                    mCarInputListener = null;
                    // Try to rebind with input service.
                    mCarInputListenerBound = bindCarInputService();
                }), 0);
            } catch (RemoteException e) {
                Log.e(CarLog.TAG_INPUT, e.getMessage(), e);
            }
        }

2.6. carservice 작동 흐름 과정영구 링크

대진류과정:

  1. SystemServer는 CarServiceHelperService를 지원합니다.
  2. 여기에서 사용되는 startService后, CarServiceHelperService의 onStart 방법을 통해 bindService의 방법은 CarService(一个系统级别의 APK, 位于system/priv-app)입니다.
  3. 启动CarService后首先调사용 onCreate, 创建ICarImpl对象并初始化, 에서 此时创建了一系列car상형核心服务, 并遍历init初始化
  4. onBind에 사용되는 Bind将该ICarImpl对象返回给CarServiceHelperService,CarServiceHelperService는 Binder에서 사용되는 1个Binder对象ICarServiceHelperImpl传递给CarService,建立双向跨进程

2.6.1. 설명서영구 링크

2.6.2. CarServiceHelperService 서비스영구 링크

frameworks/base/services/java/com/android/server/SystemServer.java - run() —-> startOtherServices()

    private static final String CAR_SERVICE_HELPER_SERVICE_CLASS =
            "com.android.internal.car.CarServiceHelperService";
            ......
            if (mPackageManager.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE)) {
                traceBeginAndSlog("StartCarServiceHelperService");
                mSystemServiceManager.startService(CAR_SERVICE_HELPER_SERVICE_CLASS);
                traceEnd();
            }

—–> frameworks/base/services/core/java/com/android/server/SystemServiceManager.java - startService

    @SuppressWarnings("unchecked")
    public SystemService startService(String className) {
        ....
        return startService(serviceClass);
    }

    public <T extends SystemService> T startService(Class<T> serviceClass) {
        ...
        startService(service);
        ...
    }

    public void startService(@NonNull final SystemService service) {
        ......
        try {
            service.onStart();
            ...
        }

2.6.3. Carservice 서비스 정의영구 링크

—–> 프레임워크/opt/car/services/src/com/android/internal/car/CarServiceHelperService.java - onStart()

    //这就是系统中和汽车相关的核心服务CarService,相关源代码在packages/services/Car/service目录下
    private static final String CAR_SERVICE_INTERFACE = "android.car.ICar";

    @Override
    public void onStart() {
        Intent intent = new Intent();
        intent.setPackage("com.android.car");  //绑定包名,设置广播仅对该包有效
        //绑定action,表明想要启动能够响应设置的这个action的活动,并在清单文件AndroidManifest.xml中设置action属性
        intent.setAction(CAR_SERVICE_INTERFACE);
        //绑定后回调
        if (!getContext().bindServiceAsUser(intent, mCarServiceConnection, Context.BIND_AUTO_CREATE,
                UserHandle.SYSTEM)) {
            Slog.wtf(TAG, "cannot start car service");
        }
        System.loadLibrary("car-framework-service-jni");
    }
  • service源码路径:packages/services/Car/service/AndroidManifest.xml

sharedUserId는 类似SystemUI, 它编译出来同样是一个 APK文件

설계 문서 경로 위치:/system/priv-app/CarService/CarService.apk

//packages/services/Car/service/AndroidManifest.xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        xmlns:androidprv="http://schemas.android.com/apk/prv/res/android"
        package="com.android.car"
        coreApp="true"
        android:sharedUserId="android.uid.system"> 
        ......
<application android:label="Car service"
                 android:directBootAware="true"
                 android:allowBackup="false"
                 android:persistent="true">
        <service android:name=".CarService"
                android:singleUser="true">
            <intent-filter>
                <action android:name="android.car.ICar" />
            </intent-filter>
        </service>
        <service android:name=".PerUserCarService" android:exported="false" />
    </application>

2.6.4. BindService 서비스 제공영구 링크

context.bindService() ——> onCreate() ——> onBind() ——> Service running ——> onUnbind() ——> onDestroy() ——> Service stop

onBind()는 IBind를 사용하여 IBind를 실행합니다.服务时候把调 이용자 ( Context, 例如Activity)는 会 화 서비스 결정에서 1 起, Context 退 了, 서비스 就会调사용 onUnbind-> onDestroy 와 같습니다.

所以调사용bindService의 생활은 다음과 같습니다.onCreate --> onBind(只一次,不可多次绑定) --> onUnbind --> onDestroy

Service每一次的开启关闭过程中,只有onStart可被多次调사용 (통계다次startService调용),其他onCreate,onBind,onUnbind,onDestroy재일个生命周期中只能被调사용일次

2.7. 자동차 서비스영구 링크

2.7.1. 생성중영구 링크

——–> 패키지/서비스/Car/service/src/com/android/car/CarService.java - onCreate()

ICarImpl 실사 제작

    @Nullable
    private static IVehicle getVehicle() {
        try {
            //该service启动文件hardware/interfaces/automotive/vehicle/2.0/default/android.hardware.automotive.vehicle@2.0-service.rc
            return android.hardware.automotive.vehicle.V2_0.IVehicle.getService();
        } ....
        return null;
    }

    @Override
    public void onCreate() {
        Log.i(CarLog.TAG_SERVICE, "Service onCreate");
        //获取hal层的Vehicle service
        mVehicle = getVehicle();

        //创建ICarImpl实例
        mICarImpl = new ICarImpl(this,
                mVehicle,
                SystemInterface.Builder.defaultSystemInterface(this).build(),
                mCanBusErrorNotifier,
                mVehicleInterfaceName);
        //然后调用ICarImpl的init初始化方法
        mICarImpl.init();
        //设置boot.car_service_created属性
        SystemProperties.set("boot.car_service_created", "1");

        linkToDeath(mVehicle, mVehicleDeathRecipient);
        //最后将该service注册到ServiceManager
        ServiceManager.addService("car_service", mICarImpl);
        super.onCreate();
    }

//packages/services/Car/service/src/com/android/car/ICarImpl.java
    private final VehicleHal mHal;
    //构造函数启动一大堆服务
    public ICarImpl(Context serviceContext, IVehicle vehicle, SystemInterface systemInterface,
            CanBusErrorNotifier errorNotifier, String vehicleInterfaceName) {
        mContext = serviceContext;
        mSystemInterface = systemInterface;
        //创建VehicleHal对象
        mHal = new VehicleHal(vehicle);
        mVehicleInterfaceName = vehicleInterfaceName;
        mSystemActivityMonitoringService = new SystemActivityMonitoringService(serviceContext);
        mCarPowerManagementService = new CarPowerManagementService(mContext, mHal.getPowerHal(),
                systemInterface);
        mCarPropertyService = new CarPropertyService(serviceContext, mHal.getPropertyHal());
        .....
        //InstrumentClusterService service启动
        mInstrumentClusterService = new InstrumentClusterService(serviceContext,
                mAppFocusService, mCarInputService);
        mSystemStateControllerService = new SystemStateControllerService(serviceContext,
                mCarPowerManagementService, mCarAudioService, this);
        mPerUserCarServiceHelper = new PerUserCarServiceHelper(serviceContext);
        // mCarBluetoothService = new CarBluetoothService(serviceContext, mCarPropertyService,
        //        mPerUserCarServiceHelper, mCarUXRestrictionsService);
        mVmsSubscriberService = new VmsSubscriberService(serviceContext, mHal.getVmsHal());
        mVmsPublisherService = new VmsPublisherService(serviceContext, mHal.getVmsHal());
        mCarDiagnosticService = new CarDiagnosticService(serviceContext, mHal.getDiagnosticHal());
        mCarStorageMonitoringService = new CarStorageMonitoringService(serviceContext,
                systemInterface);
        mCarConfigurationService =
                new CarConfigurationService(serviceContext, new JsonReaderImpl());
        mUserManagerHelper = new CarUserManagerHelper(serviceContext);

        //注意排序,service存在依赖
        List<CarServiceBase> allServices = new ArrayList<>();
        allServices.add(mSystemActivityMonitoringService);
        allServices.add(mCarPowerManagementService);
        allServices.add(mCarPropertyService);
        allServices.add(mCarDrivingStateService);
        allServices.add(mCarUXRestrictionsService);
        allServices.add(mCarPackageManagerService);
        allServices.add(mCarInputService);
        allServices.add(mCarLocationService);
        allServices.add(mGarageModeService);
        allServices.add(mAppFocusService);
        allServices.add(mCarAudioService);
        allServices.add(mCarNightService);
        allServices.add(mInstrumentClusterService);
        allServices.add(mCarProjectionService);
        allServices.add(mSystemStateControllerService);
        // allServices.add(mCarBluetoothService);
        allServices.add(mCarDiagnosticService);
        allServices.add(mPerUserCarServiceHelper);
        allServices.add(mCarStorageMonitoringService);
        allServices.add(mCarConfigurationService);
        allServices.add(mVmsSubscriberService);
        allServices.add(mVmsPublisherService);

        if (mUserManagerHelper.isHeadlessSystemUser()) {
            mCarUserService = new CarUserService(serviceContext, mUserManagerHelper);
            allServices.add(mCarUserService);
        }

        mAllServices = allServices.toArray(new CarServiceBase[allServices.size()]);
    }

    @MainThread
    void init() {
        traceBegin("VehicleHal.init");
        mHal.init();
        traceEnd();
        traceBegin("CarService.initAllServices");
        //启动的所有服务遍历调用init初始化(各个都继承了CarServiceBase)
        for (CarServiceBase service : mAllServices) {
            service.init();
        }
        traceEnd();
    }

2.7.2. 바인딩에 대한영구 링크

상단 화면의 mICarImpl 생성:

  1. onBind()를 사용하는 방법은 BindService()를 사용하여 의도적으로 사용하는 bindServiceAsUser방법입니다.
  2. onUnbind()는 unbindService()의 의도를 고려하여 서비스를 정의합니다.
//packages/services/Car/service/src/com/android/car/CarService.java
    @Override
    public IBinder onBind(Intent intent) {
        return mICarImpl;
    }

所以此处的mICarImpl会제작为IBinder返回给CarServiceHelperService.java - bindServiceAsUser방법중의 参数mCarServiceConnection (回调)

2.7.3. 파괴시영구 링크

mICarImpl이 제공하는 기능은 다음과 같습니다.

    @Override
    public void onDestroy() {
        Log.i(CarLog.TAG_SERVICE, "Service onDestroy");
        mICarImpl.release();
        mCanBusErrorNotifier.removeFailureReport(this);

        if (mVehicle != null) {
            try {
                mVehicle.unlinkToDeath(mVehicleDeathRecipient);
                mVehicle = null;
            } catch (RemoteException e) {
                // Ignore errors on shutdown path.
            }
        }

        super.onDestroy();
    }

2.8. ServiceConnection을 반환합니다.영구 링크

ICarImpl初始化完毕,会作为IBinder返回给CarServiceHelperService.java - bindServiceAsUser方法中绑定此服务的mCarServiceConnection(回调)

mCarServiceConnection初始化如下:

  1. CarServiceHelperService의 mCarService에서 ICarImpl을 사용할 수 있습니다.
  2. mCarService.transact는 ICar.aidl을 사용하는 통합 솔루션 setCarServiceHelper를 사용합니다.
//frameworks/opt/car/services/src/com/android/internal/car/CarServiceHelperService.java
private static final String CAR_SERVICE_INTERFACE = "android.car.ICar";
private IBinder mCarService;
private final ICarServiceHelperImpl mHelper = new ICarServiceHelperImpl();

private final ServiceConnection mCarServiceConnection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName componentName, IBinder iBinder) {
            Slog.i(TAG, "**CarService connected**");
            //1. 返回的ICarImpl被保存在了CarServiceHelperService的mCarService
            mCarService = iBinder;
            // Cannot depend on ICar which is defined in CarService, so handle binder call directly
            // instead. 
            // void setCarServiceHelper(in IBinder helper)
            Parcel data = Parcel.obtain();
            data.writeInterfaceToken(CAR_SERVICE_INTERFACE);
            //将ICarServiceHelperImpl类型的对象作为数据跨进程传递
            data.writeStrongBinder(mHelper.asBinder());
            try {
                //2.跨进程传输
                //对端是mCarService即ICarImpl,调用binder的transact进行跨进程通信
                //其code代表需要调用的对端方法,data为携带的传输数据
                //FIRST_CALL_TRANSACTION  = 0x00000001,即调用对端ICar.aidl中定义的第一个方法setCarServiceHelper
                mCarService.transact(IBinder.FIRST_CALL_TRANSACTION, // setCarServiceHelper
                        data, null, Binder.FLAG_ONEWAY);
            } catch (RemoteException e) {
                Slog.w(TAG, "RemoteException from car service", e);
                handleCarServiceCrash();
            }
        }

        @Override 
        public void onServiceDisconnected(ComponentName componentName) {
            handleCarServiceCrash();
        }
    };

2.9. 跨进程setCarServiceHelper영구 링크

    @Override
    public void setCarServiceHelper(IBinder helper) {
        int uid = Binder.getCallingUid();
        if (uid != Process.SYSTEM_UID) {
            throw new SecurityException("Only allowed from system");
        }
        synchronized (this) {
            //将ICarServiceHelper的代理端保存在ICarImpl内部mICarServiceHelper
            mICarServiceHelper = ICarServiceHelper.Stub.asInterface(helper);
            //同时也传给了SystemInterface
            //此时他们有能力跨进程访问CarServiceHelperService
            mSystemInterface.setCarServiceHelper(mICarServiceHelper);
        }
    }

3. 참고영구 링크

Android Automotive용 CarService 서비스

深入理解Android의 시작 서비스와 바인딩 서비스

안드로이드와 자동차

안드로이드 O CarService

Java 주석(Annotation)

Google 공식 문서 - AIDL

AIDL 단방향 以及in, out,inout参数의 논리

Android AIDL사용법 알아보기

일구气从零读懂CAN总线

本地进程间通信——Unix域套接字

저작자표시 비영리 변경금지

'차량 보안' 카테고리의 다른 글

ISO 21434 CAL Level  (0) 2023.06.29
Car Hacking Training  (0) 2023.05.18
블로그 이미지

wtdsoul

,

bkcrack tool 경로

경로 및 정보 2025. 2. 5. 14:50

https://github.com/kimci86/bkcrack?tab=readme-ov-file

 

GitHub - kimci86/bkcrack: Crack legacy zip encryption with Biham and Kocher's known plaintext attack.

Crack legacy zip encryption with Biham and Kocher's known plaintext attack. - kimci86/bkcrack

github.com

 

 

저작자표시 비영리 변경금지

'경로 및 정보' 카테고리의 다른 글

Should You Send Your Pen Test Report to the MSRC?  (0) 2025.02.10
Hyundai app bugs allowed hackers to remotely unlock, start cars (펌)  (0) 2025.02.02
도커 설치 후 도커 명령어 실행 에러 Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? (펌)  (0) 2025.02.01
dpkg was interrupted Error 해결 방법 (펌)  (0) 2025.02.01
Ubuntu 22.04 끊김 현상  (0) 2025.02.01
블로그 이미지

wtdsoul

,

공지사항

태그목록

글 보관함

달력

«   2025/02   »
1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28

티스토리툴바