Digging for Android Kernel Bugs
James Fang, Sen Nie
About us
• Keen Team
• Pwn2Own Mobile 2013
• Pwn2Own 2014, 2015
• 0ops and Blue-Lotus members
• Multiple CVEs affecting major SoC solutions
• Also contribute root tools to the community for fun
• Huawei Ascend Mate 7
• User-mode exp of giefroot (by zxz0O0)
Agenda
• Binary Analysis
• Benefits
• Disassembling kernel
• Fuzzing
• Case study
• Suggestions
• SoC vendors
• Phone/ROM mgfr
• Source Analysis
• Tools and methods
• Analyzer internals
• Case study
Kernel. Kernel always changes
Benefits of Binary Kernel
• Exact piece of code running on actual devices
• Critical security features
• …with many options
• SEAndroid
• TIMA, etc
• Offset, offset, offset…
• Important for constructing args
• Fuzzing
Preparing Kernel
1. Extract zImage
2. Decompress zImage
3. Flat, plain binary
• Code + Data
• No structure
IDA’s best guess ==>
Preparing Kernel
• Solution: IDA loader
1. Extract address table
• Also determine arch by address length (64 or 32)
2. Extract (compressed) symbol name table
3. Create symbols
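The two table-decoding steps of the loader, as an added example that is not the authors' IDA loader: detecting the address width from the sorted address table, then expanding the token-compressed kallsyms name table. The classic kallsyms layout (kallsyms_names / kallsyms_token_table / kallsyms_token_index) is assumed, and the sample tables are constructed.

```c
/* Added example, not the slide authors' IDA loader. Layout follows the
 * classic kallsyms format; the sample tables below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KSYM_MAX 128

struct ksym {
    char type;            /* first decoded character: 't', 'T', 'd', ... */
    char name[KSYM_MAX];
};

/* kallsyms_addresses is sorted ascending. Read as 32-bit words, a 64-bit
 * table interleaves low and high halves and stops being sorted, so the
 * narrowest width that still reads as sorted is the address length.
 * Heuristic: returns 32, 64, or 0 when neither reading is sorted. */
int kallsyms_guess_width(const uint8_t *tbl, size_t len)
{
    size_t i;
    int sorted;
    if (len >= 8 && len % 4 == 0) {
        sorted = 1;
        for (i = 4; i + 4 <= len && sorted; i += 4) {
            uint32_t prev, cur;
            memcpy(&prev, tbl + i - 4, 4);
            memcpy(&cur, tbl + i, 4);
            if (cur < prev) sorted = 0;
        }
        if (sorted) return 32;
    }
    if (len >= 16 && len % 8 == 0) {
        sorted = 1;
        for (i = 8; i + 8 <= len && sorted; i += 8) {
            uint64_t prev, cur;
            memcpy(&prev, tbl + i - 8, 8);
            memcpy(&cur, tbl + i, 8);
            if (cur < prev) sorted = 0;
        }
        if (sorted) return 64;
    }
    return 0;
}

/* Expand one entry of kallsyms_names at *off. An entry is a length byte
 * followed by that many token indices; kallsyms_token_index maps an index
 * to a NUL-terminated string in kallsyms_token_table. Every offset is
 * bounds-checked because the tables come from an untrusted image.
 * Advances *off on success; returns 0, or -1 on truncated/malformed data. */
int kallsyms_decode_name(const uint8_t *names, size_t names_len, size_t *off,
                         const char *tokens, size_t tokens_len,
                         const uint16_t token_index[256], struct ksym *out)
{
    char buf[KSYM_MAX + 1];
    size_t n = 0, i, j, pos = *off;
    uint8_t len;

    if (pos >= names_len) return -1;
    len = names[pos++];
    if (len == 0 || pos + len > names_len) return -1;
    for (i = 0; i < len; i++) {
        uint16_t toff = token_index[names[pos + i]];
        if (toff >= tokens_len) return -1;
        for (j = toff; j < tokens_len && tokens[j] != '\0'; j++) {
            if (n >= KSYM_MAX) return -1;        /* longer than we accept */
            buf[n++] = tokens[j];
        }
    }
    if (n < 2) return -1;                        /* need type char + name */
    out->type = buf[0];
    memcpy(out->name, buf + 1, n - 1);
    out->name[n - 1] = '\0';
    *off = pos + len;
    return 0;
}

/* Constructed sample: tokens "t", "main", "sys_", "open" and a name table
 * holding two entries that expand to "tmain" and "tsys_open". */
static const char sample_tokens[] = "t\0main\0sys_\0open";
static const uint16_t sample_index[256] = { 0, 2, 7, 12 };
static const uint8_t sample_names[] = { 2, 0, 1,  3, 0, 2, 3 };

/* Decode the whole sample table into out[]; returns the number of symbols. */
int kallsyms_decode_sample(struct ksym *out, int max)
{
    size_t off = 0;
    int n = 0;
    while (n < max && kallsyms_decode_name(sample_names, sizeof sample_names, &off,
                                           sample_tokens, sizeof sample_tokens,
                                           sample_index, &out[n]) == 0)
        n++;
    return n;
}
```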
Fuzzing Targets (1) - mmap
• Call mmap on dev fd
• Create VA => PA mapping in user space
• Boundary check?
• remap_pfn_range
• Fixed or variable start
• PA overlapping
• Long lasting…
• Framaroot (2013)
• Mate 7 root (2015)
Case Study – audio drv mmap overflow
seg000:C059ACE4 vul_mmap
seg000:C059ACE4
seg000:C059ACE4 var_14 = -0x14
seg000:C059ACE4
seg000:C059ACE4 MOV R12, SP
seg000:C059ACE8 STMFD SP!, {R11,R12,LR,PC}
seg000:C059ACEC SUB R11, R12, #4
seg000:C059ACF0 SUB SP, SP, #8
seg000:C059ACF4 LDR R2, =(dword_C0048C38 - 0xC059AD0C)
seg000:C059ACF8 MOV R3, R1
seg000:C059ACFC LDR R12, =(unk_C0047244 - 0xC059AD14)
seg000:C059AD00 MOV R0, R1
seg000:C059AD04 LDR R2, [PC,R2] ; dword_C0048C38
seg000:C059AD08 LDR R1, [R1,#4] <== start
seg000:C059AD0C LDR R12, [PC,R12] ; unk_C0047244
seg000:C059AD10 LDR R3, [R3,#8] <== end
seg000:C059AD14 LDR R2, [R2]
seg000:C059AD18 LDR R12, [R12]
seg000:C059AD1C RSB R3, R1, R3
seg000:C059AD20 MOV R2, R2,LSR#12
seg000:C059AD24 ORR R12, R12, #0x300
seg000:C059AD28 STR R12, [SP,#0x14+var_14]
seg000:C059AD2C BL remap_pfn_range
int remap_pfn_range(
struct vm_area_struct *vma,
unsigned long virt_addr,
unsigned long pfn,
unsigned long size,
pgprot_t prot
);
pfn: constant, before kernel code
size: overflow, covers code and data
Fix:
1. Restrict ACL on devfs node (666 -> 600)
2. Add boundary check
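The boundary check of fix step 2, as an added example that is not the audio driver's code: the vulnerable size computation from the listing beside a hardened range check, modelled in user space so it can be exercised. struct vma stands in for the vm_area_struct fields the handler reads; the device window and PAGE_SHIFT = 12 are assumptions.

```c
/* Added example, not the audio driver's code; window and page size assumed. */
#include <limits.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define EINVAL     22

/* Stand-in for the vm_area_struct fields the mmap handler reads; all three
 * are chosen by the caller of mmap(2). */
struct vma {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff;   /* offset into the device, in pages */
};

/* The one physical buffer the driver is meant to expose (assumed). */
struct dev_window {
    unsigned long base_pa;    /* physical start, page aligned */
    unsigned long size;       /* bytes, multiple of PAGE_SIZE */
};

/* Shape of the vulnerable handler in the listing: pfn is a constant and the
 * size passed to remap_pfn_range is vm_end - vm_start straight from the vma,
 * never compared with the window, so a large mapping runs past the buffer
 * into the kernel code and data that follow it. */
unsigned long vuln_mmap_size(const struct vma *v)
{
    return v->vm_end - v->vm_start;
}

/* Hardened version: yields pfn/len only when [pgoff, pgoff + size) lies
 * inside the window. Each comparison is arranged so no intermediate can
 * wrap, because every input is user-controlled. Returns 0 or -EINVAL; on 0
 * the caller may call remap_pfn_range(vma, vm_start, *pfn, *len, prot). */
int checked_mmap_range(const struct dev_window *w, const struct vma *v,
                       unsigned long *pfn, unsigned long *len)
{
    unsigned long size, off;

    if (v->vm_end <= v->vm_start)
        return -EINVAL;
    size = v->vm_end - v->vm_start;
    if (size & (PAGE_SIZE - 1))                 /* whole pages only */
        return -EINVAL;
    if (v->vm_pgoff > ULONG_MAX >> PAGE_SHIFT)  /* pgoff << PAGE_SHIFT would wrap */
        return -EINVAL;
    off = v->vm_pgoff << PAGE_SHIFT;
    if (off >= w->size || size > w->size - off) /* w->size - off cannot underflow */
        return -EINVAL;
    *pfn = (w->base_pa + off) >> PAGE_SHIFT;
    *len = size;
    return 0;
}

/* Constructed window: 16 pages of device memory at physical 0x80000000. */
static const struct dev_window sample_window = { 0x80000000UL, 16 * PAGE_SIZE };
```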
Fuzzing Targets (2) - ioctl
• Manipulate underlying device params
• ioctl(fd, cmd, args)
• File descriptor
• Command
• Arguments
• Problem: missing spec document
Fuzzing Targets (2) - ioctl
• Command code
• Specify request type
• Differs from device to device
• Coverage!!!
• Argument
• Structure pointer
• Length, type, etc…
• Digging from binary
Hex-Rays Decompiler
• Assembly => Pseudo C
• API interface:
• AST: ctree
• Nodes: citem_t
• 80+ types of node
• 9 types commonly used
enum ctype_t
{
cot_asg = 2, ///< x = y
cot_add = 35, ///< x + y
cot_sub = 36, ///< x - y
cot_cast = 48, ///< (type)x
cot_ptr = 51, ///< *x, access size in 'ptrsize'
cot_call = 57, ///< x(...)
cot_idx = 58, ///< x[y]
cot_memref = 59, ///< x.m
cot_memptr = 60, ///< x->m, access size in 'ptrsize'
};
Variable Propagation
• Lack of optimization
• Semi-SSA pseudo code
• int xxx_ioctl(a1, a2, a3)
• a1: fd
• a2: ioctl command
• a3: arg
• We need to track both a2 and a3
Variable Propagation
• Propagation rules
• cot_asg nodes
• Straightforward
• Affecting both cmd and arg
• cot_call nodes
• Kernel specific
• copy_from/to_user
• memcpy
• Affecting arg only
Variable Propagation
• Inter-procedure propagation
• copy_from/to_user is a special case
• memcpy
• For non-special case propagation, decompile the sub-routine recursively to proceed
https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c
Type Re-construction
• cot_add & cot_sub
• Result of var propagation leads to a3
• Offset can be calculated
• Length can be assumed (accurately)
• Handling inter-procedure scenarios
• Just like variable propagation
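The propagation rules and the type reconstruction from the last three slides, as an added example that is not the authors' Hex-Rays plugin: a user-space model run over a hand-built list of ctree-like statements (kinds mirror the ctype_t names) rather than a real ctree. Variables are small integers, V_A1..V_A3 are the xxx_ioctl(a1, a2, a3) parameters, and the sample program and its field offsets are constructed, not the real struct msdc_ioctl layout.

```c
/* Added example, not the authors' analyzer; statements are a constructed model. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NVARS  16
#define MAXACC 16

/* Flattened ctree statements; kinds mirror the ctype_t nodes on the slides. */
enum kind {
    K_ASG,     /* cot_asg:  dst = src (cot_cast is transparent)                 */
    K_CFU,     /* cot_call: copy_from_user(dst, src, n)                         */
    K_MEMCPY,  /* cot_call: memcpy(dst, src, n)                                 */
    K_FIELD    /* cot_ptr over cot_add: dst = *(T *)(src + off), len = sizeof T */
};
struct stmt { enum kind k; int dst, src, off, len; };

struct access { int base, off, len; };
struct state {
    unsigned char from_cmd[NVARS];  /* value derives from a2 (cmd) */
    unsigned char from_arg[NVARS];  /* value derives from a3 (arg) */
    struct access acc[MAXACC];      /* field reads through arg-derived pointers */
    int nacc;
};
enum { V_A1 = 0, V_A2 = 1, V_A3 = 2 };  /* xxx_ioctl(a1, a2, a3) */

/* Apply the slides' rules in statement order: cot_asg carries both cmd and
 * arg taint; the kernel copy helpers carry arg taint only (the destination
 * now holds user data); add/sub on an arg-derived base under a dereference
 * is a field access whose offset and size are recorded for reconstruction. */
void propagate(const struct stmt *s, int n, struct state *st)
{
    int i;
    memset(st, 0, sizeof *st);
    st->from_cmd[V_A2] = 1;
    st->from_arg[V_A3] = 1;
    for (i = 0; i < n; i++) {
        const struct stmt *x = &s[i];
        switch (x->k) {
        case K_ASG:
            st->from_cmd[x->dst] = st->from_cmd[x->src];
            st->from_arg[x->dst] = st->from_arg[x->src];
            break;
        case K_CFU:
        case K_MEMCPY:
            st->from_cmd[x->dst] = 0;
            st->from_arg[x->dst] = st->from_arg[x->src];
            break;
        case K_FIELD:
            if (st->from_arg[x->src] && st->nacc < MAXACC) {
                struct access a = { x->src, x->off, x->len };
                st->acc[st->nacc++] = a;
            }
            st->from_cmd[x->dst] = 0;
            st->from_arg[x->dst] = st->from_arg[x->src]; /* a field of arg is arg data */
            break;
        }
    }
}

/* Type reconstruction: sort recorded accesses by offset and render the
 * implied struct, using the access size as the field width. Returns the
 * number of distinct fields. */
int reconstruct(const struct state *st, char *out, size_t sz)
{
    struct access a[MAXACC];
    int i, j, n = st->nacc, fields = 0;
    size_t used;
    memcpy(a, st->acc, sizeof a[0] * (size_t)n);
    for (i = 1; i < n; i++) {                    /* insertion sort by offset */
        struct access t = a[i];
        for (j = i - 1; j >= 0 && a[j].off > t.off; j--) a[j + 1] = a[j];
        a[j + 1] = t;
    }
    used = (size_t)snprintf(out, sz, "struct arg {");
    for (i = 0; i < n && used < sz; i++) {
        if (i > 0 && a[i].off == a[i - 1].off) continue;   /* same field read twice */
        used += (size_t)snprintf(out + used, sz - used, " u%d f_%d;", a[i].len * 8, a[i].off);
        fields++;
    }
    if (used < sz) snprintf(out + used, sz - used, " }");
    return fields;
}

/* Constructed pseudo-code for the sdcard case study as a ctree would show it
 * (field offsets assumed):
 *   v3 = (struct msdc_ioctl *)a3;  v4 = v3->buffer;  v5 = v3->total_size;
 *   copy_from_user(v6 (name), v4, v5);  v7 = a2; */
static const struct stmt sample_prog[] = {
    { K_ASG,   3, V_A3, 0, 0 },
    { K_FIELD, 4, 3,    0, 4 },
    { K_FIELD, 5, 3,    4, 4 },
    { K_CFU,   6, 4,    0, 0 },
    { K_ASG,   7, V_A2, 0, 0 },
};
#define SAMPLE_N ((int)(sizeof sample_prog / sizeof sample_prog[0]))
```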
Case Study – sdcard driver
static int simple_mmc_erase_partition_wrap(
struct msdc_ioctl* msdc_ctl
)
{
unsigned char name[25];
if (copy_from_user(
name,
(unsigned char*)msdc_ctl->buffer,
msdc_ctl->total_size
))
return -EFAULT;
return simple_mmc_erase_partition(name);
}
static int vulnerable_func(struct vul_ioctl* vul_ctl)
{
unsigned char name[25];
if (copy_from_user(name,
(unsigned char*)vul_ctl->buffer,
vul_ctl->total_size <== overflow char name[] array
))
return -EFAULT;
return other_func(name);
}
- Discovered by constructing an illegal total_size value
- Actually needed a bigger total_size, as it is an inlined routine
- Impacting almost every phone using that brand of SoC when discovered
Fix:
1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
2. Check total_size before calling copy_from_user
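The vulnerable handler shape beside the form with fix step 2 applied, as an added example that is not MediaTek's msdc driver, modelled in user space. struct msdc_ioctl carries only the two fields the slide shows, copy_from_user is a stub that keeps the kernel helper's contract (returns the bytes not copied and never checks the destination size), and the user buffer is constructed.

```c
/* Added example, not the msdc driver's code; struct and buffer are constructed. */
#include <stddef.h>
#include <string.h>

#define EFAULT 14
#define EINVAL 22

struct msdc_ioctl {
    const void *buffer;        /* user pointer to the partition name */
    unsigned int total_size;   /* user-supplied length: the bug's input */
};

/* Stub with copy_from_user's contract: the real helper validates only that
 * the source is user memory; the destination size is the caller's problem. */
static unsigned long copy_from_user(void *dst, const void *src, unsigned long n)
{
    if (src == NULL) return n; /* models a fault on a bad user pointer */
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable shape: total_size flows into the copy length unchecked. The
 * frame modelled here puts a canary right after name[25]; the copy is
 * clamped to the frame only so the model itself stays in bounds. Returns 1
 * when the copy ran past name[], 0 otherwise, -EFAULT on a bad pointer. */
int vuln_erase_partition_clobbers(const struct msdc_ioctl *ctl)
{
    struct { unsigned char name[25]; unsigned char canary[7]; } f;
    unsigned long n = ctl->total_size;
    size_t i;
    memset(&f, 0, sizeof f);
    memset(f.canary, 0xAA, sizeof f.canary);
    if (n > sizeof f) n = sizeof f;
    if (copy_from_user(&f, ctl->buffer, n)) return -EFAULT;
    for (i = 0; i < sizeof f.canary; i++)
        if (f.canary[i] != 0xAA) return 1;
    return 0;
}

/* Fixed shape: bound total_size against the stack buffer before the copy.
 * Reserving a NUL terminator is this example's addition so the name is a
 * valid C string downstream. On success the validated name is returned in
 * name_out (the driver would hand it to the erase routine instead). */
int erase_partition_checked(const struct msdc_ioctl *ctl, char *name_out, size_t out_sz)
{
    unsigned char name[25];
    if (ctl->total_size == 0 || ctl->total_size > sizeof name - 1)
        return -EINVAL;
    if (copy_from_user(name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    name[ctl->total_size] = '\0';
    if (out_sz == 0 || strlen((const char *)name) >= out_sz)
        return -EINVAL;
    strcpy(name_out, (const char *)name);
    return 0;
}

/* Constructed "user" buffer: a short name followed by zero padding so the
 * overlong copy in the vulnerable model has bytes to read. */
static const unsigned char sample_user_buf[64] = "boot";
```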
Secure Android with Dragon Wings
• 1. Android Kernel Source
• http://www.cyanogenmod.org/
• 2. Kernel Source Preprocessing
• http://llvm.linuxfoundation.org/
• 3. Apply Clang-Analyzer to Kernel Source
• http://clang-analyzer.llvm.org/
• 4. Review the Clang-Analyzer Report
Clang-Analyzer Internals - Overview
Source Code -> AST -> CallGraph && CFG -> Exploded Graph
Clang-Analyzer Internals - A Node
ProgramPoint
• Execution Location
• Pre-statement
• Post-statement
• Entering a call
• …
• Stack Frame
ProgramState
• Environment
• Expr -> Values
• Store
• Memory Location -> Values
• GenericDataMap
• Constraints on symbolic values
Android Kernel Source Preprocessing
• Android ARM Toolchain
• -target arm-none-linux-gnueabi -gcc-toolchain
• Clang compatibility processing
• BUILD_BUG_ON
• sbcccs in __range_ok()
• Checker compatibility processing
• copy_from_user / copy_to_user etc.
• remove the “inline” keyword
• Kernel Source Building/Pruning
• only care about 3rd party drivers
• make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
• Actually there is still a lot that can be done...
Clang-Analyzer - AST Checker
• 1. FuncInfo->isStr(“remap_pfn_range”) ?
• 2. TheCall->getNumArgs() == 5 ?
• 3. arg3->isEvaluatable() ?
• 4. foreach variable in arg3:
• visit the ASTBody to decide whether it is constrained.
• 5. Are all the variables in arg3 not constrained ?
• 6. report the potential bug.
Clang-Analyzer - Path-Sensitive Checker
(figures: Sample 1, Sample 2)
Clang-Analyzer - Path-Sensitive Checker
• Checker Events
• checkPreCall / checkPostCall
• checkLocation
• checkBind
• …
• Checker States
• REGISTER_MAP_WITH_PROGRAMSTATE(ExampleDataType, SymbolRef, int)
• int currentValue = state->get<ExampleDataType>(Sym);
• ProgramStateRef newState = state->set<ExampleDataType>(Sym, newValue);
Building a Checker in 24 Hours: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf
Clang-Analyzer Report - A Real Case
Suggestions
• SoC vendors
• Establish security response team
• Build in-house vulnerability research capabilities
• Acknowledge security researchers
• Qualcomm security team is great
• Phone manufacturers / ROM makers
• Keep tracking latest security advisories from SoC vendor
• Audit custom code, involve 3rd party when needed
• Hot patching?
• Contact us
• Twitter: @K33nteam
• Email: hr@keencloudtech.com
Thank you
• And we are HIRING!
• Vulnerability & exploitation
• Kernel, app, etc
• Location
• Shanghai (HQ)
• Beijing (Subsidiary)

Contenu connexe

Tendances

Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Anne Nicolas
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Advanced Linux Game Programming
Advanced Linux Game ProgrammingAdvanced Linux Game Programming
Advanced Linux Game ProgrammingLeszek Godlewski
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Testing CAN network with help of CANToolz
Testing CAN network with help of CANToolzTesting CAN network with help of CANToolz
Testing CAN network with help of CANToolzAlexey Sintsov
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜Retrieva inc.
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugsDmitry Vyukov
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 

Tendances (20)

Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu Introduction
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniques
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
Advanced Linux Game Programming
Advanced Linux Game ProgrammingAdvanced Linux Game Programming
Advanced Linux Game Programming
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Testing CAN network with help of CANToolz
Testing CAN network with help of CANToolzTesting CAN network with help of CANToolz
Testing CAN network with help of CANToolz
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
Gamedev-grade debugging
Gamedev-grade debuggingGamedev-grade debugging
Gamedev-grade debugging
 
Ganeti - build your own cloud
Ganeti - build your own cloudGaneti - build your own cloud
Ganeti - build your own cloud
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 

En vedette

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesJérôme KUNEGIS
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteJeremy Haung
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipsweetchip
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 

En vedette (7)

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary Properties
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchip
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Android security
Android securityAndroid security
Android security
 
Android Security
Android SecurityAndroid Security
Android Security
 

Similaire à Digging for Android Kernel Bugs

GCC Summit 2010
GCC Summit 2010GCC Summit 2010
GCC Summit 2010regehr
 
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideBKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideLinaro
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoValeriia Maliarenko
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceESUG
 
Tips for better CI on Android
Tips for better CI on AndroidTips for better CI on Android
Tips for better CI on AndroidTomoaki Imai
 
不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)Douglas Chen
 
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.UA Mobile
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdfMaxDmitriev
 
LCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLinaro
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Yulia Tsisyk
 
0xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp020xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp02chon2010
 
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesPragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesMarina Kolpakova
 
Mesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим ШовкоплясMesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим ШовкоплясSigma Software
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the CloudJim Driscoll
 
Share the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development BoardShare the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development BoardJian-Hong Pan
 

Similaire à Digging for Android Kernel Bugs (20)

GCC Summit 2010
GCC Summit 2010GCC Summit 2010
GCC Summit 2010
 
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideBKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain
 
Mesa and Its Debugging
Mesa and Its DebuggingMesa and Its Debugging
Mesa and Its Debugging
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey Kovalenko
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performance
 
Tips for better CI on Android
Tips for better CI on AndroidTips for better CI on Android
Tips for better CI on Android
 
不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)
 
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdf
 
LCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC session
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
 
0xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp020xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp02
 
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesPragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
 
Mesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим ШовкоплясMesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим Шовкопляс
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boards
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
 
Share the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development BoardShare the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development Board
 

Dernier

Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 

Dernier (20)

Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 

Digging for Android Kernel Bugs


13. Case Study – audio drv mmap overflow

seg000:C059ACE4 vul_mmap
seg000:C059ACE4
seg000:C059ACE4 var_14 = -0x14
seg000:C059ACE4
seg000:C059ACE4 MOV R12, SP
seg000:C059ACE8 STMFD SP!, {R11,R12,LR,PC}
seg000:C059ACEC SUB R11, R12, #4
seg000:C059ACF0 SUB SP, SP, #8
seg000:C059ACF4 LDR R2, =(dword_C0048C38 - 0xC059AD0C)
seg000:C059ACF8 MOV R3, R1
seg000:C059ACFC LDR R12, =(unk_C0047244 - 0xC059AD14)
seg000:C059AD00 MOV R0, R1
seg000:C059AD04 LDR R2, [PC,R2] ; dword_C0048C38
seg000:C059AD08 LDR R1, [R1,#4] <== start
seg000:C059AD0C LDR R12, [PC,R12] ; unk_C0047244
seg000:C059AD10 LDR R3, [R3,#8] <== end
seg000:C059AD14 LDR R2, [R2]
seg000:C059AD18 LDR R12, [R12]
seg000:C059AD1C RSB R3, R1, R3
seg000:C059AD20 MOV R2, R2,LSR#12
seg000:C059AD24 ORR R12, R12, #0x300
seg000:C059AD28 STR R12, [SP,#0x14+var_14]
seg000:C059AD2C BL remap_pfn_range

int remap_pfn_range(
    struct vm_area_struct *vma,
    unsigned long virt_addr,
    unsigned long pfn,
    unsigned long size,
    pgprot_t prot
);

• pfn: constant, located before kernel code
• size: overflow, covering code and data

Fix:
1. Restrict ACL on devfs node (666 -> 600)
2. Add boundary check
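
The boundary check the slide lists as fix #2, written out as an added example (not the driver's or the speakers' code). It compiles outside the kernel with stand-ins for the vm_area_struct fields the handler reads: struct fake_vma, struct dev_region and both function names are assumptions. It shows the unchecked computation from vul_mmap beside a checked one, including the two places where the arithmetic can wrap on a 32-bit kernel.

```c
#include <stdio.h>
#include <errno.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Stand-in for the vm_area_struct fields an mmap handler uses (assumption). */
struct fake_vma {
    unsigned long vm_start;   /* user VA where the mapping begins */
    unsigned long vm_end;     /* user VA where it ends (exclusive) */
    unsigned long vm_pgoff;   /* mmap() offset, in pages */
};

/* The device buffer the driver is allowed to expose (constructed values). */
struct dev_region {
    unsigned long phys_base;  /* page-aligned physical address of the buffer */
    unsigned long size;       /* its size in bytes, a multiple of PAGE_SIZE */
};

/* Mirrors vul_mmap: pfn is a fixed constant, size is vm_end - vm_start
 * straight from the caller, and nothing is compared against the buffer. */
static int unchecked_mmap_pfn(const struct dev_region *dev,
                              const struct fake_vma *vma,
                              unsigned long *pfn, unsigned long *size)
{
    *pfn = dev->phys_base >> PAGE_SHIFT;
    *size = vma->vm_end - vma->vm_start;
    return 0;
}

/* Fix #2 from the slide: refuse any request that does not lie inside the
 * device buffer, using arithmetic that cannot wrap. */
static int checked_mmap_pfn(const struct dev_region *dev,
                            const struct fake_vma *vma,
                            unsigned long *pfn, unsigned long *size)
{
    unsigned long len, off;

    if (vma->vm_end <= vma->vm_start)
        return -EINVAL;
    len = vma->vm_end - vma->vm_start;

    /* Compare the page offset before shifting it: a huge vm_pgoff would
     * otherwise wrap to a small byte offset on a 32-bit kernel. */
    if (vma->vm_pgoff > (dev->size >> PAGE_SHIFT))
        return -EINVAL;
    off = vma->vm_pgoff << PAGE_SHIFT;

    /* Both terms are now <= dev->size, so the "off + len <= size" test is
     * done as a subtraction that cannot overflow. */
    if (len > dev->size || off > dev->size - len)
        return -EINVAL;

    *pfn = (dev->phys_base + off) >> PAGE_SHIFT;
    *size = len;
    return 0;
}

int main(void)
{
    struct dev_region dev = { 0x10000000UL, 4 * PAGE_SIZE };      /* constructed 16 KiB buffer */
    struct fake_vma in_bounds = { 0x40000000UL, 0x40002000UL, 1 };
    struct fake_vma oversized = { 0x40000000UL, 0x40100000UL, 0 }; /* 1 MiB: far past the buffer */
    unsigned long pfn = 0, size = 0;
    int rc;

    rc = checked_mmap_pfn(&dev, &in_bounds, &pfn, &size);
    printf("in-bounds : rc=%d pfn=0x%lx size=0x%lx\n", rc, pfn, size);
    rc = checked_mmap_pfn(&dev, &oversized, &pfn, &size);
    printf("oversized : checked rc=%d\n", rc);
    rc = unchecked_mmap_pfn(&dev, &oversized, &pfn, &size);
    printf("oversized : unchecked rc=%d, would map 0x%lx bytes from pfn 0x%lx\n", rc, size, pfn);
    return 0;
}
```

The order of the checks matters: the page-offset comparison happens before the shift, and the length comparison happens before the subtraction, so neither `vm_pgoff << PAGE_SHIFT` nor `off + len` is ever computed on values that could wrap.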

14. Fuzzing Targets (2) - ioctl
• Manipulate underlying device params.
• ioctl(fd, cmd, args)
  • File descriptor
  • Command
  • Arguments
• Problem: missing spec document

15. Fuzzing Targets (2) - ioctl
• Command code
  • Specify request type
  • Differs from device to device
  • Coverage!!!
• Argument
  • Structure pointer
  • Length, type, etc…
  • Digging from binary

16. Hex-Rays Decompiler
• Assembly => Pseudo C
• API interface:
  • AST: ctree
  • Nodes: citem_t
  • 80+ types of node
  • 9 types commonly used

enum ctype_t {
  cot_asg    = 2,  ///< x = y
  cot_add    = 35, ///< x + y
  cot_sub    = 36, ///< x - y
  cot_cast   = 48, ///< (type)x
  cot_ptr    = 51, ///< *x, access size in 'ptrsize'
  cot_call   = 57, ///< x(...)
  cot_idx    = 58, ///< x[y]
  cot_memref = 59, ///< x.m
  cot_memptr = 60, ///< x->m, access size in 'ptrsize'
};

17. Variable Propagation
• Lack of optimization
• Semi-SSA pseudo code
• int xxx_ioctl(a1, a2, a3)
  • a1: fd
  • a2: ioctl command
  • a3: arg
• We need to track both a2 and a3

18. Variable Propagation
• Propagation rules
  • cot_asg nodes
    • Straightforward
    • Affecting both cmd and arg
  • cot_call nodes
    • Kernel specific
    • copy_from/to_user
    • memcpy
    • Affecting arg only

19. Variable Propagation
• Inter-procedure propagation
  • copy_from/to_user is a special case
  • memcpy
  • For non-special case propagation, decompile the sub-routine recursively to proceed
https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c

20. Type Re-construction
• cot_add & cot_sub
  • Result of var propagation leads to a3
  • Offset can be calculated
  • Length can be assumed (accurately)
• Handling inter-procedure scenarios
  • Just like variable propagation
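
A scaled-down model of the propagation and offset-recovery rules from slides 17-20, added here as an illustration and not the speakers' tool. Instead of a real Hex-Rays ctree it walks a hand-built tree whose node kinds mirror the ctype_t entries on slide 16 (OP_ASG, OP_ADD, OP_SUB, OP_CALL); the decompiled body, the variable numbers and the recovered fields are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Node kinds, modelled on the ctype_t values listed on slide 16. */
enum op { OP_VAR, OP_NUM, OP_ASG, OP_ADD, OP_SUB, OP_CALL };

struct node {
    enum op op;
    int var;                 /* OP_VAR: variable index; 3 is a3, the ioctl arg */
    long num;                /* OP_NUM: constant */
    const char *callee;      /* OP_CALL: function name */
    struct node *x, *y;      /* OP_ASG lhs/rhs, OP_ADD/OP_SUB operands */
    struct node *args[4];    /* OP_CALL arguments */
    int nargs;
};

#define NVARS   16
#define ARG_VAR 3            /* a3 in int xxx_ioctl(a1, a2, a3) */

/* Propagation state: which variables alias a3, and at what byte offset. */
static bool tainted[NVARS];
static long var_off[NVARS];

/* Recovered layout: every user-memory access yields an (offset, length) field. */
struct field { long off; long len; const char *via; };
static struct field fields[16];
static int nfields;

/* Does expr reduce to "a3 + constant"? If so, return that constant. */
static bool arg_offset(const struct node *e, long *off)
{
    long o;
    switch (e->op) {
    case OP_VAR:
        if (!tainted[e->var])
            return false;
        *off = var_off[e->var];
        return true;
    case OP_ADD:
    case OP_SUB:
        /* cot_add / cot_sub: one side derived from a3, the other a constant */
        if (e->y->op == OP_NUM && arg_offset(e->x, &o)) {
            *off = (e->op == OP_ADD) ? o + e->y->num : o - e->y->num;
            return true;
        }
        if (e->op == OP_ADD && e->x->op == OP_NUM && arg_offset(e->y, &o)) {
            *off = o + e->x->num;
            return true;
        }
        return false;
    default:
        return false;
    }
}

/* Apply the slide's rules to one statement of the decompiled body. */
static void visit_stmt(const struct node *s)
{
    long off;

    if (s->op == OP_ASG && s->x->op == OP_VAR) {
        /* cot_asg: taint and offset flow rhs -> lhs; an unrelated rhs kills
         * the taint because the variable has been overwritten */
        tainted[s->x->var] = arg_offset(s->y, &off);
        if (tainted[s->x->var])
            var_off[s->x->var] = off;
    } else if (s->op == OP_CALL) {
        /* cot_call: the user pointer is arg 1 of copy_from_user(to, from, n)
         * and arg 0 of copy_to_user(to, from, n); the length is arg 2 */
        int uarg = -1;
        if (strcmp(s->callee, "copy_from_user") == 0) uarg = 1;
        else if (strcmp(s->callee, "copy_to_user") == 0) uarg = 0;
        if (uarg < 0 || s->nargs != 3 || s->args[2]->op != OP_NUM)
            return;
        if (arg_offset(s->args[uarg], &off) && nfields < 16) {
            fields[nfields].off = off;
            fields[nfields].len = s->args[2]->num;
            fields[nfields].via = s->callee;
            nfields++;
        }
    }
}

/* Constructed pseudo-C body, the shape a decompiled ioctl handler takes:
 *   v5 = a3;  v6 = v5 + 8;
 *   copy_from_user(&cmd, a3, 4);  copy_from_user(buf, v6 + 4, 25);
 *   v7 = a2;                         (command code, not the arg)
 *   copy_to_user(v5 + 32, &out, 8);                                  */
static struct node a2 = { .op = OP_VAR, .var = 2 }, a3 = { .op = OP_VAR, .var = 3 };
static struct node v5 = { .op = OP_VAR, .var = 5 }, v6 = { .op = OP_VAR, .var = 6 };
static struct node v7 = { .op = OP_VAR, .var = 7 }, cmd = { .op = OP_VAR, .var = 8 };
static struct node buf = { .op = OP_VAR, .var = 9 }, out = { .op = OP_VAR, .var = 10 };
static struct node n4 = { .op = OP_NUM, .num = 4 }, n8 = { .op = OP_NUM, .num = 8 };
static struct node n25 = { .op = OP_NUM, .num = 25 }, n32 = { .op = OP_NUM, .num = 32 };
static struct node v5p8 = { .op = OP_ADD, .x = &v5, .y = &n8 };
static struct node v6p4 = { .op = OP_ADD, .x = &v6, .y = &n4 };
static struct node v5p32 = { .op = OP_ADD, .x = &v5, .y = &n32 };
static struct node body[] = {
    { .op = OP_ASG, .x = &v5, .y = &a3 },
    { .op = OP_ASG, .x = &v6, .y = &v5p8 },
    { .op = OP_CALL, .callee = "copy_from_user", .args = { &cmd, &a3, &n4 }, .nargs = 3 },
    { .op = OP_CALL, .callee = "copy_from_user", .args = { &buf, &v6p4, &n25 }, .nargs = 3 },
    { .op = OP_ASG, .x = &v7, .y = &a2 },
    { .op = OP_CALL, .callee = "copy_to_user", .args = { &v5p32, &out, &n8 }, .nargs = 3 },
};

/* Run the propagation over the body; returns the number of fields found. */
static int analyze(void)
{
    memset(tainted, 0, sizeof tainted);
    memset(var_off, 0, sizeof var_off);
    nfields = 0;
    tainted[ARG_VAR] = true;
    for (size_t i = 0; i < sizeof body / sizeof body[0]; i++)
        visit_stmt(&body[i]);
    return nfields;
}

int main(void)
{
    int n = analyze();
    for (int i = 0; i < n; i++)
        printf("arg+%-3ld %2ld bytes  (%s)\n", fields[i].off, fields[i].len, fields[i].via);
    return 0;
}
```

The three recovered fields (offset 0 of 4 bytes, offset 12 of 25 bytes, offset 32 of 8 bytes) are exactly the structure layout a fuzzer needs to build a meaningful `args` pointer for this handler, which is the point of slide 20; a real implementation would follow `cot_memptr` and recurse into callees as slide 19 describes.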

21. Case Study – sdcard driver

static int simple_mmc_erase_partition_wrap(struct msdc_ioctl *msdc_ctl)
{
    unsigned char name[25];

    if (copy_from_user(name, (unsigned char *)msdc_ctl->buffer,
                       msdc_ctl->total_size))
        return -EFAULT;
    return simple_mmc_erase_partition(name);
}

static int vulnerable_func(struct vul_ioctl *vul_ctl)
{
    unsigned char name[25];

    if (copy_from_user(name, (unsigned char *)vul_ctl->buffer,
                       vul_ctl->total_size))   /* <== overflows the name[] array */
        return -EFAULT;
    return other_func(name);
}

• Discovered by constructing an illegal total_size value
• Actually needed a bigger total_size, as it is an inlined routine
• Impacting almost every phone using that brand of SoC when discovered

Fix:
1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
2. Check total_size before calling copy_from_user
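
The checked form of the wrapper above, added here as an example rather than the vendor's actual fix; struct msdc_ioctl_like, copy_from_user_sim and the user buffer are stand-ins so it runs in user space. It also contrasts the strict length check with a tempting "size + 1 <= limit" form that wraps for a 32-bit total_size, and feeds the boundary values a fuzzer would try.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>

#define NAME_LEN 25          /* size of the name[] buffer on the slide */

/* Stand-in for the struct msdc_ioctl fields the wrapper uses (assumption). */
struct msdc_ioctl_like {
    const void *buffer;      /* user-space pointer */
    uint32_t    total_size;  /* user-controlled byte count */
};

/* Simulated copy_from_user so the example runs outside the kernel: both
 * sides are ordinary memory here; the real one also validates the range. */
static unsigned long copy_from_user_sim(void *to, const void *from, unsigned long n)
{
    if (from == NULL)
        return n;            /* models a faulting user address: nothing copied */
    memcpy(to, from, n);
    return 0;
}

/* A tempting but wrong check: "size + 1 <= NAME_LEN" wraps at 0xFFFFFFFF. */
static bool naive_fits(uint32_t total_size)
{
    uint32_t needed = total_size + 1;    /* room for a terminating NUL */
    return needed <= NAME_LEN;
}

/* The check fix #2 calls for, written without any addition that could wrap. */
static bool strict_fits(uint32_t total_size)
{
    return total_size > 0 && total_size < NAME_LEN;
}

/* Hardened simple_mmc_erase_partition_wrap: validate total_size before the
 * copy; the zero-initialised buffer stays NUL-terminated because
 * total_size < NAME_LEN, which matters since name is used as a C string. */
static int erase_partition_wrap_checked(const struct msdc_ioctl_like *ctl,
                                        char *name_out /* NAME_LEN bytes */)
{
    unsigned char name[NAME_LEN] = { 0 };

    if (!strict_fits(ctl->total_size))
        return -EINVAL;
    if (copy_from_user_sim(name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    memcpy(name_out, name, NAME_LEN);
    return 0;
}

/* Constructed user buffer (32 bytes, so in-range copies never over-read it). */
static const char user_buf[32] = "system";

/* Feed the boundary values a fuzzer would try and count the rejections. */
static int count_rejected(void)
{
    static const uint32_t sizes[] = { 0, 1, 6, NAME_LEN - 1, NAME_LEN, NAME_LEN + 1, 0xFFFFFFFFu };
    char out[NAME_LEN];
    int rejected = 0;

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct msdc_ioctl_like ctl = { user_buf, sizes[i] };
        if (erase_partition_wrap_checked(&ctl, out) == -EINVAL)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("naive check accepts 0xFFFFFFFF : %s\n", naive_fits(0xFFFFFFFFu) ? "yes" : "no");
    printf("strict check accepts 0xFFFFFFFF: %s\n", strict_fits(0xFFFFFFFFu) ? "yes" : "no");
    printf("boundary cases rejected: %d of 7\n", count_rejected());
    return 0;
}
```

Of the seven constructed sizes, 0, 25, 26 and 0xFFFFFFFF are rejected and 1, 6 and 24 are accepted; the naive form would have let 0xFFFFFFFF through and the copy would then run far past the 25-byte buffer, which is the overflow the slide describes.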

23. Secure Android with Dragon Wings
1. Android Kernel Source
   • http://www.cyanogenmod.org/
2. Kernel Source Preprocessing
   • http://llvm.linuxfoundation.org/
3. Apply Clang-Analyzer to Kernel Source
   • http://clang-analyzer.llvm.org/
4. Review the Clang-Analyzer Report

24. Clang-Analyzer Internals - Overview
Source Code => AST => CallGraph && CFG => Exploded Graph

25. Clang-Analyzer Internals - A Node
• ProgramPoint
  • Execution Location
    • Pre-statement
    • Post-statement
    • Entering a call
    • …
  • Stack Frame
• ProgramState
  • Environment
    • Expr -> Values
  • Store
    • Memory Location -> Values
  • GenericDataMap
    • Constraints on symbolic values

26. Android Kernel Source Preprocessing
• Android ARM Toolchain
  • -target arm-none-linux-gnueabi -gcc-toolchain
• Clang compatibility processing
  • BUILD_BUG_ON
  • sbcccs in __range_ok()
• Checker compatibility processing
  • copy_from_user / copy_to_user etc.
  • remove the "inline" keyword
• Kernel Source Building/Pruning
  • only care about 3rd party drivers
  • make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
• Actually there is still a lot that can be done...

27. Clang-Analyzer - AST Checker
1. FuncInfo->isStr("remap_pfn_range") ?
2. TheCall->getNumArgs() == 5 ?
3. arg3->isEvaluatable() ?
4. foreach variable in arg3:
   • visit the AST body to decide whether it is constrained.
5. Are all the variables in arg3 not constrained ?
6. Report the potential bug.

28. Clang-Analyzer - Path-Sensitive Checker
Sample 1, Sample 2 (figures)

29. Clang-Analyzer - Path-Sensitive Checker
• Checker Events
  • checkPreCall / checkPostCall
  • checkLocation
  • checkBind
  • …
• Checker States
  • REGISTER_MAP_WITH_PROGRAMSTATE(ExampleDataType, SymbolRef, int)
  • int currentValue = state->get<ExampleDataType>(Sym);
  • ProgramStateRef newState = state->set<ExampleDataType>(Sym, newValue);
Building a Checker in 24 Hours: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf

30. Clang-Analyzer Report - A Real Case

32. Suggestions
• SoC vendors
  • Establish security response team
  • Build in-house vulnerability research capabilities
  • Acknowledge security researchers
  • Qualcomm security team is great 
• Phone manufacturers / ROM makers
  • Keep tracking latest security advisories from SoC vendor
  • Audit custom code, involve 3rd party when needed
  • Hot patching?

33. Thank you
• Contact us
  • Twitter: @K33nteam
  • Email: hr@keencloudtech.com
• And we are HIRING!
  • Vulnerability & exploitation
  • Kernel, app, etc
  • Location
    • Shanghai (HQ)
    • Beijing (Subsidiary)