1. MAN IN THE BINDER: MONSTERS UNDER THE HOOD
   Michael Shalyt, Malware Research Team Leader @ Check Point
   Idan Revivo, Mobile Malware Researcher @ Check Point

2. A Hack in Three Acts
   Act I – Know Your Droid
   Act II – Attack Your Droid
   Act III – Prepare Your Droid

3. (no text on slide)

4. Nitay Artenstein, Idan Revivo, Michael Shalyt

5. Name: Kitty Bank
   Occupation: Bank Application
   “U want KitCoins – we haz it”

6. Name: Kitty-ninja
   Occupation: Script kiddy
   “Mommy, can I rob this bank?”

7. Name: Paw of Death
   Occupation: Black belt ninja hacker
   “To rob a bank, you must first become the bank”

8. Name: System Service
   Occupation: Sitting and waiting to serve your needs
   These things run Android!

9. Name: $ echo `uname -r`
   Occupation: Holding the world on its shoulders since 1.1.1970
   Feeling neglected now that system services get all the attention on Android

10. Name: The Binder
    Occupation: All Powerful Mystery Character
    ?

11. (no text on slide)

12. An Application’s Life On Windows
    [diagram; label: Syscalls]

13. An Application’s Life On Android
    [diagram; labels: Syscalls, Syscalls, Syscalls]

14. Android – The Real Picture
    [diagram; labels: Syscalls, Syscalls]

15. [Diagram labels: Bank Application Process: application, proxy, DalvikVM, libandroid_runtime.so, /system/libbinder.so, /system/lib*.so; parcel, syscall; kernel: /dev/binder, /dev/tty0; parcel; System Service Process: System services, DalvikVM, libandroid_runtime.so, libbinder.so, System Service]
    • Binder has a userland component and a kernel one
    • The driver receives the Parcel via an ioctl syscall and sends it to the target processes

16. What’s a Parcel?

17. Playing MP3

18. A short recap
    [Diagram labels: Kitty Player App, DalvikVM, libbinder.so; Parcels, Syscalls; kernel: /dev/binder; Parcels; Audio Manager, /system/libbinder.so]

19. (no text on slide)

20. (no text on slide)

21. Round I
    Key Logging

22. A n00b Attacker’s View of The System

23. What Would The n00b Attacker Do?

24. What Would The n00b Attacker Do?

25. What Would The n00b Attacker Do?

26. A Ninja Attacker’s View of The System

27. What Would The Ninja Attacker Do?

28. Key Logger Demo

29. What Would The Ninja Attacker Do?

30. Round II
    Data Manipulation

31. A n00b Attacker’s View of The System
    [diagram; labels: Activity, Activity, Activity]

32. In-app Activity Initialization

33. What Would The n00b Attacker Do?
    Bye Kitty Bank, Hello Shi**y Bank

34. What Would The n00b Attacker Do?
    Bye Kitty Bank, Hello Shi**y Bank

35. A Ninja Attacker’s View of The System
    [diagram; label: Activity Manager]

36. In-app data goes through Binder???

37. A Ninja Attacker’s View of The System
    [diagram; label: Activity Manager]

38. What Would The Ninja Attacker Do?
    [diagram; label: Activity Manager]

39. A trillion dollars, anyone?

40. Data Manipulation Demo

41. What Would The Ninja Attacker Do?

42. Round III
    Intercepting SMS

43. A n00b Attacker’s View of The System
    [diagram; label: Telephony Manager]

44. What Would The n00b Attacker Do?

45. What Would The n00b Attacker Do?

46. A Ninja Attacker’s View of The System

47. What Would The Ninja Attacker Do?

48. SMS internals
    • The Telephony Manager notifies the SMS app whenever an SMS is received.
    • The app queries the TM’s database.
    • Under the hood, the response is just a Unix fd.

49. SMS internals
    • The Telephony Manager notifies the SMS app whenever an SMS is received
    • The app queries the TM’s database via Binder:

50. SMS internals
    • But what’s a Cursor object?
    • It’s a messy abstraction of a response to a query

51. SMS internals
    • Surprise: Under the hood, it’s just a Unix fd
    • Now we’re in business!

52. What Would The Ninja Attacker Do?

53. Summary
    What Just Happened?

54. Attacking The Binder
    • Hook libbinder.so at the point where it sends an ioctl to the kernel
    • Stealth: dozens of places to hook
    • But don’t you need root?

55. Attacking The Binder
    [chart; label: Vulnerable to known rooting exploits]

56. Consider The Possibilities

57. Summary
    Features:
    • Versatility: one hook – multiple functionalities.
    • App agnostic: no need to RE apps.
    • Stealth: the Android security model limits 3rd party security apps just like any other app.

58. Summary
    • This is NOT a vulnerability. It’s like man-in-the-browser, but for literally everything on Android.
    • Root is assumed. Rooting won’t go away any time soon.

59. Rumors
    (You didn’t hear it from me…)

60. (no text on slide)

61. Solutions – for developers
    • Take control of your own process memory space.
    • Minimize the amount of data going to IPC, and encrypt what has to go.

62. Solutions – for security industry
    • Scan files like it’s the 90’s.
    • Be brave – get root yourself:
      • Runtime process scanning and monitoring.
      • Software firewall (like Avast).
      • Binder firewall/anomaly detection.
      • Etc.
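Slide 62 lists runtime process scanning as one answer to the libbinder.so hook described on slide 54. The block below is an added example, not code from the talk or its authors: it parses /proc/<pid>/maps, compares the executable pages of libbinder.so with the on-disk file to find an inline patch at the ioctl call site, and checks whether a GOT slot still resolves into libc. The maps lines, byte images, addresses and fake_read_mem are constructed stand-ins for a device's /proc/<pid>/maps and /proc/<pid>/mem.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    offset: int  # file offset backing the start of the mapping
    path: str


# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records; unparseable lines are skipped."""
    maps = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3],
                                int(m[4], 16), m[5].strip()))
    return maps


def exec_mappings(maps: List[Mapping], lib: str) -> List[Mapping]:
    """Executable (r-x) mappings backed by the library file named `lib`."""
    return [m for m in maps
            if m.perms.startswith("r-x") and m.path.endswith("/" + lib)]


def diff_ranges(disk: bytes, mem: bytes, base: int) -> List[Tuple[int, int]]:
    """[start, end) addresses where the in-memory bytes differ from the on-disk bytes."""
    ranges, n, i = [], min(len(disk), len(mem)), 0
    while i < n:
        if disk[i] == mem[i]:
            i += 1
            continue
        j = i
        while j < n and disk[j] != mem[j]:
            j += 1
        ranges.append((base + i, base + j))
        i = j
    return ranges


def scan_text_pages(maps_text: str, lib: str, disk_image: bytes,
                    read_mem: Callable[[int, int], bytes]) -> List[Tuple[int, int]]:
    """Compare every r-x mapping of `lib` with the file bytes at the same offset.
    read_mem(address, length) wraps /proc/<pid>/mem on a device (needs root). Only
    executable pages are compared: writable segments (GOT, .data) are relocated
    at load time and legitimately differ from the file."""
    findings: List[Tuple[int, int]] = []
    for m in exec_mappings(parse_maps(maps_text), lib):
        length = m.end - m.start
        findings += diff_ranges(disk_image[m.offset:m.offset + length],
                                read_mem(m.start, length), m.start)
    return findings


def resolves_into(maps_text: str, target: int, lib: str) -> bool:
    """True if `target` (e.g. the value in libbinder's GOT slot for ioctl) lies in an
    r-x mapping of `lib`; a GOT/PLT hook leaves the text intact but redirects the slot."""
    return any(m.start <= target < m.end
               for m in exec_mappings(parse_maps(maps_text), lib))


# ---- constructed sample data (stand-ins, not a real device dump) ----
SAMPLE_MAPS = """\
b6f00000-b6f01000 r-xp 00000000 b3:19 1234       /system/lib/libbinder.so
b6f01000-b6f02000 r--p 00001000 b3:19 1234       /system/lib/libbinder.so
b6f02000-b6f03000 rw-p 00002000 b3:19 1234       /system/lib/libbinder.so
b6e00000-b6e40000 r-xp 00000000 b3:19 1001       /system/lib/libc.so
b7000000-b7001000 rwxp 00000000 00:00 0
"""
LIBBINDER_BASE = 0xB6F00000
LIBBINDER_ON_DISK = bytes(range(256)) * 16      # pretend first 4 KiB of the file
PATCH_AT = 0x20                                  # pretend this is the ioctl call site
_mem = bytearray(LIBBINDER_ON_DISK)
_mem[PATCH_AT:PATCH_AT + 4] = b"\xde\xad\xbe\xef"  # an inline hook rewrote the instruction
LIBBINDER_IN_MEMORY = bytes(_mem)


def fake_read_mem(addr: int, length: int) -> bytes:
    """Serves the constructed in-memory image in place of /proc/<pid>/mem."""
    off = addr - LIBBINDER_BASE
    return LIBBINDER_IN_MEMORY[off:off + length]


def demo() -> Dict[str, object]:
    """Runs both checks over the constructed process image."""
    return {
        # expected: [(0xB6F00020, 0xB6F00024)], the patched call site
        "patched_ranges": scan_text_pages(SAMPLE_MAPS, "libbinder.so",
                                          LIBBINDER_ON_DISK, fake_read_mem),
        # a slot pointing into libc text is what an unhooked ioctl looks like
        "ioctl_slot_ok": resolves_into(SAMPLE_MAPS, 0xB6E01234, "libc.so"),
        # a slot pointing into an anonymous rwx page is the GOT-hook signature
        "ioctl_slot_hooked": not resolves_into(SAMPLE_MAPS, 0xB7000100, "libc.so"),
    }
```

Comparing against the on-disk library only means something if that file is itself clean, which is what the file-scanning bullet on the same slide covers.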
  
63. Further Reading
    [1] White paper: “Man in the Binder”, Artenstein and Revivo
    [2] “On the Reconstruction of Android Malware Behaviors”, Fattori, Tam et al.
    [3] “Binderwall: Monitoring and Filtering Android Interprocess Communication”, Hausner

64. What are you trying to tell me? That I can get all permissions on a device?
    No.
    I’m trying to tell you that when you’re ready, you won’t have to
