Digging for Android
Kernel Bugs
James Fang, Sen Nie
About us
• Keen Team
• Pwn2Own Mobile 2013
• Pwn2Own 2014, 2015
• 0ops and Blue-Lotus members
• Multiple CVE affecting major SoC solutions
• Also contribute root tools to community for fun
• Huawei Ascend Mate 7
• User-mode exp of giefroot (by zxz0O0)
Agenda
• Binary Analysis
• Benefits
• Disassembling kernel
• Fuzzing
• Case study
• Suggestions
• SoC vendors
• Phone/ROM mgfr
• Source Analysis
• Tools and methods
• Analyzer internals
• Case study
Kernel. Kernel always changes
Benefits of Binary Kernel
• Exact piece of code running on actual devices
• Critical security features
• …with many options
• SEAndroid
• TIMA, etc
• Offset, offset, offset…
• Important for constructing args
• Fuzzing
Preparing Kernel
1. Extract zImage
2. Decompress zImage
3. Flat, plain binary
• Code + Data
• No structure
IDA’s best guess ==>
Preparing Kernel
• Solution: IDA loader
1. Extract address table
• Also determine arch by address length (64 or 32)
2. Extract (compressed) symbol
name table
3. Create symbols
Fuzzing Targets (1) - mmap
• Call mmap on dev fd
• Create VA => PA mapping in user space
• Boundary check?
• remap_pfn_range
• Fixed or variable start
• PA overlapping
• Long lasting…
• Framaroot (2013)
• Mate 7 root (2015)
Case Study – audio drv mmap overflow
seg000:C059ACE4 vul_mmap
seg000:C059ACE4
seg000:C059ACE4 var_14 = -0x14
seg000:C059ACE4
seg000:C059ACE4 MOV R12, SP
seg000:C059ACE8 STMFD SP!, {R11,R12,LR,PC}
seg000:C059ACEC SUB R11, R12, #4
seg000:C059ACF0 SUB SP, SP, #8
seg000:C059ACF4 LDR R2, =(dword_C0048C38 - 0xC059AD0C)
seg000:C059ACF8 MOV R3, R1
seg000:C059ACFC LDR R12, =(unk_C0047244 - 0xC059AD14)
seg000:C059AD00 MOV R0, R1
seg000:C059AD04 LDR R2, [PC,R2] ; dword_C0048C38
seg000:C059AD08 LDR R1, [R1,#4] <== start
seg000:C059AD0C LDR R12, [PC,R12] ; unk_C0047244
seg000:C059AD10 LDR R3, [R3,#8] <== end
seg000:C059AD14 LDR R2, [R2]
seg000:C059AD18 LDR R12, [R12]
seg000:C059AD1C RSB R3, R1, R3
seg000:C059AD20 MOV R2, R2,LSR#12
seg000:C059AD24 ORR R12, R12, #0x300
seg000:C059AD28 STR R12, [SP,#0x14+var_14]
seg000:C059AD2C BL remap_pfn_range
int remap_pfn_range(
struct vm_area_struct *vma,
unsigned long virt_addr,
unsigned long pfn,
unsigned long size,
pgprot_t prot
);
pfn: constant, before kernel code
size: overflow, covers code and data
Fix:
1. Restrict ACL on devfs node (666 -> 600)
2. Add boundary check
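A user-space model of the mmap handler in this case study next to the boundary check the fix adds, written for this page rather than taken from the vendor's driver: vm_area_struct, remap_pfn_range and the 16-page device buffer are stand-ins, and remap_pfn_range here only records what it would have mapped.

```c
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define EINVAL     22

/* Stand-in for struct vm_area_struct: only the two fields the handler reads. */
struct vm_area_struct {
    unsigned long vm_start;      /* user VA where the mapping begins */
    unsigned long vm_end;        /* one past the last mapped byte */
};

/* Constructed device window (assumed values): a 16-page physical buffer. */
static const unsigned long audio_buf_pa   = 0x80000000UL;
static const unsigned long audio_buf_size = 16 * PAGE_SIZE;

/* Records what a real remap_pfn_range() would have mapped. */
static struct { unsigned long pfn_lo, pfn_hi; int called; } last_map;

/* Same parameter list as the kernel API on the slide; pgprot_t is just an
 * unsigned long in this model. */
static int remap_pfn_range(struct vm_area_struct *vma, unsigned long virt,
                           unsigned long pfn, unsigned long size, unsigned long prot)
{
    (void)vma; (void)virt; (void)prot;
    last_map.pfn_lo = pfn;
    last_map.pfn_hi = pfn + (size >> PAGE_SHIFT);   /* exclusive */
    last_map.called = 1;
    return 0;
}

/* Shape recovered from the disassembly: size = vm_end - vm_start is passed
 * straight through, so a caller asking for more than 16 pages gets physical
 * memory beyond the device buffer mapped into its address space. */
int vul_mmap(struct vm_area_struct *vma)
{
    unsigned long size = vma->vm_end - vma->vm_start;
    return remap_pfn_range(vma, vma->vm_start, audio_buf_pa >> PAGE_SHIFT,
                           size, 0x300 /* prot bits ORed in by the listing */);
}

/* Hardened handler: the same call, preceded by the boundary check the fix adds. */
int fixed_mmap(struct vm_area_struct *vma)
{
    unsigned long size;
    if (vma->vm_end <= vma->vm_start)          /* empty or inverted range */
        return -EINVAL;
    size = vma->vm_end - vma->vm_start;
    if (size & (PAGE_SIZE - 1))                /* must be whole pages */
        return -EINVAL;
    if (size > audio_buf_size)                 /* would run past the device buffer */
        return -EINVAL;
    return remap_pfn_range(vma, vma->vm_start, audio_buf_pa >> PAGE_SHIFT, size, 0x300);
}

/* Did the most recent mapping stay inside the device buffer? */
int last_map_in_bounds(void)
{
    unsigned long lo = audio_buf_pa >> PAGE_SHIFT;
    unsigned long hi = lo + (audio_buf_size >> PAGE_SHIFT);
    return last_map.called && last_map.pfn_lo >= lo && last_map.pfn_hi <= hi;
}

int main(void)
{
    struct vm_area_struct small = { 0x10000000UL, 0x10000000UL + 4 * PAGE_SIZE };
    struct vm_area_struct big   = { 0x10000000UL, 0x10000000UL + 64 * PAGE_SIZE };
    int r;
    r = vul_mmap(&big);
    printf("vul_mmap(64 pages)   -> %d, in bounds: %d\n", r, last_map_in_bounds());
    printf("fixed_mmap(64 pages) -> %d\n", fixed_mmap(&big));
    r = fixed_mmap(&small);
    printf("fixed_mmap(4 pages)  -> %d, in bounds: %d\n", r, last_map_in_bounds());
    return 0;
}
```

A real driver would also have to account for vma->vm_pgoff, which this model leaves out.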
Fuzzing Targets (2) - ioctl
• Manipulate underlying device params.
• ioctl(fd, cmd, args)
• File descriptor
• Command
• Arguments
• Problem: missing spec document
Fuzzing Targets (2) - ioctl
• Command code
• Specify request type
• Differs from device to device
• Coverage!!!
• Argument
• Structure pointer
• Length, type, etc…
• Digging from binary
Hex-Rays Decompiler
• Assembly => Pseudo C
• API interface:
• AST: ctree
• Nodes: citem_t
• 80+ types of node
• 9 types commonly used
enum ctype_t
{
cot_asg = 2, ///< x = y
cot_add = 35, ///< x + y
cot_sub = 36, ///< x - y
cot_cast = 48, ///< (type)x
cot_ptr = 51, ///< *x, access size in 'ptrsize'
cot_call = 57, ///< x(...)
cot_idx = 58, ///< x[y]
cot_memref = 59, ///< x.m
cot_memptr = 60, ///< x->m, access size in 'ptrsize'
};
Variable Propagation
• Lack of optimization
• Semi-SSA pseudo code
• int xxx_ioctl(a1, a2, a3)
• a1: fd
• a2: ioctl command
• a3: arg
• We need to track both a2 and a3
Variable Propagation
• Propagation rules
• cot_asg nodes
• Straight forward
• Affecting both cmd and arg
• cot_call nodes
• Kernel specific
• copy_from/to_user
• memcpy
• Affecting arg only
Variable Propagation
• Inter-procedure propagation
• copy_from/to_user is a special case
• memcpy
• For non-special case propagation, decompile the sub-routine recursively to proceed
https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c
Type Re-construction
• cot_add & cot_sub
• Result of var propagation leads to a3
• Offset can be calculated
• Length can be assumed (accurately)
• Handling inter-procedure scenarios
• Just like variable propagation
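An added example, not the authors' IDAPython script: a toy C model of the variable propagation and type reconstruction passes the last three slides describe, run over a constructed ctree shaped like the sdcard ioctl handler. The cot_var/cot_num numbers, the node layout and the field offsets are assumptions for this example.

```c
#include <string.h>
/* ctype_t values quoted on the slide. cot_var and cot_num exist in the real SDK
 * too, but 100 and 101 are stand-in numbers chosen for this example. */
enum ctype_t { cot_asg = 2, cot_add = 35, cot_cast = 48, cot_ptr = 51,
               cot_call = 57, cot_var = 100, cot_num = 101 };

struct citem {                       /* a ctree node, a subset of Hex-Rays citem_t */
    enum ctype_t op;
    int var; long num;               /* cot_var: variable number (a3 is var 3); cot_num: constant */
    int ptrsize;                     /* cot_ptr: access size */
    const char *callee; int nargs;   /* cot_call: callee name and argument count */
    struct citem *x, *y, *args[3];   /* operands / call arguments */
};
#define MAXN 16
struct analysis {
    int tainted[MAXN];               /* variables that alias the ioctl arg a3 */
    long off[MAXN]; int size[MAXN];  /* reconstructed fields of *a3, in discovery order */
    int nfields;
};

static void add_field(struct analysis *a, long off, int size)
{
    for (int i = 0; i < a->nfields; i++) if (a->off[i] == off) return;   /* known */
    if (a->nfields < MAXN) { a->off[a->nfields] = off; a->size[a->nfields++] = size; }
}

static struct citem *skip_cast(struct citem *e)    /* casts carry no data flow */
{ while (e->op == cot_cast) e = e->x; return e; }

/* Returns 1 if expression e reads a variable derived from a3. Dereferencing an
 * alias, or (alias + const), is the type-reconstruction step: a field of *a3. */
static int walk_expr(struct analysis *a, struct citem *e)
{
    e = skip_cast(e);
    switch (e->op) {
    case cot_var: return a->tainted[e->var];
    case cot_add: return walk_expr(a, e->x) | walk_expr(a, e->y);
    case cot_ptr: {
        struct citem *p = skip_cast(e->x), *base = p, *c = NULL;
        if (p->op == cot_add) { base = skip_cast(p->x); c = skip_cast(p->y); }
        if (base->op == cot_var && a->tainted[base->var] && (!c || c->op == cot_num)) {
            add_field(a, c ? c->num : 0, e->ptrsize); return 1;
        }
        return walk_expr(a, p);
    }
    default: return 0;                             /* cot_num and anything else */
    }
}

/* Slide rules: cot_asg moves taint from y to x; copy_from_user/memcpy move it
 * from their source (arg 1) to their destination (arg 0). */
static void walk_stmt(struct analysis *a, struct citem *s)
{
    if (s->op == cot_asg) {
        struct citem *dst = skip_cast(s->x);
        if (walk_expr(a, s->y) && dst->op == cot_var) a->tainted[dst->var] = 1;
    } else if (s->op == cot_call && s->nargs == 3 &&
               (!strcmp(s->callee, "copy_from_user") || !strcmp(s->callee, "memcpy"))) {
        struct citem *dst = skip_cast(s->args[0]);
        int src_tainted = walk_expr(a, s->args[1]);
        walk_expr(a, s->args[2]);                  /* the length may be a field too */
        if (src_tainted && dst->op == cot_var) a->tainted[dst->var] = 1;
    }
}

/* Node pool and constructors so the sample tree can be built inline. */
static struct citem pool[64]; static int npool;
static struct citem *node(enum ctype_t op, struct citem *x, struct citem *y, long n, int sz)
{
    struct citem *c = &pool[npool++];
    memset(c, 0, sizeof *c);
    c->op = op; c->x = x; c->y = y; c->num = n; c->var = (int)n; c->ptrsize = sz;
    return c;
}
#define VAR(v)       node(cot_var, 0, 0, (v), 0)
#define NUM(c)       node(cot_num, 0, 0, (c), 0)
#define ADD(x, y)    node(cot_add, (x), (y), 0, 0)
#define CAST(x)      node(cot_cast, (x), 0, 0, 0)
#define DEREF(x, sz) node(cot_ptr, (x), 0, 0, (sz))
#define ASG(x, y)    node(cot_asg, (x), (y), 0, 0)

/* Constructed pseudo code shaped like the sdcard ioctl (offsets 0 and 4 are
 * assumed for this example, not the real msdc_ioctl layout):
 *   v4 = a3;  v5 = *(int *)(v4 + 4);  copy_from_user(v6, *(char **)v4, v5);
 * Fills *a and returns the number of fields reconstructed on *a3. */
int run_sample(struct analysis *a)
{
    struct citem *call, *body[3];
    npool = 0; memset(a, 0, sizeof *a);
    a->tainted[3] = 1;                             /* a3 is the ioctl arg */
    call = node(cot_call, 0, 0, 0, 0);
    call->callee = "copy_from_user"; call->nargs = 3; body[2] = call;
    call->args[0] = VAR(6); call->args[1] = DEREF(CAST(VAR(4)), 4); call->args[2] = VAR(5);
    body[0] = ASG(VAR(4), VAR(3));
    body[1] = ASG(VAR(5), DEREF(CAST(ADD(VAR(4), NUM(4))), 4));
    for (int i = 0; i < 3; i++) walk_stmt(a, body[i]);
    return a->nfields;
}
```

On the sample, v4, v5 and the copy destination v6 end up aliasing a3, and two fields of *a3 are recovered: a 4-byte field at offset 4 (the length) and a 4-byte field at offset 0 (the user pointer).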
Case Study – sdcard driver
static int simple_mmc_erase_partition_wrap(
struct msdc_ioctl* msdc_ctl
)
{
unsigned char name[25];
if (copy_from_user(
name,
(unsigned char*)msdc_ctl->buffer,
msdc_ctl->total_size
))
return -EFAULT;
return simple_mmc_erase_partition(name);
}
static int vulnerable_func(struct vul_ioctl* vul_ctl)
{
unsigned char name[25];
if (copy_from_user(name,
(unsigned char*)vul_ctl->buffer,
vul_ctl->total_size <== overflow char name[] array
))
return -EFAULT;
return other_func(name);
}
- Discovered by constructing an illegal total_size value
- Actually needed a bigger total_size, since the routine is inlined
- Impacted almost every phone using that brand of SoC when discovered
Fix:
1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
2. Check total_size before calling copy_from_user
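The fixed wrapper together with the two-stage copy an ioctl handler has to do before trusting any field of its argument, written for this page rather than taken from the MediaTek driver: copy_from_user is a user-space stand-in, only the two struct members the case study reads are modelled, and MSDC_ERASE_PARTITION is an assumed command number.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EFAULT 14
#define EINVAL 22
#define ENOTTY 25

/* Only the two members the case study reads; the real struct has more. */
struct msdc_ioctl { void *buffer; unsigned int total_size; };

/* Stand-in for the kernel helper: "user memory" is just memory in this process.
 * Like the real one it returns the number of bytes NOT copied (0 on success). */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
    if (from == NULL) return n;          /* models an unmapped user address */
    memcpy(to, from, n);
    return 0;
}

/* The bug as a predicate, so nothing is overflowed here: with the slide's
 * unchecked call, any total_size above 25 would write past name[25]. */
int request_overflows_name(const struct msdc_ioctl *ctl)
{
    return ctl->total_size > 25;
}

/* Fixed wrapper: bound the user-supplied length by the destination first. The
 * copied name is echoed into out/outlen only so the result can be inspected. */
int erase_partition_wrap_fixed(const struct msdc_ioctl *ctl, char *out, size_t outlen)
{
    unsigned char name[25];
    if (ctl->total_size > sizeof(name))  /* the missing check */
        return -EINVAL;
    if (copy_from_user(name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    if (outlen > 0) {
        size_t n = ctl->total_size < outlen - 1 ? ctl->total_size : outlen - 1;
        memcpy(out, name, n); out[n] = '\0';
    }
    return 0;
}

/* ioctl entry. The arg is a user pointer to struct msdc_ioctl, so the header is
 * copied in before any of its fields is trusted. MSDC_ERASE_PARTITION is an
 * assumed command number, not the driver's real one. */
#define MSDC_ERASE_PARTITION 0x4d05
int msdc_ioctl_fixed(unsigned int cmd, const void *user_arg, char *out, size_t outlen)
{
    struct msdc_ioctl ctl;
    if (cmd != MSDC_ERASE_PARTITION) return -ENOTTY;
    if (copy_from_user(&ctl, user_arg, sizeof ctl)) return -EFAULT;
    return erase_partition_wrap_fixed(&ctl, out, outlen);
}

int main(void)
{
    char payload[] = "boot", out[32] = "";     /* constructed "user" buffer */
    struct msdc_ioctl good = { payload, 4 }, bad = { payload, 4096 };
    int r = msdc_ioctl_fixed(MSDC_ERASE_PARTITION, &good, out, sizeof out);
    printf("total_size=4    -> %d, name=\"%s\"\n", r, out);
    r = msdc_ioctl_fixed(MSDC_ERASE_PARTITION, &bad, out, sizeof out);
    printf("total_size=4096 -> %d, would overflow name[25]: %d\n", r, request_overflows_name(&bad));
    return 0;
}
```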
Secure Android with Dragon Wings
• 1. Android Kernel Source
• http://www.cyanogenmod.org/
• 2. Kernel Source Preprocessing
• http://llvm.linuxfoundation.org/
• 3. Apply Clang-Analyzer to Kernel Source
• http://clang-analyzer.llvm.org/
• 4. Review the Clang-Analyzer Report
Clang-Analyzer Internals - Overview
Source Code -> AST -> CallGraph && CFG -> Exploded Graph
Clang-Analyzer Internals - A Node
ProgramPoint
• Execution Location
• Pre-statement
• Post-statement
• Entering a call
• …
• Stack Frame
ProgramState
• Environment
• Expr -> Values
• Store
• Memory Location -> Values
• GenericDataMap
• Constraints on symbolic values
Android Kernel Source Preprocessing
• Android ARM Toolchain
• -target arm-none-linux-gnueabi -gcc-toolchain
• Clang compatibility processing
• BUILD_BUG_ON
• sbcccs in __range_ok()
• Checker compatibility processing
• copy_from_user / copy_to_user etc.
• remove the “inline” keyword
• Kernel Source Building/Pruning
• only care about 3rd party drivers
• make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
• Actually there is still a lot that can be done...
Clang-Analyzer - AST Checker
• 1. FuncInfo->isStr("remap_pfn_range") ?
• 2. TheCall->getNumArgs() == 5 ?
• 3. arg3->isEvaluatable() ?
• 4. foreach variable in arg3:
• visit the ASTBody to decide whether it is constrained.
• 5. Are all the variables in arg3 not constrained ?
• 6. report the potential bug.
Clang-Analyzer - Path-Sensitive Checker
(Screenshots: Sample 1, Sample 2)
Clang-Analyzer - Path-Sensitive Checker
• Checker Events
• checkPreCall / checkPostCall
• checkLocation
• checkBind
• …
• Checker States
• REGISTER_MAP_WITH_PROGRAMSTATE(ExampleDataType, SymbolRef, int)
• int currentValue = state->get<ExampleDataType>(Sym);
• ProgramStateRef newState = state->set<ExampleDataType>(Sym, newValue);
Building a Checker in 24 Hours: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf
Clang-Analyzer Report - A Real Case
Suggestions
• SoC vendors
• Establish security response team
• Build in-house vulnerability research capabilities
• Acknowledge security researchers
• Qualcomm security team is great 
• Phone manufacturers / ROM makers
• Keep tracking latest security advisories from SoC vendor
• Audit custom code, involve 3rd party when needed
• Hot patching?
• Contact us
• Twitter: @K33nteam
• Email:
hr@keencloudtech.com
Thank you
• And we are HIRING!
• Vulnerability & exploitation
• Kernel, app, etc
• Location
• Shanghai (HQ)
• Beijing (Subsidiary)
Mais conteúdo relacionado

Mais procurados

Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Anne Nicolas
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Advanced Linux Game Programming
Advanced Linux Game ProgrammingAdvanced Linux Game Programming
Advanced Linux Game ProgrammingLeszek Godlewski
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Testing CAN network with help of CANToolz
Testing CAN network with help of CANToolzTesting CAN network with help of CANToolz
Testing CAN network with help of CANToolzAlexey Sintsov
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜Retrieva inc.
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugsDmitry Vyukov
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 

Mais procurados (20)

Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu Introduction
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniques
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
Advanced Linux Game Programming
Advanced Linux Game ProgrammingAdvanced Linux Game Programming
Advanced Linux Game Programming
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Testing CAN network with help of CANToolz
Testing CAN network with help of CANToolzTesting CAN network with help of CANToolz
Testing CAN network with help of CANToolz
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
Gamedev-grade debugging
Gamedev-grade debuggingGamedev-grade debugging
Gamedev-grade debugging
 
Ganeti - build your own cloud
Ganeti - build your own cloudGaneti - build your own cloud
Ganeti - build your own cloud
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 

Destaque

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesJérôme KUNEGIS
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteJeremy Haung
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipsweetchip
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 

Destaque (7)

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary Properties
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Inc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchipInc0gnito fuzzing for_fun_sweetchip
Inc0gnito fuzzing for_fun_sweetchip
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Android security
Android securityAndroid security
Android security
 
Android Security
Android SecurityAndroid Security
Android Security
 

Semelhante a Digging for Android Kernel Bugs

GCC Summit 2010
GCC Summit 2010GCC Summit 2010
GCC Summit 2010regehr
 
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideBKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideLinaro
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoValeriia Maliarenko
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceESUG
 
Tips for better CI on Android
Tips for better CI on AndroidTips for better CI on Android
Tips for better CI on AndroidTomoaki Imai
 
不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)Douglas Chen
 
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.UA Mobile
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdfMaxDmitriev
 
LCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLinaro
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Yulia Tsisyk
 
0xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp020xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp02chon2010
 
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesPragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesMarina Kolpakova
 
Mesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим ШовкоплясMesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим ШовкоплясSigma Software
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the CloudJim Driscoll
 
Share the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development BoardShare the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development BoardJian-Hong Pan
 

Semelhante a Digging for Android Kernel Bugs (20)

GCC Summit 2010
GCC Summit 2010GCC Summit 2010
GCC Summit 2010
 
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation GuideBKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
BKK16-302: Android Optimizing Compiler: New Member Assimilation Guide
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain
 
Mesa and Its Debugging
Mesa and Its DebuggingMesa and Its Debugging
Mesa and Its Debugging
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey Kovalenko
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performance
 
Tips for better CI on Android
Tips for better CI on AndroidTips for better CI on Android
Tips for better CI on Android
 
不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)不深不淺,帶你認識 LLVM (Found LLVM in your life)
不深不淺,帶你認識 LLVM (Found LLVM in your life)
 
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
Критика "библиотечного" подхода в разработке под Android. UA Mobile 2016.
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdf
 
LCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC session
 
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
Рахманов Александр "Что полезного в разборе дампов для .NET-разработчиков?"
 
0xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp020xdroid osdc-2010-100426084937-phpapp02
0xdroid osdc-2010-100426084937-phpapp02
 
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesPragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
 
Mesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим ШовкоплясMesa and Its Debugging, Вадим Шовкопляс
Mesa and Its Debugging, Вадим Шовкопляс
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boards
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
 
Share the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development BoardShare the Experience of Using Embedded Development Board
Share the Experience of Using Embedded Development Board
 

Último

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 

Último (20)

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live

Digging for Android Kernel Bugs

  • 1. Digging for Android Kernel Bugs, by James Fang and Sen Nie
  • 2. About us
    • Keen Team
    • Pwn2Own Mobile 2013
    • Pwn2Own 2014, 2015
    • 0ops and Blue-Lotus members
    • Multiple CVEs affecting major SoC solutions
    • Also contribute root tools to the community for fun
      • Huawei Ascend Mate 7
      • User-mode exploit of giefroot (by zxz0O0)
  • 3. Agenda
    • Binary Analysis: benefits, disassembling the kernel, fuzzing, case study
    • Source Analysis: tools and methods, analyzer internals, case study
    • Suggestions: SoC vendors, phone/ROM manufacturers
  • 4. Agenda (repeated as the divider for the Binary Analysis section)
  • 6. Kernel. Kernel always changes
  • 7. Kernel. Kernel always changes
  • 9. Benefits of Binary Kernel
    • The exact piece of code running on the actual devices
    • Critical security features, with many build options (SEAndroid, TIMA, etc.)
    • Offset, offset, offset: important for constructing args and for fuzzing
  • 10. Preparing Kernel
    1. Extract zImage
    2. Decompress zImage
    3. Flat, plain binary: code + data, no structure
    IDA's best guess ==>
  • 11. Preparing Kernel
    • Solution: IDA loader
    1. Extract the address table (also determine the architecture from the address length: 64 or 32 bit)
    2. Extract the (compressed) symbol name table
    3. Create symbols
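As an added example (not from the slides or any real image), the C below models the three loader steps on constructed tables: it decides the pointer width of a candidate kallsyms_addresses run, expands compressed names with the kernel's own token scheme (the same algorithm as kallsyms_expand_symbol() in kernel/kallsyms.c), and pairs each name with its address. The token table, name stream and address tables are constructed for the example; a real image has 256 tokens and thousands of symbols, and kallsyms_num_syms and kallsyms_markers, which the example replaces with a constant, give the count and a lookup index.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed kallsyms_token_table: NUL-separated tokens (8 here, 256 in a kernel). */
static const char token_table[] =
    "T\0" "t\0" "sys_\0" "do_\0" "mmap\0" "ioctl\0" "vfs_\0" "open\0";
/* Constructed kallsyms_token_index: byte offset of each token id in token_table. */
static const uint16_t token_index[] = { 0, 2, 4, 9, 13, 18, 24, 29 };

/* Constructed kallsyms_names: per symbol, a length byte then token ids. The
 * first expanded character is the symbol type ('T', 't', ...), not the name. */
static const uint8_t kallsyms_names[] = {
    3, 0, 2, 4,   /* "T" "sys_" "mmap"  -> type 'T', name "sys_mmap" */
    3, 1, 3, 5,   /* "t" "do_" "ioctl"  -> type 't', name "do_ioctl" */
    3, 0, 6, 7,   /* "T" "vfs_" "open"  -> type 'T', name "vfs_open" */
};
#define NUM_SYMS 3   /* stands in for kallsyms_num_syms */

/* Constructed kallsyms_addresses tables, little-endian and sorted:
 * 32-bit ARM (0xC00A1000, ...) and 64-bit ARM64 (0xFFFFFFC000080000, ...). */
static const uint8_t arm32_addrs[] = {
    0x00,0x10,0x0A,0xC0,  0x00,0x20,0x0A,0xC0,  0x00,0x30,0x0A,0xC0 };
static const uint8_t arm64_addrs[] = {
    0x00,0x00,0x08,0x00,0xC0,0xFF,0xFF,0xFF,
    0x00,0x10,0x08,0x00,0xC0,0xFF,0xFF,0xFF,
    0x00,0x20,0x08,0x00,0xC0,0xFF,0xFF,0xFF };

static uint64_t read_le(const uint8_t *p, int width)
{
    uint64_t v = 0;
    for (int i = width - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Does the table parse as at least min_entries non-decreasing addresses of
 * the given width, all at or above the kernel's virtual base? */
static int sorted_kernel_addrs(const uint8_t *tbl, size_t nbytes, int width,
                               uint64_t base, size_t min_entries)
{
    size_t n = nbytes / width;
    uint64_t prev = 0;
    if (n < min_entries)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t v = read_le(tbl + i * width, width);
        if (v < base || v < prev)
            return 0;
        prev = v;
    }
    return 1;
}

/* Step 1: determine the architecture from the address length.
 * Returns 4 (ARM), 8 (ARM64) or 0 if the bytes are not an address table. */
static int guess_ptr_width(const uint8_t *tbl, size_t nbytes, size_t min_entries)
{
    if (sorted_kernel_addrs(tbl, nbytes, 4, 0xC0000000ULL, min_entries))
        return 4;
    if (sorted_kernel_addrs(tbl, nbytes, 8, 0xFFFFFF8000000000ULL, min_entries))
        return 8;
    return 0;
}

/* Step 2: expand one compressed name; writes the type and the name and
 * returns the offset of the next entry in kallsyms_names. */
static size_t expand_symbol(size_t off, char *type, char *out, size_t outsz)
{
    const uint8_t *data = &kallsyms_names[off];
    unsigned len = *data++;
    size_t n = 0;
    int first = 1;

    off += len + 1;
    while (len--) {
        const char *tok = &token_table[token_index[*data++]];
        for (; *tok; tok++) {
            if (first) {
                *type = *tok;      /* leading character is the symbol type */
                first = 0;
            } else if (n + 1 < outsz) {
                out[n++] = *tok;
            }
        }
    }
    out[n] = '\0';
    return off;
}

/* Step 3: name i belongs to address i. Returns 1 and the address if found. */
static int lookup_symbol(const char *want, uint64_t *addr)
{
    int width = guess_ptr_width(arm32_addrs, sizeof arm32_addrs, NUM_SYMS);
    size_t off = 0;
    char type, name[64];

    for (size_t i = 0; width && i < NUM_SYMS; i++) {
        off = expand_symbol(off, &type, name, sizeof name);
        if (strcmp(name, want) == 0) {
            *addr = read_le(arm32_addrs + i * width, width);
            return 1;
        }
    }
    return 0;
}
```

Locating the tables in a flat image is the heuristic part the example skips: scripts/kallsyms.c emits them in the order kallsyms_addresses, kallsyms_num_syms, kallsyms_names, kallsyms_markers, kallsyms_token_table, kallsyms_token_index, so a run of thousands of sorted addresses starting at the kernel base marks the first table and a block of 256 short NUL-terminated strings marks the token table. Once the symbols are created, the mmap and ioctl handlers of every driver are one cross-reference away.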
  • 12. Fuzzing Targets (1) - mmap
    • Call mmap on the device fd
    • Creates a VA => PA mapping in user space
    • Boundary check?
      • remap_pfn_range
      • Fixed or variable start
      • PA overlapping
    • Long lasting...
      • Framaroot (2013)
      • Mate 7 root (2015)
  • 13. Case Study – audio drv mmap overflow
    seg000:C059ACE4 vul_mmap
    seg000:C059ACE4
    seg000:C059ACE4 var_14 = -0x14
    seg000:C059ACE4
    seg000:C059ACE4     MOV     R12, SP
    seg000:C059ACE8     STMFD   SP!, {R11,R12,LR,PC}
    seg000:C059ACEC     SUB     R11, R12, #4
    seg000:C059ACF0     SUB     SP, SP, #8
    seg000:C059ACF4     LDR     R2, =(dword_C0048C38 - 0xC059AD0C)
    seg000:C059ACF8     MOV     R3, R1
    seg000:C059ACFC     LDR     R12, =(unk_C0047244 - 0xC059AD14)
    seg000:C059AD00     MOV     R0, R1                  ; vma
    seg000:C059AD04     LDR     R2, [PC,R2]             ; dword_C0048C38
    seg000:C059AD08     LDR     R1, [R1,#4]             ; <== start
    seg000:C059AD0C     LDR     R12, [PC,R12]           ; unk_C0047244
    seg000:C059AD10     LDR     R3, [R3,#8]             ; <== end
    seg000:C059AD14     LDR     R2, [R2]
    seg000:C059AD18     LDR     R12, [R12]
    seg000:C059AD1C     RSB     R3, R1, R3              ; size = end - start
    seg000:C059AD20     MOV     R2, R2,LSR#12           ; pfn = phys >> 12
    seg000:C059AD24     ORR     R12, R12, #0x300
    seg000:C059AD28     STR     R12, [SP,#0x14+var_14]  ; prot, 5th argument on the stack
    seg000:C059AD2C     BL      remap_pfn_range

    int remap_pfn_range(struct vm_area_struct *vma, unsigned long virt_addr,
                        unsigned long pfn, unsigned long size, pgprot_t prot);

    • pfn: a constant, located before the kernel code in physical memory
    • size: taken from the vma without any check; an oversized mapping overflows the buffer and covers kernel code and data
    Fix:
    1. Restrict the ACL on the devfs node (666 -> 600)
    2. Add a boundary check
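The following is an added example, not the driver's code: a user-space model of the handler in the listing beside the bounded version that fix 2 calls for. vma_t, fake_remap_pfn_range, AUDIO_BUF_PA and AUDIO_BUF_LEN are assumptions standing in for struct vm_area_struct, remap_pfn_range and the driver's buffer; the stand-in records what would be mapped instead of touching page tables, so the file compiles and runs without a kernel.

```c
#include <stddef.h>
#include <errno.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Minimal stand-in for struct vm_area_struct (assumption). */
typedef struct {
    unsigned long vm_start;   /* user VA where the mapping begins */
    unsigned long vm_end;
    unsigned long vm_pgoff;   /* mmap offset argument, in pages */
} vma_t;

/* Constructed device buffer: 64 KiB at a fixed physical address. In the
 * listing the PFN came from a global (dword_C0048C38 >> 12). */
#define AUDIO_BUF_PA  0x40000000UL
#define AUDIO_BUF_LEN 0x10000UL

/* Stand-in for remap_pfn_range(): same argument order, records the request. */
static unsigned long last_pfn, last_size;
static int fake_remap_pfn_range(vma_t *vma, unsigned long addr,
                                unsigned long pfn, unsigned long size,
                                unsigned long prot)
{
    (void)vma; (void)addr; (void)prot;
    last_pfn = pfn;
    last_size = size;
    return 0;
}

/* True if the last recorded mapping reaches physical memory outside the
 * device buffer, i.e. what the slide calls "covers code and data". */
static int mapping_escapes_buffer(void)
{
    unsigned long pa = last_pfn << PAGE_SHIFT;
    if (pa < AUDIO_BUF_PA || pa >= AUDIO_BUF_PA + AUDIO_BUF_LEN)
        return 1;
    return last_size > AUDIO_BUF_PA + AUDIO_BUF_LEN - pa;
}

/* Shape reconstructed from the listing: size is vm_end - vm_start, so a
 * caller that mmap()s a large region is handed every physical page after
 * the buffer, kernel code and data included. */
static int vul_mmap(vma_t *vma)
{
    unsigned long size = vma->vm_end - vma->vm_start;
    return fake_remap_pfn_range(vma, vma->vm_start,
                                AUDIO_BUF_PA >> PAGE_SHIFT, size, 0x300);
}

/* Bounded version: both the page offset and the length must stay inside
 * the buffer; the subtraction cannot wrap because off < AUDIO_BUF_LEN. */
static int fixed_mmap(vma_t *vma)
{
    unsigned long size, off;

    if (vma->vm_end < vma->vm_start)
        return -EINVAL;
    size = vma->vm_end - vma->vm_start;
    off  = vma->vm_pgoff << PAGE_SHIFT;
    if (size & (PAGE_SIZE - 1))
        return -EINVAL;
    if (off >= AUDIO_BUF_LEN || size > AUDIO_BUF_LEN - off)
        return -EINVAL;
    return fake_remap_pfn_range(vma, vma->vm_start,
                                (AUDIO_BUF_PA + off) >> PAGE_SHIFT, size, 0x300);
}
```

The check is the second fix on the slide; the first, tightening the node from 666 to 600, only shrinks who can reach the handler and does not remove the bug, which is why both are listed. When fuzzing a real driver, the equivalent of mapping_escapes_buffer() is reading back the mapping and looking for kernel text at the far end.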
  • 14. Fuzzing Targets (2) - ioctl
    • Manipulates the underlying device parameters
    • ioctl(fd, cmd, args): file descriptor, command, arguments
    • Problem: missing spec document
  • 15. Fuzzing Targets (2) - ioctl
    • Command code
      • Specifies the request type
      • Differs from device to device
      • Coverage!!!
    • Argument
      • Structure pointer
      • Length, type, etc.
    • Digging from binary
  • 16. Hex-Rays Decompiler
    • Assembly => Pseudo C
    • API interface: the AST is a "ctree" whose nodes are citem_t; 80+ node types, 9 commonly used:
    enum ctype_t {
      cot_asg    = 2,  ///< x = y
      cot_add    = 35, ///< x + y
      cot_sub    = 36, ///< x - y
      cot_cast   = 48, ///< (type)x
      cot_ptr    = 51, ///< *x, access size in 'ptrsize'
      cot_call   = 57, ///< x(...)
      cot_idx    = 58, ///< x[y]
      cot_memref = 59, ///< x.m
      cot_memptr = 60, ///< x->m, access size in 'ptrsize'
    };
  • 17. Variable Propagation
    • Lack of optimization: semi-SSA pseudo code
    • int xxx_ioctl(a1, a2, a3): a1 = fd, a2 = ioctl command, a3 = arg
    • We need to track both a2 and a3
  • 18. Variable Propagation
    • Propagation rules
      • cot_asg nodes: straightforward; affect both cmd and arg
      • cot_call nodes: kernel specific (copy_from/to_user, memcpy); affect arg only
  • 19. Variable Propagation
    • Inter-procedure propagation
      • copy_from/to_user is a special case, as is memcpy
      • For the non-special case, decompile the sub-routine recursively to proceed
    • Example source: https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c
  • 20. Type Re-construction
    • cot_add & cot_sub nodes whose operands propagate from a3: the offset can be calculated, and the length can be assumed (accurately) from the access size
    • Handling inter-procedure scenarios: just like variable propagation
  • 21. Case Study – sdcard driver
    static int simple_mmc_erase_partition_wrap(struct msdc_ioctl *msdc_ctl)
    {
        unsigned char name[25];
        if (copy_from_user(name, (unsigned char *)msdc_ctl->buffer, msdc_ctl->total_size))
            return -EFAULT;
        return simple_mmc_erase_partition(name);
    }

    static int vulnerable_func(struct vul_ioctl *vul_ctl)
    {
        unsigned char name[25];
        if (copy_from_user(name, (unsigned char *)vul_ctl->buffer,
                           vul_ctl->total_size))   /* <== overflows the 25-byte name[] array */
            return -EFAULT;
        return other_func(name);
    }

    • Discovered by constructing an illegal total_size value
    • Actually needed a bigger total_size, since the routine is inlined into its caller
    • Impacted almost every phone using that brand of SoC when discovered
    Fix:
    1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
    2. Check total_size before calling copy_from_user
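An added example that serves both the ioctl fuzzing slides (14 and 15) and this case study; it is not the MediaTek driver's code. It models the handler in user space: decoding the ioctl number shows where a fuzzer reads the expected argument size and the nr it has to enumerate for coverage of the switch, and an instrumented stand-in for copy_from_user() records how far an oversized total_size would write past the 25-byte name[] without corrupting this process. The exact layout of struct msdc_ioctl, the 'M' magic, MSDC_ERASE_PARTITION and the hardened flag are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Generic ioctl number layout (include/uapi/asm-generic/ioctl.h), which ARM
 * and ARM64 use: nr bits 0-7, type 8-15, size 16-29, direction 30-31. */
#define IOC_WRITE 1U
#define IOC_READ  2U
#define IOC(dir, type, nr, size) \
    (((unsigned)(dir) << 30) | ((unsigned)(type) << 8) | \
     ((unsigned)(nr)) | ((unsigned)(size) << 16))
#define IOC_DIR(c)  (((c) >> 30) & 3U)
#define IOC_TYPE(c) (((c) >> 8) & 0xFFU)
#define IOC_NR(c)   ((c) & 0xFFU)
#define IOC_SIZE(c) (((c) >> 16) & 0x3FFFU)

/* Assumed argument layout; the field names follow the slide. */
struct msdc_ioctl {
    int opcode;
    const unsigned char *buffer;   /* user pointer */
    unsigned int total_size;
};
/* Assumed command: magic 'M', nr 1, argument is a struct msdc_ioctl. */
#define MSDC_ERASE_PARTITION IOC(IOC_WRITE, 'M', 1, sizeof(struct msdc_ioctl))

#define PART_NAME_LEN 25

/* Instrumented stand-in for copy_from_user(): clamps the copy to the real
 * destination size and records how many bytes the kernel call would have
 * written past it. Returns 0 on success like the real function. */
static unsigned long overflow_bytes;
static unsigned long model_copy_from_user(void *to, size_t to_cap,
                                          const void *from, unsigned long n)
{
    overflow_bytes = n > to_cap ? n - to_cap : 0;
    memcpy(to, from, n > to_cap ? to_cap : n);
    return 0;
}

static int simple_mmc_erase_partition(const unsigned char *name)
{
    (void)name;   /* the erase itself is out of scope for the model */
    return 0;
}

/* Vulnerable shape from the slide: total_size is user controlled and is
 * never compared with sizeof(name). */
static int vul_erase_partition(struct msdc_ioctl *ctl)
{
    unsigned char name[PART_NAME_LEN];
    if (model_copy_from_user(name, sizeof name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    return simple_mmc_erase_partition(name);
}

/* Hardened: reject anything that cannot fit together with a terminating NUL. */
static int fixed_erase_partition(struct msdc_ioctl *ctl)
{
    unsigned char name[PART_NAME_LEN];
    if (ctl->total_size > sizeof name - 1)
        return -EINVAL;
    if (model_copy_from_user(name, sizeof name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    name[ctl->total_size] = '\0';
    return simple_mmc_erase_partition(name);
}

/* Dispatcher in the shape of a driver's unlocked_ioctl: the switch on the
 * nr is what a fuzzer must cover, and IOC_SIZE(cmd) tells it how large the
 * argument structure is expected to be. `hardened` selects the version. */
static int msdc_unlocked_ioctl(unsigned int cmd, struct msdc_ioctl *arg, int hardened)
{
    if (IOC_TYPE(cmd) != 'M' || IOC_SIZE(cmd) != sizeof(struct msdc_ioctl))
        return -ENOTTY;
    switch (IOC_NR(cmd)) {
    case 1:
        return hardened ? fixed_erase_partition(arg) : vul_erase_partition(arg);
    default:
        return -ENOTTY;
    }
}
```

For a binary-only driver the same decoding runs in reverse: the constants compared against a2 in the decompiled handler are the command numbers, their size field gives the length of the structure a3 points to, and the ctree offsets recovered from a3 give its fields, which is exactly the information the fuzzer needs to build a legal total_size and then an illegal one.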
  • 22. Agenda (repeated as the divider for the Source Analysis section)
  • 23. Secure Android with Dragon Wings
    1. Android kernel source: http://www.cyanogenmod.org/
    2. Kernel source preprocessing: http://llvm.linuxfoundation.org/
    3. Apply Clang-Analyzer to the kernel source: http://clang-analyzer.llvm.org/
    4. Review the Clang-Analyzer report
  • 24. Clang-Analyzer Internals - Overview: Source Code => AST => CallGraph && CFG => Exploded Graph
  • 25. Clang-Analyzer Internals - A Node
    • ProgramPoint
      • Execution location: pre-statement, post-statement, entering a call, ...
      • Stack frame
    • ProgramState
      • Environment: Expr -> Values
      • Store: Memory Location -> Values
      • GenericDataMap: constraints on symbolic values
  • 26. Android Kernel Source Preprocessing
    • Android ARM toolchain: -target arm-none-linux-gnueabi -gcc-toolchain
    • Clang compatibility processing: BUILD_BUG_ON; sbcccs in __range_ok()
    • Checker compatibility processing: copy_from_user / copy_to_user etc.; remove the "inline" keyword
    • Kernel source building/pruning: only care about 3rd-party drivers
      make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
    • Actually there is still a lot that can be done...
  • 27. Clang-Analyzer - AST Checker
    1. FuncInfo->isStr("remap_pfn_range")?
    2. TheCall->getNumArgs() == 5?
    3. arg3->isEvaluatable()? (arg3 is the size argument)
    4. For each variable in arg3: visit the AST body to decide whether it is constrained
    5. Are all the variables in arg3 unconstrained?
    6. Report the potential bug
  • 28. Clang-Analyzer - Path-Sensitive Checker: Sample 1, Sample 2
  • 29. Clang-Analyzer - Path-Sensitive Checker
    • Checker events: checkPreCall / checkPostCall, checkLocation, checkBind, ...
    • Checker states:
      REGISTER_MAP_WITH_PROGRAMSTATE(ExampleDataType, SymbolRef, int)
      int currentValue = state->get<ExampleDataType>(Sym);
      ProgramStateRef newState = state->set<ExampleDataType>(Sym, newValue);
    • Building a Checker in 24 Hours: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf
  • 30. Clang-Analyzer Report - A Real Case
  • 31. Agenda (repeated as the divider for the Suggestions section)
  • 32. Suggestions
    • SoC vendors
      • Establish a security response team
      • Build in-house vulnerability research capabilities
      • Acknowledge security researchers (the Qualcomm security team is great)
    • Phone manufacturers / ROM makers
      • Keep tracking the latest security advisories from the SoC vendor
      • Audit custom code; involve 3rd parties when needed
      • Hot patching?
  • 33. Thank you
    • Contact us: Twitter @K33nteam, Email hr@keencloudtech.com
    • And we are HIRING! Vulnerability & exploitation (kernel, app, etc.)
    • Location: Shanghai (HQ), Beijing (subsidiary)