Fourteenforty Research Institute, Inc.
1
Fourteenforty Research Institute, Inc.
Black Hat Abu Dhabi 2011
Yet Another Andro...
Fourteenforty Research Institute, Inc.
• Gaining Administrative Privileges in Android OS
– Normally, root cannot be used b...
Fourteenforty Research Institute, Inc.
• Vendors and Careers want to:
– Protect Users
– Protect Career-specific / Vendor-s...
Fourteenforty Research Institute, Inc.
• rooting and Android Security
– Android Internals and Security Model
– Bypassing S...
Fourteenforty Research Institute, Inc.
ROOTING AND ANDROID SECURITY
rooting Android is not the end of the story.
5
Fourteenforty Research Institute, Inc.
• Five known root exploits affecting unmodified version of Android
– CVE-2009-1185 ...
Fourteenforty Research Institute, Inc.
• Logic Errors in suid programs
– Android Tablet [xxx]: OS command injection
rootin...
Fourteenforty Research Institute, Inc.
• Improper User-supplied buffer access
– Android smartphone [xxx]: Sensor Device Dr...
Fourteenforty Research Institute, Inc.
• Gaining Privileges in Android system
– root user in Android system is slightly di...
Fourteenforty Research Institute, Inc.
Android Internals: App Model
• Applications are contained in the Package
• Register...
Fourteenforty Research Institute, Inc.
Android Internals: Package
• Package itself is only a ZIP archive
• AndroidManifest...
Fourteenforty Research Institute, Inc.
Android Internals: App Model in File System
12
root file system (/)
init
init.rc
ve...
Fourteenforty Research Institute, Inc.
• Important Processes are:
– init (The root of all processes)
– Zygote Daemon (The ...
Fourteenforty Research Institute, Inc.
Android Internals: Zygote
14
Zygote (app_process)
Zygote Daemon
Preloaded Libraries...
Fourteenforty Research Institute, Inc.
• Android Permission and Protection
+ Grant by Package Information (Permission Info...
Fourteenforty Research Institute, Inc.
• Abstract “Capability” in Android System
– More than 100 (Internet connection, ret...
Fourteenforty Research Institute, Inc.
• Permission for User App is Restricted
– Some permissions are “protected”
• Protec...
Fourteenforty Research Institute, Inc.
• All Permissions are granted for root processes
– Permission Checks are not really...
Fourteenforty Research Institute, Inc.
Android Internals: Activity
• Activity = Unit of “Action” with User Interface
– Spe...
Fourteenforty Research Institute, Inc.
• Prevent Activity Hooking
– High-priority Activity can hide lower Activities
• Onl...
Fourteenforty Research Institute, Inc.
• Simply need to write System Locations
– /system/app, /vendor/app... (Normally wri...
Fourteenforty Research Institute, Inc.
• Write System Partition
– Overwrite Framework, Applications
• Use chroot
– Make fa...
Fourteenforty Research Institute, Inc.
VENDOR-SPECIFIC PROTECTION
AOSP is not the everything.
23
Fourteenforty Research Institute, Inc.
• Some Android devices have Additional Security Feature
– Restrict root privileges ...
Fourteenforty Research Institute, Inc.
• Reject all WRITE requests to important regions
– Boot Loader
– System Partition
–...
Fourteenforty Research Institute, Inc.
• Prevent Unsigned Boot Loader / Kernel to be Executed
– Hardware Implementation:
•...
Fourteenforty Research Institute, Inc.
• Verify loaded packages / programs are legitimate
– Restrict some features if untr...
Fourteenforty Research Institute, Inc.
• Security Framework in Linux Kernel
– Used by SELinux (for example)
• LSM to Prote...
Fourteenforty Research Institute, Inc.
• LSM (and NAND lock) Stops DroidDream
– DroidDream tries to remount /system read-w...
Fourteenforty Research Institute, Inc.
• Restrictions
– No Kernel-Mode
– No /proc/*/mem, /dev/*mem
– No ptrace
– No chroot...
Fourteenforty Research Institute, Inc.
YET ANOTHER ANDROID ROOTKIT
/protecting/system/is/not/enough/
31
Fourteenforty Research Institute, Inc.
Injecting Hooks: 0 out of 3
32
Having Fun!
Replace ClassModify Dalvik StateTaint Zy...
Fourteenforty Research Institute, Inc.
• Facts:
– All normal Android Apps are forked from Zygote Daemon
– Zygote Daemon fo...
Fourteenforty Research Institute, Inc.
• Exploit race-condition during Initialization of Zygote Daemon
– Time until the fi...
Fourteenforty Research Institute, Inc.
• Exploit race-condition during Initialization of Zygote Daemon
– Time until the fi...
Fourteenforty Research Institute, Inc.
• Perform Man-in-the-Middle Attack
– System Server refers Rootkit’s Socket
• Rootki...
Fourteenforty Research Institute, Inc.
• Pause original Zygote Daemon
• Launch Tainted instance of Zygote
– Many ways to l...
Fourteenforty Research Institute, Inc.
Injecting Hooks: 1 out of 3
38
Having Fun!
Replace ClassModify Dalvik StateTaint Zy...
Fourteenforty Research Institute, Inc.
• Assume: The attacker can execute malicious Java class
• Modify Dalvik VM state to...
Fourteenforty Research Institute, Inc.
Injecting Hooks: 2 out of 3
40
Having Fun!
Replace ClassModify Dalvik StateTaint Zy...
Fourteenforty Research Institute, Inc.
• Easy Implementation Plan: Swap two Classes
– e.g. WebView ⇔ FakeWebView
– Target ...
Fourteenforty Research Institute, Inc.
HashTable
Real Class
...
Injecting Hooks: Complete!
42
Having Fun!
Replace ClassMod...
Fourteenforty Research Institute, Inc.
• By tainting Zygote,
we can hook many of activities including method calls
– Rootk...
Fourteenforty Research Institute, Inc.
DEMO
On-memory modification gives attackers ultimate flexibility.
44
Fourteenforty Research Institute, Inc.
BOTTOM LINE
Protecting system is not so easy.
45
Fourteenforty Research Institute, Inc.
• This Android “weakness” is not a vulnerability alone
• This malware is not a real...
Fourteenforty Research Institute, Inc.
• Protection: LSM...
– Need to know Android Internals
• Difference: Security Requir...
Fourteenforty Research Institute, Inc.
• Low Open Governance Index(1)
– Not everything is shared
• Vendor have to implemen...
Fourteenforty Research Institute, Inc.
• Suggestion: Make policy guidelines to protect Android devices
• Suggestion: Under...
Fourteenforty Research Institute, Inc.
50
Thank You!
Fourteenforty Research Institute, Inc.
http://www.fourteenforty.jp
Re...
Upcoming SlideShare
Loading in …5
×

Yet Another Android Rootkit

1,199 views

Published on

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,199
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
27
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Yet Another Android Rootkit

  1. 1. Fourteenforty Research Institute, Inc. 1 Fourteenforty Research Institute, Inc. Black Hat Abu Dhabi 2011 Yet Another Android Rootkit /protecting/system/is/not/enough/ Research Engineer – Tsukasa Oi Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp
  2. 2. Fourteenforty Research Institute, Inc. • Gaining Administrative Privileges in Android OS – Normally, root cannot be used by Apps – Gaining root Privilege using... • Local Exploits (dangerous) • Fake Firmware Updates (relatively safe) • What for? – Customization, Overclocking – Malicious Use (e.g. DroidDream) • root in Android platform works differently – Permission Checks – Software-based UID/PID checks 2 Introduction: rooting Android
  3. 3. Fourteenforty Research Institute, Inc. • Vendors and Careers want to: – Protect Users – Protect Career-specific / Vendor-specific Services – Ensure Smartphones are not Altered and “Radio Legal” – Protect their Business Model  • Answer: “Protect Smartphones” – Prevent Firmware Modification – Patch Framework and Kernel in order to Secure the device 3 Introduction: Japanese smartphones
  4. 4. Fourteenforty Research Institute, Inc. • rooting and Android Security – Android Internals and Security Model – Bypassing Security and Gaining Privileges • Vendor-Specific Protection – Kernel-based Mechanism • Yet Another Android Rootkit – User-Mode Rootkit Bypassing Vendor-Specific Protections – Hook User Applications • So what was wrong? – Open source, Closed platform 4 Agenda
  5. 5. Fourteenforty Research Institute, Inc. ROOTING AND ANDROID SECURITY rooting Android is not the end of the story. 5
  6. 6. Fourteenforty Research Institute, Inc. • Five known root exploits affecting unmodified version of Android – CVE-2009-1185 (exploid) – [no CVE number] (rage against the cage) – CVE-2011-1149 (psneuter) – CVE-2011-1823 (GingerBreak) – CVE-2011-3874 (zergRush) • More of that: Chip/Vendor-specific Vulnerabilities 6 rooting is Sometimes Easy
  7. 7. Fourteenforty Research Institute, Inc. • Logic Errors in suid programs – Android Tablet [xxx]: OS command injection rooting : Vulnerabilities (1) 7 The attacker can invoke arbitrary command in root privileges. [REDACTED]
  8. 8. Fourteenforty Research Institute, Inc. • Improper User-supplied buffer access – Android smartphone [xxx]: Sensor Device Driver rooting : Vulnerabilities (2) 8 The attacker write [REDACTED] to arbitrary user memory, bypassing copy-on-write. Modifying setuid function (which affects all processes) can generate root-privilege processes. [REDACTED]
  9. 9. Fourteenforty Research Institute, Inc. • Gaining Privileges in Android system – root user in Android system is slightly different – The attacker want to take over the whole system • Vendor-Specific Protection – DroidDream won’t work properly on some Japanese Android phones – /system may be Read-Only • Is it possible to take over the system in protected smartphones? 9 rooting isn’t the end
  10. 10. Fourteenforty Research Institute, Inc. Android Internals: App Model • Applications are contained in the Package • Register how “classes” are invoked by Manifest – System calls application “classes” if requested – Activity, Broadcast, ... 10 Package.apk Activity Broadcast Receiver Invoke Application Callback on Event AndroidManifest.xml Android System Install
  11. 11. Fourteenforty Research Institute, Inc. Android Internals: Package • Package itself is only a ZIP archive • AndroidManifest.xml (Manifest) – Application information, permissions – How classes can be called (Activity, BroadcastReceiver...) 11 APK File (ZIP format) AndroidManifest.xml (Manifest) classes.dex (Program) lib/armeabi/* (Native code) ...
  12. 12. Fourteenforty Research Institute, Inc. Android Internals: App Model in File System 12 root file system (/) init init.rc vendor/ data/ system partition (/system) system/ bin/ app_process linker app/lib/ libdvm.so framework/ etc/ vendor/ (symlinked to /vendor) app/ lib/ data partition (/data) app/ lib/ app-private/ data/ build.prop ... default.prop ... ... ... Data Contains Dalvik Code Contains Native Code ... Dalvik host process Dalvik VM Library Trusted by App System Dynamic linker
  13. 13. Fourteenforty Research Institute, Inc. • Important Processes are: – init (The root of all processes) – Zygote Daemon (The root of Android Apps) – System Server (serves many System Services) 13 Android Internals: App Model in Lower Layer init Process Launches some Native Services Service 1 Service 2 ... init (PID=1) System Server App 1 App 2 App 3 ... System Server (serves Services) is directly forked from Zygote Daemon Zygote Daemon All normal Apps are forked from Zygote Daemon when requested
  14. 14. Fourteenforty Research Institute, Inc. Android Internals: Zygote 14 Zygote (app_process) Zygote Daemon Preloaded Libraries (including Dalvik VM itself) System Server App2 App3 fork and specialize for new process Invocation Request (UNIX Domain Socket) Shared Memory /dev/socket/zygote (POSIX permission: 0666)
  15. 15. Fourteenforty Research Institute, Inc. • Android Permission and Protection + Grant by Package Information (Permission Information) - Restrict by Package Location (System or User) - Restrict by Package Signature + Grant by UID/PID (Backdoor?) • Priorities of Activity (User-Interface Element) + Grant by Package Information (Intent Filters) - Restrict by Package Location (System Only) • Legacy Linux Security Model – Grant/Restrict: UID/GID/PID... 15 Android Security: Model
  16. 16. Fourteenforty Research Institute, Inc. • Abstract “Capability” in Android System – More than 100 (Internet connection, retrieve phone number...) • Permissions Checking – Software Checks – GID Checks (some permissions are associated with GIDs) 16 Android Security: Permission App1 App2 Permission: INTERNET The Internet
  17. 17. Fourteenforty Research Institute, Inc. • Permission for User App is Restricted – Some permissions are “protected” • Protection Level – Package Location (signatureOrSystem) – Package Signature (signature, signatureOrSystem) 17 Android Security: Permission Protection User App System App INSTALL_PACKAGES permission INSTALL_PACKAGES INSTALL_PACKAGES
  18. 18. Fourteenforty Research Institute, Inc. • All Permissions are granted for root processes – Permission Checks are not really Performed • GingerMaster (malware) utilizes this behavior – GingerMaster calls pm command via root shell script – pm is actually a Dalvik program 18 Android Security: Permission Protection User App System App INSTALL_PACKAGES permission UID=0 (root) INSTALL_PACKAGES
  19. 19. Fourteenforty Research Institute, Inc. Android Internals: Activity • Activity = Unit of “Action” with User Interface – Specifying object type (target) and action, Activity is called by the system automatically 19 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
  20. 20. Fourteenforty Research Institute, Inc. • Prevent Activity Hooking – High-priority Activity can hide lower Activities • Only System Packages can use Higher Priority – e.g. Android Market (Vending.apk) 20 Android Security: Activity Priorities P=0P=100P=999 User ActivitySystem ActivityUser Activity P=0P=999 0P=100 User ActivityUser ActivitySystem Activity High Priority Low
  21. 21. Fourteenforty Research Institute, Inc. • Simply need to write System Locations – /system/app, /vendor/app... (Normally write-protected) • DEMO 21 Bypassing Security: Activity Priorities P=0P=0P=999 User ActivitySystem ActivitySYSTEM Activity Browser Hooks Real Web Browser High Priority Low
  22. 22. Fourteenforty Research Institute, Inc. • Write System Partition – Overwrite Framework, Applications • Use chroot – Make fake root and make system partition virtually • Use ptrace – Inject Malicious Hooks • root can spoil Android security mechanism. – Or is it? 22 Breaking Security: root can simply...
  23. 23. Fourteenforty Research Institute, Inc. VENDOR-SPECIFIC PROTECTION AOSP is not the everything. 23
  24. 24. Fourteenforty Research Institute, Inc. • Some Android devices have Additional Security Feature – Restrict root privileges to prevent devices to be overwritten • Modification to the Kernel / Board – NAND Lock – Secure [Authenticated] Boot – Integrity Checking – Linux Security Modules (LSM) 24 Vendor-Specific Protection
  25. 25. Fourteenforty Research Institute, Inc. • Reject all WRITE requests to important regions – Boot Loader – System Partition – Recovery Partition • Implemented as a NAND driver / LSM feature • pros. Strong – Prohibits ALL illegal writes in kernel mode • cons. Does not Protect Memory – Does not protect mount points as well – Still can use ptrace / chroot / pivot_root 25 Vendor-Specific: NAND Lock
  26. 26. Fourteenforty Research Institute, Inc. • Prevent Unsigned Boot Loader / Kernel to be Executed – Hardware Implementation: • e.g. nVidia Tegra – Software (Boot Loader) Implementation: • e.g. HTC Vision (Qualcomm’s Implementation) • pros. Hard to Defeat – Haven’t defeated directly • cons. Only Protects Boot Loader / Kernel – Does not Protect On-Memory Boot Loader / Kernel – Most implementations does not Protect System Partition 26 Vendor-Specific: Secure Boot
  27. 27. Fourteenforty Research Institute, Inc. • Verify loaded packages / programs are legitimate – Restrict some features if untrusted packages / programs are loaded • Sharp Corp. : Sphinx (Digest Manager) – Protected Storage in Kernel Mode – Digest Verifier in User-mode (dgstmgrd) • Exports Content Provider • pros. Ability to use Digital Signatures • cons. Easy to avoid if processes can be compromised – e.g. ptrace 27 Vendor-Specific: Integrity Verification
  28. 28. Fourteenforty Research Institute, Inc. • Security Framework in Linux Kernel – Used by SELinux (for example) • LSM to Protect Android System • Sharp Corp. : Deckard LSM / Miyabi LSM – Protect Mount Point (/system) – Prohibit ptrace – Prohibit chroot, pivot_root... • Fujitsu Toshiba Mobile Communications : fjsec – Protect Mount Point (/system) and the FeliCa [subset of NFC] device – Prohibit pivot_root – Path-based / Policy-based Restrictions • Kyocera Corp. : KCLSM 28 Vendor-Specific: Linux Security Modules (1)
  29. 29. Fourteenforty Research Institute, Inc. • LSM (and NAND lock) Stops DroidDream – DroidDream tries to remount /system read-write but it is prohibited by the LSM • pros. Mandatory and Strong – Difficult to Defeat – Capable to Hook System Calls • cons. Difficult to Protect “Everything” – ...unless you know all about Android Internals – That could lead to LSM bypassing • Some holes were fixed though... 29 Vendor-Specific: Linux Security Modules (2)
  30. 30. Fourteenforty Research Institute, Inc. • Restrictions – No Kernel-Mode – No /proc/*/mem, /dev/*mem – No ptrace – No chroot, pivot_root – No writes to system partitions (/system) • But Assume if the attacker can gain root Privileges – Possibility to take over whole system • User-Mode Rootkit 30 Bypassing All Protections
  31. 31. Fourteenforty Research Institute, Inc. YET ANOTHER ANDROID ROOTKIT /protecting/system/is/not/enough/ 31
  32. 32. Fourteenforty Research Institute, Inc. Injecting Hooks: 0 out of 3 32 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root
  33. 33. Fourteenforty Research Institute, Inc. • Facts: – All normal Android Apps are forked from Zygote Daemon – Zygote Daemon forks child on request through UNIX-domain socket • Two plans: – Plan A: Hooking UNIX-domain Socket • Stealthy – Plan B: Generating two Zygote processes • Easy to implement • Flexible 33 Injecting Hooks: Taint Zygote (1)
  34. 34. Fourteenforty Research Institute, Inc. • Exploit race-condition during Initialization of Zygote Daemon – Time until the first process is requested – Window of Vulnerability is very wide (almost 2∼3 seconds) 34 Injecting Hooks: Taint Zygote (Plan A - 1) Zygote Daemon System Server /dev/socket/zygote bind: T0 listen: T1 connect: T2
  35. 35. Fourteenforty Research Institute, Inc. • Exploit race-condition during Initialization of Zygote Daemon – Time until the first process is requested – Window of Vulnerability is very wide (almost 2∼3 seconds) 35 Injecting Hooks: Taint Zygote (Plan A - 2) init (PID=1) Zygote Daemon System Server bind: T0 Pass file descriptor to new Zygote Daemon listen: T1 Start System Server (it does not use socket) connect: T2 Initialization (Preloading Classes, GC...) Window of Vulnerability
  36. 36. Fourteenforty Research Institute, Inc. • Perform Man-in-the-Middle Attack – System Server refers Rootkit’s Socket • Rootkit Injector can restore original Socket to make it stealth – New Apps are requested from one connection between System Server 36 Injecting Hooks: Taint Zygote (Plan A - 3) Zygote Daemon System Server Rootkit Injector Modify Request to Inject Payload written in Java /dev/socket/zygote (moved) /dev/socket/zygote (new; infected)
  37. 37. Fourteenforty Research Institute, Inc. • Pause original Zygote Daemon • Launch Tainted instance of Zygote – Many ways to launch tainted Zygote • Replace socket with rootkit’s one 37 Injecting Hooks: Taint Zygote (Plan B) Zygote Daemon System ServerInfected Zygote Performs like original Zygote (but can perform malicious) /dev/socket/zygote (new; infected) /dev/socket/zygote (moved or deleted)
  38. 38. Fourteenforty Research Institute, Inc. Injecting Hooks: 1 out of 3 38 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes
  39. 39. Fourteenforty Research Institute, Inc. • Assume: The attacker can execute malicious Java class • Modify Dalvik VM state to inject hooks – Read/Write arbitrary memory required – sun.misc.Unsafe class • Dalvik VM (libdvm.so) exports many symbols – Including its Global State (gDvm) – Modifying gDvm enables hook injection 39 Injecting Hooks: Modify Dalvik State libdvm.so ... ... struct DvmGlobals gDvm loadedClasses ... ... struct HashTable info: Class A info: Class B ... Dalvik VM Global State All Classes Information Modify Class Metadata to Inject Hooks
  40. 40. Fourteenforty Research Institute, Inc. Injecting Hooks: 2 out of 3 40 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root libdvm.so ... ... gDvm DvmGlobals ... ... loadedClasses HashTable Real Class ... ... Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly
  41. 41. Fourteenforty Research Institute, Inc. • Easy Implementation Plan: Swap two Classes – e.g. WebView ⇔ FakeWebView – Target = gDvm->loadedClasses – Replacing classes must have exactly same methods 41 Injecting Hooks: Class Replacement/Swapping struct HashTable K1: WebView K2: FakeWebView ... inherit Swap struct HashTable ... K1: FakeWebView K2: WebView before replacement after replacement WebView FakeWebView
  42. 42. Fourteenforty Research Institute, Inc. HashTable Real Class ... Injecting Hooks: Complete! 42 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root libdvm.so ... ... gDvm DvmGlobals ... ... loadedClasses Fake Class Real Class ... Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly Replace class with rootkit’s one
  43. 43. Fourteenforty Research Institute, Inc. • By tainting Zygote, we can hook many of activities including method calls – Rootkit Payload can be implemented in Pure Java • Most of implementation are not so difficult – Be aware of these kind of attacks 43 Conclusion
  44. 44. Fourteenforty Research Institute, Inc. DEMO On-memory modification gives attackers ultimate flexibility. 44
  45. 45. Fourteenforty Research Institute, Inc. BOTTOM LINE Protecting system is not so easy. 45
  46. 46. Fourteenforty Research Institute, Inc. • This Android “weakness” is not a vulnerability alone • This malware is not a really advanced rootkit – Easy to detect, Easy to defeat • But it’s not the point. 46 This is not...
  47. 47. Fourteenforty Research Institute, Inc. • Protection: LSM... – Need to know Android Internals • Difference: Security Requirements – Some Japanese smartphones had higher security requirements – Different than Google expects 47 So, what was wrong?
  48. 48. Fourteenforty Research Institute, Inc. • Low Open Governance Index(1) – Not everything is shared • Vendor have to implement its own LSM and/or protection – Compatibility Issues – e.g. Deckard / Miyabi LSM prohibits all native debugging • Can Google or associations provide additional information to implement proper LSM? – To Defeat Compatibility Issues – To Make implementing Additional Security Easier 48 Android: Open source, Closed platform (1) http://www.visionmobile.com/research.php#OGI
  49. 49. Fourteenforty Research Institute, Inc. • Suggestion: Make policy guidelines to protect Android devices • Suggestion: Understand what’s happening inside the Android system • If the attacker can gain root privileges, the attacker can inject rootkit hooks and monitor App activities • This is easy to protect, but it implies many of other possibilities – Advanced Android malware? • Share the knowledge to protect Android devices! 49 Suggestions / Conclusions
  50. 50. Fourteenforty Research Institute, Inc. 50 Thank You! Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa Oi <oi@fourteenforty.jp>

×