Digging for Android Kernel Bugs

1. Digging for Android Kernel Bugs
• James Fang, Sen Nie

2. About us
• Keen Team
• Pwn2Own Mobile 2013
• Pwn2Own 2014, 2015
• 0ops and Blue-Lotus members
• Multiple CVEs affecting major SoC solutions
• Also contribute root tools to the community for fun
  • Huawei Ascend Mate 7
  • User-mode exploit of giefroot (by zxz0O0)

3. Agenda
• Binary Analysis
  • Benefits
  • Disassembling kernel
  • Fuzzing
  • Case study
• Suggestions
  • SoC vendors
  • Phone/ROM manufacturers
• Source Analysis
  • Tools and methods
  • Analyzer internals
  • Case study

4. Agenda (same as slide 3)
6. Kernel. Kernel always changes

7. Kernel. Kernel always changes
9. Benefits of Binary Kernel
• Exact piece of code running on actual devices
• Critical security features
  • …with many options
  • SEAndroid
  • TIMA, etc.
• Offset, offset, offset…
  • Important for constructing args
  • Fuzzing

10. Preparing Kernel
1. Extract zImage
2. Decompress zImage
3. Flat, plain binary
  • Code + Data
  • No structure; IDA's best guess ==>

11. Preparing Kernel
• Solution: IDA loader
  1. Extract address table
    • Also determine arch by address length (64 or 32)
  2. Extract (compressed) symbol name table
  3. Create symbols
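The three loader steps on slide 11, as an added example that is not part of the deck or of Keen Team's IDA loader: a Python script that builds a constructed flat image containing the kallsyms tables, finds the address table by scanning for an ascending run of kernel-range words (probing 8-byte words first, so a hit at that width means a 64-bit kernel), and decompresses the token-encoded names. The token set, the symbol list, the filler bytes and the simplified layout (no kallsyms_markers, no alignment padding, num_syms packed as a u32) are all constructed here. The scan also assumes a strictly ascending table; a real kernel's table can contain equal addresses for aliased symbols, which a production loader has to allow.

```python
import string
import struct

# Constructed token set (hypothetical; a real kernel picks its 256 tokens by
# frequency at build time): three multi-character tokens, the single characters
# that symbol names use, and "." padding for the unused slots.
TOKENS = ["Tsys_", "tdo_", "_user"] + list(string.ascii_letters + string.digits + "_")
TOKENS += ["."] * (256 - len(TOKENS))

# Constructed symbol table, sorted by address as kallsyms_addresses is.
SYMBOLS = [
    (0xC0008000, "T", "stext"),
    (0xC0012340, "T", "sys_read"),
    (0xC0012580, "T", "sys_write"),
    (0xC0091000, "t", "do_mmap"),
    (0xC00A2000, "T", "copy_from_user"),
    (0xC00A2100, "T", "remap_pfn_range"),
]
# Constructed filler standing in for code placed before the tables (ARM "mov" words).
CODE_FILLER = b"\x01\x10\xa0\xe1\x02\x20\xa0\xe1" * 4

def compress_name(typed_name):
    """Encode '<type><name>' as kallsyms_names does: a length byte, then one
    token index per token, taking the longest matching token at each position."""
    out, i = [], 0
    while i < len(typed_name):
        best = max((idx for idx, tok in enumerate(TOKENS)
                    if tok != "." and typed_name.startswith(tok, i)),
                   key=lambda idx: len(TOKENS[idx]), default=None)
        if best is None:
            raise ValueError("no token covers %r" % typed_name[i])
        out.append(best)
        i += len(TOKENS[best])
    return bytes([len(out), *out])

def build_image(symbols):
    """Flat 32-bit image: filler, kallsyms_addresses, kallsyms_num_syms (u32 here),
    kallsyms_names, kallsyms_token_table, kallsyms_token_index. The real layout
    also carries kallsyms_markers and alignment padding; both are omitted."""
    addrs = b"".join(struct.pack("<I", a) for a, _, _ in symbols)
    names = b"".join(compress_name(t + n) for _, t, n in symbols)
    table, index = bytearray(), []
    for tok in TOKENS:
        index.append(len(table))
        table += tok.encode() + b"\0"
    token_index = b"".join(struct.pack("<H", o) for o in index)
    return (CODE_FILLER + addrs + struct.pack("<I", len(symbols)) + names
            + bytes(table) + token_index)

def find_address_table(blob, word, min_run=4):
    """(offset, count) of the longest strictly ascending run of kernel-range
    words, or None. word=8 looks for arm64 addresses, word=4 for ARM32 ones."""
    fmt, lo = ("<Q", 0xFFFFFF8000000000) if word == 8 else ("<I", 0xC0000000)
    best, run, prev = (None, 0), (None, 0), None
    for off in range(0, len(blob) - word + 1, word):
        value = struct.unpack_from(fmt, blob, off)[0]
        if value >= lo and run[1] and value > prev:
            run = (run[0], run[1] + 1)
        else:
            run = (off, 1) if value >= lo else (None, 0)
        prev = value
        if run[1] > best[1]:
            best = run
    return best if best[1] >= min_run else None

def load_kallsyms(blob):
    """Locate the tables, pick the word size from the address width, and
    decompress every name. Returns (bits, [(address, type, name), ...])."""
    for word in (8, 4):
        found = find_address_table(blob, word)
        if found:
            break
    else:
        raise ValueError("no kallsyms address table found")
    start, count = found
    fmt = "<Q" if word == 8 else "<I"
    addresses = [struct.unpack_from(fmt, blob, start + i * word)[0] for i in range(count)]
    off = start + count * word
    num_syms = struct.unpack_from("<I", blob, off)[0]
    if num_syms != count:
        raise ValueError("num_syms %d disagrees with table length %d" % (num_syms, count))
    off += 4
    entries = []                           # self-delimiting: length byte + indices
    for _ in range(num_syms):
        length = blob[off]
        entries.append(blob[off + 1:off + 1 + length])
        off += 1 + length
    token_index = struct.unpack_from("<256H", blob, len(blob) - 512)
    token_table = blob[off:len(blob) - 512]
    tokens = [token_table[i:token_table.index(b"\0", i)].decode() for i in token_index]
    texts = ["".join(tokens[b] for b in e) for e in entries]   # '<type><name>'
    return word * 8, [(a, s[0], s[1:]) for a, s in zip(addresses, texts)]

if __name__ == "__main__":
    for address, kind, name in load_kallsyms(build_image(SYMBOLS))[1]:
        print("%08x %s %s" % (address, kind, name))
```

Running it prints the six constructed symbols with their type letters; inside IDA the same (address, name) pairs would be handed to the naming API to complete step 3 of the slide.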
12. Fuzzing Targets (1) - mmap
• Call mmap on dev fd
• Create VA => PA mapping in user space
• Boundary check?
  • remap_pfn_range
  • Fixed or variable start
  • PA overlapping
• Long lasting…
  • Framaroot (2013)
  • Mate 7 root (2015)

13. Case Study – audio drv mmap overflow

seg000:C059ACE4 vul_mmap
seg000:C059ACE4
seg000:C059ACE4 var_14 = -0x14
seg000:C059ACE4
seg000:C059ACE4     MOV     R12, SP
seg000:C059ACE8     STMFD   SP!, {R11,R12,LR,PC}
seg000:C059ACEC     SUB     R11, R12, #4
seg000:C059ACF0     SUB     SP, SP, #8
seg000:C059ACF4     LDR     R2, =(dword_C0048C38 - 0xC059AD0C)
seg000:C059ACF8     MOV     R3, R1
seg000:C059ACFC     LDR     R12, =(unk_C0047244 - 0xC059AD14)
seg000:C059AD00     MOV     R0, R1
seg000:C059AD04     LDR     R2, [PC,R2]      ; dword_C0048C38
seg000:C059AD08     LDR     R1, [R1,#4]      ; <== start
seg000:C059AD0C     LDR     R12, [PC,R12]    ; unk_C0047244
seg000:C059AD10     LDR     R3, [R3,#8]      ; <== end
seg000:C059AD14     LDR     R2, [R2]
seg000:C059AD18     LDR     R12, [R12]
seg000:C059AD1C     RSB     R3, R1, R3
seg000:C059AD20     MOV     R2, R2,LSR#12
seg000:C059AD24     ORR     R12, R12, #0x300
seg000:C059AD28     STR     R12, [SP,#0x14+var_14]
seg000:C059AD2C     BL      remap_pfn_range

int remap_pfn_range(
    struct vm_area_struct *vma,
    unsigned long virt_addr,
    unsigned long pfn,
    unsigned long size,
    pgprot_t prot
);

• pfn: constant, lies before kernel code
• size: overflow covers code and data
Fix:
1. Restrict ACL on devfs node (666 -> 600)
2. Add boundary check
14. Fuzzing Targets (2) - ioctl
• Manipulate underlying device params
• ioctl(fd, cmd, args)
  • File descriptor
  • Command
  • Arguments
• Problem: missing spec document

15. Fuzzing Targets (2) - ioctl
• Command code
  • Specify request type
  • Differs from device to device
  • Coverage!!!
• Argument
  • Structure pointer
  • Length, type, etc…
  • Digging from binary

16. Hex-Rays Decompiler
• Assembly => Pseudo C
• API interface:
  • AST: ctree
  • Nodes: citem_t
  • 80+ types of node
  • 9 types commonly used

enum ctype_t {
    cot_asg    = 2,  ///< x = y
    cot_add    = 35, ///< x + y
    cot_sub    = 36, ///< x - y
    cot_cast   = 48, ///< (type)x
    cot_ptr    = 51, ///< *x, access size in 'ptrsize'
    cot_call   = 57, ///< x(...)
    cot_idx    = 58, ///< x[y]
    cot_memref = 59, ///< x.m
    cot_memptr = 60, ///< x->m, access size in 'ptrsize'
};

17. Variable Propagation
• Lack of optimization
• Semi-SSA pseudo code
• int xxx_ioctl(a1, a2, a3)
  • a1: fd
  • a2: ioctl command
  • a3: arg
• We need to track both a2 and a3

18. Variable Propagation
• Propagation rules
  • cot_asg nodes
    • Straightforward
    • Affecting both cmd and arg
  • cot_call nodes
    • Kernel specific: copy_from/to_user, memcpy
    • Affecting arg only

19. Variable Propagation
• Inter-procedure propagation
  • copy_from/to_user is a special case
  • memcpy
  • For non-special cases, decompile the sub-routine recursively to proceed
• https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c

20. Type Re-construction
• cot_add & cot_sub
  • Result of var propagation leads to a3
  • Offset can be calculated
  • Length can be assumed (accurately)
• Handling inter-procedure scenarios
  • Just like variable propagation
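The propagation and type re-construction rules of slides 17 through 20, as an added example that is not the authors' IDA plugin: Python over a hand-built tuple encoding of a ctree (the cot_* values are the ones quoted on slide 16; the xxx_ioctl/xxx_helper pseudo-code, the variable names and the "cmd"/"arg" labels are constructed for the example). cot_asg carries both cmd and arg, copy_from_user/copy_to_user/memcpy carry arg only, and a call to any other known function is analyzed recursively with the callee's parameters bound to what the caller passes; every *(arg + k) and arg->m met along the way becomes a field (offset, access size), including ones found inside the callee.

```python
# Node kinds mirror the ctree item types on slide 16 (same enum values); the tuple
# encoding and all functions below stand in for the Hex-Rays ctree API, not IDA calls.
COT_ASG, COT_ADD, COT_SUB, COT_CAST, COT_PTR, COT_CALL, COT_MEMPTR = 2, 35, 36, 48, 51, 57, 60

def var(name): return ("var", name)
def num(value): return ("num", value)
def asg(lhs, rhs): return (COT_ASG, lhs, rhs)
def add(x, y): return (COT_ADD, x, y)
def sub(x, y): return (COT_SUB, x, y)
def cast(x): return (COT_CAST, x)
def ptr(size, x): return (COT_PTR, size, x)                 # *x, access size in bytes
def call(callee, *args): return (COT_CALL, callee, list(args))
def memptr(x, off, size): return (COT_MEMPTR, x, off, size)  # x->m at byte offset off

# Constructed pseudo-code for a hypothetical int xxx_ioctl(a1, a2, a3) and a helper
# it calls; not decompiler output from any real driver.
FUNCS = {
    "xxx_ioctl": (["a1", "a2", "a3"], [
        asg(var("v2"), var("a2")),                                   # cmd via cot_asg
        asg(var("v3"), cast(var("a3"))),                             # arg via cot_asg
        call("copy_from_user", var("hdr"), var("v3"), num(16)),      # kernel copy: arg only
        asg(var("len"), ptr(4, add(var("v3"), num(4)))),             # *(u32 *)(arg + 4)
        asg(var("flag"), ptr(2, sub(add(var("v3"), num(12)), num(2)))),  # offset 10, 2 bytes
        asg(var("mode"), memptr(var("v3"), 16, 4)),                  # arg->m at offset 16
        call("xxx_helper", var("a1"), var("v3"), var("v2")),         # non-special: recurse
    ]),
    "xxx_helper": (["dev", "p", "c"], [
        asg(var("q"), var("p")),
        asg(var("r"), ptr(4, add(var("q"), num(20)))),               # offset 20 in the callee
    ]),
}
# Kernel-specific copy routines as (destination index, source index).
KERNEL_COPY = {"copy_from_user": (0, 1), "copy_to_user": (0, 1), "memcpy": (0, 1)}

def children(expr):
    kind = expr[0]
    if kind in ("var", "num"): return []
    if kind == COT_CALL: return expr[2]
    if kind == COT_PTR: return [expr[2]]
    if kind in (COT_CAST, COT_MEMPTR): return [expr[1]]
    return [expr[1], expr[2]]                                   # cot_asg, cot_add, cot_sub

def roots_of(expr, derived):
    """Which tracked inputs ('cmd' for a2, 'arg' for a3) reach this expression."""
    if expr[0] == "var":
        return set(derived.get(expr[1], ()))
    return set().union(*(roots_of(c, derived) for c in children(expr)))

def base_and_offset(expr):
    """Peel cot_cast and constant cot_add/cot_sub down to (variable, byte offset)."""
    offset = 0
    while True:
        if expr[0] == COT_CAST:
            expr = expr[1]
        elif expr[0] in (COT_ADD, COT_SUB) and expr[2][0] == "num":
            offset += expr[2][1] if expr[0] == COT_ADD else -expr[2][1]
            expr = expr[1]
        elif expr[0] == "var":
            return expr[1], offset
        else:
            return None, 0

def collect_fields(expr, derived, fields):
    """Type re-construction: each *(arg + k) or arg->m becomes a field (offset, size)."""
    if expr[0] == COT_PTR:
        base, offset = base_and_offset(expr[2])
        if base is not None and "arg" in derived.get(base, ()):
            fields[offset] = expr[1]
    elif expr[0] == COT_MEMPTR and "arg" in roots_of(expr[1], derived):
        fields[expr[2]] = expr[3]
    for child in children(expr):
        collect_fields(child, derived, fields)

def analyze(func, derived, fields=None, depth=0):
    """Propagate cmd/arg through one function, descending into non-special callees."""
    _, body = FUNCS[func]
    fields = {} if fields is None else fields
    for stmt in body:
        collect_fields(stmt, derived, fields)
        if stmt[0] == COT_ASG and stmt[1][0] == "var":
            roots = roots_of(stmt[2], derived)
            if roots:
                derived.setdefault(stmt[1][1], set()).update(roots)
        elif stmt[0] == COT_CALL:
            callee, args = stmt[1], stmt[2]
            if callee in KERNEL_COPY:
                dst, src = KERNEL_COPY[callee]
                if args[dst][0] == "var" and "arg" in roots_of(args[src], derived):
                    derived.setdefault(args[dst][1], set()).add("arg")
            elif callee in FUNCS and depth < 8:             # recursion bound (assumption)
                bound = {p: roots_of(a, derived) for p, a in zip(FUNCS[callee][0], args)}
                bound = {p: r for p, r in bound.items() if r}
                if bound:
                    analyze(callee, bound, fields, depth + 1)
    return derived, fields

def struct_layout(fields):
    """Render the recovered fields as a C-style layout, one line per field."""
    return ["/* 0x%02x */ uint%d_t field_%02x;" % (off, size * 8, off)
            for off, size in sorted(fields.items())]
```

Calling analyze("xxx_ioctl", {"a2": {"cmd"}, "a3": {"arg"}}) returns the per-variable sources and the field map {4: 4, 10: 2, 16: 4, 20: 4}; struct_layout turns the latter into four lines, the last of which comes from the callee and would be missed without the recursive step.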
21. Case Study – sdcard driver

static int simple_mmc_erase_partition_wrap(struct msdc_ioctl *msdc_ctl)
{
    unsigned char name[25];

    if (copy_from_user(name, (unsigned char *)msdc_ctl->buffer,
                       msdc_ctl->total_size))
        return -EFAULT;
    return simple_mmc_erase_partition(name);
}

static int vulnerable_func(struct vul_ioctl *vul_ctl)
{
    unsigned char name[25];

    if (copy_from_user(name, (unsigned char *)vul_ctl->buffer,
                       vul_ctl->total_size   /* <== overflows the name[] array */
                       ))
        return -EFAULT;
    return other_func(name);
}

• Discovered by constructing an illegal total_size value
• Actually needed a bigger total_size, since the routine is inlined
• Impacted almost every phone using that brand of SoC when discovered
Fix:
1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
2. Check total_size before calling copy_from_user

22. Agenda (same as slide 3)

23. Secure Android with Dragon Wings
1. Android Kernel Source: http://www.cyanogenmod.org/
2. Kernel Source Preprocessing: http://llvm.linuxfoundation.org/
3. Apply Clang-Analyzer to Kernel Source: http://clang-analyzer.llvm.org/
4. Review the Clang-Analyzer Report

24. Clang-Analyzer Internals - Overview
Source Code => AST => CallGraph && CFG => Exploded Graph

25. Clang-Analyzer Internals - A Node
• ProgramPoint
  • Execution Location
    • Pre-statement
    • Post-statement
    • Entering a call
    • …
  • Stack Frame
• ProgramState
  • Environment: Expr -> Values
  • Store: Memory Location -> Values
  • GenericDataMap: Constraints on symbolic values

26. Android Kernel Source Preprocessing
• Android ARM Toolchain
  • -target arm-none-linux-gnueabi -gcc-toolchain
• Clang compatibility processing
  • BUILD_BUG_ON
  • sbcccs in __range_ok()
• Checker compatibility processing
  • copy_from_user / copy_to_user etc.
  • remove the "inline" keyword
• Kernel Source Building/Pruning
  • Only care about 3rd party drivers
  • make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
• Actually there is still a lot that can be done...

27. Clang-Analyzer - AST Checker
1. FuncInfo->isStr("remap_pfn_range") ?
2. TheCall->getNumArgs() == 5 ?
3. arg3->isEvaluatable() ?
4. foreach variable in arg3: visit the ASTBody to decide whether it is constrained
5. Are all the variables in arg3 not constrained ?
6. Report the potential bug.
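The six-step AST check on slide 27, as an added example that is not the authors' Clang plugin: a text-level Python approximation run over three constructed mmap handlers (vul_mmap, safe_mmap and fixed_mmap, with their macros, are all hypothetical). It finds remap_pfn_range calls with five arguments, treats an all-uppercase identifier in the size argument as a preprocessor constant (the real checker sees preprocessed code and uses isEvaluatable), and counts a variable as constrained when an earlier single-line if-condition in the same body compares it. Only the handler whose size is never compared is reported, which is the "Add boundary check" fix from slide 13 seen from the checker's side.

```python
import re

# Constructed C source with three hypothetical mmap handlers; the names, macros and
# bodies are made up for this example and are not the audio driver from slide 13.
SAMPLE_SRC = r"""
static int vul_mmap(struct file *f, struct vm_area_struct *vma)
{
    unsigned long size = vma->vm_end - vma->vm_start;
    return remap_pfn_range(vma, vma->vm_start, AUDIO_PFN, size, vma->vm_page_prot);
}

static int safe_mmap(struct file *f, struct vm_area_struct *vma)
{
    unsigned long size = vma->vm_end - vma->vm_start;
    if (size > AUDIO_REGION_SIZE)
        return -EINVAL;
    return remap_pfn_range(vma, vma->vm_start, AUDIO_PFN, size, vma->vm_page_prot);
}

static int fixed_mmap(struct file *f, struct vm_area_struct *vma)
{
    return remap_pfn_range(vma, vma->vm_start, AUDIO_PFN, PAGE_SIZE, vma->vm_page_prot);
}
"""

FUNC_RE = re.compile(r"^static\s+int\s+(\w+)\s*\([^)]*\)\s*\{\n(.*?)\n\}", re.M | re.S)
CALL_RE = re.compile(r"\bremap_pfn_range\s*\(")
COND_RE = re.compile(r"\bif\s*\(([^\n]*)\)")        # single-line conditions only
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*")
CMP_RE = re.compile(r"<|>|==|!=")

def split_args(text, pos):
    """Split the argument list that starts at pos (just after '(') at top-level
    commas; returns (args, index of the closing parenthesis)."""
    depth, start, args = 0, pos, []
    for i in range(pos, len(text)):
        c = text[i]
        if c in "([":
            depth += 1
        elif c in ")]":
            if depth == 0:
                args.append(text[start:i].strip())
                return args, i
            depth -= 1
        elif c == "," and depth == 0:
            args.append(text[start:i].strip())
            start = i + 1
    raise ValueError("unterminated argument list")

def is_constrained(name, body_before_call):
    """Step 4: a variable counts as constrained when an earlier if-condition compares it."""
    for cond in COND_RE.findall(body_before_call):
        if name in IDENT_RE.findall(cond) and CMP_RE.search(cond):
            return True
    return False

def check_source(src):
    """Steps 1-6 from the slide over plain text. Returns [(function, size expression)]."""
    reports = []
    for fm in FUNC_RE.finditer(src):
        fname, body = fm.group(1), fm.group(2)
        for cm in CALL_RE.finditer(body):                          # step 1
            args, _ = split_args(body, cm.end())
            if len(args) != 5:                                     # step 2
                continue
            # Step 3: all-uppercase identifiers are treated as macro constants here;
            # the real checker works on preprocessed code and asks isEvaluatable().
            variables = sorted({v for v in IDENT_RE.findall(args[3]) if not v.isupper()})
            if not variables:
                continue
            if not any(is_constrained(v, body[:cm.start()]) for v in variables):  # steps 4-5
                reports.append((fname, args[3]))                   # step 6
    return reports

if __name__ == "__main__":
    for fname, size_expr in check_source(SAMPLE_SRC):
        print("%s: remap_pfn_range size '%s' is never range-checked" % (fname, size_expr))
```

Run as a script it prints one line for vul_mmap only; safe_mmap passes because its if-condition compares size before the call, and fixed_mmap passes because its size argument has no variable in it. The regexes are a deliberate simplification: nested parentheses in conditions or multi-line if statements would need the real AST walk the slide describes.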
28. Clang-Analyzer - Path-Sensitive Checker
• Sample 1
• Sample 2

29. Clang-Analyzer - Path-Sensitive Checker
• Checker Events
  • checkPreCall / checkPostCall
  • checkLocation
  • checkBind
  • …
• Checker States
  • REGISTER_MAP_WITH_PROGRAMSTATE(ExampleDataType, SymbolRef, int)
  • const int *currentValue = state->get<ExampleDataType>(Sym);  // get() on a map trait returns a pointer, null if the key is absent
  • ProgramStateRef newState = state->set<ExampleDataType>(Sym, newValue);
• Building a Checker in 24 Hours: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf

30. Clang-Analyzer Report - A Real Case

31. Agenda (same as slide 3)

32. Suggestions
• SoC vendors
  • Establish a security response team
  • Build in-house vulnerability research capabilities
  • Acknowledge security researchers
  • Qualcomm security team is great
• Phone manufacturers / ROM makers
  • Keep tracking the latest security advisories from the SoC vendor
  • Audit custom code, involve 3rd parties when needed
  • Hot patching?

33. Thank you
• Contact us
  • Twitter: @K33nteam
  • Email: hr@keencloudtech.com
• And we are HIRING!
  • Vulnerability & exploitation
  • Kernel, app, etc.
• Location
  • Shanghai (HQ)
  • Beijing (Subsidiary)