Native Code Execution Control for Attack Mitigation on Android

Native Code Execution Control for Attack Mitigation
on Android
3rd Annual ACM CCS Workshop on Security and Privacy in Smartphones and
Mobile Devices (SPSM)
Rafael Fedler, Marcel Kulicke, and Julian Schütte, November 8, 2013

Motivation and Teaser
Currently, native code can be downloaded and executed at runtime on
Android devices
Includes (root) exploits
All current root exploits are native code

Allows for adding code after app installation, thus circumventing user
and package manager authority
Should not be possible in our opinion

Any app with Internet access can download and execute root exploits
w/o any hindrance

Our approach: To control local privilege escalation attacks and
malware building upon them, control native code execution

Native Code Execution Control for Attack Mitigation on Android | Rafael Fedler | November 8, 2013 | 1
© Fraunhofer

on Android
Background
Malware on Android
Basic observations: Exploits and native code usage
Native code execution on Android
Approach
Binaries
Libraries
Discussion
Shortcomings
Comparison to other approaches
Conclusion

© Fraunhofer

Malware on Android
Classiﬁcation
Trivial classiﬁcation:
1. Malware using root exploits
2. Malware not using root exploits
For obvious reasons, 1. much more dangerous:
Droppers or disguised, seemingly legitimate apps can silently install
malicious apps from the net, circumventing the package manager and
permission system
If no NAND write protection: Irremovable installation of malicious apps to
/system partition (usually mounted read-only)
Apps installed on /system get access to potentially hazardous
permissions (protection level signatureOrSystem)
Generally, it can do anything and everything; Android’s sandboxing
mechanism no longer applies
© Fraunhofer

Malware on Android
Classiﬁcation (2) & Further problems
Class 2, on the other hand...
Has to trick the user into manually installing malware
Far more limited control over device
Can be uninstalled by user
Trivial conclusion: Root exploits problematic – Cpt. Obvious
Additional problems:
Device vendors’ patch policy
Patches take many months, if supplied at all
End of life for products often < 1.5 years
Consequence: Many devices vulnerable to exploits for very long time

Antivirus software extremely easy to fool
Root exploits downloaded at runtime completely invisible to AV
© Fraunhofer

Exploits and native code usage
Basic observations
1. All current root exploits exclusively implemented as native code
Reasons:
C header ﬁles → ease of development
System call interfaces for privilege escalation
Some creative tricks, e.g., excessive spawning of processes to hit
RLIMIT_NPROC (RageAgainstTheCage)
Flexibility for memory manipulation and system interaction

Currently only as standalone binaries, no libraries

2. Less than 5% of all apps in Google Play Store use native code at all
Mostly libraries, almost no binaries

Our conclusion: Control native code to control exploits, without
affecting most apps at all

© Fraunhofer

Background

Two (ofﬁcial) ways:
1. Binaries
Process, ProcessBuilder, Runtime API classes from within apps
Need to be marked executable beforehand (!)

2. Libraries
System API class: load() and loadLibrary() from within apps
No need to mark executable before executing

3. Inofﬁcial: Load/map machine code into memory space, make instruction
pointer point to beginning of code
Only works from within native code, not from within apps in Dalvik

© Fraunhofer

Background

© Fraunhofer

Background
Advanced malware: Typical chain of actions until infection

1. Initial propagation
Disguised as a legitimate app
Repackaged
Update of legitimate app after hijacking of developer’s account and
signing key
etc.

2. Download of root exploit at runtime, in case it is not shipped with app
package ﬁle
3. Mark exploit executable with chmod
4. Execute root exploit and carry out payload

© Fraunhofer

on Android
Background
Malware on Android
Approach
Binaries
Libraries
Discussion
Shortcomings
Conclusion

© Fraunhofer

Approach
Basic idea

Do not break native code execution, but control what can be executed by
whom
Mandatory or Discretionary (Android permission based) Access Control
solutions possible
Different approaches in the following

© Fraunhofer

Approach
Binaries
Control ability to set the executable bit
No scenario where an app should mark anything executable at runtime
Undermines the system’s & user’s authority over runnable software on
device
Apps should ship all software at install time and not be able to download
& execute code from the net at runtime

−→ default case: disallow setting the executable bit for ﬁles
Exception: directories (different semantics of executable bit)
Checks to be integrated into (f)chmod system call interface in kernel
Could be circumvented if integrated into chmod utility or libc stub by
invoking syscall

No problem for preshipped binaries: ﬁle system image manipulation

© Fraunhofer

Approach
Binaries: Potential exceptions
Problem with last slide’s MAC approach: Device owners want to root, too
Potential MAC or DAC remedies:
1. UID or GID based exceptions
Introduce option into AndroidManifest.xml and let package manager mark
speciﬁed binaries executable + according permission
(would still prevent download & execution at runtime)
Whitelist root (UID 0) and shell (UID 2000) user s.t. they can still mark
binaries as executable → device owners can run root exploits via USB access
Introduce permission for apps to set executable bit & introduce
corresponding GID

2. Permission-based exceptions
Introduce permissions into Process, ProcessBuilder and Runtime
classes’ methods for executing binaries
If dangerous protection level: DAC
If signature or signatureOrSystem protection level: MAC

© Fraunhofer

Approach
Libraries
Controlling binaries alone would trigger a shift to native libraries
Three approaches:
1. Loader- and ﬁlesystem-based
Require executable bit also for libraries & make System.load() and
System.loadLibrary() check for it
Thus, the aforementioned measures for binaries would apply to libraries too

2. Permission-based
Secure the System class with a permission
To be granted by users at installation time
Retains possibility to still play games

3. Path-based
Restrict System.load() and System.loadLibrary() to default
path for preinstalled libraries
Allows developers to still use preshipped libraries, but no own native code

© Fraunhofer

Discussion
Shortcomings

mmap() some code + just jump into it
mmap() can only be called from within native code → initial protection
still provided
Tampering with mmap() at kernel level can break library loading
mechanisms and much more

Return-oriented programming inside preshipped libraries/binaries
Exploits targeting Dalvik not covered

© Fraunhofer

Discussion

SEAndroid: achieves the same (and even more)
Requires extensive policies, not very lightweight, needs conﬁguration

Removing executability of any native code added after device
manufacturing altogether
Our approach obviously more ﬂexible

© Fraunhofer

Discussion
Conclusion

Different levels of strictness and protection possible (MAC or DAC)
Not perfect, but...
lightweight compared to MAC approaches s.a. SEAndroid
no policies required
ﬂexible
Users may (DAC: permission-based) or may not (MAC) grant apps permission
to still run native code
Openness to modiﬁcation retained

All current root exploits would fail
Hurdles of exploitation strongly increased
95% of apps not affected at all as they do not run native code

© Fraunhofer

Contact Information
Rafael Fedler, Marcel Kulicke, and Julian Schütte
Group Mobile Security
Department Service & Application Security
Fraunhofer Research Institution for
Applied and Integrated Security (AISEC)
Address: Parkring 4
85748 Garching (near Munich)
Germany
Internet: http://www.aisec.fraunhofer.de
Phone:
Fax:
E-Mail:

+49 89 3229986-173
+49 89 3229986-299
rafael.fedler@aisec.fraunhofer.de

© Fraunhofer

Native Code Execution Control for Attack Mitigation on Android

More Related Content

What's hot

Similar to Native Code Execution Control for Attack Mitigation on Android

More from Fraunhofer AISEC

Recently uploaded

Native Code Execution Control for Attack Mitigation on Android