Digging for Android
Kernel Bugs
James Fang, Sen Nie
About us
• Keen Team
• Pwn2Own Mobile 2013
• Pwn2Own 2014, 2015
• 0ops and Blue-Lotus members
• Multiple CVEs affecting major SoC solutions
• Also contribute root tools to the community for fun
• Huawei Ascend Mate 7
• User-mode exploit of giefroot (by zxz0O0)
Agenda
• Binary Analysis
• Benefits
• Disassembling kernel
• Fuzzing
• Case study
• Suggestions
• SoC vendors
• Phone/ROM mgfr
• Source Analysis
• Tools and methods
• Analyzer internals
• Case study
Kernel. Kernel always changes
Benefits of Binary Kernel
• Exact piece of code running on actual devices
• Critical security features
• …with many options
• SEAndroid
• TIMA, etc
• Offset, offset, offset…
• Important for constructing args
• Fuzzing
Preparing Kernel
1. Extract zImage
2. Decompress zImage
3. Flat, plain binary
• Code + Data
• No structure
IDA’s best guess ==>
Preparing Kernel
• Solution: IDA loader
1. Extract address table
• Also determine arch by address length (64 or 32)
2. Extract (compressed) symbol name table
3. Create symbols
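The three loader steps above, worked through as an added example in C (this is not the talk's IDA loader, which is not on the page). It decodes a kallsyms-style region the way a loader for a flat, decompressed kernel image would: the address table is read with a width guessed from whether it parses as a sorted run of 32-bit or 64-bit kernel virtual addresses (a heuristic assumed here, not taken from the slides), and the compressed name table is expanded with the token table and token index exactly as the kernel's own kallsyms_expand_symbol does. All bytes below (token table, names, addresses, the symbol names themselves) are constructed for the demo; a real kernel has 256 tokens and thousands of symbols.

```c
/* Added example: decoding a kallsyms-style symbol table from a flat kernel
 * image. All tables here are constructed for the demo, not from a real zImage. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 64
#define MAX_NAME 128

struct ksym {
    uint64_t addr;
    char type;            /* kallsyms symbol type letter: 'T', 't', 'D', ... */
    char name[MAX_NAME];
};

/* Constructed kallsyms_token_table: NUL-terminated tokens back to back. */
static const char token_table[] = "Tstart\0_kernel\0Tcopy_\0from_user\0tvul_\0mmap\0";
/* Constructed kallsyms_token_index: byte offset of each token in token_table. */
static const uint16_t token_index[] = { 0, 7, 15, 22, 32, 38 };
/* Constructed kallsyms_names: <len><token idx>... for each symbol. */
static const uint8_t names[] = { 2, 0, 1,  2, 2, 3,  2, 4, 5 };
static const size_t kallsyms_num_syms = 3;

/* Constructed 32-bit kallsyms_addresses (little-endian), sorted ascending. */
static const uint8_t addrs32[] = {
    0x00, 0x80, 0x00, 0xC0,   /* 0xC0008000 */
    0x00, 0x00, 0x15, 0xC0,   /* 0xC0150000 */
    0xE4, 0xAC, 0x59, 0xC0,   /* 0xC059ACE4 */
};
/* The same three symbols in a constructed 64-bit (arm64-style) table. */
static const uint8_t addrs64[] = {
    0x00, 0x00, 0x08, 0x00, 0xC0, 0xFF, 0xFF, 0xFF,   /* 0xFFFFFFC000080000 */
    0x00, 0x00, 0x15, 0x00, 0xC0, 0xFF, 0xFF, 0xFF,   /* 0xFFFFFFC000150000 */
    0xE4, 0xAC, 0x59, 0x00, 0xC0, 0xFF, 0xFF, 0xFF,   /* 0xFFFFFFC00059ACE4 */
};
static struct ksym g_syms[MAX_SYMS];

static uint64_t rd_le(const uint8_t *p, int width) {
    uint64_t v = 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Heuristic (an assumption of this example): a genuine address table is a
 * sorted run of kernel VAs. Try 4-byte entries first; they must all be in the
 * ARM32 kernel range and non-decreasing. A 64-bit table read as 32-bit words
 * alternates low/high halves and fails that test, so it is re-read as 8-byte
 * entries, which must share one high half and be non-decreasing. */
static int guess_addr_width(const uint8_t *buf, size_t n) {
    int ok = 1;
    for (size_t i = 0; i < n && ok; i++) {
        uint64_t v = rd_le(buf + 4 * i, 4);
        if (v < 0xC0000000ULL) ok = 0;
        if (i > 0 && v < rd_le(buf + 4 * (i - 1), 4)) ok = 0;
    }
    if (ok) return 4;
    ok = 1;
    for (size_t i = 0; i < n && ok; i++) {
        uint64_t v = rd_le(buf + 8 * i, 8);
        if ((v >> 32) != (rd_le(buf, 8) >> 32)) ok = 0;
        if (i > 0 && v < rd_le(buf + 8 * (i - 1), 8)) ok = 0;
    }
    return ok ? 8 : 0;
}

/* Same logic as the kernel's kallsyms_expand_symbol(): a length byte, then one
 * token index per byte. The first character of the first token is the symbol
 * type and is not part of the name. Returns the number of bytes consumed. */
static size_t expand_symbol(const uint8_t *data, struct ksym *out) {
    size_t len = data[0], used = 1 + len, n = 0;
    int first = 1;
    data++;
    while (len--) {
        const char *t = token_table + token_index[*data++];
        for (; *t; t++) {
            if (first) { out->type = *t; first = 0; }
            else if (n + 1 < MAX_NAME) out->name[n++] = *t;
        }
    }
    out->name[n] = '\0';
    return used;
}

/* Steps 1-3 of the loader: read n addresses, expand n names, pair them up.
 * Returns the number of symbols decoded, 0 if the table is not recognised. */
static size_t decode_table(const uint8_t *addr_tab, size_t n) {
    const uint8_t *p = names;
    int width;
    if (n > kallsyms_num_syms || n > MAX_SYMS) return 0;
    width = guess_addr_width(addr_tab, n);
    if (width == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        g_syms[i].addr = rd_le(addr_tab + (size_t)width * i, width);
        p += expand_symbol(p, &g_syms[i]);
    }
    return n;
}

static const struct ksym *sym_at(size_t i) { return &g_syms[i]; }

int main(void) {
    size_t n = decode_table(addrs32, kallsyms_num_syms);
    printf("%d-byte addresses, %zu symbols\n", guess_addr_width(addrs32, kallsyms_num_syms), n);
    for (size_t i = 0; i < n; i++)
        printf("%016llx %c %s\n", (unsigned long long)sym_at(i)->addr, sym_at(i)->type, sym_at(i)->name);
    return 0;
}
```

In a real image the tables still have to be located first; the usual trick is to search for the long sorted run of words that guess_addr_width accepts, then walk forward to kallsyms_num_syms, the names, and the token tables.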
Fuzzing Targets (1) - mmap
• Call mmap on dev fd
• Create VA => PA mapping in user space
• Boundary check?
• remap_pfn_range
• Fixed or variable start
• PA overlapping
• Long lasting…
• Framaroot (2013)
• Mate 7 root (2015)
Case Study – audio drv mmap overflow
seg000:C059ACE4 vul_mmap
seg000:C059ACE4
seg000:C059ACE4 var_14 = -0x14
seg000:C059ACE4
seg000:C059ACE4 MOV R12, SP
seg000:C059ACE8 STMFD SP!, {R11,R12,LR,PC}
seg000:C059ACEC SUB R11, R12, #4
seg000:C059ACF0 SUB SP, SP, #8
seg000:C059ACF4 LDR R2, =(dword_C0048C38 - 0xC059AD0C)
seg000:C059ACF8 MOV R3, R1
seg000:C059ACFC LDR R12, =(unk_C0047244 - 0xC059AD14)
seg000:C059AD00 MOV R0, R1
seg000:C059AD04 LDR R2, [PC,R2] ; dword_C0048C38
seg000:C059AD08 LDR R1, [R1,#4] <== start
seg000:C059AD0C LDR R12, [PC,R12] ; unk_C0047244
seg000:C059AD10 LDR R3, [R3,#8] <== end
seg000:C059AD14 LDR R2, [R2]
seg000:C059AD18 LDR R12, [R12]
seg000:C059AD1C RSB R3, R1, R3
seg000:C059AD20 MOV R2, R2,LSR#12
seg000:C059AD24 ORR R12, R12, #0x300
seg000:C059AD28 STR R12, [SP,#0x14+var_14]
seg000:C059AD2C BL remap_pfn_range
int remap_pfn_range(
struct vm_area_struct *vma,
unsigned long virt_addr,
unsigned long pfn,
unsigned long size,
pgprot_t prot
);
pfn: constant, before kernel code
size: overflow, covers code and data
Fix:
1. Restrict ACL on devfs node (666 -> 600)
2. Add boundary check
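The boundary check from fix #2, shown as an added example rather than the vendor's patch (which is not on the page). The vulnerable handler mirrors the listing above: size is vm_end - vm_start straight from the caller's mmap length, the pfn is a constant, and the prot value 0x300 is the one the listing ORs in. The fixed handler refuses any request whose page offset plus length leaves the device window. The kernel API is faked with a minimal struct and a recording remap_pfn_range() so the check runs in user space; the 16-page device window, the field subset of vm_area_struct and all function names are assumptions of the example.

```c
/* Added example: the mmap boundary check, with a user-space fake of the
 * kernel API. Device window size and struct layout are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Only the fields the handler touches; the real struct is far larger. */
struct vm_area_struct {
    unsigned long vm_start;   /* first user VA of the mapping */
    unsigned long vm_end;     /* one past the last user VA */
    unsigned long vm_pgoff;   /* page offset the caller passed to mmap() */
};

/* Constructed device: a fixed physical window of 16 pages. */
#define DEV_PHYS_BASE 0x10000000UL
#define DEV_PHYS_SIZE (16 * PAGE_SIZE)

/* Fake remap_pfn_range(): records what a real one would have mapped.
 * prot is an unsigned long here instead of pgprot_t. */
static unsigned long last_pfn, last_size;
static int remap_pfn_range(struct vm_area_struct *vma, unsigned long addr,
                           unsigned long pfn, unsigned long size, unsigned long prot) {
    (void)vma; (void)addr; (void)prot;
    last_pfn = pfn;
    last_size = size;
    return 0;
}

/* Vulnerable shape from the listing: size comes straight from the caller's
 * mapping length, pfn is constant, nothing is compared against the window.
 * A length larger than the window maps whatever physical memory follows it. */
static int vul_mmap(struct vm_area_struct *vma) {
    unsigned long size = vma->vm_end - vma->vm_start;
    return remap_pfn_range(vma, vma->vm_start, DEV_PHYS_BASE >> PAGE_SHIFT, size, 0x300);
}

/* Fixed shape: page-granular request, offset inside the window, and
 * offset + length inside the window with no wrap-around. */
static int fixed_mmap(struct vm_area_struct *vma) {
    unsigned long size = vma->vm_end - vma->vm_start;
    unsigned long max_pages = DEV_PHYS_SIZE >> PAGE_SHIFT;
    unsigned long pages = size >> PAGE_SHIFT;

    if (vma->vm_end < vma->vm_start || (size & (PAGE_SIZE - 1)) != 0)
        return -EINVAL;
    if (vma->vm_pgoff >= max_pages || pages > max_pages - vma->vm_pgoff)
        return -EINVAL;
    return remap_pfn_range(vma, vma->vm_start,
                           (DEV_PHYS_BASE >> PAGE_SHIFT) + vma->vm_pgoff, size, 0x300);
}

/* Run one request through a handler. Returns the number of bytes the handler
 * asked remap_pfn_range() to map, or 0 when the request was refused. */
static unsigned long mapped_bytes(int (*handler)(struct vm_area_struct *),
                                  unsigned long len, unsigned long pgoff) {
    struct vm_area_struct vma = { 0x40000000UL, 0x40000000UL + len, pgoff };
    last_size = 0;
    return handler(&vma) == 0 ? last_size : 0;
}

int main(void) {
    unsigned long big = 64 * PAGE_SIZE;   /* four times the device window */
    printf("vulnerable handler maps %lu bytes for a %lu-byte request\n",
           mapped_bytes(vul_mmap, big, 0), big);
    printf("fixed handler maps %lu bytes for the same request\n",
           mapped_bytes(fixed_mmap, big, 0));
    printf("fixed handler maps %lu bytes for 4 pages at page offset 2\n",
           mapped_bytes(fixed_mmap, 4 * PAGE_SIZE, 2));
    return 0;
}
```

The subtraction form `pages > max_pages - vma->vm_pgoff` is deliberate: adding `vm_pgoff + pages` first and comparing the sum can wrap on a hostile offset, which is the same class of mistake as the missing check.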
Fuzzing Targets (2) - ioctl
• Manipulate underlying device params
• ioctl(fd, cmd, args)
• File descriptor
• Command
• Arguments
• Problem: missing spec document
Fuzzing Targets (2) - ioctl
• Command code
• Specify request type
• Differs from device to device
• Coverage!!!
• Argument
• Structure pointer
• Length, type, etc…
• Digging from binary
Hex-Rays Decompiler
• Assembly => Pseudo C
• API interface:
• AST: ctree
• Nodes: citem_t
• 80+ types of node
• 9 types commonly used
enum ctype_t
{
  cot_asg    = 2,  ///< x = y
  cot_add    = 35, ///< x + y
  cot_sub    = 36, ///< x - y
  cot_cast   = 48, ///< (type)x
  cot_ptr    = 51, ///< *x, access size in 'ptrsize'
  cot_call   = 57, ///< x(...)
  cot_idx    = 58, ///< x[y]
  cot_memref = 59, ///< x.m
  cot_memptr = 60, ///< x->m, access size in 'ptrsize'
};
Variable Propagation
• Lack of optimization
• Semi-SSA pseudo code
• int xxx_ioctl(a1, a2, a3)
• a1: fd
• a2: ioctl command
• a3: arg
• We need to track both a2 and a3
Variable Propagation
• Propagation rules
• cot_asg nodes
• Straightforward
• Affecting both cmd and arg
• cot_call nodes
• Kernel specific
• copy_from/to_user
• memcpy
• Affecting arg only
Variable Propagation
• Inter-procedure propagation
• copy_from/to_user is a special case
• memcpy
• For the non-special case, decompile the sub-routine recursively and continue propagation there
https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c
Type Re-construction
• cot_add & cot_sub
• Operands that variable propagation traces back to a3
• Offset can be calculated
• Length can be assumed (accurately)
• Handling inter-procedure scenarios
• Just like variable propagation
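The propagation rules and the offset recovery from the three slides above, worked through as an added example (this is not the talk's analyzer, which ran inside Hex-Rays; nothing here calls the IDA API). A tiny ctree stand-in with the cot_* kinds the slides name is built by hand for a constructed handler int xxx_ioctl(a1, a2, a3); the pass then applies the rules in order: cot_asg copies the alias, cot_cast is transparent, cot_add/cot_sub with a constant adjusts the offset, every cot_ptr on a tracked pointer yields a (base, offset, size) field, and a copy_from_user/memcpy whose source is tracked both records the copied range and turns the destination into a new base. The handler, the variable numbering and the field table are all assumptions of the example.

```c
/* Added example: variable propagation and offset recovery over a hand-built
 * ctree. Node kinds are named after the Hex-Rays types they stand in for. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ctype { cot_asg, cot_add, cot_sub, cot_cast, cot_ptr, cot_call, cot_var, cot_num };

struct citem {
    enum ctype op;
    int var;                 /* cot_var: a1=1, a2=2, a3=3, locals from 4 */
    long num;                /* cot_num: constant; cot_ptr: access size */
    const char *callee;      /* cot_call: function name */
    struct citem *x, *y;     /* operands */
    struct citem *arg[3];    /* cot_call: dst, src, len */
};

static struct citem *mk(enum ctype op) {
    struct citem *n = calloc(1, sizeof *n);
    if (!n) exit(1);
    n->op = op;
    return n;
}
static struct citem *V(int id) { struct citem *n = mk(cot_var); n->var = id; return n; }
static struct citem *N(long k) { struct citem *n = mk(cot_num); n->num = k; return n; }
static struct citem *BIN(enum ctype op, struct citem *x, struct citem *y) {
    struct citem *n = mk(op); n->x = x; n->y = y; return n;
}
static struct citem *CAST(struct citem *x) { return BIN(cot_cast, x, NULL); }
static struct citem *PTR(struct citem *x, long size) { struct citem *n = BIN(cot_ptr, x, NULL); n->num = size; return n; }
static struct citem *CALL(const char *f, struct citem *a, struct citem *b, struct citem *c) {
    struct citem *n = mk(cot_call); n->callee = f; n->arg[0] = a; n->arg[1] = b; n->arg[2] = c; return n;
}

#define MAX_VARS 16
/* Propagation state: root[v] is the base pointer variable v aliases (-1: none),
 * delta[v] the constant byte offset from that base. a3 is its own base. */
static int root[MAX_VARS];
static long delta[MAX_VARS];

/* Recovered accesses: (base, offset, size) triples, i.e. the reconstructed type. */
struct field { int root; long off, size; };
static struct field fields[32];
static int nfields;

static void record(int r, long off, long size) {
    if (nfields < 32) { fields[nfields].root = r; fields[nfields].off = off; fields[nfields].size = size; nfields++; }
}

/* Express e as base + constant if the rules allow it (var, cast, add/sub by a constant). */
static int resolve(const struct citem *e, int *r, long *off) {
    if (!e) return 0;
    switch (e->op) {
    case cot_var:  if (root[e->var] < 0) return 0; *r = root[e->var]; *off = delta[e->var]; return 1;
    case cot_cast: return resolve(e->x, r, off);
    case cot_add: case cot_sub:
        if (!e->y || e->y->op != cot_num || !resolve(e->x, r, off)) return 0;
        *off += (e->op == cot_add) ? e->y->num : -e->y->num;
        return 1;
    default: return 0;
    }
}

/* Every dereference of a tracked pointer anywhere in the statement is a field. */
static void scan(const struct citem *e) {
    int r; long off;
    if (!e) return;
    if (e->op == cot_ptr && resolve(e->x, &r, &off)) record(r, off, e->num);
    scan(e->x); scan(e->y);
    for (int i = 0; i < 3; i++) scan(e->arg[i]);
}

/* Apply the propagation rules to one statement, in program order. */
static void process(const struct citem *s) {
    int r; long off;
    scan(s);
    if (s->op == cot_asg && s->x->op == cot_var) {
        if (resolve(s->y, &r, &off)) { root[s->x->var] = r; delta[s->x->var] = off; }
        else root[s->x->var] = -1;                  /* a value, not a pointer into the arg */
    } else if (s->op == cot_call && s->callee &&
               (!strcmp(s->callee, "copy_from_user") || !strcmp(s->callee, "memcpy")) &&
               s->arg[2] && s->arg[2]->op == cot_num && resolve(s->arg[1], &r, &off)) {
        record(r, off, s->arg[2]->num);             /* the copied range is a field of the arg */
        if (s->arg[0]->op == cot_var) {             /* dst now holds user data: a base of its own */
            root[s->arg[0]->var] = s->arg[0]->var;
            delta[s->arg[0]->var] = 0;
        }
    }
}

/* Constructed ctree for int xxx_ioctl(a1, a2, a3). Returns the number of fields found. */
static int analyze(void) {
    struct citem *stmts[] = {
        BIN(cot_asg, V(4), V(3)),                                   /* v4 = a3; */
        BIN(cot_asg, V(5), CAST(V(4))),                             /* v5 = (int *)v4; */
        BIN(cot_asg, V(6), PTR(BIN(cot_add, V(5), N(8)), 4)),       /* v6 = *(int *)(v5 + 8); */
        CALL("copy_from_user", V(7), BIN(cot_add, V(4), N(16)), N(25)), /* copy_from_user(v7, v4 + 16, 25); */
        BIN(cot_asg, V(8), PTR(BIN(cot_add, V(7), N(4)), 4)),       /* v8 = *(int *)(v7 + 4); */
        BIN(cot_asg, V(9), PTR(BIN(cot_sub, V(2), N(1)), 4)),       /* v9 = *(int *)(a2 - 1); a2 is cmd, untracked */
    };
    nfields = 0;
    for (int i = 0; i < MAX_VARS; i++) root[i] = -1;
    root[3] = 3; delta[3] = 0;
    for (size_t i = 0; i < sizeof stmts / sizeof *stmts; i++) process(stmts[i]);
    return nfields;
}

int main(void) {
    int n = analyze();
    for (int i = 0; i < n; i++)
        printf("base v%d  offset %ld  size %ld\n", fields[i].root, fields[i].off, fields[i].size);
    return 0;
}
```

The output is the reconstructed layout: a3 has a 4-byte field at +8 and a 25-byte region at +16, and the buffer copied from that region (v7) is itself read at +4. The inter-procedure case from the slides is the same pass run on the callee's tree with its parameter bound to the caller's (base, offset) pair instead of to a3.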
Case Study – sdcard driver
static int simple_mmc_erase_partition_wrap(
    struct msdc_ioctl *msdc_ctl
)
{
    unsigned char name[25];
    if (copy_from_user(
            name,
            (unsigned char *)msdc_ctl->buffer,
            msdc_ctl->total_size
        ))
        return -EFAULT;
    return simple_mmc_erase_partition(name);
}

static int vulnerable_func(struct vul_ioctl *vul_ctl)
{
    unsigned char name[25];
    if (copy_from_user(name,
            (unsigned char *)vul_ctl->buffer,
            vul_ctl->total_size        <== overflows the char name[] array
        ))
        return -EFAULT;
    return other_func(name);
}
- Discovered by constructing an illegal total_size value
- Actually needed a bigger total_size, because the routine is inlined
- Impacted almost every phone using that brand of SoC when discovered
Fix:
1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
2. Check total_size before calling copy_from_user
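Fix #2 and the ioctl anatomy from the "Fuzzing Targets (2)" slides, as an added example that is not the MediaTek driver or the talk's code. The handler is rebuilt in user space: copy_from_user() is faked (like the real one it checks the source range, never the destination size), and a 64-byte array stands in for the stack frame so the effect of total_size can be measured instead of corrupting the real stack. The dispatcher decodes the command code the way the kernel's _IOC_* macros do, which is what a fuzzer or analyzer needs to know what the argument is; the point of the case study is that the size in the command code describes the struct, while the length inside the struct is the part the driver must check itself. struct vul_ioctl, the 25-byte name[] and the check before copy_from_user follow the slides; the ioctl number, FRAME_LEN and the 0xAA fill are constructed.

```c
/* Added example: the ioctl size check, with a fake copy_from_user() and a byte
 * array standing in for the stack frame. Ioctl number and sizes are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Linux ioctl command layout (asm-generic/ioctl.h): nr:8 | type:8 | size:14 | dir:2 */
#define _IOC_NRSHIFT   0
#define _IOC_TYPESHIFT 8
#define _IOC_SIZESHIFT 16
#define _IOC_DIRSHIFT  30
#define _IOC_WRITE     1U
#define _IOC(dir, type, nr, size) \
    (((dir) << _IOC_DIRSHIFT) | ((unsigned)(type) << _IOC_TYPESHIFT) | \
     ((unsigned)(nr) << _IOC_NRSHIFT) | ((unsigned)(size) << _IOC_SIZESHIFT))
#define _IOW(type, nr, t) _IOC(_IOC_WRITE, (type), (nr), sizeof(t))
#define _IOC_DIR(c)  (((c) >> _IOC_DIRSHIFT) & 3U)
#define _IOC_TYPE(c) (((c) >> _IOC_TYPESHIFT) & 0xFFU)
#define _IOC_NR(c)   (((c) >> _IOC_NRSHIFT) & 0xFFU)
#define _IOC_SIZE(c) (((c) >> _IOC_SIZESHIFT) & 0x3FFFU)

struct vul_ioctl {
    uint32_t opcode;
    uint32_t total_size;   /* user-controlled length of *buffer */
    void    *buffer;       /* user-controlled pointer */
};
#define VUL_IOC_ERASE _IOW('V', 1, struct vul_ioctl)   /* constructed command code */
#define NAME_LEN  25
#define FRAME_LEN 64

/* Stand-in for the driver's stack frame: name[] is the first NAME_LEN bytes,
 * the rest represents whatever the compiler placed after it. */
static unsigned char frame[FRAME_LEN];
static void reset_frame(void) { memset(frame, 0xAA, sizeof frame); }
/* Bytes past name[] overwritten by the last handler call. */
static int clobbered_bytes(void) {
    int n = 0;
    for (int i = NAME_LEN; i < FRAME_LEN; i++) if (frame[i] != 0xAA) n++;
    return n;
}

/* Fake copy_from_user(): the real one only validates the user-side range;
 * it has no idea how big dst is. Returns 0 on success, bytes not copied otherwise. */
static unsigned long copy_from_user(void *dst, const void *src, unsigned long n) {
    if (src == NULL || n > FRAME_LEN) return n;   /* treated as a bad user range */
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable shape from the case study: total_size goes straight into the
 * copy length while the destination is a fixed 25-byte array. */
static int vulnerable_func(struct vul_ioctl *ctl) {
    unsigned char *name = frame;   /* unsigned char name[25]; in the driver */
    if (copy_from_user(name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    return 0;
}

/* Fixed shape (fix #2): bound the length by the destination before copying,
 * and terminate the name so later string handling cannot run past it either. */
static int fixed_func(struct vul_ioctl *ctl) {
    unsigned char *name = frame;
    if (ctl->total_size == 0 || ctl->total_size > NAME_LEN)
        return -EINVAL;
    if (copy_from_user(name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    name[ctl->total_size - 1] = '\0';
    return 0;
}

/* Dispatcher: the command code declares the argument's direction, type and
 * size; the length field inside the argument is the driver's own problem. */
static int dev_ioctl(unsigned cmd, struct vul_ioctl *arg, int (*handler)(struct vul_ioctl *)) {
    if (_IOC_TYPE(cmd) != 'V') return -ENOTTY;
    if (_IOC_DIR(cmd) != _IOC_WRITE || _IOC_SIZE(cmd) != sizeof *arg) return -EINVAL;
    if (_IOC_NR(cmd) != 1) return -ENOTTY;
    reset_frame();
    return handler(arg);
}

/* Send one request of len bytes of 'A' through a handler; returns its result. */
static int send_request(unsigned len, int (*handler)(struct vul_ioctl *)) {
    static unsigned char payload[FRAME_LEN];
    struct vul_ioctl req;
    memset(payload, 'A', sizeof payload);
    req.opcode = 1; req.total_size = len; req.buffer = payload;
    return dev_ioctl(VUL_IOC_ERASE, &req, handler);
}

int main(void) {
    int rc = send_request(40, vulnerable_func);
    printf("vulnerable: rc=%d, %d bytes written past name[]\n", rc, clobbered_bytes());
    rc = send_request(40, fixed_func);
    printf("fixed:      rc=%d, %d bytes written past name[]\n", rc, clobbered_bytes());
    rc = send_request(10, fixed_func);
    printf("fixed, in-range: rc=%d, name=\"%s\"\n", rc, (char *)frame);
    return 0;
}
```

The same request that the dispatcher accepts as well-formed (right type, direction and struct size) is the one that overruns name[] in the vulnerable handler, which is why checking total_size in the handler itself, not only at the ioctl layer, is the fix.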
Secure Android with Dragon Wings
1. Android Kernel Source
• http://www.cyanogenmod.org/
2. Kernel Source Preprocessing
• http://llvm.linuxfoundation.org/
3. Apply Clang-Analyzer to Kernel Source
• http://clang-analyzer.llvm.org/
4. Review the Clang-Analyzer Report
Clang-Analyzer Internals - Overview
Source Code => AST => CallGraph && CFG => Exploded Graph
Clang-Analyzer Internals - A Node
ProgramPoint
• Execution Location
• Pre-statement
• Post-statement
• Entering a call
• …
• Stack Frame
ProgramState
• Environment
• Expr -> Values
• Store
• Memory Location -> Values
• GenericDataMap
• Constraints on symbolic values
Android Kernel Source Preprocessing
• Android ARM Toolchain
• -target arm-none-linux-gnueabi -gcc-toolchain
• Clang compatibility processing
• BUILD_BUG_ON
• sbcccs in __range_ok()
• Checker compatibility processing
• copy_from_user / copy_to_user etc.
• remove the "inline" keyword
• Kernel Source Building/Pruning
• only care about 3rd party drivers
• make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
• Actually there is still a lot that can be done...
Clang-Analyzer - AST Checker
1. FuncInfo->isStr("remap_pfn_range") ?
2. TheCall->getNumArgs() == 5 ?
3. arg3->isEvaluatable() ?
4. foreach variable in arg3: visit the AST body to decide whether it is constrained
5. Are all the variables in arg3 not constrained ?
6. Report the potential bug
Clang-Analyzer - Path-Sensitive Checker
(figures: Sample 1, Sample 2)
Clang-Analyzer - Path-Sensitive Checker
• Checker Events
• checkPreCall / checkPostCall
• checkLocation
• checkBind
• …
• Checker States
• REGISTER_MAP_WITH_PROGRAMSTATE(ExampleDataType, SymbolRef, int)
• int currentValue = state->get<ExampleDataType>(Sym);
• ProgramStateRef newState = state->set<ExampleDataType>(Sym, newValue);
Building a Checker in 24 Hours: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf
Clang-Analyzer Report - A Real Case
Suggestions
• SoC vendors
• Establish security response team
• Build in-house vulnerability research capabilities
• Acknowledge security researchers
• Qualcomm security team is great 
• Phone manufacturers / ROM makers
• Keep tracking latest security advisories from SoC vendor
• Audit custom code, involve 3rd party when needed
• Hot patching?
• Contact us
• Twitter: @K33nteam
• Email: hr@keencloudtech.com
Thank you
• And we are HIRING!
• Vulnerability & exploitation
• Kernel, app, etc
• Location
• Shanghai (HQ)
• Beijing (Subsidiary)

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 

Digging for Android Kernel Bugs

  • 1. Digging for Android Kernel Bugs James Fang, Sen Nie
  • 2. About us • Keen Team • Pwn2Own Mobile 2013 • Pwn2Own 2014, 2015 • 0ops and Blue-Lotus members • Multiple CVE affecting major SoC solutions • Also contribute root tools to community for fun  • Huawei Ascend Mate 7 • User-mode exp of giefroot (by zxz0O0)
  • 3. Agenda • Binary Analysis • Benefits • Disassembling kernel • Fuzzing • Case study • Suggestions • SoC vendors • Phone/ROM mgfr • Source Analysis • Tools and methods • Analyzer internals • Case study
  • 4. Agenda • Binary Analysis • Benefits • Disassembling kernel • Fuzzing • Case study • Suggestions • SoC vendors • Phone/ROM mgfr • Source Analysis • Tools and methods • Analyzer internals • Case study
  • 6. Kernel. Kernel always changes ---
  • 7. Kernel. Kernel always changes ---
  • 9. Benefits of Binary Kernel
    • Exact piece of code running on actual devices
    • Critical security features
      • …with many options
      • SEAndroid
      • TIMA, etc
    • Offset, offset, offset…
      • Important for constructing args
      • Fuzzing
  • 10. Preparing Kernel
    1. Extract zImage
    2. Decompress zImage
    3. Flat, plain binary
      • Code + Data
      • No structure
    IDA’s best guess ==>
  • 11. Preparing Kernel
    • Solution: IDA loader
      1. Extract address table
        • Also determine arch by address length (64 or 32)
      2. Extract (compressed) symbol name table
      3. Create symbols
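Step 2 of the loader above depends on the kernel's compressed kallsyms name table. The following is an added example, not the speakers' IDA loader: it expands such a table the way the kernel's own kallsyms_expand_symbol() does (one length byte per entry, each byte an index into kallsyms_token_index, the first expanded character being the symbol type) and pairs the names with kallsyms_addresses. The table offsets are assumed to be already located, and all bytes below are constructed sample data.

```python
import struct

def build_token_tables(tokens):
    """CONSTRUCTED kallsyms_token_table / kallsyms_token_index (256 x u16)."""
    table, index = b"", []
    for tok in tokens:
        index.append(len(table))
        table += tok.encode() + b"\0"
    index += [0] * (256 - len(index))          # unused byte values
    return table, struct.pack("<256H", *index)

def token(token_table, token_index, byte_value):
    """Map one compressed byte to its token via kallsyms_token_index."""
    off = struct.unpack_from("<H", token_index, 2 * byte_value)[0]
    return token_table[off:token_table.index(b"\0", off)].decode()

def expand_names(names, token_table, token_index, num_syms):
    """Walk kallsyms_names: each entry is <len><len token bytes>; the first
    expanded character is the symbol type (T/t/d/...), the rest the name."""
    out, pos = [], 0
    for _ in range(num_syms):
        length, pos = names[pos], pos + 1
        text = "".join(token(token_table, token_index, b)
                       for b in names[pos:pos + length])
        pos += length
        out.append((text[0], text[1:]))
    return out

def load_symbols(addresses, names, token_table, token_index, word_size=4):
    """Pair kallsyms_addresses with the expanded names. word_size is what the
    slide's address-length check yields: 4 for ARM32, 8 for ARM64."""
    fmt = "<I" if word_size == 4 else "<Q"
    num_syms = len(addresses) // word_size
    addrs = [struct.unpack_from(fmt, addresses, i * word_size)[0]
             for i in range(num_syms)]
    syms = expand_names(names, token_table, token_index, num_syms)
    return {name: (typ, addr) for addr, (typ, name) in zip(addrs, syms)}

# CONSTRUCTED sample tables: three symbols compressed with eight tokens.
TOKENS = ["T", "t", "d", "vul_", "mmap", "remap_", "pfn_range", "audio"]
TOKEN_TABLE, TOKEN_INDEX = build_token_tables(TOKENS)
NAMES = bytes([3, 0, 3, 4,      # "T" + "vul_" + "mmap"
               3, 1, 5, 6,      # "t" + "remap_" + "pfn_range"
               2, 2, 7])        # "d" + "audio"
ADDRESSES = struct.pack("<3I", 0xC059ACE4, 0xC0123450, 0xC0A00000)

def demo():
    """Symbol dict a loader would turn into IDA names: {name: (type, addr)}."""
    return load_symbols(ADDRESSES, NAMES, TOKEN_TABLE, TOKEN_INDEX)
```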
  • 12. Fuzzing Targets (1) - mmap
    • Call mmap on dev fd
      • Create VA => PA mapping in user space
    • Boundary check?
      • remap_pfn_range
      • Fixed or variable start
      • PA overlapping
    • Long lasting…
      • Framaroot (2013)
      • Mate 7 root (2015)
  • 13. Case Study – audio drv mmap overflow

    seg000:C059ACE4 vul_mmap
    seg000:C059ACE4
    seg000:C059ACE4 var_14 = -0x14
    seg000:C059ACE4
    seg000:C059ACE4     MOV     R12, SP
    seg000:C059ACE8     STMFD   SP!, {R11,R12,LR,PC}
    seg000:C059ACEC     SUB     R11, R12, #4
    seg000:C059ACF0     SUB     SP, SP, #8
    seg000:C059ACF4     LDR     R2, =(dword_C0048C38 - 0xC059AD0C)
    seg000:C059ACF8     MOV     R3, R1
    seg000:C059ACFC     LDR     R12, =(unk_C0047244 - 0xC059AD14)
    seg000:C059AD00     MOV     R0, R1
    seg000:C059AD04     LDR     R2, [PC,R2]      ; dword_C0048C38
    seg000:C059AD08     LDR     R1, [R1,#4]      ; <== start
    seg000:C059AD0C     LDR     R12, [PC,R12]    ; unk_C0047244
    seg000:C059AD10     LDR     R3, [R3,#8]      ; <== end
    seg000:C059AD14     LDR     R2, [R2]
    seg000:C059AD18     LDR     R12, [R12]
    seg000:C059AD1C     RSB     R3, R1, R3
    seg000:C059AD20     MOV     R2, R2,LSR#12
    seg000:C059AD24     ORR     R12, R12, #0x300
    seg000:C059AD28     STR     R12, [SP,#0x14+var_14]
    seg000:C059AD2C     BL      remap_pfn_range

    int remap_pfn_range(struct vm_area_struct *vma, unsigned long virt_addr,
                        unsigned long pfn, unsigned long size, pgprot_t prot);

    • pfn: constant, located before kernel code
    • size: overflow, covers code and data
    Fix:
    1. Restrict ACL on devfs node (666 -> 600)
    2. Add boundary check
  • 14. Fuzzing Targets (2) - ioctl
    • Manipulate underlying device params.
    • ioctl(fd, cmd, args)
      • File descriptor
      • Command
      • Arguments
    • Problem: missing spec document
  • 15. Fuzzing Targets (2) - ioctl
    • Command code
      • Specify request type
      • Differs from device to device
      • Coverage!!!
    • Argument
      • Structure pointer
      • Length, type, etc…
      • Digging from binary
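"Digging from binary" for command codes and argument sizes can start from the encoding itself. As an added example (not from the slides), the code below decodes 32-bit words with the generic Linux _IOC() layout that ARM uses (nr:8, type:8, size:14, dir:2) and filters a flat image for words that plausibly are ioctl commands; the size field then gives the length of the argument structure to reconstruct. The image bytes are constructed; a real run would feed the driver's .rodata or the switch constants from the disassembly.

```python
import string
import struct

_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2

def decode_ioc(cmd):
    """Split a command into the generic _IOC fields (nr:8, type:8, size:14, dir:2)."""
    return {"dir": (cmd >> 30) & 0x3, "type": (cmd >> 8) & 0xFF,
            "nr": cmd & 0xFF, "size": (cmd >> 16) & 0x3FFF}

def encode_ioc(direction, typ, nr, size):
    """Mirror of the kernel's _IOC() macro; used here to build the sample."""
    return (direction << 30) | (size << 16) | (typ << 8) | nr

def looks_like_ioctl(cmd, max_size=4096):
    """Heuristic for a word dug out of a binary: the command moves data
    (dir != NONE), its magic is a printable character and the encoded
    argument size fits a plausible structure."""
    f = decode_ioc(cmd)
    return (f["dir"] != _IOC_NONE and 0 < f["size"] <= max_size
            and chr(f["type"]) in string.printable.strip())

def scan_image(image):
    """Return {cmd: fields} for every aligned little-endian word that passes
    the heuristic; `size` is the length of the argument struct to model."""
    found = {}
    for off in range(0, len(image) - 3, 4):
        cmd = struct.unpack_from("<I", image, off)[0]
        if looks_like_ioctl(cmd):
            found[cmd] = decode_ioc(cmd)
    return found

# CONSTRUCTED image: two commands with magic 'r' among non-command words.
SAMPLE_IMAGE = struct.pack(
    "<6I",
    0xE92D4800,                                             # an ARM push
    encode_ioc(_IOC_READ | _IOC_WRITE, ord("r"), 0, 0x1C),  # 28-byte struct
    0xC059ACE4,                                             # a kernel address
    encode_ioc(_IOC_WRITE, ord("r"), 1, 8),                 # 8-byte struct
    0x00000000,
    0xFFFFFFFF)
```

Architectures with their own ioctl.h (PowerPC, MIPS, SPARC) use different field widths, so the decoder applies to ARM and other asm-generic targets only.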
  • 16. Hex-Rays Decompiler
    • Assembly => Pseudo C
    • API interface:
      • AST: ctree
      • Nodes: citem_t
      • 80+ types of node
      • 9 types commonly used

    enum ctype_t {
      cot_asg    = 2,  ///< x = y
      cot_add    = 35, ///< x + y
      cot_sub    = 36, ///< x - y
      cot_cast   = 48, ///< (type)x
      cot_ptr    = 51, ///< *x, access size in 'ptrsize'
      cot_call   = 57, ///< x(...)
      cot_idx    = 58, ///< x[y]
      cot_memref = 59, ///< x.m
      cot_memptr = 60, ///< x->m, access size in 'ptrsize'
    };
  • 17. Variable Propagation
    • Lack of optimization
    • Semi-SSA pseudo code
    • int xxx_ioctl(a1, a2, a3)
      • a1: fd
      • a2: ioctl command
      • a3: arg
    • We need to track both a2 and a3
  • 18. Variable Propagation
    • Propagation rules
      • cot_asg nodes
        • Straightforward
        • Affecting both cmd and arg
      • cot_call nodes
        • Kernel specific
        • copy_from/to_user
        • memcpy
        • Affecting arg only
  • 19. Variable Propagation
    • Inter-procedure propagation
      • copy_from/to_user is a special case
      • memcpy
    • For the non-special case, decompile the sub-routine recursively to proceed
    https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c
  • 20. Type Re-construction
    • cot_add & cot_sub
      • Result of var propagation leads to a3
      • Offset can be calculated
      • Length can be assumed (accurately)
    • Handling inter-procedure scenarios
      • Just like variable propagation
  • 21. Case Study – sdcard driver

    static int simple_mmc_erase_partition_wrap(struct msdc_ioctl *msdc_ctl)
    {
        unsigned char name[25];
        if (copy_from_user(name, (unsigned char *)msdc_ctl->buffer,
                           msdc_ctl->total_size))
            return -EFAULT;
        return simple_mmc_erase_partition(name);
    }

    static int vulnerable_func(struct vul_ioctl *vul_ctl)
    {
        unsigned char name[25];
        if (copy_from_user(name, (unsigned char *)vul_ctl->buffer,
                           vul_ctl->total_size   /* <== overflows the name[] array */
                          ))
            return -EFAULT;
        return other_func(name);
    }

    • Discovered by constructing an illegal total_size value
    • Actually needed a bigger total_size, as the routine is inlined
    • Impacted almost every phone using that brand of SoC when discovered
    Fix:
    1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
    2. Check total_size before calling copy_from_user
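The propagation and type-reconstruction rules of slides 17 to 20 can be modelled outside IDA. The following is an added example, not the speakers' tool: node tuples stand in for the ctree's citem_t kinds (cot_asg, cot_call, cot_add, cot_ptr, cot_cast), locals derived from a3 are tracked through assignments and copy_from_user calls, constant offsets read through a derived pointer are collected as struct fields, and a copy whose length is itself derived from a3 is reported, which is exactly the shape of the sdcard case above. The handler below is constructed, not decompiled from any real driver.

```python
COPY_FUNCS = {"copy_from_user", "copy_to_user", "memcpy"}   # slide 18 call rules

def derived(expr, tainted):
    """True if the expression reads a variable in `tainted`."""
    if expr[0] == "var":
        return expr[1] in tainted
    return any(derived(e, tainted) for e in expr[1:] if isinstance(e, tuple))

def field_access(expr, tainted, fields):
    """cot_ptr over cot_add(var, num): record (offset, access size) for the
    variable, the type-reconstruction step of slide 20."""
    if expr[0] == "ptr" and expr[1][0] == "add":
        base, off = expr[1][1], expr[1][2]
        if base[0] == "var" and base[1] in tainted and off[0] == "num":
            fields.setdefault(base[1], set()).add((off[1], expr[2]))
    for e in expr[1:]:
        if isinstance(e, tuple):
            field_access(e, tainted, fields)

def propagate(stmts, arg="a3"):
    """Track which locals derive from the ioctl arg and flag copies whose
    length is itself user-derived."""
    tainted, fields, findings = {arg}, {}, []
    for st in stmts:
        field_access(st, tainted, fields)
        if st[0] == "asg" and st[1][0] == "var" and derived(st[2], tainted):
            tainted.add(st[1][1])                   # cot_asg: straightforward
        elif st[0] == "call" and st[1] in COPY_FUNCS:
            dst, src, length = st[2:5]
            target = dst[1] if dst[0] == "ref" else dst   # &buf -> buf
            if derived(src, tainted) and target[0] == "var":
                tainted.add(target[1])              # user bytes land in dst
            if derived(length, tainted):
                findings.append((st[1], target))    # user-controlled length
    return tainted, fields, findings

# CONSTRUCTED pseudo-ctree for a handler like the sdcard case: a3 is the
# ioctl arg, ctl a 0x1C-byte local struct, name a fixed-size stack buffer.
SAMPLE = [
    ("asg", ("var", "v5"), ("cast", ("var", "a3"))),
    ("call", "copy_from_user", ("ref", ("var", "ctl")), ("var", "v5"), ("num", 0x1C)),
    ("asg", ("var", "buf"), ("ptr", ("add", ("var", "ctl"), ("num", 4)), 4)),
    ("asg", ("var", "size"), ("ptr", ("add", ("var", "ctl"), ("num", 8)), 4)),
    ("call", "copy_from_user", ("ref", ("var", "name")), ("var", "buf"), ("var", "size")),
]

def demo():
    return propagate(SAMPLE)
```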
  • 22. Agenda • Binary Analysis • Benefits • Disassembling kernel • Fuzzing • Case study • Suggestions • SoC vendors • Phone/ROM mgfr • Source Analysis • Tools and methods • Analyzer internals • Case study
  • 23. Secure Android with Dragon Wings
    1. Android Kernel Source
      • http://www.cyanogenmod.org/
    2. Kernel Source Preprocessing
      • http://llvm.linuxfoundation.org/
    3. Apply Clang-Analyzer to Kernel Source
      • http://clang-analyzer.llvm.org/
    4. Review the Clang-Analyzer Report
  • 24. Clang-Analyzer Internals - Overview
    Source Code => AST => CallGraph && CFG => Exploded Graph
  • 25. Clang-Analyzer Internals - A Node
    ProgramPoint
      • Execution Location
        • Pre-statement
        • Post-statement
        • Entering a call
        • …
      • Stack Frame
    ProgramState
      • Environment
        • Expr -> Values
      • Store
        • Memory Location -> Values
      • GenericDataMap
        • Constraints on symbolic values
  • 26. Android Kernel Source Preprocessing
    • Android ARM Toolchain
      • -target arm-none-linux-gnueabi -gcc-toolchain
    • Clang compatibility processing
      • BUILD_BUG_ON
      • sbcccs in __range_ok()
    • Checker compatibility processing
      • copy_from_user / copy_to_user etc.
      • remove the “inline” keyword
    • Kernel Source Building/Pruning
      • only care about 3rd party drivers
      • make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
    • Actually there is still a lot that can be done...
  • 27. Clang-Analyzer - AST Checker
    1. FuncInfo->isStr("remap_pfn_range") ?
    2. TheCall->getNumArgs() == 5 ?
    3. arg3->isEvaluatable() ?
    4. foreach variable in arg3: visit the ASTBody to decide whether it is constrained.
    5. Are all the variables in arg3 not constrained ?
    6. Report the potential bug.
  • 28. Clang-Analyzer - Path-Sensitive Checker
    Sample 1 / Sample 2
  • 29. Clang-Analyzer - Path-Sensitive Checker
    • Checker Events
      • checkPreCall / checkPostCall
      • checkLocation
      • checkBind
      • …
    • Checker States

    REGISTER_MAP_WITH_PROGRAMSTATE(ExampleDataType, SymbolRef, int)
    const int *currentValue = state->get<ExampleDataType>(Sym);
    ProgramStateRef newState = state->set<ExampleDataType>(Sym, newValue);

    Building a Checker in 24 Hours: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf
  • 30. Clang-Analyzer Report - A Real Case
  • 31. Agenda • Binary Analysis • Benefits • Disassembling kernel • Fuzzing • Case study • Suggestions • SoC vendors • Phone/ROM mgfr • Source Analysis • Tools and methods • Analyzer internals • Case study
  • 32. Suggestions
    • SoC vendors
      • Establish security response team
      • Build in-house vulnerability research capabilities
      • Acknowledge security researchers
      • Qualcomm security team is great 
    • Phone manufacturers / ROM makers
      • Keep tracking latest security advisories from SoC vendor
      • Audit custom code, involve 3rd party when needed
      • Hot patching?
  • 33. Thank you
    • Contact us
      • Twitter: @K33nteam
      • Email: hr@keencloudtech.com
    • And we are HIRING!
      • Vulnerability & exploitation
      • Kernel, app, etc
      • Location
        • Shanghai (HQ)
        • Beijing (Subsidiary)