Fourteenforty Research Institute, Inc.

Similar documents
Example of Standard API

The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

Android Programming and Security

Hacking your Droid ADITYA GUPTA

Analysis of advanced issues in mobile security in android operating system

Popular Android Exploits

Studying Security Weaknesses of Android System

Security Enhanced (SE) Android: Bringing Flexible MAC to Android

Safety measures in Linux

Tutorial on Smartphone Security

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Reversing Android Malware

Android Architecture For Beginners

Android Security Joshua Hodosh and Tim Leek

Graduate presentation for CSCI By Janakiram Vantipalli ( Janakiram.vantipalli@colorado.edu )

Developing Mobile Device Management for 15 million devices (case study) Rim KHAZHIN

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

Security Issues in Android Custom ROMs

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

Using Chroot to Bring Linux Applications to Android

Leave The App Alone! - Attack and Defense of Android App Hijack

Understanding Android s Security Framework

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Android Security for Enterprise App Developers Jon Preedy

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH

Kernel Intrusion Detection System

Lecture 2 PLATFORM SECURITY IN ANDROID OS

Worms, Trojan Horses and Root Kits

CPS221 Lecture: Operating System Structure; Virtual Machines

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Lecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday

Attacking Hypervisors via Firmware and Hardware

Mobile Devices - An Introduction to the Android Operating Environment. Design, Architecture, and Performance Implications

Mobile Devices - An Introduction to the Android Operating Environment. Design, Architecture, and Performance Implications

Virtual Machine Security

ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA. ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York

A Survey on Virtual Machine Security

Confining the Apache Web Server with Security-Enhanced Linux

Security Technology for Smartphones

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Analysis of the Linux Audit System 1

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/

BlackBerry 10.3 Work and Personal Corporate

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

CSE 120 Principles of Operating Systems. Modules, Interfaces, Structure

Overview. The Android operating system is like a cake consisting of various layers.

Sandbox Roulette: Are you ready for the gamble?

Running a Program on an AVD

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

Put a Firewall in Your JVM Securing Java Applications!

Tushar Dalvi Sr. Security Engineer at LinkedIn Penetration Tester. Responsible for securing a large suite mobile apps

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Android Commercial Spyware Disease and Medication

What is included in the ATRC server support

Android Security - Common attack vectors

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY

Security for Mac Computers in the Enterprise

POACHER TURNED GATEKEEPER: LESSONS LEARNED FROM EIGHT YEARS OF BREAKING HYPERVISORS. Rafal Wojtczuk

UNCLASSIFIED Version 1.0 May 2012

A Look through the Android Stack

An Introduction to Android

WIND RIVER SECURE ANDROID CAPABILITY

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Mercury User Guide v1.1

Attacking Hypervisors via Firmware and Hardware

Getting Started with the AllJoyn Lighting Service Framework 14.12

Chapter 14 Virtual Machines

Tizen Web Runtime Update. Ming Jin Samsung Electronics

Practical Mac OS X Insecurity. Security Concepts, Problems and Exploits on your Mac

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

AllJoyn Android Environment Setup Guide

Homeland Security Red Teaming

Android Security. Giovanni Russello

Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

Publishing to TIZEN Using the Automated Conversion/Repackaging of Existing Android Apps. Hyeokgon Ryu, Infraware Technology, Ltd.

Linux Security on HP Servers: Security Enhanced Linux. Abstract. Intended Audience. Technical introduction

Android Security (and Not) Internals

WebView addjavascriptinterface Remote Code Execution 23/09/2013

Training Android Debugging

Android Fundamentals 1

Virtually Secure. a journey from analysis to remote root 0day on an industry leading SSL-VPN appliance

Mandatory Access Control in Linux

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Host-based Intrusion Prevention on Windows and UNIX. Dr. Rich Murphey White Oak Labs

Windows Phone 8 Security deep dive

Executable Integrity Verification

Smart home appliance security and malware

Transcription:

Black Hat Abu Dhabi 2011 Yet Another Android Rootkit Fourteenforty Research Institute, Inc. /protecting/system/is/not/enough/ Research Engineer Tsukasa Oi Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp 1

Introduction: rooting Android Gaining Administrative Privileges in Android OS Normally, root cannot be used by Apps Gaining root Privilege using Local Exploits (dangerous) Fake Firmware Updates (relatively safe) What for? Customization, Overclocking Malicious Use (e.g. DroidDream) root in Android platform works differently Permission Checks Software-based UID/PID checks 2

Introduction: Japanese smartphones Vendors and Careers want to: Protect Users Protect Career-specific / Vendor-specific Services Ensure Smartphones are not Altered and Radio Legal Protect their Business Model Answer: Protect Smartphones Prevent Firmware Modification Patch Framework and Kernel in order to Secure the device 3

Agenda rooting and Android Security Android Internals and Security Model Bypassing Security and Gaining Privileges Vendor-Specific Protection Kernel-based Mechanism Yet Another Android Rootkit User-Mode Rootkit Bypassing Vendor-Specific Protections Hook User Applications So what was wrong? Open source, Closed platform 4

rooting Android is not the end of the story. ROOTING AND ANDROID SECURITY 5

rooting is Sometimes Easy Five known root exploits affecting unmodified version of Android CVE-2009-1185 (exploid) [no CVE number] (rage against the cage) CVE-2011-1149 (psneuter) CVE-2011-1823 (GingerBreak) CVE-2011-3874 (zergrush) More of that: Chip/Vendor-specific Vulnerabilities 6

rooting : Vulnerabilities (1) Logic Errors in suid programs Android Tablet [xxx]: OS command injection [REDACTED] The attacker can invoke arbitrary command in root privileges. 7

rooting : Vulnerabilities (2) Improper User-supplied buffer access Android smartphone [xxx]: Sensor Device Driver [REDACTED] The attacker write [REDACTED] to arbitrary user memory, bypassing copy-on-write. Modifying setuid function (which affects all processes) can generate root-privilege processes. 8

rooting isn t the end Gaining Privileges in Android system root user in Android system is slightly different The attacker want to take over the whole system Vendor-Specific Protection DroidDream won t work properly on some Japanese Android phones /system may be Read-Only Is it possible to take over the system in protected smartphones? 9

Android Internals: App Model Package.apk Android System Install AndroidManifest.xml Invoke Application Activity Callback on Event Broadcast Receiver Applications are contained in the Package Register how classes are invoked by Manifest System calls application classes if requested Activity, Broadcast, 10

Android Internals: Package APK File (ZIP format) AndroidManifest.xml (Manifest) lib/armeabi/* (Native code) classes.dex (Program) Package itself is only a ZIP archive AndroidManifest.xml (Manifest) Application information, permissions How classes can be called (Activity, BroadcastReceiver) 11

Android Internals: App Model in File System root file system (/) init system/ vendor/ data/ init.rc system partition (/system) bin/ lib/ Dalvik host process app_process libdvm.so linker Dalvik VM Library Dynamic linker vendor/ (symlinked to /vendor) app/ lib/ app/ framework/ etc/ build.prop default.prop data partition (/data) app/ lib/ Trusted by App System Data app-private/ data/ Contains Dalvik Code Contains Native Code 12

Android Internals: App Model in Lower Layer init (PID=1) init Process Launches some Native Services Service 1 Service 2 Zygote Daemon System Server System Server (serves Services) is directly forked from Zygote Daemon App 1 App 2 App 3 Important Processes are: init (The root of all processes) Zygote Daemon (The root of Android Apps) System Server (serves many System Services) All normal Apps are forked from Zygote Daemon when requested 13

Android Internals: Zygote Zygote (app_process) Zygote Daemon Preloaded Libraries (including Dalvik VM itself) /dev/socket/zygote (POSIX permission: 0666) fork and specialize for new process Invocation Request (UNIX Domain Socket) System Server App2 App3 Shared Memory 14

Android Security: Model Android Permission and Protection + Grant by Package Information (Permission Information) - Restrict by Package Location (System or User) - Restrict by Package Signature + Grant by UID/PID (Backdoor?) Priorities of Activity (User-Interface Element) + Grant by Package Information (Intent Filters) - Restrict by Package Location (System Only) Legacy Linux Security Model Grant/Restrict: UID/GID/PID 15

Android Security: Permission The Internet Permission: INTERNET App1 App2 Abstract Capability in Android System More than 100 (Internet connection, retrieve phone number) Permissions Checking Software Checks GID Checks (some permissions are associated with GIDs) 16

Android Security: Permission Protection INSTALL_PACKAGES permission INSTALL_PACKAGES INSTALL_PACKAGES User App System App Permission for User App is Restricted Some permissions are protected Protection Level Package Location (signatureorsystem) Package Signature (signature, signatureorsystem) 17

Android Security: Permission Protection INSTALL_PACKAGES permission UID=0 (root) INSTALL_PACKAGES User App System App All Permissions are granted for root processes Permission Checks are not really Performed GingerMaster (malware) utilizes this behavior GingerMaster calls pm command via root shell script pm is actually a Dalvik program 18

Android Internals: Activity (Choose Apps) Memo App startactivity Mail App Post to Twitter Twitter App Intent and multiple applications (Activities) Activity = Unit of Action with User Interface Specifying object type (target) and action, Activity is called by the system automatically 19

Android Security: Activity Priorities High Priority Low P=999 User Activity P=100 System Activity P=0 User Activity P=100 System Activity P=999 0 User Activity P=0 User Activity Prevent Activity Hooking High-priority Activity can hide lower Activities Only System Packages can use Higher Priority e.g. Android Market (Vending.apk) 20

Bypassing Security: Activity Priorities High Priority Low P=999 SYSTEM Activity P=0 System Activity P=0 User Activity Browser Hooks Real Web Browser Simply need to write System Locations /system/app, /vendor/app (Normally write-protected) DEMO 21

Breaking Security: root can simply Write System Partition Overwrite Framework, Applications Use chroot Make fake root and make system partition virtually Use ptrace Inject Malicious Hooks root can spoil Android security mechanism. Or is it? 22

AOSP is not the everything. VENDOR-SPECIFIC PROTECTION 23

Vendor-Specific Protection Some Android devices have Additional Security Feature Restrict root privileges to prevent devices to be overwritten Modification to the Kernel / Board NAND Lock Secure [Authenticated] Boot Integrity Checking Linux Security Modules (LSM) 24

Vendor-Specific: NAND Lock Reject all WRITE requests to important regions Boot Loader System Partition Recovery Partition Implemented as a NAND driver / LSM feature pros. Strong Prohibits ALL illegal writes in kernel mode cons. Does not Protect Memory Does not protect mount points as well Still can use ptrace / chroot / pivot_root 25

Vendor-Specific: Secure Boot Prevent Unsigned Boot Loader / Kernel to be Executed Hardware Implementation: e.g. nvidia Tegra Software (Boot Loader) Implementation: e.g. HTC Vision (Qualcomm s Implementation) pros. Hard to Defeat Haven t defeated directly cons. Only Protects Boot Loader / Kernel Does not Protect On-Memory Boot Loader / Kernel Most implementations does not Protect System Partition 26

Vendor-Specific: Integrity Verification Verify loaded packages / programs are legitimate Restrict some features if untrusted packages / programs are loaded Sharp Corp. : Sphinx (Digest Manager) Protected Storage in Kernel Mode Digest Verifier in User-mode (dgstmgrd) Exports Content Provider pros. Ability to use Digital Signatures cons. Easy to avoid if processes can be compromised e.g. ptrace 27

Vendor-Specific: Linux Security Modules (1) Security Framework in Linux Kernel Used by SELinux (for example) LSM to Protect Android System Sharp Corp. : Deckard LSM / Miyabi LSM Protect Mount Point (/system) Prohibit ptrace Prohibit chroot, pivot_root Fujitsu Toshiba Mobile Communications : fjsec Protect Mount Point (/system) and the FeliCa [subset of NFC] device Prohibit pivot_root Path-based / Policy-based Restrictions Kyocera Corp. : KCLSM 28

Vendor-Specific: Linux Security Modules (2) LSM (and NAND lock) Stops DroidDream DroidDream tries to remount /system read-write but it is prohibited by the LSM pros. Mandatory and Strong Difficult to Defeat Capable to Hook System Calls cons. Difficult to Protect Everything unless you know all about Android Internals That could lead to LSM bypassing Some holes were fixed though 29

Bypassing All Protections Restrictions No Kernel-Mode No /proc/*/mem, /dev/*mem No ptrace No chroot, pivot_root No writes to system partitions (/system) But Assume if the attacker can gain root Privileges Possibility to take over whole system User-Mode Rootkit 30

/protecting/system/is/not/enough/ YET ANOTHER ANDROID ROOTKIT 31

Injecting Hooks: 0 out of 3 Gaining root Having Fun! Taint Zygote Modify Dalvik State Replace Class 32

Injecting Hooks: Taint Zygote (1) Facts: All normal Android Apps are forked from Zygote Daemon Zygote Daemon forks child on request through UNIX-domain socket Two plans: Plan A: Hooking UNIX-domain Socket Stealthy Plan B: Generating two Zygote processes Easy to implement Flexible 33

Injecting Hooks: Taint Zygote (Plan A - 1) bind: T0 listen: T1 Zygote Daemon System Server /dev/socket/zygote connect: T2 Exploit race-condition during Initialization of Zygote Daemon Time until the first process is requested Window of Vulnerability is very wide (almost 2 3 seconds) 34

Injecting Hooks: Taint Zygote (Plan A - 2) bind: T0 init (PID=1) Zygote Daemon Pass file descriptor to new Zygote Daemon listen: T1 Initialization (Preloading Classes, GC) Start System Server (it does not use socket) connect: T2 System Server Window of Vulnerability Exploit race-condition during Initialization of Zygote Daemon Time until the first process is requested Window of Vulnerability is very wide (almost 2 3 seconds) 35

Injecting Hooks: Taint Zygote (Plan A - 3) Zygote Daemon Modify Request to Inject Payload written in Java /dev/socket/zygote (moved) Rootkit Injector /dev/socket/zygote (new; infected) System Server Perform Man-in-the-Middle Attack System Server refers Rootkit s Socket Rootkit Injector can restore original Socket to make it stealth New Apps are requested from one connection between System Server 36

Injecting Hooks: Taint Zygote (Plan B) Zygote Daemon /dev/socket/zygote (moved or deleted) Performs like original Zygote (but can perform malicious) Infected Zygote System Server /dev/socket/zygote (new; infected) Pause original Zygote Daemon Launch Tainted instance of Zygote Many ways to launch tainted Zygote Replace socket with rootkit s one 37

Injecting Hooks: 1 out of 3 Gaining root Having Fun! Taint Zygote Modify Dalvik State Replace Class Tainted Zygote Taint Zygote to make tainted processes Tainted Process Rootkit Payload Real Program 38

Injecting Hooks: Modify Dalvik State libdvm.so gdvm struct DvmGlobals loadedclasses struct HashTable info: Class A Dalvik VM Global State All Classes Information info: Class B Assume: The attacker can execute malicious Java class Modify Dalvik VM state to inject hooks Read/Write arbitrary memory required sun.misc.unsafe class Dalvik VM (libdvm.so) exports many symbols Including its Global State (gdvm) Modifying gdvm enables hook injection Modify Class Metadata to Inject Hooks 39

Injecting Hooks: 2 out of 3 Gaining root Having Fun! Taint Zygote Modify Dalvik State Replace Class Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly Tainted Process libdvm.so DvmGlobals HashTable Rootkit Payload gdvm loadedclasses Real Class Real Program 40

Swap inherit Fourteenforty Research Institute, Inc. Injecting Hooks: Class Replacement/Swapping struct HashTable WebView K 1 : WebView K 2 : FakeWebView before replacement FakeWebView after replacement struct HashTable K 1 : FakeWebView Easy Implementation Plan: Swap two Classes e.g. WebView FakeWebView Target = gdvm->loadedclasses Replacing classes must have exactly same methods K 2 : WebView 41

Injecting Hooks: Complete! Gaining root Having Fun! Taint Zygote Modify Dalvik State Replace Class Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly Tainted Process libdvm.so DvmGlobals HashTable Replace class with rootkit s one Rootkit Payload gdvm loadedclasses Real Fake Class Real Program Real Class 42

Conclusion By tainting Zygote, we can hook many of activities including method calls Rootkit Payload can be implemented in Pure Java Most of implementation are not so difficult Be aware of these kind of attacks 43

On-memory modification gives attackers ultimate flexibility. DEMO 44

Protecting system is not so easy. BOTTOM LINE 45

This is not This Android weakness is not a vulnerability alone This malware is not a really advanced rootkit Easy to detect, Easy to defeat But it s not the point. 46

So, what was wrong? Protection: LSM Need to know Android Internals Difference: Security Requirements Some Japanese smartphones had higher security requirements Different than Google expects 47

Android: Open source, Closed platform Low Open Governance Index (1) Not everything is shared Vendor have to implement its own LSM and/or protection Compatibility Issues e.g. Deckard / Miyabi LSM prohibits all native debugging Can Google or associations provide additional information to implement proper LSM? To Defeat Compatibility Issues To Make implementing Additional Security Easier (1) http://www.visionmobile.com/research.php#ogi 48

Suggestions / Conclusions Suggestion: Make policy guidelines to protect Android devices Suggestion: Understand what s happening inside the Android system If the attacker can gain root privileges, the attacker can inject rootkit hooks and monitor App activities This is easy to protect, but it implies many of other possibilities Advanced Android malware? Share the knowledge to protect Android devices! 49

Thank You! Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer Tsukasa Oi <oi@fourteenforty.jp> 50

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information