Exploiting Memory Corruption Vulnerabilities in the Java Runtime

Exploiting Memory Corruption Vulnerabilities in the Java Runtime

Tackling the Android Challenge Joshua J. Drake First Annual Breakpoint October 17th 2012 Overview

About Josh Goals Survey Background Ecosystem Patching Disclosure

Attack Surface Tools Exploitation Hardening Recommendations Conclusions

About the Presenter Joshua J. Drake, aka jduck Senior Research Scientist with Accuvant LABS Former Lead Exploit Developer Researching Linux security since 1994 (1.1.59) Researching Android security since Droid 1 (2009) Consulted for a major Android device OEM Presented a working Android ICS 4.0.1 browser exploit at BlackHat USA 2012 Goals

1. Improve Android security Improve security awareness Provide motivation ;-) 2. Enable other researchers to do their thing Summarize information from many sources Improve the tool-chain Survey Background

Introduction Smartphone operating system Open Source (somewhat) Linux based Early History Founded in 2003 Acquired by Google in 2005 Released publicly in 2008 (HTC G1/Dream) ~ 30 releases so far http://en.wikipedia.org/wiki/Android_version_history http://socialcompare.com/en/comparison/android-versions-comparison

Version History Version Date Code name Version Date

Code name 1.0 Sep 23, 2008 Apple Pie? 2.3.6 Sep 2, 2011

Gingerbread 1.1 Feb 9, 2009 Banana Bread? 2.3.7 Sep 21, 2011

Gingerbread 1.5 Apr 30, 2009 Cupcake 3.0 Feb 22, 2011

Honeycomb 1.6 Sep 15, 2009 Donut 3.1 May 10, 2011

Honeycomb 2.0 Oct 26, 2009 Eclair 3.2 Jul 15, 2011

Honeycomb 2.0.1 Dec 3, 2009 Eclair 3.2.1 Sep 20, 2011

Honeycomb 2.1 Jan 12, 2010 Eclair 3.2.2 Aug 30, 2011

Honeycomb 2.2 May 20, 2010 Froyo 3.2.4 Dec 2011

Honeycomb 2.2.1 Jan 18, 2011 Froyo 3.2.6 Feb 2012

Honeycomb 2.2.2 Jan 22, 2011 Froyo 4.0.1 Oct 19, 2011

Ice Cream Sandwich 2.2.3 Nov 21, 2011 Froyo 4.0.2 Nov 28, 2011

Ice Cream Sandwich 2.3 Dec 6, 2010 Gingerbread 4.0.3 Dec 16, 2011

Ice Cream Sandwich 2.3.3 Feb 9, 2011 Gingerbread 4.0.4 Mar 29, 2012

Ice Cream Sandwich 2.3.4 Apr 28, 2011 Gingerbread 4.1.1 Jul 9, 2012

Jelly Bean 2.3.5 Jul 25, 2011 Gingerbread 4.1.2 Oct 9, 2012

Jelly Bean Fun Fact I Releases are named alphabetically after sweets!

Cupcake Donut Eclair Froyo Gingerbread Honeycomb

Ice Cream Sandwich Jelly Bean Key Lime Pie L??? Lollipop? M??? Marble Cake? N??? Nougat? Supported Architectures Android supports at least 4 architectures 1. ARM

The Lions share of devices out there 2. x86 Google TV devices, tablets, phones 3. MIPS 4. PowerPC

Really anything Linux will run on Fun Fact II Theres an Easter egg Settings -> About Phone Quickly tap Android version 4-5 times Some are interactive (try long press, etc) DEMO * Doesnt appear to work on HTC devices Y U NO FUN HTC?! Ecosystem

Its complicated Ecosystem Understanding the Ecosystem is important Provides perspective Good to know who is responsible for what Makes the complexities involved evident

Put yourself in their shoes Helps you put your palm on your face Ecosystem: Groups Six main groups 1. 2. 3. 4. 5. 6.

Google Hardware fabricators Original Equipment Manufacturers (OEMs) Carriers Developers Users All inter-dependent to varying degrees Ecosystem: Groups Six main groups 1.

2. 3. 4. 5. 6. Google Hardware fabricators Original Equipment Manufacturers (OEMs) Carriers Developers Users

All inter-dependent to varying degrees Ecosystem: Groups Six main groups 1. 2. 3. 4. 5. 6.

Google Hardware fabricators Original Equipment Manufacturers (OEMs) Carriers Developers Users All inter-dependent to varying degrees Ecosystem: Groups Six main groups 1.

2. 3. 4. 5. 6. Google Hardware fabricators Original Equipment Manufacturers (OEMs) Carriers Developers Users

All inter-dependent to varying degrees Ecosystem: OEMs http://opensignal.com/reports/fragmentation.php Ecosystem: Groups Six main groups 1. 2. 3.

4. 5. 6. Google Hardware fabricators Original Equipment Manufacturers (OEMs) Carriers Developers Users All inter-dependent to varying degrees

Ecosystem: Groups Six main groups 1. 2. 3. 4. 5. 6. Google Hardware fabricators

Original Equipment Manufacturers (OEMs) Carriers Developers Users All inter-dependent to varying degrees Ecosystem: Groups Six main groups 1. 2. 3.

4. 5. 6. Google Hardware fabricators Original Equipment Manufacturers (OEMs) Carriers Developers Users All inter-dependent to varying degrees

Open Handset Alliance OHA Founded 2007 Mission: increased openness Compared to mobile ecosystem before Android? Members Android builds must be Android Compatible Currently includes most vendors working with Android

Ecosystem: Summary Massive cross-organizational Bureaucracy Everyone working with different goals Some goals are competing Ecosystem: Summary Provides a rich area for security research Implicit trust between groups Source code complexities Creates half-day exploit risk

Ex: Bugs fixed in Chrome but not Android Lengthens patch cycle Leaves end-users unprotected Patching Patching: Whos Who https://blog.lookout.com/blog/2011/08/04/inside-the-android-security-patch-lifecycle/ Updates

Updates for different pieces come from different places Apps Authors->Play Store->User OS (via OTA) Google->OEM->Carrier->User Straight from Google for Nexus devices Patching: AUA Android Update Alliance Required support for 18mo

But cellular contracts are 24mo!!! Announced, but never mentioned again Who is even part of it?! Patching: CTS Android Compatibility Test Suite (CTS) Googles Android Compatible stamp of approval Used to enforce security baselines No known vulnerabilities No world writable directories etc

Continually Evolving Tests are open source https://blog.lookout.com/blog/2011/08/04/inside-the-android-security-patch-lifecycle/ http://blog.n0where.org/errata-to-avoiding-android-app-security-pitfa Time to Patch Google Days or weeks OEMs Not enough information available Carriers Months or never Patching: Summary

Little-to-no back-porting fixes Again, exploits for half-day bugs Users left vulnerable indefinitely Makes Microsoft look like Angels Disclosure Disclosure Practices vary Some full or coordinated disclosure Researchers mostly

Some partial disclosure Some non-disclosure In general, there is very little visible security effort Not even official bug bounties??? Full Disclosure http://sh4ka.fr/android/galaxys3/from_0perm_to_INSTALL_PACKAGES_on_galaxy_S3.html Coordinated Disclosure

http://labs.mwrinfosecurity.com/advisories/2012/09/07/multiple-samsung-android-application-vulnerabilities/ Partial Disclosure: VZW Partial Disclosure: VZW Non-disclosure? Another example, from the recent dialer code + TEL URI issues: sentSILENTLY No CVE, no disclosure

Non-disclosure? TEL URI issues First public mention was from Ekoparty presentation Patched prior by Samsung (on some devices) Total timeline of only about 3 months Not bad! For those devices that got patched. Disclosure: Why? Ability to track issues across organizations

CVEs help a lot here Facilitates industry-wide peer review Raises awareness Attack Surface Attack Surface Attack Surface http://recxltd.blogspot.com/2012/02/refl

ecting-on-mobile-security-today.html http://ddanchev.blogspot.com/2007/03/c omplexity-and-threats-mind-mapping.htm l http://www.symantec.com/connect/blogs /picture-worth-thousand-words-and-i-onl y-have-type-300 Attack Surface The attack surface has grown since that diagram was created

The attack surface is HUGE Especially client-side user-initiated stuff Lots of pushing and polling going on Tools Custom BusyBox Why? Single binary Others?

toolbox motobox various busybox cross-compiles Custom BusyBox Existing binaries have bugs Issues mapping uid and gid to name Issues mapping sockets connections lsof netstat Will be working to address these issues soon

Source Code There is A LOT of it. AOSP Hardcore forking action Lots of community ROMs Kernel sources by OEMs CONFIG_MODULES=y Can build your own modules! insmod on devices!!

Kernel Sources https://www.codeaurora.org/ http://developer.sonymobile.com/downloads/opensource/ http://sourceforge.net/motorola/ http://opensource.samsung.com/index.jsp http://htcdev.com/devcenter/downloads Compilers

Many tool chains to choose from SDK/NDK AOSP prebuilt Linaro Official ARM compiler (RVCT) Others? Debuggers Many different versions Various NDK revisions Various AOSP prebuilt binaries Versions from Linux distros

Might have to try lots to find a working version :-/ Debugging: Issues gdbserver will crash on you :-/ Need to investigate and fix these issues Single-stepping nightmares ARM vs Thumb insanity x/i $pc|$cpsr.t Symbols can tell the debugger which mode

Debugging: Tips What worked for me Using the AOSP prebuilt debugger arm-eabi-gdb and gdbserver Pulling all relevant binaries from the device Built bins with symbols from AOSP Debugging: Example ubvm:0:galaxynexus$ ls -l app_process lib*so linker -rw------- 1 jdrake jdrake 9.7K May 6 02:21 app_process

lrwxrwxrwx 1 jdrake jdrake 26 Jun 1 23:54 libc.so -> symbols/system/lib/libc.so* lrwxrwxrwx 1 jdrake jdrake 28 Jun 1 23:42 libdvm.so -> symbols/system/lib/libdvm.so* lrwxrwxrwx 1 jdrake jdrake 31 Jun 26 22:19 libstdc++.so -> symbols/system/lib/libstdc++.so* lrwxrwxrwx 1 jdrake jdrake 32 May 29 04:24 libwebcore.so -> symbols/system/lib/libwebcore.so* -rw------- 1 jdrake jdrake 39K May 6 02:20 linker ubvm:0:galaxynexus$ cat stuff.gdb set solib-search-path . set arm fallback-mode thumb target remote 127.1:8080

[...] set arm fallback-mode auto cont Debugging: Tips With these two things together, you can get accurate source level debugging \o/ WIN \o/ || ||

Debugging: Tips Possible improvements Use on-device debugger from ARM Linux distro Requires libc, etc Probably faster than USB Exploitation http://1.androidauthority.com/wp-content/uploads/2012/08/banner-best-army-military-soldier-games-android-120824.jpg Device Pool

http://opensignal.com/reports/fragmentation.php Exploitation Most exploitation details are architecture specific ARM presents some challenges Separate data & code cache Multiple processor modes ARM, Thumb, Thumb2, etc More from Stephen Ridley tomorrow!

Bionic Heap Bionic (libc) uses dlmalloc Supposedly somewhat hardened Didnt pose any challenge during recent exploit dev Traditional unlink techniques should apply Browser Heap WebKit has fastMalloc but all memory is serviced by dlmalloc! Includes new and delete

Crashes dereferencing 0xbbadbeef Usually not interesting Out of memory Dalvik ASLR Fail #1 Zygote (app_process) Forks children, doesnt use execve() All Android Applications (Apps) share same initial memory layout An info leak (from any App) is good until reboot at

least, maybe longer The browser is an App! Information Leaks Subreption paper Android exploitation primers: lifting the veil on mobile offensive security (Vol. I) Talks about using infoleaks to exploit the browser Uses CVE-2010-4577 (Chris Rohlfs WebKit CSS Type confusion) Dynamic Return-oriented Programming https://subreption.com/site_media/uploads/reports/droidleak_release.pdf

Hardening Mitigations History Version 1.5 1.5 1.5 1.5 1.5 2.3

2.3 2.3 2.3 4.0 4.0 4.0.2 4.1 4.1 4.1 4.1 4.1 4.1

Mitigation (s) Introduced Disabled %n format specifier Stack cookies (-fstack-protector) safe_iop dlmalloc enhancements calloc integer overflow check Non-executable stack Non-executable heap mmap_min_addr (enhanced in 4.1?) -Wformat-security -Werror=format-security

Randomized stack Randomized mmap (libraries, anon mappings) Randomized heap Default umask changed to 077 Restricted READ_LOGS per app Randomized linker Read-only relocations (RELRO + BIND_NOW) Position independent executable (PIE) dmesg_restrict and kptr_restrict Hardening: Jelly Bean Introduced in 4.1 Jelly Bean

Logcat output hardening Full ASLR, finally! Well, almost.. http://blog.n0where.org/errata-to-avoiding-android-app-security-pitfa Dalvik ASLR Fail #2 diff --git a/vm/native/dalvik_system_Zygote.cpp b/vm/native/dalvik_system_Zygote.cpp index 31fecfd..2d66cef 100644 --- a/vm/native/dalvik_system_Zygote.cpp +++ b/vm/native/dalvik_system_Zygote.cpp

@@ -446,6 +447,12 @@ static pid_t forkAndSpecializeCommon(const u4* args, bool isSystemServer) dvmAbort(); } + + + + + int current = personality(0xffffFFFF); int success = personality((ADDR_NO_RANDOMIZE | current));

if (success == -1) { LOGW("Personality switch failed. current=%d error=%d\n", current, errno); } https://android.googlesource.com/platform/dalvik/+/311886c6c6fcd3b531531f592d56caab5e2a259c%5E%21/#F0 Dalvik ASLR Fail #2 personality System Call Linux-specific ADDR_NO_RANDOMIZE Also other settings like READ_IMPLIES_EXEC

Dalvik ASLR Fail #2 What does this mean? Child processes dont get randomized at all No stack No heap No libs No code Nothing Dalvik ASLR Fail #2 Except.

Doesnt work across setuid executions What good is it then? Makes exploiting child processes of Dalvik applications TRIVIAL Dalvik ASLR Fail #2 Example Consider an app that runs command using remote input This command has a silly buffer overflow in the handling of command line arguments

Trivial remote code execution! But surely bugs like this dont exist, right??? Hardening: Umask Introduced in 4.1 Jelly Bean Umask is supposedly is 077, but not for adb dq:0:~$ adb shell [email protected]:/ $ getprop ro.build.fingerprint google/takju/maguro:4.1.1/JRO03C/398337:user/release-keys [email protected]:/ $ umask 000 [email protected]:/ $ exit

Probably not a huge problem http://blog.n0where.org/errata-to-avoiding-android-app-security-pitfa Chrome for Android Google includes mostly up-to-date WebKit in Chrome for Android Requires 4.0+ :-/ Allows updating their WebKit via Google Play Without OTA updates, firmwares Without involving carriers and OEMs

https://play.google.com/store/apps/details?id=com.android.chrome Chrome for Android Chrome for Android has some sandboxing Not really Mostly just process separation [email protected]:/ $ ps | grep chrome u0_a67 23444 125 578828 91096 ffffffff 00000000 S com.android.chrome u0_i8 23955 125 517628 45476 ffffffff 00000000 S com.android.chrome:sandboxed_process0 More to do here Probably actively being worked on

http://chrome.blogspot.com/2012/09/chrome-for-android-just-got-safer.html SAFEDROID Subreption guys working on a hardened Android build Focused on OMAP (Galaxy Nexus, others) Heavily modified version of PaX Improved exploit mitigations Replace dlmalloc with hardened jemalloc Kernel heap hardening http://www.subreption.com/news/darpa-cyber-fast-track-funding-for-high-assurance-mobile-computing-rd/

Conclusions Conclusions Device pool is a mess Nobody is getting timely patches Researching Android security is challenging! Many tools are half broken But the situation is getting better all the time Android Security is maturing

Recommendations Recommendations Users Use Nexus devices if possible Pure google, faster updates Always use the latest version Use Chrome for Android! Buy devices up-front Dont sign up for 2 year contracts Send a message to carriers!

Recommendations Carriers Stop bloating things! Support devices at least as long as the contract!!! Get updates to users faster Possibly an opt-in beta program? Be more transparent (think disclosures) Recommendations OEMs

Release more security updates Release security fixes faster Offer updates outside of carriers? Be more transparent (think disclosures) Stop making so many changes! Recommendations Google Continue improving security (CTS ftw) Release more security updates! Be more transparent (think disclosures)

More devices! Especially with a qwerty keyboard Oh, and send me some Goggles! ;-) QUESTIONS? Contact information:

@jduck1337 jduck on IRC Email: jdrake [circled-a] accuvant.com Keep an eye on my github ;-) Bonus Slides Dalvik ASLR Fail #2 commit 311886c6c6fcd3b531531f592d56caab5e2a259c Author: Selim Gurun Date: Fri Jan 13 10:47:15 2012 -0800 Prevent memory fragmentation.

Bug: 5817320 Prevent memory fragmentation and potential allocation failures. This change is temporary. Change-Id: Id1e8f9606687648235ea9e18861125a8c799d812 https://android.googlesource.com/platform/dalvik/+/311886c6c6fcd3b531531f592d56caab5e2a259c%5E%21/#F0 Hardening: Umask commit 6ebf12fe1bc2de7af4522349973e8bfcc71d6126 Author: Nick Kralevich Date: Mon Mar 26 09:09:11 2012 -0700 init: Change umask of forked processes to 077

[] ueventd: Keep umask at 000. uevent needs to be able to create device nodes with exactly the permissions it indicates. [] commit eb68fa8153d97f5f8b6d9062fcf91fe393e3bff3 Author: Nick Kralevich Date: Mon Apr 2 13:00:35 2012 -0700 adb: set umask to 000

Recently Viewed Presentations

  • United Nations Economic Commission for Europe Statistical Division

    United Nations Economic Commission for Europe Statistical Division

    * * * Objectives What makes a project Key components of a project Some useful management tools 7 October 2008 Project Management 7 October 2008 proj·ect (noun) 1: a specific plan or design 2: a planned undertaking man·age·ment (noun) 1...
  • The Writing Task - Standard English HSC

    The Writing Task - Standard English HSC

    The writing task measures a student's ability to write creatively and to explore the concept of discovery. This question is out of 15 marks. A = 13-15, B = 10-12, C = 7-9, D = 4-6, E = 0-3. The...
  • City of Baltimore Fiscal 2015 Preliminary Budget Plan

    City of Baltimore Fiscal 2015 Preliminary Budget Plan

    Funds an expanded Office of Inspector General and continues funding to carry out a new charter requirement for periodic audits of city agencies. Eliminates 23 vacant positions and begins consolidation of the Human Resources function, consistent with the Mayor's plan...
  • 2020 Benefits Update Agenda Health Benefits at Butler

    2020 Benefits Update Agenda Health Benefits at Butler

    In practical terms, self-insured employers pay for each out of pocket claim as it happens instead of paying a fixed premium to an insurance carrier, which is known as a fully-insured plan. Typically, a self-insured employer will set up a...
  • The Urantia Book - Paper 95 -The Melchizedek Teachings in the ...

    The Urantia Book - Paper 95 -The Melchizedek Teachings in the ...

    Paper 103 The Reality of Religious Experience AUDIO VERSION. 103:0.1 (1129.1) All of man's truly religious reactions are sponsored by the early ministry of the adjutant of worship and are censored by the adjutant of wisdom.
  • Liberation Theology - Esquivel - Stations of the Cross

    Liberation Theology - Esquivel - Stations of the Cross

    Christ have mercy. Notes accompanying each slide The notes section of each of the slides that follows comprises the liturgy that goes with each Station, as written by Maria Graf-Huber and published in a handbook, "Way of the Cross from...
  • Suffolk & North East Essex STP Implementation Plan

    Suffolk & North East Essex STP Implementation Plan

    EEAST transformation programme includes a range of initiatives that will integrate with the wider health service, including hospitals and community-based clinicians, to send more appropriate resources to patients, treat more patients within the community, and convey fewer patients to A&E...
  • What is Fiction? - Central Bucks School District

    What is Fiction? - Central Bucks School District

    : provides the background of the story, interacts with the main character and helps to move the plot along. Main Character. Problem: Needs to rescue Princess Fiona in order to save his swamp. Minor Character. Donkey . helps. Shrek solve...