Suche senden
Hochladen
Android modding-source
•
3 gefällt mir
•
1,112 views
Phyo Lay
Folgen
Bildung
Technologie
Melden
Teilen
Melden
Teilen
1 von 63
Jetzt herunterladen
Downloaden Sie, um offline zu lesen
Empfohlen
Io t slides_iotvillage
Io t slides_iotvillage
agmoneyy
Making it big with something small - Philip Handschin - Codemotion Roma 2015
Making it big with something small - Philip Handschin - Codemotion Roma 2015
Codemotion
Bloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor Specifications
Bloombase
The key issues for teaching or learning Android and Linux Kernel
The key issues for teaching or learning Android and Linux Kernel
William Liang
VideoEdge Cybersecurity v4.6 - May 2015
VideoEdge Cybersecurity v4.6 - May 2015
William L. Brown Jr., CISSP
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
Peter Wood
Fast-paced Introduction to Android Internals
Fast-paced Introduction to Android Internals
Hamilton Turner
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
Empfohlen
Io t slides_iotvillage
Io t slides_iotvillage
agmoneyy
Making it big with something small - Philip Handschin - Codemotion Roma 2015
Making it big with something small - Philip Handschin - Codemotion Roma 2015
Codemotion
Bloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor Specifications
Bloombase
The key issues for teaching or learning Android and Linux Kernel
The key issues for teaching or learning Android and Linux Kernel
William Liang
VideoEdge Cybersecurity v4.6 - May 2015
VideoEdge Cybersecurity v4.6 - May 2015
William L. Brown Jr., CISSP
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
Peter Wood
Fast-paced Introduction to Android Internals
Fast-paced Introduction to Android Internals
Hamilton Turner
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
Rooting Android Devices
Rooting Android Devices
Lokendra Rawat
Security Issues in Android Custom ROM
Security Issues in Android Custom ROM
Anant Shrivastava
Security Issues in Android Custom Rom
Security Issues in Android Custom Rom
n|u - The Open Security Community
Securing User Data with SQLCipher
Securing User Data with SQLCipher
CommonsWare
iOS application (in)security
iOS application (in)security
iphonepentest
Android Attacks
Android Attacks
Michael Scovetta
X Means Y
X Means Y
CommonsWare
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
Enterprise Deployments: The Real World of Best Practices
Enterprise Deployments: The Real World of Best Practices
Simon Haslam
Android Development Tutorial V3
Android Development Tutorial V3
Diego Torres Milano
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting Walkthrough
Benjamin Zores
Android Security: Defending Your Users
Android Security: Defending Your Users
CommonsWare
Webinar: Customer Scale
Webinar: Customer Scale
ForgeRock
Android Booting Scenarios
Android Booting Scenarios
Amr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
Manipulating Memory for Fun and Profit
Manipulating Memory for Fun and Profit
Jovi Umawing
Manipulating memory for fun and profit
Manipulating memory for fun and profit
Yury Chemerkin
Manipulating memory for fun and profit
Manipulating memory for fun and profit
Yury Chemerkin
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
High-Tech Bridge SA (HTBridge)
LicensingScopeAndBoundaries
LicensingScopeAndBoundaries
William Francis
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
Rajeshravi49
C programming myanmar
C programming myanmar
Phyo Lay
ကြန္ပ်ဴတာပ်က္လွ်င္ စဥ္းစားနုိင္ရန္အခ်က္မ်ား
ကြန္ပ်ဴတာပ်က္လွ်င္ စဥ္းစားနုိင္ရန္အခ်က္မ်ား
Phyo Lay
Weitere ähnliche Inhalte
Ähnlich wie Android modding-source
Rooting Android Devices
Rooting Android Devices
Lokendra Rawat
Security Issues in Android Custom ROM
Security Issues in Android Custom ROM
Anant Shrivastava
Security Issues in Android Custom Rom
Security Issues in Android Custom Rom
n|u - The Open Security Community
Securing User Data with SQLCipher
Securing User Data with SQLCipher
CommonsWare
iOS application (in)security
iOS application (in)security
iphonepentest
Android Attacks
Android Attacks
Michael Scovetta
X Means Y
X Means Y
CommonsWare
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
Enterprise Deployments: The Real World of Best Practices
Enterprise Deployments: The Real World of Best Practices
Simon Haslam
Android Development Tutorial V3
Android Development Tutorial V3
Diego Torres Milano
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting Walkthrough
Benjamin Zores
Android Security: Defending Your Users
Android Security: Defending Your Users
CommonsWare
Webinar: Customer Scale
Webinar: Customer Scale
ForgeRock
Android Booting Scenarios
Android Booting Scenarios
Amr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
Manipulating Memory for Fun and Profit
Manipulating Memory for Fun and Profit
Jovi Umawing
Manipulating memory for fun and profit
Manipulating memory for fun and profit
Yury Chemerkin
Manipulating memory for fun and profit
Manipulating memory for fun and profit
Yury Chemerkin
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
High-Tech Bridge SA (HTBridge)
LicensingScopeAndBoundaries
LicensingScopeAndBoundaries
William Francis
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
Rajeshravi49
Ähnlich wie Android modding-source
(20)
Rooting Android Devices
Rooting Android Devices
Security Issues in Android Custom ROM
Security Issues in Android Custom ROM
Security Issues in Android Custom Rom
Security Issues in Android Custom Rom
Securing User Data with SQLCipher
Securing User Data with SQLCipher
iOS application (in)security
iOS application (in)security
Android Attacks
Android Attacks
X Means Y
X Means Y
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
Enterprise Deployments: The Real World of Best Practices
Enterprise Deployments: The Real World of Best Practices
Android Development Tutorial V3
Android Development Tutorial V3
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting Walkthrough
Android Security: Defending Your Users
Android Security: Defending Your Users
Webinar: Customer Scale
Webinar: Customer Scale
Android Booting Scenarios
Android Booting Scenarios
Manipulating Memory for Fun and Profit
Manipulating Memory for Fun and Profit
Manipulating memory for fun and profit
Manipulating memory for fun and profit
Manipulating memory for fun and profit
Manipulating memory for fun and profit
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
LicensingScopeAndBoundaries
LicensingScopeAndBoundaries
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
Mehr von Phyo Lay
C programming myanmar
C programming myanmar
Phyo Lay
ကြန္ပ်ဴတာပ်က္လွ်င္ စဥ္းစားနုိင္ရန္အခ်က္မ်ား
ကြန္ပ်ဴတာပ်က္လွ်င္ စဥ္းစားနုိင္ရန္အခ်က္မ်ား
Phyo Lay
ကြန္ ျပုျပင္ စီမံ
ကြန္ ျပုျပင္ စီမံ
Phyo Lay
ပါေတးရွင္းဘယ္လိုပိုင္းမလဲ ရာမညဖိုးလျပည့္
ပါေတးရွင္းဘယ္လိုပိုင္းမလဲ ရာမညဖိုးလျပည့္
Phyo Lay
Window++7++installation
Window++7++installation
Phyo Lay
Dictionary of computing
Dictionary of computing
Phyo Lay
Windows 7 installation guide
Windows 7 installation guide
Phyo Lay
ဥပေဒ အမွဳသည္မ်ားလက္စြဲ
ဥပေဒ အမွဳသည္မ်ားလက္စြဲ
Phyo Lay
Mehr von Phyo Lay
(8)
C programming myanmar
C programming myanmar
ကြန္ပ်ဴတာပ်က္လွ်င္ စဥ္းစားနုိင္ရန္အခ်က္မ်ား
ကြန္ပ်ဴတာပ်က္လွ်င္ စဥ္းစားနုိင္ရန္အခ်က္မ်ား
ကြန္ ျပုျပင္ စီမံ
ကြန္ ျပုျပင္ စီမံ
ပါေတးရွင္းဘယ္လိုပိုင္းမလဲ ရာမညဖိုးလျပည့္
ပါေတးရွင္းဘယ္လိုပိုင္းမလဲ ရာမညဖိုးလျပည့္
Window++7++installation
Window++7++installation
Dictionary of computing
Dictionary of computing
Windows 7 installation guide
Windows 7 installation guide
ဥပေဒ အမွဳသည္မ်ားလက္စြဲ
ဥပေဒ အမွဳသည္မ်ားလက္စြဲ
Kürzlich hochgeladen
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
PoojaSen20
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
AyushMahapatra5
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
VishalSingh1417
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
agholdier
Application orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
RamjanShidvankar
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
microwave assisted reaction. General introduction
microwave assisted reaction. General introduction
Maksud Ahmed
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
National Information Standards Organization (NISO)
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
Disha Kariya
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Denish Jangid
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
Thiyagu K
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
RAM LAL ANAND COLLEGE, DELHI UNIVERSITY.
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
TechSoup
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
iammrhaywood
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
christianmathematics
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
VishalSingh1417
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
PoojaSen20
Kürzlich hochgeladen
(20)
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
Application orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
microwave assisted reaction. General introduction
microwave assisted reaction. General introduction
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
Android modding-source
1.
Android Modding for
the Security Practitioner Dan Rosenberg Copyright © 2012 Virtual Security Research, LLC. 1 All Rights Reserved.
2.
Who am I? ▪
Security consultant and vulnerability researcher at Virtual Security Research in Boston ▫ App/net pentesting, code review, etc. ▫ Published some bugs ▫ Linux kernel exploitation ▫ Rooted a few Android phones Copyright © 2012 Virtual Security Research, LLC. 2 All Rights Reserved.
3.
Goals of this
Talk ▪ Clarify terminology ▪ Demystify Android rooting and modding techniques ▪ Draw some conclusions about security impact of modding Copyright © 2012 Virtual Security Research, LLC. 3 All Rights Reserved.
4.
Agenda ▪ The modding
community ▪ Locked and unlocked bootloaders ▪ Flashing ▪ Case studies in rooting ▪ Post-root hacks Copyright © 2012 Virtual Security Research, LLC. 4 All Rights Reserved.
5.
The Modding Community Copyright ©
2012 Virtual Security Research, LLC. 5 All Rights Reserved.
6.
Why Do People
Want to Mod? ▪ Expert usage ▫ Root-privileged applications for backup ▫ Tethering ▫ Overclocking/underclocking ▪ Customization ▫ Custom ROMs, themes ▫ Removal of bloatware Copyright © 2012 Virtual Security Research, LLC. 6 All Rights Reserved.
7.
Why Do People
Want to Mod? ▪ Upgradeability ▫ Cheap, subsidized phones -> phones become obsolete rapidly -> carriers halt support ▫ Modding allows continued upgrades (security and otherwise) in the event of missing carrier support ▪ Freedom ▫ Full control over your own hardware Copyright © 2012 Virtual Security Research, LLC. 7 All Rights Reserved.
8.
The Modding Community ▪
Modding community is largely Android enthusiasts with varying levels of technical background ▫ Result: mixed or confusing terminology, lack of consistent definitions of terms ▪ Dozens of Android forums and publications ▫ Most popular: XDA Developers, RootzWiki, AndroidForums Copyright © 2012 Virtual Security Research, LLC. 8 All Rights Reserved.
9.
Why Don't (Some)
Carriers Want You Modding? ▪ Support costs (tech support, warranty claims for bricked devices) ▪ Removal of sources of advertising revenue ▪ Free tethering conflicts with business model ▪ Ambiguous claims about “security” ▫ We'll take a look at this one Copyright © 2012 Virtual Security Research, LLC. 9 All Rights Reserved.
10.
What Prevents People
from Modding? ▪ Two primary prevention strategies: ▪ OS protections ▫ Prevent users from gaining root (administrative) access on their devices ▪ Hardware/firmware protections ▫ Prevent users from flashing new firmware images Copyright © 2012 Virtual Security Research, LLC. 10 All Rights Reserved.
11.
Locked and Unlocked
Bootloaders Copyright © 2012 Virtual Security Research, LLC. 11 All Rights Reserved.
12.
What is a
“Locked” Bootloader ▪ Term has come to encompass a variety of restrictions preventing customization ▪ My definition: “A bootloader that performs cryptographic signature verification to prevent booting custom, non-signed code” ▪ Implementation will vary based on vendor Copyright © 2012 Virtual Security Research, LLC. 12 All Rights Reserved.
13.
The State of
Unlocked Bootloaders ▪ Wide variety of tablet OEMs (Toshiba, ASUS, Lenovo, Sony) ▪ Four biggest phone OEMs: Samsung, Motorola, HTC, LG ▪ Varied degrees of bootloader locking ▫ Samsung ships mostly unlockable ▫ HTC supports official unlocking (voids warranty) ▫ LG ships unlocked, but no default flashing support ▫ Motorola tends to be locked tight, no custom ROMs and no downgrading Copyright © 2012 Virtual Security Research, LLC. 13 All Rights Reserved.
14.
How Do Locked
Bootloaders Work? ▪ Varies by hardware implementation ▪ Basic idea: ▫ On-chip crytographic verification of early stage bootloader ▫ Bootloader verifies signature of subsequent stage before loading (kernel, Android recovery, etc.) ▪ If signature check fails, drops into a failsafe mode for recovery Copyright © 2012 Virtual Security Research, LLC. 14 All Rights Reserved.
15.
Android Partition Layout ▪
Actual partitions will vary by manufacturer and chipset ▪ Relevant to Android operating system: ▫ system: binary applications, system configuration, services ▫ userdata: user-installed apps, contacts, data ▫ boot: kernel, filesystem root ▫ recovery: Android recovery system ▫ cache: various frequently accessed system data ▫ misc: odds and ends Copyright © 2012 Virtual Security Research, LLC. 15 All Rights Reserved.
16.
Case Study: Motorola/OMAP ▪
SHA1 hash of root public key stored in eFUSE ▪ Boot ROM verifies hash of key stored in mbmloader and signature on mbmloader ▪ mbmloader verifies signature on mbm (“Motorola Bootloader Mode?”) ▪ mbm verifies signature on lbl (“Linux Boot Loader”) ▪ lbl verifies signature on normal kernel or recovery Copyright © 2012 Virtual Security Research, LLC. 16 All Rights Reserved.
17.
Copyright © 2012
Virtual Security Research, LLC. 17 All Rights Reserved.
18.
Case Study: HTC/Qualcomm ▪
Primary processor (baseband) executes Primary Boot Loader (PBL) from ROM ▪ If FORCE_TRUSTED_BOOT Qfuse blown, verify signature of Secondary Boot Loader (SBL) ▫ Public key stored via Qfuse ▪ SBL verifies signature on REX/AMSS (baseband) and HBOOT (app processor bootloader), starts app processor running HBOOT ▪ HBOOT verifies signature on kernel/recovery, boots into operating system Copyright © 2012 Virtual Security Research, LLC. 18 All Rights Reserved.
19.
HTC S-ON/S-OFF ▪ On
some HTC devices, NAND lock prevents writing to system, kernel, and recovery partitions (“S-ON”) ▪ Flag in radio NVRAM (“@secuflag”) is checked by HBOOT, which enforces NAND lock ▪ Unsetting @secuflag or providing HBOOT that does not enforce is required to flash custom ROMs (“S-OFF”) ▪ Created distinction between temporary root (“temp root”) and permanent root (“perm root”, “perma-root”) ▫ You'll hear these terms misused outside of HTC, where they are meaningless Copyright © 2012 Virtual Security Research, LLC. 19 All Rights Reserved.
20.
HTC Bootloader Unlocking ▪
Submit device-specific token to HTC ▫ Voids warranty ▪ Download and flash signed binary blob ▪ HBOOT verifies blob and sets flag ▫ Disables signature checking on kernel, recovery, and system Copyright © 2012 Virtual Security Research, LLC. 20 All Rights Reserved.
21.
Fastboot Bootloader Unlocking ▪
If device is unlockable, just say the magic words: ▫ “fastboot oem unlock” ▫ We'll talk about fastboot in a bit ▪ Disables signature checks on all partitions ▪ Wipes userdata partition ▫ Important for data protection ▫ Otherwise, could flash compromised kernel/system/recovery and steal user data Copyright © 2012 Virtual Security Research, LLC. 21 All Rights Reserved.
22.
Flashing Copyright © 2012
Virtual Security Research, LLC. 22 All Rights Reserved.
23.
More Fragmentation ▪ Many
proprietary and open flashing protocols ▪ Vary by both handset manufacturer and chipset ▪ Terms are used interchangeably by Android modding community, leading to confusion Copyright © 2012 Virtual Security Research, LLC. 23 All Rights Reserved.
24.
Fastboot ▪ Standardized Android
protocol for flashing over USB ▫ “Client” is fastboot utility from AOSP ▫ “Server” is proprietary OEM-specific implementation in second-stage bootloader ▪ Flashes full disk images to specific partitions ▫ Any signature checking happens at boot, not at flashing ▪ Many phones disable for security reasons Copyright © 2012 Virtual Security Research, LLC. 24 All Rights Reserved.
25.
Update.zip ▪ Officially supported
Android update mechanism ▪ Implemented in Android recovery ▪ Copy zip file to SD card or internal storage ▫ Full binaries, or binary diff ▪ Validates RSA signature against manufacturer keys ▪ Bugs in the past ▫ Original Droid root Copyright © 2012 Virtual Security Research, LLC. 25 All Rights Reserved.
26.
APX Mode /
nvflash ▪ Tegra devices only ▪ Implemented in boot ROM ▪ All communication is AES-128-CBC encrypted ▫ Uses Secure Boot Key (SBK) ▫ Implemented in hardware as blown fuses ▫ Some SBKs are public or based on device ID ▫ Others are OEM secrets ▪ Upload “miniloader”, a minimal bootloader, that handles actual flashing Copyright © 2012 Virtual Security Research, LLC. 26 All Rights Reserved.
27.
SBF ▪ Motorola proprietary
format ▪ Similar to nvflash, but implemented in secondary bootloader (“mbm”) instead of in boot ROM ▪ Client uses RSD Lite (“Remote Software Download”) ▪ Upload minimal bootloader to handle actual flashing ▫ Miniloader is signature-checked ▪ Since Droid 3, replaced by Fastboot Copyright © 2012 Virtual Security Research, LLC. 27 All Rights Reserved.
28.
Misc. Custom Tools/Protocols ▪
KDZ ▫ LG download mode ▪ Odin ▫ Samsung download mode ▪ PDL ▫ Pantech download mode ▪ RUU (ROM Upgrade Utility) ▫ HTC utility, just a Fastboot wrapper Copyright © 2012 Virtual Security Research, LLC. 28 All Rights Reserved.
29.
Flashing and Data
Protection ▪ Userdata partition contains everything valuable ▫ Contacts, mail, SMS, apps, app data ▪ All flashing protocols reachable prior to booting OS ▫ Device passcode won't save you Copyright © 2012 Virtual Security Research, LLC. 29 All Rights Reserved.
30.
Flashing and Data
Protection ▪ Without disk encryption, all data is recoverable if: ▫ SBK of a Tegra device is leaked or predictable ● Use nvflash to read userdata ▫ Bootloader is kept unlocked ● Flash compromised recovery/kernel/system, boot, read from userdata block device ▪ With disk encryption, bootloader status has no effect on data protection ▫ ...if you actually require a strong password Copyright © 2012 Virtual Security Research, LLC. 30 All Rights Reserved.
31.
Rooting Copyright © 2012
Virtual Security Research, LLC. 31 All Rights Reserved.
32.
Why Root? ▪ Need
root access to operating system to perform administrative tasks ▪ It's possible to have a device that: ▫ Has unlocked bootloader (can boot unsigned code) ▫ Does not allow flashing unsigned code ▪ In these cases, custom ROMs are only possible after gaining root and writing to block devices directly ▪ On devices with locked bootloaders, need root to customize anything Copyright © 2012 Virtual Security Research, LLC. 32 All Rights Reserved.
33.
Background: Android Debugging
Bridge (ADB) ▪ Connect over Wifi or USB ▫ Enabled in device settings (“USB Debugging Mode”) ▪ Allows installing applications ▪ ADB shell has uid/gid “shell”, and lots of groups: /* add extra groups: ** AID_ADB to access the USB driver ** AID_LOG to read system logs (adb logcat) ** AID_INPUT to diagnose input issues (getevent) ** AID_INET to diagnose network issues (netcfg, ping) ** AID_GRAPHICS to access the frame buffer ** AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump) ** AID_SDCARD_RW to allow writing to the SD card ** AID_MOUNT to allow unmounting the SD card before rebooting */ Copyright © 2012 Virtual Security Research, LLC. 33 All Rights Reserved.
34.
Background: Android Properties ▪
Android uses “property” system for system settings ▪ Applications can set arbitrary properties, except reserved property namespaces ▪ “ro” (read-only) properties can only be set once, never changed Copyright © 2012 Virtual Security Research, LLC. 34 All Rights Reserved.
35.
ADB + Properties
= ? ▪ Certain properties have special meaning to ADB ▪ If “ro.secure” is 0, ADB shell runs as root ▪ Lesser known: if “ro.kernel.qemu” is 1, ADB shell runs as root: /* run adbd in secure mode if ro.secure is set and ** we are not in the emulator */ Copyright © 2012 Virtual Security Research, LLC. 35 All Rights Reserved.
36.
Case Study: Motofail
Copyright © 2012 Virtual Security Research, LLC. 36 All Rights Reserved.
37.
The Goal ▪ The
Android init process parses /data/local.prop for property settings at boot ▪ If we can modify this file to set any of those “special” properties, we win, because ADB shell will run as root ▪ Fortunately, there are lots of file permission bugs :-) Copyright © 2012 Virtual Security Research, LLC. 37 All Rights Reserved.
38.
Motofail: The Bugs ▪
Motorola init.rc script (run as root) had multiple bugs: mkdir /data/dontpanic chown root log /data/dontpanic chmod 0770 /data/dontpanic # create logger folder mkdir /data/logger 0770 radio log chown radio log /data/logger chmod 0770 /data/logger # workaround: in solana somebody deletes the logfile. # we have to back it up. copy /data/dontpanic/apanic_console /data/logger/last_apanic_console ▪ ADB shell has group “log” Copyright © 2012 Virtual Security Research, LLC. 38 All Rights Reserved.
39.
Exploit Flow ▪ Put
a file containing the string “ro.kernel.qemu=1” at /data/dontpanic/apanic_console ▪ Place a symlink pointing to /data/local.prop at /data/logger/last_apanic_console ▪ On reboot, init will copy our file on top of local.prop, and ADB will run as root! Copyright © 2012 Virtual Security Research, LLC. 39 All Rights Reserved.
40.
Motofail: The Emulator ▪
Adversarial relationship between rooters and OEMs ▫ Goal is to keep bugs unpatched as long as possible ▪ To prevent patching, Motofail was heavily obfuscated ▫ Exploit ran inside custom emulator ▫ Dirty tricks to prevent dynamic analysis ▫ Dummy code generation for false trails ▫ Included full list of filesystem contents in binary ▪ Motorola fixed it quickly anyway :-( ▫ Please email me if you were the one who had to reverse engineer this Copyright © 2012 Virtual Security Research, LLC. 40 All Rights Reserved.
41.
Lessons from Motofail ▪
File permission bugs are a serious problem on Android ▪ Exploit is not possible without group “log” ▫ This group is granted to applications that request android.permission.READ_LOGS ▫ This permission substantially increases the attack surface exposed to malicious applications ▪ Disable USB Debugging mode when not in use ▫ Cripples data protection if lost device is rootable Copyright © 2012 Virtual Security Research, LLC. 41 All Rights Reserved.
42.
Case Study: Sony
Tablet S Copyright © 2012 Virtual Security Research, LLC. 42 All Rights Reserved.
43.
Sony Tablet S:
The Bug ▪ Again, started with the obvious: /log directory is writable by group log ▪ Directory contains root-owned log files that represent on-disk copies of the Android debugging logs (logcat) ▪ Log backups are created with predictable filenames ▪ Observed that replacing log backup with a symlink and triggering a log dump by writing to logcat will: ▫ Create a new file anywhere with the log contents ▫ Append log contents to any existing file Copyright © 2012 Virtual Security Research, LLC. 43 All Rights Reserved.
44.
Plan of Attack ▪
Ultimate goal: get the string “ro.kernel.qemu=1” into /data/local.prop ▪ On any other device, this would be easy: ▫ We can partially control the log file contents by writing to logcat ▫ If local.prop doesn't exist, vuln will create it ▫ If local.prop does exist, vuln will append to it ▪ But... Copyright © 2012 Virtual Security Research, LLC. 44 All Rights Reserved.
45.
OEM Customization ▪ On
this particular device, /data/local.prop is a symbolic link to /configs/local.prop, which is a read-only filesystem (can't append) ▪ Need to find a way to remove existing symlink in order to create new local.prop file Copyright © 2012 Virtual Security Research, LLC. 45 All Rights Reserved.
46.
How to Remove
Arbitrary Files ▪ Noticed odd behavior in Android Package Manager (pm) ▪ pm distinguishes between “system” and “user- installed” packages ▫ System apps are OEM-installed in /system/app ▪ Every app has a data directory in /data/data/[app]/ ▫ Includes lib/ directory for native libraries ▫ System apps are expected to have empty “lib” dirs Copyright © 2012 Virtual Security Research, LLC. 46 All Rights Reserved.
47.
How to Remove
Arbitrary Files, cont. ▪ If a system app's lib directory is not empty on boot, the Package Manager will empty it ▪ What happens if we replace a system app's lib directory with a symbolic link to a directory we want empty? ▪ pm will follow symlinks and non-recursively empty this directory! Copyright © 2012 Virtual Security Research, LLC. 47 All Rights Reserved.
48.
How to Execute
Code as a System App ▪ “run-as” program allows ADB shell to assume privileges of any application marked as “debuggable” ▪ Parses /data/system/packages.list file to determine status and uid of packages ▪ Normally, no system apps are marked debuggable ▪ But, we can append data to arbitrary files! ▫ Modify /data/system/packages.list to make a system app debuggable Copyright © 2012 Virtual Security Research, LLC. 48 All Rights Reserved.
49.
Putting it All
Together ▪ Trigger log vulnerability to append fake package information to /data/system/packages.list ▪ Use “run-as” to assume privileges of system app ▪ Replace system app's lib directory with symlink to /data ▪ Reboot, /data/local.prop will be removed ▪ Use log vulnerability again to create new local.prop ▪ Reboot and run ADB as root Copyright © 2012 Virtual Security Research, LLC. 49 All Rights Reserved.
50.
Lessons from Sony
Root ▪ Root vulnerability ?= security vulnerability ▫ This cannot be exploited by malicious applications ▪ “Benign” roots are often patched faster than real security bugs ▫ Hmm... ▪ Multiple bugs may be chained together to achieve goal Copyright © 2012 Virtual Security Research, LLC. 50 All Rights Reserved.
51.
Post-Root Modding
Copyright © 2012 Virtual Security Research, LLC. 51 All Rights Reserved.
52.
Custom Recovery Partitions ▪
Replaces stock Android recovery system ▫ Allows easily and safely flashing custom partitions ▪ Most popular: ClockworkMod Recovery (CWM) ▪ If bootloader is locked, can't flash custom recovery ▫ Instead, can hijack original recovery executable (“bootstrap recovery”) Copyright © 2012 Virtual Security Research, LLC. 52 All Rights Reserved.
53.
2nd Init, 2nd
System, and kexec ▪ Unable to flash custom kernels on locked bootloaders ▪ 2nd Init: use ptrace() to hijack init process early and run custom init scripts ▫ Allows customization of early boot process ▪ 2nd System: mount a custom system partition on top of original, preserving the original while allowing OS mods ▪ kexec: use the kexec() system call to boot into a new kernel without flashing to disk Copyright © 2012 Virtual Security Research, LLC. 53 All Rights Reserved.
54.
How is Root
Access Provisioned? Copyright © 2012 Virtual Security Research, LLC. 54 All Rights Reserved.
55.
Su and Superuser ▪
No passwords to type in ▪ “su” is setuid root native binary ▪ “Superuser” is Android APK (application) ▪ Applications execute su to gain root privileges ▪ su communicates with Superuser over Unix socket to check database of permitted apps/uids ▫ Permit, deny, or prompt based on response Copyright © 2012 Virtual Security Research, LLC. 55 All Rights Reserved.
56.
How Su Increases
Attack Surface ▪ By default, no setuid binaries accessible by apps ▪ Just the presence of setuid binaries can enable exploitation of privilege escalation vulnerabilities ▪ CVE-2010-3847, CVE-2010-3856 ▫ Tavis Ormandy's glibc vulns, require setuid to exploit ▪ CVE-2012-0056 ▫ “Mempodroid” exploit, requires setuid app Copyright © 2012 Virtual Security Research, LLC. 56 All Rights Reserved.
57.
Evaluating su
▪ User “shell” and “root” automatically permitted: if (su_from.uid == AID_ROOT || su_from.uid == AID_SHELL) allow(shell, orig_umask); ▪ Looks ok now, but sketchy code in the past: @@ -318,7 +318,8 @@ int main(int argc, char *argv[]) } } else if (!strcmp(argv[i], "-s") || !strcmp(argv[i], "--shell")) { if (++i < argc) { - strcpy(shell, argv[i]); + strncpy(shell, argv[i], sizeof(shell)); + shell[sizeof(shell) - 1] = 0; } else { usage(); } Copyright © 2012 Virtual Security Research, LLC. 57 All Rights Reserved.
58.
Pros and Cons
of Su/Superuser ▪ If USB debugging enabled, no root exploit needed to obtain all data ▫ Grants root access to “shell” without prompt ▪ Enables self-administration ▫ Can patch your own services ▫ Can detect malicious activity more easily ▪ Introduces additional attack surface via potential vulnerabilities and presence of accessible setuid apps Copyright © 2012 Virtual Security Research, LLC. 58 All Rights Reserved.
59.
Final Words Copyright ©
2012 Virtual Security Research, LLC. 59 All Rights Reserved.
60.
Final Words ▪ Impossible
to evaluate “Android” security, especially data protection, without considering chipset and handset hardware ▪ Use disk encryption if it's available! ▪ Disable USB debugging access when not in use ▪ Rooting/modding is a double-edged sword ▫ Allows manual patching of vulns, but may introduce additional vulns or exposures Copyright © 2012 Virtual Security Research, LLC. 60 All Rights Reserved.
61.
Thanks To... ▪ [mbm] ▪
kmdm ▪ IEF ▪ Matt Mastracci ▪ Joshua Wise ▪ ShabbyPenguin ▪ k0nane ▪ jcase ▪ PlayfulGod Copyright © 2012 Virtual Security Research, LLC. 61 All Rights Reserved.
62.
References ▪ http://tjworld.net/wiki/Android/HTC/Vision/BootProcess ▪ http://wiki.opticaldelusion.org/wiki/Motoactv ▪
http://www.droid-developers.org/wiki Copyright © 2012 Virtual Security Research, LLC. 62 All Rights Reserved.
63.
Questions? E-mail:
drosenberg@vsecurity.com Twitter: @djrbliss Company: http://www.vsecurity.com Personal: http://www.vulnfactory.org Copyright © 2012 Virtual Security Research, LLC. 63 All Rights Reserved.
Jetzt herunterladen