2. About us
• Keen Team
• Pwn2Own Mobile 2013
• Pwn2Own 2014, 2015
• 0ops and Blue-Lotus members
• Multiple CVEs affecting major SoC solutions
• Also contribute root tools to the community for fun
  • Huawei Ascend Mate 7
  • User-mode exp of giefroot (by zxz0O0)
3. Agenda
• Binary Analysis
  • Benefits
  • Disassembling kernel
  • Fuzzing
  • Case study
• Suggestions
  • SoC vendors
  • Phone/ROM mgfr
• Source Analysis
  • Tools and methods
  • Analyzer internals
  • Case study
9. Benefits of Binary Kernel
• Exact piece of code running on actual devices
• Critical security features
  • …with many options
  • SEAndroid
  • TIMA, etc.
• Offset, offset, offset…
  • Important for constructing args
• Fuzzing
10. Preparing Kernel
1. Extract zImage
2. Decompress zImage
3. Flat, plain binary
  • Code + Data
  • No structure
IDA's best guess ==>
11. Preparing Kernel
• Solution: IDA loader
1. Extract address table
  • Also determine arch by address length (64 or 32)
2. Extract (compressed) symbol name table
3. Create symbols
12. Fuzzing Targets (1) - mmap
• Call mmap on dev fd
• Create VA => PA mapping in user space
• Boundary check?
  • remap_pfn_range
  • Fixed or variable start
  • PA overlapping
• Long lasting…
  • Framaroot (2013)
  • Mate 7 root (2015)
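The boundary-check question on this slide, worked through in code. This is an added example and not from the talk or any vendor driver: the `vm_area`, `dev_region` and `mapping` structs are user-space stand-ins for the `vm_area_struct` fields and the `remap_pfn_range` call a real handler would use, and `mmap_unchecked` / `mmap_checked` are constructed to contrast the variable-start, no-check pattern with a handler that keeps the physical range inside the device's own window.

```cpp
#include <cstdint>
#include <cstdio>

constexpr unsigned PAGE_SHIFT = 12;
constexpr uint64_t PAGE_SIZE = 1ull << PAGE_SHIFT;

// Stand-in for the vm_area_struct fields an mmap handler consults (constructed, not kernel code).
struct vm_area {
    uint64_t vm_start, vm_end;   // user VA range being mapped
    uint64_t vm_pgoff;           // page offset passed by the caller of mmap(2)
};

// The physical window the driver is allowed to expose (sample values are constructed below).
struct dev_region {
    uint64_t base_pfn;           // first page frame of the device window
    uint64_t npages;             // number of frames in it
};

// What remap_pfn_range would be asked to map; `done` is false when the request was refused.
struct mapping { uint64_t pfn; uint64_t npages; bool done; };

// Unchecked pattern from slide 12 (variable start, no boundary check): vm_pgoff and the
// length are forwarded as-is, so frames outside the device window become user-mappable,
// which is exactly the "PA overlapping" condition the slide lists.
mapping mmap_unchecked(const dev_region& dev, const vm_area& vma) {
    uint64_t size = vma.vm_end - vma.vm_start;
    return { dev.base_pfn + vma.vm_pgoff, size >> PAGE_SHIFT, true };
}

// Checked version: every request-derived value is validated against the window before
// it would reach remap_pfn_range. The subtraction form of the last test avoids the
// wrap-around that `vm_pgoff + npages` could produce with a huge vm_pgoff.
mapping mmap_checked(const dev_region& dev, const vm_area& vma) {
    const mapping refused = { 0, 0, false };
    if (vma.vm_end <= vma.vm_start) return refused;
    uint64_t size = vma.vm_end - vma.vm_start;
    if (size & (PAGE_SIZE - 1)) return refused;             // whole pages only
    uint64_t npages = size >> PAGE_SHIFT;
    if (vma.vm_pgoff >= dev.npages) return refused;         // start inside the window
    if (npages > dev.npages - vma.vm_pgoff) return refused; // end inside the window
    return { dev.base_pfn + vma.vm_pgoff, npages, true };
}

int main() {
    dev_region dev = { 0x80000, 16 };                       // constructed: 16 frames at PFN 0x80000
    vm_area req = { 0x10000000, 0x10010000, 8 };            // 16 frames from offset 8: overruns by 8
    mapping a = mmap_unchecked(dev, req), b = mmap_checked(dev, req);
    std::printf("unchecked: maps pfn 0x%llx x %llu pages\n",
                (unsigned long long)a.pfn, (unsigned long long)a.npages);
    std::printf("checked:   %s\n", b.done ? "mapped" : "refused");
    return 0;
}
```

The check answers the slide's "Fixed or variable start" point as well: a handler with a fixed start still needs the length test, and one with a variable start needs both the start and the length tests, computed so that neither can wrap.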
15. Fuzzing Targets (2) - ioctl
• Command code
  • Specify request type
  • Differs from device to device
  • Coverage!!!
• Argument
  • Structure pointer
  • Length, type, etc…
  • Digging from binary
16. Hex-Rays Decompiler
• Assembly => Pseudo C
• API interface:
  • AST: ctree
  • Nodes: citem_t
  • 80+ types of node
  • 9 types commonly used

    enum ctype_t
    {
        cot_asg    = 2,  ///< x = y
        cot_add    = 35, ///< x + y
        cot_sub    = 36, ///< x - y
        cot_cast   = 48, ///< (type)x
        cot_ptr    = 51, ///< *x, access size in 'ptrsize'
        cot_call   = 57, ///< x(...)
        cot_idx    = 58, ///< x[y]
        cot_memref = 59, ///< x.m
        cot_memptr = 60, ///< x->m, access size in 'ptrsize'
    };
17. Variable Propagation
• Lack of optimization
• Semi-SSA pseudo code
• int xxx_ioctl(a1, a2, a3)
  • a1: fd
  • a2: ioctl command
  • a3: arg
• We need to track both a2 and a3
18. Variable Propagation
• Propagation rules
  • cot_asg nodes
    • Straightforward
    • Affecting both cmd and arg
  • cot_call nodes
    • Kernel specific
      • copy_from/to_user
      • memcpy
    • Affecting arg only
19. Variable Propagation
• Inter-procedure propagation
  • copy_from/to_user is a special case
  • memcpy
  • For non-special-case propagation, decompile the sub-routine recursively to proceed
https://android.googlesource.com/kernel/mediatek/+/58a89abc8fc05796b12fd8829dac415c9e3f01e2/drivers/misc/mediatek/mmc-host/mt6582/mt_sd_misc.c
20. Type Re-construction
• cot_add & cot_sub
  • Result of var propagation leads to a3
  • Offset can be calculated
  • Length can be assumed (accurately)
• Handling inter-procedure scenarios
  • Just like variable propagation
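Slides 17 to 20 describe one pass: propagate which variables alias the ioctl arg (`cot_asg`, and `copy_from_user` as the kernel-specific `cot_call` case), recurse into non-special callees, and turn `cot_add`/`cot_sub` plus the dereference size into field offsets and lengths. The following is an added example of that pass, written here and not the talk's analyzer or the Hex-Rays API: `cexpr`, `cfunc`, `Layout`, `Taint`, `offset_of`, `visit`, `analyze`, `reconstruct` and the builders `N`/`V`/`C`/`DEREF` are all constructed toys that borrow only the `cot_*` names from slide 16, and `sample_funcs` is a hand-built ctree for a fictional `xxx_ioctl` and `helper`. Only the `a3` side is tracked; the command code `a2` follows the same `cot_asg` rule.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Node kinds: a subset of the Hex-Rays ctype_t names from slide 16 (toy, not the real enum).
enum ctype_t { cot_var, cot_num, cot_asg, cot_add, cot_sub, cot_cast, cot_ptr, cot_call };

struct cexpr {
    ctype_t op;
    long long v = 0;                 // cot_var: variable index; cot_num: constant
    int ptrsize = 0;                 // cot_ptr: access size, as in Hex-Rays
    std::string callee;              // cot_call: function name
    std::vector<const cexpr*> x;     // operands (x, y) or call arguments
};
struct cfunc { int nargs; std::vector<const cexpr*> body; };
using Funcs  = std::map<std::string, cfunc>;
using Layout = std::map<long long, int>;   // offset inside the arg -> access length
using Taint  = std::map<int, long long>;   // variable -> offset inside the arg it points to

// Resolve e to an offset inside the tracked arg when it derives from it (cot_add/cot_sub
// with a constant, through casts): the "offset can be calculated" step of slide 20.
static bool offset_of(const cexpr* e, const Taint& t, long long& off) {
    switch (e->op) {
    case cot_var: { auto it = t.find((int)e->v); if (it == t.end()) return false; off = it->second; return true; }
    case cot_cast: return offset_of(e->x[0], t, off);
    case cot_add: case cot_sub:
        if (e->x[1]->op != cot_num || !offset_of(e->x[0], t, off)) return false;
        off += e->op == cot_add ? e->x[1]->v : -e->x[1]->v;
        return true;
    default: return false;
    }
}

static void analyze(const Funcs& fs, const std::string& name, Taint t, Layout& out, int depth);

static void visit(const Funcs& fs, const cexpr* e, Taint& t, Layout& out, int depth) {
    long long off;
    switch (e->op) {
    case cot_ptr:                       // *(type*)(arg + k): field at k, length = ptrsize
        if (offset_of(e->x[0], t, off)) { int& len = out[off]; if (len < e->ptrsize) len = e->ptrsize; }
        else visit(fs, e->x[0], t, out, depth);
        return;
    case cot_asg:                       // x = y: x now points where y points (slide 18)
        if (e->x[0]->op == cot_var) {
            if (offset_of(e->x[1], t, off)) t[(int)e->x[0]->v] = off; else t.erase((int)e->x[0]->v);
        } else visit(fs, e->x[0], t, out, depth);
        visit(fs, e->x[1], t, out, depth);
        return;
    case cot_call: {
        const auto& a = e->x;
        if (e->callee == "copy_from_user" && a.size() == 3) {   // special case: dst aliases src's offset
            if (offset_of(a[1], t, off) && a[0]->op == cot_var) t[(int)a[0]->v] = off;
            return;
        }
        auto f = fs.find(e->callee);    // non-special callee: bind params and "decompile" it recursively
        if (f != fs.end() && depth < 8) {
            Taint sub;
            for (int i = 0; i < (int)a.size() && i < f->second.nargs; ++i)
                if (offset_of(a[i], t, off)) sub[i] = off;
            if (!sub.empty()) analyze(fs, e->callee, sub, out, depth + 1);
        }
        for (auto k : a) visit(fs, k, t, out, depth);
        return;
    }
    default:
        for (auto k : e->x) visit(fs, k, t, out, depth);
    }
}

static void analyze(const Funcs& fs, const std::string& name, Taint t, Layout& out, int depth) {
    auto f = fs.find(name);
    if (f == fs.end()) return;
    for (auto s : f->second.body) visit(fs, s, t, out, depth);
}

// Entry point: reconstruct the layout reachable from argument `arg` of `entry`.
Layout reconstruct(const Funcs& fs, const std::string& entry, int arg) {
    Layout out; Taint t; t[arg] = 0;
    analyze(fs, entry, t, out, 0);
    return out;
}

// --- constructed sample: the ctree of a fictional ioctl handler -------------------------
static std::vector<std::unique_ptr<cexpr>> arena;
static const cexpr* N(ctype_t op, std::vector<const cexpr*> x = {}, long long v = 0, int ps = 0, const char* callee = "") {
    arena.push_back(std::unique_ptr<cexpr>(new cexpr{op, v, ps, callee, std::move(x)}));
    return arena.back().get();
}
static const cexpr* V(int i)       { return N(cot_var, {}, i); }
static const cexpr* C(long long k) { return N(cot_num, {}, k); }
static const cexpr* DEREF(const cexpr* p, int size) { return N(cot_ptr, {N(cot_cast, {p})}, 0, size); }

Funcs sample_funcs() {
    Funcs fs;
    // int xxx_ioctl(a1 = fd, a2 = cmd, a3 = arg): variables 0..2 are the arguments, 3.. locals
    fs["xxx_ioctl"] = { 3, {
        N(cot_asg, {V(3), V(2)}),                                   // v3 = a3
        N(cot_call, {V(4), V(3), C(24)}, 0, 0, "copy_from_user"),   // copy_from_user(v4, v3, 24)
        N(cot_asg, {V(5), DEREF(N(cot_add, {V(4), C(8)}), 4)}),     // v5 = *(int *)(v4 + 8)
        N(cot_call, {N(cot_add, {V(4), C(16)})}, 0, 0, "helper"),   // helper(v4 + 16)
    }};
    fs["helper"] = { 1, {
        N(cot_asg, {V(1), DEREF(V(0), 1)}),                         // v1 = *(char *)a1
        N(cot_asg, {V(2), DEREF(N(cot_add, {V(0), C(4)}), 4)}),     // v2 = *(int *)(a1 + 4)
    }};
    return fs;
}
```

Running `reconstruct(sample_funcs(), "xxx_ioctl", 2)` yields offsets 8 (4 bytes), 16 (1 byte) and 20 (4 bytes): the last two come from `helper`, whose parameter was bound to `arg + 16` on the call, which is the inter-procedure case of slides 19 and 20. The resulting offset/length pairs are what the fuzzer needs to build a well-formed argument structure rather than a random blob.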
21. Case Study - sdcard driver
    static int simple_mmc_erase_partition_wrap(struct msdc_ioctl* msdc_ctl)
    {
        unsigned char name[25];
        if (copy_from_user(name,
                           (unsigned char*)msdc_ctl->buffer,
                           msdc_ctl->total_size))
            return -EFAULT;
        return simple_mmc_erase_partition(name);
    }

    static int vulnerable_func(struct vul_ioctl* vul_ctl)
    {
        unsigned char name[25];
        if (copy_from_user(name,
                           (unsigned char*)vul_ctl->buffer,
                           vul_ctl->total_size   /* <== overflows the char name[] array */
                           ))
            return -EFAULT;
        return other_func(name);
    }
- Discovered by constructing an illegal total_size value
- Actually needed a bigger total_size, as it is an inlined routine
- Impacting almost every phone using that brand of SoC when discovered
Fix:
1. Restrict access to the devfs node (bypassed by another configuration bug :-S)
2. Check total_size before calling copy_from_user
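Fix 2 from the slide, as an added example that compiles and runs in user space (it is not the vendor's patch): `msdc_ioctl`, the `copy_from_user` stand-in, `frame`, `NAME_SIZE`, `spill_after` and the two `erase_wrap_*` handlers are constructed here. The stand-in copies exactly like the kernel helper from the caller's point of view: it validates the source, returns the bytes not copied, and knows nothing about the destination size. `frame` is a flat model of the stack frame, with `name[25]` at its start and 39 further bytes standing in for whatever the compiler placed after it, which is also why an inlined routine needed a larger `total_size` to reach anything interesting.

```cpp
#include <cstring>

// Constructed stand-ins for the kernel pieces the case study touches.
struct msdc_ioctl { const void* buffer; unsigned int total_size; };
enum { EFAULT = 14, EINVAL = 22, NAME_SIZE = 25 };

// Models copy_from_user(): checks only that the *source* is accessible and returns the
// number of bytes not copied. It cannot know how big `to` is, so the caller must bound n.
static unsigned long copy_from_user(void* to, const void* from, unsigned long n) {
    if (from == nullptr) return n;
    std::memcpy(to, from, n);
    return 0;
}

// Flat model of the handler's stack frame: name[25] first, then whatever follows it.
struct frame { unsigned char bytes[64]; };

// Before the fix (pattern of slide 21): total_size comes straight from user space.
static int erase_wrap_before(const msdc_ioctl* ctl, frame* f) {
    unsigned char* name = f->bytes;             // name[25] lives at the start of the frame
    if (copy_from_user(name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    return 0;                                   // real code continues into simple_mmc_erase_partition(name)
}

// After the fix: reject a user-controlled length larger than the destination first.
static int erase_wrap_after(const msdc_ioctl* ctl, frame* f) {
    unsigned char* name = f->bytes;
    if (ctl->total_size > NAME_SIZE)
        return -EINVAL;
    if (copy_from_user(name, ctl->buffer, ctl->total_size))
        return -EFAULT;
    return 0;
}

// Harness: run a handler with a constructed request and report how many bytes past
// name[] it wrote. The model frame is 64 bytes, so larger requests are not attempted.
unsigned spill_after(int (*handler)(const msdc_ioctl*, frame*), unsigned int total_size) {
    unsigned char user_buf[64];
    std::memset(user_buf, 0x41, sizeof user_buf);   // constructed user data
    if (total_size > sizeof user_buf) return 0;
    frame f; std::memset(f.bytes, 0, sizeof f.bytes);
    msdc_ioctl ctl = { user_buf, total_size };
    handler(&ctl, &f);
    unsigned spilled = 0;
    for (unsigned i = NAME_SIZE; i < sizeof f.bytes; ++i)
        if (f.bytes[i] != 0) ++spilled;
    return spilled;
}
```

With `total_size = 40`, `erase_wrap_before` overwrites 15 bytes beyond `name[]` while `erase_wrap_after` returns `-EINVAL` and touches nothing; a legitimate 25-byte request passes both. The length check belongs in the handler because, as the stand-in makes visible, `copy_from_user` can only ever validate the user side of the copy.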
26. Android Kernel Source Preprocessing
• Android ARM Toolchain
  • -target arm-none-linux-gnueabi -gcc-toolchain
• Clang compatibility processing
  • BUILD_BUG_ON
  • sbcccs in __range_ok()
• Checker compatibility processing
  • copy_from_user / copy_to_user etc.
  • remove the 'inline' keyword
• Kernel Source Building/Pruning
  • only care about 3rd-party drivers
  • make C=1 CHECK="arm-eabi-gcc" CHECKFLAGS="-E -o $<.i" V=1 -j8
• Actually there is still a lot that can be done...
27. Clang-Analyzer - AST Checker
1. FuncInfo->isStr("remap_pfn_range") ?
2. TheCall->getNumArgs() == 5 ?
3. arg3->isEvaluatable() ?
4. foreach variable in arg3:
  • visit the ASTBody to decide whether it is constrained.
5. Are all the variables in arg3 not constrained ?
6. report the potential bug.