Beyond Root (slide transcript, qualcomm.com)
About us
• 3+ yrs of Android rooting
  - Ping-Pong Root (CVE-2015-3636)
  - Pipe-iovec root (aka iovyroot, CVE-2015-1805)
  - Bypassing KNOX on Samsung Galaxy S6/S7
  - First root on Samsung Galaxy S7
  - …
• Two nominations of Pwnie Awards
  - For Ping-Pong root and Pipe-iovec root
But not today
• Root for fun vs. Root for profit
• There is no fun in malware
Source: Softpedia News
Profitable Business Model
(Diagram: Develop SDK, Backend, Report, Pay per use)
Fast Learning, …
• Profit-driven malware “community”
  - Early 2016 – FramaRoot, put_user, TowelRoot, etc.
  - Late 2016 – PingPong Root, IovyRoot, etc.
  - Took us 2 years to be there…
Source: https://www.youtube.com/watch?v=pB7xOnBybgU
Plenty of Easy Targets
(Chart: Est. Vulnerable Devices (K devices, end of 2017) for Dirty Cow (64), Iovy (32), Iovy (64), Ping-Pong (32), Ping-Pong (64); y-axis 0 to 16000)
Don’t be an Ostrich
• Vulnerabilities are there
• (Most) users can’t fix them without OTA
• We can if users choose to root their phone
  - Good guys get the upper hand
• Proactive defense implemented by vendors
  - Pointer authentication
  - Samsung KNOX RKP
  - Huawei
  - YunOS
  - …
addr_limit Verification
  - Syscall entrance
Kernel Stack Randomization
  - (Seems to be) HW random generator based
  - Defeats JOP chain operating on kernel stack
This Shall Benefit More Users
• Introducing XMod
  - Originally named “root killer”
  - Prototype developed after Ping-Pong root
  - Detect and defeat root attempts
  - Adaptive kernel probe
XMod Adaptive Hooking Framework
• Why adaptive?
  - Fragmented Android ecosystem
  - Some symbols may be missing or renamed
  - Some data struct layout may change
• Make it adaptive
  - Manually locate volatile symbols
    - Offline kernel analysis for each vendor kernel/device we support
    - If not found, use our own fallback implementation
  - Audit structure offsets
    - Locate specific struct layout pattern in memory
    - Use heuristic method to guess the offset
    - Decode function code snippet to compute the offset
Offline Kernel Analysis
• Symbols: https://github.com/nforest/droidimg
  - Now with ida7, radare2 and kaslr support 8-)
• 3 steps:
  - Identify arch (arm32 or 64)
  - Identify address table (according to arch detection)
  - Unpack name table
• With symbols, we can further detect
  - Critical offsets
  - Non-exported data structures (ptmx_fops for example)
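As an added worked example (not droidimg's code), here is how the three steps fit together on a constructed toy kallsyms blob: the address table is read at the pointer size chosen by arch detection, and the compressed name table is expanded through the token table the way the kernel's own kallsyms_expand_symbol() does it. It assumes the classic kallsyms layout of the 3.x/4.x kernels these devices ran (1-byte length prefix per entry, type character folded into the first token); the token list, names and addresses are all constructed.

```python
import struct

# Constructed kallsyms-style tables (not extracted from any real kernel):
# a token list, a compressed name table and a raw arm64 address table.
SAMPLE_TOKENS = ["T", "D", "sys_", "ptmx_", "fops", "open"]
SAMPLE_NAMES = bytes([3, 0, 2, 5,      # "T" "sys_" "open"  -> T sys_open
                      3, 1, 3, 4])     # "D" "ptmx_" "fops" -> D ptmx_fops
SAMPLE_ADDRS = struct.pack("<QQ", 0xFFFFFFC000210000, 0xFFFFFFC000C80000)


def build_token_tables(tokens):
    """kallsyms_token_table is NUL-terminated strings back to back;
    kallsyms_token_index maps a token byte to its offset in that table."""
    table = b"".join(t.encode() + b"\0" for t in tokens)
    index, off = [], 0
    for t in tokens:
        index.append(off)
        off += len(t) + 1
    return table, index


def expand_symbol(names, pos, token_table, token_index):
    """Decode one entry: a length byte followed by <length> token bytes.
    The first decoded character is the symbol type (T, t, D, ...)."""
    length = names[pos]
    pos += 1
    text = ""
    for tok in names[pos:pos + length]:
        start = token_index[tok]
        end = token_table.index(b"\0", start)
        text += token_table[start:end].decode()
    return text[0], text[1:], pos + length


def unpack_name_table(names, num_syms, token_table, token_index):
    """Step 3 of the slides: walk the compressed name table entry by entry."""
    out, pos = [], 0
    for _ in range(num_syms):
        typ, name, pos = expand_symbol(names, pos, token_table, token_index)
        out.append((typ, name))
    return out


def parse_address_table(blob, arch_bits):
    """Step 2: entries are pointer-sized, so arch detection (step 1) decides
    whether each little-endian entry is 4 or 8 bytes wide."""
    size = arch_bits // 8
    fmt = "<" + ("Q" if size == 8 else "I") * (len(blob) // size)
    return list(struct.unpack(fmt, blob))


def recover_symbols(arch_bits, addr_blob, names, tokens):
    """Pair each address with its decoded (type, name), as a kallsyms dump would."""
    table, index = build_token_tables(tokens)
    addrs = parse_address_table(addr_blob, arch_bits)
    syms = unpack_name_table(names, len(addrs), table, index)
    return [(a, t, n) for a, (t, n) in zip(addrs, syms)]
```

With the recovered addresses, a probe can then look up a non-exported object such as ptmx_fops by name instead of hardcoding a per-device offset.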
Why We Invented Our Own Wheels
• More than one hooking framework in kernel
  - Kprobes - Non-disruptive dynamic kernel routine prober
  - ftrace - Versatile kernel internal activity inspector
• Two hindrances to using them in XMod
  - Availability – optional kernel feature
  - Performance – too heavy for our purposes
Light-weight Hooking Framework
Pros & Cons
• Pros
  - Very light-weight
  - Easy to expand
• Cons
  - Have to blacklist some instructions
    - Usually PC relative ones
    - Branch range
Advantages
• Naturally immune to
  - Obfuscation
  - Dynamic payload
  - Emulator detection
  - Location based disguise
• Very low false-positive
  - Not that many benign apps
Tracking of “爱心推” SDK
• Used to be part of ZNIU (Dirty Cow exploit in the wild)
• 300+ apps, millions of users
  - Root exploits are hosted on cloud
• Utilizing VirtualApp for malicious download
  - https://github.com/asLody/VirtualApp
Their official website…
Observations
• 64-bit systems are less likely to be affected
  - PXN does raise the bar of exploit
• dm-verity prevents persistency
• Android 5.1 and below are very much vulnerable
What’s Next?
• Non-root malicious behaviors?
• Mining?
• Challenges
  - No exploit
  - No special privilege
  - Web or app
• “Side” channels
  - CPU behavior, cache miss
  - Network connection
Conclusion
• Root capability is tagged and sold on market
  - Both “good” and evil sides are using it
• XMod is an effective complement to existing malware detection
  - Radiate its detection to markets and other tools
  - Has its limitations as an “add-on”
• Mainline kernel guard?
  - KSPP
  - LKRG looks good