escaping the sandbox by not breaking it - put.as · 2016-08-06 · chromium android sandbox (3) •...
TRANSCRIPT
EscapingTheSandboxByNotBreakingItMarcoGrassi (@marcograss)Qidan He (@flanker_hqd)
AboutUs
• MarcoGrassi• SeniorSecurityResearcher@Tencent KEENLab• MainFocus:VulnerabilityResearch,Android,OSX/iOS,Sandboxes
• Qidan He• SeniorSecurityResearcher@Tencent KEENLab• Main Focus: Bug huntingand exploitingon *nix platform
Tencent KEENSecurityLab
• PreviouslyknownasKeenTeam
• AlltheresearchersmovedtoTencent forbusinessrequirements
• Newname:TencentKEENSecurityLab
• InMarchofthisyearourunionteamwithTencent PCManager(Tencent SecurityTeamSniper)wonthetitleof“MasterOfPwn”atPwn2Own2016
Agenda
• IntroductiontoSandboxes• SafariSandboxonOSX(WebContent Sandbox)• GoogleChromeSandboxonAndroid(IsolatedProcess)• ComparisonoftheSandboximplementationofthe2platforms• AuditingSandboxesandCaseStudies• FullSandboxEscapedemofromthebrowserrendererprocess• SummaryandConclusions
IntroductiontoSandboxes
Sandbox
• Inmodernoperatingsystems,a“Sandbox”isamechanismtoruncodeinaconstrainedenvironment.• ASandboxspecifieswhichresourcesthiscodehasaccessto.• Itbecameacrucialcomponentforsecurityinthelastyearsafteritbecameclearthatit’scurrentlyimpossibletogetridofabigpartofthebugs,especiallyinverycomplexsoftwarelikebrowser.• Shiftofapproach/complementaryapproach:• Let’sconfinesoftware,soevenifit’scompromisedithasrestrictedaccesstothesystem.
AcoupleofSandboxesimplementationsmethods
Firsttype(Discretionaryaccesscontrol):AndroidbaseSandboxmechanism• AndroidfromitsinitialversionhadasandboxmechanismimplementedmainlyontopofstandardLinuxprocessisolationwithuniqueUIDs,andGIDsspecifyingacapability(likeaccesstoexternalstorage).• Almosteveryapplication(usually,exceptsharedUID)haveauniqueUID.• Verywellstudiedandunderstoodbycountlessresourcesandtalks,wewillnottalkaboutitalotinthistalk.• Simplertounderstandandimplement,butnotveryflexible.
Secondtype (MandatoryAccessControl):SELinux• Mechanismtospecifyaccesstoresourcesbasedwithdecisionpolicy.• SELinux isanexampleofthis,youcanspecifywhichpolicytheprocessissubjectto.• Whenaresourceisaccessed,thepolicyisevaluatedandadecisionismade.• SELinux wasintroducedinAndroid4.3officiallyanditbecameenforcingshortafter.• Quiteflexiblebutthepoliciescanbecomeverycomplexanddifficulttounderstand.
WebContent SandboxonOSX
StructureoftheSafariSandbox
• Safaricodeissplittoruninmultipleprocesses,basedonthepurposeofthecode,leveragingWebKit2.• The2mainprocessesthatinterestsusmorearetheWebProcessandtheUIProcess.• TheUIProcessistheparentandinchargeofmanagingtheotherprocesses Imagecourtesyof:
https://trac.webkit.org/attachment/wiki/WebKit2/webkit2-stack.png
WebContent process
• TheWebContentprocessistheprocessresponsibleforhandlingjavascript,webpages,andalltheinterestingstuff.• Usuallyyougetyourinitialcodeexecutioninsidehere,thankstoabrowserbug.• Thisprocessisheavilysandboxed,unlikehisUIProcess parent.• WebProcess cantalktoUIProcess thankstoa“broker”interface,sohecanrequestresources(suchaswhenyouhavetoopenafilefromyourcomputer)underthesupervisionofthehigherprivilegedUIProcess.
WebContent sandbox
• RegularOSXsandboximplementedontopofSandbox.kext• Thesandboxprofiledefinitioniscurrentlylocatedat:“/System/Library/Frameworks/WebKit.framework/Versions/A/Resources/com.apple.WebProcess.sb”• Sandbox.kext specifiescallbacksforalotofTrustedBSDMACframework,whichplaceshooksinthekernelwheredecisionshastobemade,toauthorizeaccesstoaresourceornot(forexample,onfileaccess,thesandboxprofileisusedtodecideifaccessshouldbegrantedornot)
Exampleprofilesnippets
Everything isdeniedbydefault
Importing“system.sb”sandboxdefinition file
Thoseparticularmach servicesarewhitelisted,theirmach portcanbeasked
SystemIntegrityProtection(SIP)
• InadditiontothoseSandboxes,onrecentOSXversionsyouarealsosubjecttoSystemIntegrityProtection.• “SIP”isasecuritypolicythatappliestoeveryprocessrunningonthesystem,eventherootones.• Usermode roothavenotunrestrictedaccessanymore
• KernelbugsbecomemoreappealingbecausetheyallowanattackertoescapethesandboxandalsodisableSIP.
GoogleChromeSandboxonAndroid(IsolatedProcess)
ChromiumAndroidSandbox(1)
• OnAndroid,ChromiumleveragestheisolatedProcess featuretoimplementitssandbox.
ChromiumAndroidSandbox(2)
• IsolatedprocesswasintroducedaroundAndroid4.3• "Ifsettotrue,thisservicewillrununderaspecialprocessthatisisolatedfromtherestofthesystemandhasnopermissionsofitsown.”• Chromiumrenderprocess
ChromiumAndroidSandbox(3)
• Soevenifcodeexecutionintherenderprocessisachieved,wedon’thavealotofcapabilities,andactuallywehavelotofrestrictions.• Inordertodosomethingmoremeaningful,asandboxescapemustbechainedafterinitialcodeexecution.• Usuallyitcanbeakernelexploit,orachromiumbrokerexploit,ortargetinganotheravailableattacksurface.• ButwhataboutSELinux?WehavetocheckitsSELinux policy,“isolated_app.te”,underexternal/sepolicy/inAOSP
ChromiumAndroidSandbox(4)
• VeryrestrictiveSandboxprofile• Nodatafileaccessatall• Only2IPCservices• Minimuminteractionwithsockets• NographicdriversaccessL• ServiceManager alsorestricts implicit serviceexport
Per interface constraint
• Isolated_app inherits from app_domain (app.te)• Only interfaces without enforceNotIsolatedCaller can be invoked
AuditingandCaseStudies
Howtoauditasandboxprofile?
• Justlookatthedefinitionsandseewhatattacksurfacesareallowed!• WewilltrywiththeWebContent sandboxonOSX.
system.sb isimported, soweneedtocheckthataswell
System-graphicsisdefined insystem.sb,let’scheckit
Howtoauditasandboxprofile?(2)
AccesstoseveralIOKit UserclientsAndservicesrelatedtographics
Writeaccesstoseveraliokit propertiesrelatedtographics
Graphicsseemsdefinetely aniceattacksurface,
NowwecanstartfindingvulnerabilitiesinthoseIOKit clientsbyfuzzingor
manualauditing,sincewecaninteractwiththemfromtheWebContentprocess,wherewehaveinitialcodeexecution,toescapethesandbox,gettingkernelcodeexecution.
Howtoauditasandboxprofile?(3)
• “allow-iokit-open”(iokit-connection"IOAccelerator")isdefinetely interesting• iokit-connectionallowsthesandboxedprocesstoopenalltheuserclient underthetargetIOService(muchlessrestrictivethaniokit-user-client-class)• InthetableontheleftweseetheUserclientsthatwecanobtainontheIntelAccelerator(defaultdriverinmostoftherecentApplemachines)
UserClient Name Type
IGAccelSurface 0
IGAccelGLContext 1
IGAccel2DContext 2
IOAccelDisplayPipeUserClient2 4
IGAccelSharedUserClient 5
IGAccelDevice 6
IOAccelMemoryInfoUserClient 7
IGAccelCLContext 8
IGAccelCommandQueue 9
IGAccelVideoContext 0x100
IOKit vulnerability:CVE-2016-1744
• RaceconditioninanexternalMethod inAppleIntelBDWGraphics.• AffectseveryrecentMacwithIntelBroadwell CPU/Graphics.• DiscoveredbycodeauditingwhenlookingforsandboxescapesintoIOKitUserClients reachablefromtheSafariWebProcess sandbox.• Unfortunatelyitgotpartiallypatched1-2weeksbeforePwn2Own!LLL .Areplacementwasneeded.L• UnpatchedinOSX10.11.3,onlypartialfixin10.11.4beta6.• Reliablyexploitable.• FinallyitcameoutthatwehadabugcollisionwithIanBeerofGoogleProjectZero,whichreportedthebugtoApple.
IOKit Vulnerability– CVE-2016-1744(cont.)
• Wrong/partialfixmistakeresponsiblydisclosedtoApple.• Fixedin10.11.5beta2• CVE-2016-1860
IOKit vulnerability:CVE-2016-1744
• IGAccelCLContext andIGAccelGLContext are2UserClientsthatcanbereachedfromtheWebProcess Safarisandbox.• ThelockingmechanismsintheseUserClients isnottoogood,somemethodsexpectsonlyawellbehavedsinglethreadedaccess.• Firstwetargetedunmap_user_memory
IOKit vulnerability:someunsafecode
Racecondition– Howtotriggerit?
1. OpenyourtargetUserClient (IGAccelCLContext)2. Callmap_user_memory toinsertoneelementintotheIGHashTable3. Callwith2racingthreadsunmap_user_memory.4. Repeat2and3untilyouareabletoexploittheracewindow.5. Doublefreeonfirsthand6. PROFIT!
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
The ideal situation is both threads passes hash table::contains, and when one is retrieving IOAccelMemoryMap* after get returns valid pointer, the other frees it and we control the pointer
However in reality more frequently they do passes containsbut thread 1 will remove it before thread 2 do get and thread 2 hit a null pointer dereference
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
After 2 is removed
After 3 is removed
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
nextprev
mach_vm_addr_tIOAccelMemoryMap*
IGElement
heap address leaked!
tail element
tail element
Forfurtherinfo,checkourtalkslides
“Don'tTrustYourEye:AppleGraphicsIsCompromised!”http://bit.ly/23GR14N
ThePythonbitesyourapple:fuzzingandexploitingOSXkernelbugs
https://goo.gl/Ccgni1
For Android Sandbox Escape
• Isolated_app inherits app.te, app.te (appdomain) inherits domain.te
ForAndroidSandboxEscape(cont.)
• Attackingthebinderinterfaceisstillanoption• Exploitingvulnerable basic classes
• SharedStorage integer overflow• CVE-2015-3875
• ParcelatJavalevelacceptsdeserializationonclassnamespecifiedbystringwhenprocessingbundle• Ahiddenpathtotriggerde/serializationcodeinsystem_server context
ForAndroidSandboxEscape(cont.)
• Attackingthebinderinterfaceisstillanoption• Unintend-export?
ForAndroidSandboxEscape(cont.)
• Attackingthebinderinterfaceisstillanoption• Exploitingvulnerable basic classes/reachableviabundleinterfaces
• SharedStorage integer overflow
• Attacking the Chrome IPC• Attacking WebGL• GL process runs in host process in Android
• AttackingtheKernel• CVE-2015-1805?
1805inaction
• Goodnews• Nopipepolicyinisolated_app
• Badnews:• CannotcreatesocketandspraykernelmemoryusesendmmsgL
Preventvendor’sbindermistake
• IntegeroverflowinHuaweihw_ext_service runninginsystem_server
Comparison
Comparison
• Bothplatformssharelotoftraits.Theybothimplementasandboxpolicyinfilesthatspecifyitandcanbeaudited• Ingeneralbetweenthe2,theChromiumAndroidsandboxfeelsstrongerbecauseitexposesasmallerattacksurface.• OnAndroidwehavemorelayerofsandboxing:• Androidsandbox,chromeisanapplication,it’srestrictedbyitsDACsandbox• IsolatedProcess,therenderprocessesrunintheirownunprivilegedprocess• RestrictiveSELinux policyisolated_app.te
FullSandboxEscapeDEMO!
SummaryandConclusions
SummaryandConclusions
• Sandboxesareagreatsecuritymitigation.• Theyrequireusuallyatleastanotheradditionalbugtoescapethemandcompromisethesystem,especiallyfromthebrowsercontext.• Theyhavethegreatadvantageofaveryconcise(andsmaller)attacksurface,muchmoredefinedtoaudit.• Adeterminedandknowledgeableattackercanstillcompromisethesystem,butwithmoreefforts.
Acknowledgments
• LiangChen• Qoobee• Wushi• AllourothercolleaguesofKEENLab
Questions?Twitter:@keen_lab