EscapingTheSandboxByNotBreakingItMarcoGrassi (@marcograss)Qidan He (@flanker_hqd)

AboutUs

• MarcoGrassi• SeniorSecurityResearcher@Tencent KEENLab• MainFocus:VulnerabilityResearch,Android,OSX/iOS,Sandboxes

• Qidan He• SeniorSecurityResearcher@Tencent KEENLab• Main Focus: Bug huntingand exploitingon *nix platform

Tencent KEENSecurityLab

• PreviouslyknownasKeenTeam

• AlltheresearchersmovedtoTencent forbusinessrequirements

• Newname:TencentKEENSecurityLab

• InMarchofthisyearourunionteamwithTencent PCManager(Tencent SecurityTeamSniper)wonthetitleof“MasterOfPwn”atPwn2Own2016

Agenda

• IntroductiontoSandboxes• SafariSandboxonOSX(WebContent Sandbox)• GoogleChromeSandboxonAndroid(IsolatedProcess)• ComparisonoftheSandboximplementationofthe2platforms• AuditingSandboxesandCaseStudies• FullSandboxEscapedemofromthebrowserrendererprocess• SummaryandConclusions

IntroductiontoSandboxes

Sandbox

• Inmodernoperatingsystems,a“Sandbox”isamechanismtoruncodeinaconstrainedenvironment.• ASandboxspecifieswhichresourcesthiscodehasaccessto.• Itbecameacrucialcomponentforsecurityinthelastyearsafteritbecameclearthatit’scurrentlyimpossibletogetridofabigpartofthebugs,especiallyinverycomplexsoftwarelikebrowser.• Shiftofapproach/complementaryapproach:• Let’sconfinesoftware,soevenifit’scompromisedithasrestrictedaccesstothesystem.

AcoupleofSandboxesimplementationsmethods

Firsttype(Discretionaryaccesscontrol):AndroidbaseSandboxmechanism• AndroidfromitsinitialversionhadasandboxmechanismimplementedmainlyontopofstandardLinuxprocessisolationwithuniqueUIDs,andGIDsspecifyingacapability(likeaccesstoexternalstorage).• Almosteveryapplication(usually,exceptsharedUID)haveauniqueUID.• Verywellstudiedandunderstoodbycountlessresourcesandtalks,wewillnottalkaboutitalotinthistalk.• Simplertounderstandandimplement,butnotveryflexible.

Secondtype (MandatoryAccessControl):SELinux• Mechanismtospecifyaccesstoresourcesbasedwithdecisionpolicy.• SELinux isanexampleofthis,youcanspecifywhichpolicytheprocessissubjectto.• Whenaresourceisaccessed,thepolicyisevaluatedandadecisionismade.• SELinux wasintroducedinAndroid4.3officiallyanditbecameenforcingshortafter.• Quiteflexiblebutthepoliciescanbecomeverycomplexanddifficulttounderstand.

WebContent SandboxonOSX

StructureoftheSafariSandbox

• Safaricodeissplittoruninmultipleprocesses,basedonthepurposeofthecode,leveragingWebKit2.• The2mainprocessesthatinterestsusmorearetheWebProcessandtheUIProcess.• TheUIProcessistheparentandinchargeofmanagingtheotherprocesses Imagecourtesyof:

https://trac.webkit.org/attachment/wiki/WebKit2/webkit2-stack.png

WebContent process

• TheWebContentprocessistheprocessresponsibleforhandlingjavascript,webpages,andalltheinterestingstuff.• Usuallyyougetyourinitialcodeexecutioninsidehere,thankstoabrowserbug.• Thisprocessisheavilysandboxed,unlikehisUIProcess parent.• WebProcess cantalktoUIProcess thankstoa“broker”interface,sohecanrequestresources(suchaswhenyouhavetoopenafilefromyourcomputer)underthesupervisionofthehigherprivilegedUIProcess.

WebContent sandbox

• RegularOSXsandboximplementedontopofSandbox.kext• Thesandboxprofiledefinitioniscurrentlylocatedat:“/System/Library/Frameworks/WebKit.framework/Versions/A/Resources/com.apple.WebProcess.sb”• Sandbox.kext specifiescallbacksforalotofTrustedBSDMACframework,whichplaceshooksinthekernelwheredecisionshastobemade,toauthorizeaccesstoaresourceornot(forexample,onfileaccess,thesandboxprofileisusedtodecideifaccessshouldbegrantedornot)

Exampleprofilesnippets

Everything isdeniedbydefault

Importing“system.sb”sandboxdefinition file

Thoseparticularmach servicesarewhitelisted,theirmach portcanbeasked

SystemIntegrityProtection(SIP)

• InadditiontothoseSandboxes,onrecentOSXversionsyouarealsosubjecttoSystemIntegrityProtection.• “SIP”isasecuritypolicythatappliestoeveryprocessrunningonthesystem,eventherootones.• Usermode roothavenotunrestrictedaccessanymore

• KernelbugsbecomemoreappealingbecausetheyallowanattackertoescapethesandboxandalsodisableSIP.

GoogleChromeSandboxonAndroid(IsolatedProcess)

ChromiumAndroidSandbox(1)

• OnAndroid,ChromiumleveragestheisolatedProcess featuretoimplementitssandbox.

ChromiumAndroidSandbox(2)

• IsolatedprocesswasintroducedaroundAndroid4.3• "Ifsettotrue,thisservicewillrununderaspecialprocessthatisisolatedfromtherestofthesystemandhasnopermissionsofitsown.”• Chromiumrenderprocess

ChromiumAndroidSandbox(3)

• Soevenifcodeexecutionintherenderprocessisachieved,wedon’thavealotofcapabilities,andactuallywehavelotofrestrictions.• Inordertodosomethingmoremeaningful,asandboxescapemustbechainedafterinitialcodeexecution.• Usuallyitcanbeakernelexploit,orachromiumbrokerexploit,ortargetinganotheravailableattacksurface.• ButwhataboutSELinux?WehavetocheckitsSELinux policy,“isolated_app.te”,underexternal/sepolicy/inAOSP

ChromiumAndroidSandbox(4)

• VeryrestrictiveSandboxprofile• Nodatafileaccessatall• Only2IPCservices• Minimuminteractionwithsockets• NographicdriversaccessL• ServiceManager alsorestricts implicit serviceexport

Per interface constraint

• Isolated_app inherits from app_domain (app.te)• Only interfaces without enforceNotIsolatedCaller can be invoked

AuditingandCaseStudies

Howtoauditasandboxprofile?

• Justlookatthedefinitionsandseewhatattacksurfacesareallowed!• WewilltrywiththeWebContent sandboxonOSX.

system.sb isimported, soweneedtocheckthataswell

System-graphicsisdefined insystem.sb,let’scheckit

Howtoauditasandboxprofile?(2)

AccesstoseveralIOKit UserclientsAndservicesrelatedtographics

Writeaccesstoseveraliokit propertiesrelatedtographics

Graphicsseemsdefinetely aniceattacksurface,

NowwecanstartfindingvulnerabilitiesinthoseIOKit clientsbyfuzzingor

manualauditing,sincewecaninteractwiththemfromtheWebContentprocess,wherewehaveinitialcodeexecution,toescapethesandbox,gettingkernelcodeexecution.

Howtoauditasandboxprofile?(3)

• “allow-iokit-open”(iokit-connection"IOAccelerator")isdefinetely interesting• iokit-connectionallowsthesandboxedprocesstoopenalltheuserclient underthetargetIOService(muchlessrestrictivethaniokit-user-client-class)• InthetableontheleftweseetheUserclientsthatwecanobtainontheIntelAccelerator(defaultdriverinmostoftherecentApplemachines)

UserClient Name Type

IGAccelSurface 0

IGAccelGLContext 1

IGAccel2DContext 2

IOAccelDisplayPipeUserClient2 4

IGAccelSharedUserClient 5

IGAccelDevice 6

IOAccelMemoryInfoUserClient 7

IGAccelCLContext 8

IGAccelCommandQueue 9

IGAccelVideoContext 0x100

IOKit vulnerability:CVE-2016-1744

• RaceconditioninanexternalMethod inAppleIntelBDWGraphics.• AffectseveryrecentMacwithIntelBroadwell CPU/Graphics.• DiscoveredbycodeauditingwhenlookingforsandboxescapesintoIOKitUserClients reachablefromtheSafariWebProcess sandbox.• Unfortunatelyitgotpartiallypatched1-2weeksbeforePwn2Own!LLL .Areplacementwasneeded.L• UnpatchedinOSX10.11.3,onlypartialfixin10.11.4beta6.• Reliablyexploitable.• FinallyitcameoutthatwehadabugcollisionwithIanBeerofGoogleProjectZero,whichreportedthebugtoApple.

IOKit Vulnerability– CVE-2016-1744(cont.)

• Wrong/partialfixmistakeresponsiblydisclosedtoApple.• Fixedin10.11.5beta2• CVE-2016-1860

IOKit vulnerability:CVE-2016-1744

• IGAccelCLContext andIGAccelGLContext are2UserClientsthatcanbereachedfromtheWebProcess Safarisandbox.• ThelockingmechanismsintheseUserClients isnottoogood,somemethodsexpectsonlyawellbehavedsinglethreadedaccess.• Firstwetargetedunmap_user_memory

IOKit vulnerability:someunsafecode

Racecondition– Howtotriggerit?

1. OpenyourtargetUserClient (IGAccelCLContext)2. Callmap_user_memory toinsertoneelementintotheIGHashTable3. Callwith2racingthreadsunmap_user_memory.4. Repeat2and3untilyouareabletoexploittheracewindow.5. Doublefreeonfirsthand6. PROFIT!

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

The ideal situation is both threads passes hash table::contains, and when one is retrieving IOAccelMemoryMap* after get returns valid pointer, the other frees it and we control the pointer

However in reality more frequently they do passes containsbut thread 1 will remove it before thread 2 do get and thread 2 hit a null pointer dereference

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

After 2 is removed

After 3 is removed

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

nextprev

mach_vm_addr_tIOAccelMemoryMap*

IGElement

heap address leaked!

tail element

tail element

Forfurtherinfo,checkourtalkslides

“Don'tTrustYourEye:AppleGraphicsIsCompromised!”http://bit.ly/23GR14N

ThePythonbitesyourapple:fuzzingandexploitingOSXkernelbugs

https://goo.gl/Ccgni1

For Android Sandbox Escape

• Isolated_app inherits app.te, app.te (appdomain) inherits domain.te

ForAndroidSandboxEscape(cont.)

• Attackingthebinderinterfaceisstillanoption• Exploitingvulnerable basic classes

• SharedStorage integer overflow• CVE-2015-3875

• ParcelatJavalevelacceptsdeserializationonclassnamespecifiedbystringwhenprocessingbundle• Ahiddenpathtotriggerde/serializationcodeinsystem_server context

ForAndroidSandboxEscape(cont.)

• Attackingthebinderinterfaceisstillanoption• Unintend-export?

ForAndroidSandboxEscape(cont.)

• Attackingthebinderinterfaceisstillanoption• Exploitingvulnerable basic classes/reachableviabundleinterfaces

• SharedStorage integer overflow

• Attacking the Chrome IPC• Attacking WebGL• GL process runs in host process in Android

• AttackingtheKernel• CVE-2015-1805?

1805inaction

• Goodnews• Nopipepolicyinisolated_app

• Badnews:• CannotcreatesocketandspraykernelmemoryusesendmmsgL

Preventvendor’sbindermistake

• IntegeroverflowinHuaweihw_ext_service runninginsystem_server

Comparison

Comparison

• Bothplatformssharelotoftraits.Theybothimplementasandboxpolicyinfilesthatspecifyitandcanbeaudited• Ingeneralbetweenthe2,theChromiumAndroidsandboxfeelsstrongerbecauseitexposesasmallerattacksurface.• OnAndroidwehavemorelayerofsandboxing:• Androidsandbox,chromeisanapplication,it’srestrictedbyitsDACsandbox• IsolatedProcess,therenderprocessesrunintheirownunprivilegedprocess• RestrictiveSELinux policyisolated_app.te

FullSandboxEscapeDEMO!

SummaryandConclusions

SummaryandConclusions

• Sandboxesareagreatsecuritymitigation.• Theyrequireusuallyatleastanotheradditionalbugtoescapethemandcompromisethesystem,especiallyfromthebrowsercontext.• Theyhavethegreatadvantageofaveryconcise(andsmaller)attacksurface,muchmoredefinedtoaudit.• Adeterminedandknowledgeableattackercanstillcompromisethesystem,butwithmoreefforts.

Acknowledgments

• LiangChen• Qoobee• Wushi• AllourothercolleaguesofKEENLab

Questions?Twitter:@keen_lab