man in the binder

MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID

Everything Goes Through The Binder

A Hack in Three Acts

Act I – Know Your DroidAct II – Attack Your DroidAct III – Prepare Your Droid

Meet The Cast

The Authors

Nitay Artenstein Idan Revivo Michael Shalyt

Victim AppName: Kitty BankOccupation: Bank Application

“U want KitCoins – we haz it”

n00b attackerName: Kitty-ninjaOccupation: Script kiddy

“Mommy, can I rob this bank?”

Ninja AttackerName: Paw of DeathOccupation: Black belt ninja hacker

“To rob a bank, you must first become the bank”

System ServicesName: System ServiceOccupation: Sitting and waiting to serve your needs These things run Android!

The Linux KernelName: $ echo `uname –r`Occupation: Holding the world on its shoulders since 1.1.1970

Feeling neglected now that system services get all the attention on Android

The BinderName: The BinderOccupation: All Powerful Mystery Character ?


Act IKnow Your Droid

An Application’s Life On Windows

Syscalls

An Application’s Life On Android

Syscalls

Syscalls

Syscalls

?

Android – The Real Picture

Syscalls

Syscalls


?

/dev/binder /dev/tty0

libbinder.so

kernel/system/libbinder.so

/system/lib*.so

DalvikVM DalvikVM

syscallparcel parcel

Bank Application Process System Service Process

application

System services proxy

libandroid_runtime.so

libandroid_runtime.so

System Service

• Binder has a userland component and a kernel one

• The driver receives the Parcel via an ioctl syscall and sends it to the target processes

What’s a Parcel?

A Short Recap

libbinder.so

DalvikVM

Kitty Bank Process

Parcels

Syscalls

Parcels

Audio Manager

Act IIAttack Your Droid

Round IKey Logging

A n00b Attacker’s View of The System

?

What Would The n00b Attacker Do?

!


!@#$

A Ninja Attacker’s View of The System

?


What Would The Ninja Attacker Do?

!

Key Logger Demo


w00t

Round IIData Manipulation


?Activity Activity Activity

What Would The n00b Attacker Do?Bye Kitty Bank , Hello Shi**y Bank!

What Would The n00b Attacker Do?Bye Kitty Bank , Hello Shi**y Bank!@#$


?


Activity Manager

In-app data goes through Binder???


?Activity Manager


!Activity Manager

A trillion dollars, anyone?

Data Manipulation Demo


w00t

Round IIIIntercepting SMS


? Telephony Manager


!Just Ask Politely


!@#$Just Ask Politely


?


Telephony Manager


!

SMS internals• The Telephony Manager notifies the SMS app

whenever an SMS is received

• The app queries the TM’s database via Binder:

SMS internals• But what’s a Cursor object?

• It’s a messy abstraction of a response to a query

SMS internals• Surprise: Under the hood, it’s just a Unix fd

• Now we’re in business!


w00t

SummaryWhat Just Happened?

Attacking The Binder

• Hook libbinder.so at the point where it sends an ioctl to the kernel

• Stealth: dozens of places to hook• But don’t you need root?

Attacking The Binder

Vulnerable to known rooting exploits

Consider The Possibilities

SummaryFeatures:• Versatility: one hook – multiple functionalities.• App agnostic: no need to RE apps.• Stealth: the Android security model limits 3rd

party security apps just like any other app.

Summary• This is NOT a vulnerability. It’s like man-in-the-

browser, but for literally everything on Android.• Root is assumed. Rooting won’t go away any

time soon.

Rumors(You didn’t hear it from me…)

What are you trying to tell me? That I can get all permissions on

a device?

No.I’m trying to tell you that when you’re ready, you won’t have to

Act IIIPreparing Your Droid

Solutions – for developers • Take control of your own process memory

space.

• Minimize the amount of data going to IPC, and encrypt what has to go.

Solutions – for security industry• Scan files like it’s the 90’s.• Be brave – get root yourself:• Runtime process scanning and monitoring.• Software firewall (like Avast).• Binder firewall/anomaly detection.• Etc.

Further Reading[1] White paper: “Man in the Binder”, Artenstein and Revivo

[2] “On the Reconstruction of Android Malware Behaviors”, Fatori, Tam et al

[3] “Binderwall: Monitoring and Filtering Android Interprocess Communication”, Hausner

man in the binder

Mobile