Overcoming Stagefright Integer Overflow Protections in Android

Similar documents
Fuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team

Smart buyers of Smart TVs in Russia. TV industry insights based on Google data

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

CSC 405 Introduction to Computer Security Fuzzing

Improving Location Accuracy. Steve Malkos, Technical Program Manager, Google

Making C Less Dangerous

Black Hat Webcast Series. C/C++ AppSec in 2014

Finding media bugs in Android using file format fuzzing. Costel Maxim Intel OTC Security

Low level security. Andrew Ruef

ID 024C: Auto Code Generation: The Shortest Distance From Idea to Implementation

How to implement SDL and don t turn gray. Andrey Kovalev, Security Engineer

Android Kernel Security

Verifying malloc. John Wickerson / Mike Dodds / Matthew Parkinson University of Cambridge

CSE484/CSE584 BLACK BOX TESTING AND FUZZING. Dr. Benjamin Livshits

Computer Security Course. Midterm Review

A Heap of Trouble Exploiting the Linux Kernel SLOB Allocator

Copyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis

Thwarting unknown bugs: hardening features in the mainline Linux kernel

IntFlow: Integer Error Handling With Information Flow Tracking

Using type analysis in compiler to mitigate integer-overflow-to-buffer-overflow threat

The Fuzzing Project

Modeling and Discovering Vulnerabilities with Code Property Graphs

Undefined Behaviour in C

Software security, secure programming

Welcome to Consentz. Click the Consentz App icon on your ipad to proceed. Consentz Login. Enter your username and password to continue

Automatizing vulnerability research

Presentation title placeholder, can be two lines Presentation subtitle placeholder. Date placeholder

section 01 LOGO USAGE primary logo etched logo solid logo reversed

Hardening Attack Vectors to cars by Fuzzing

Programming in C. Lecture 9: Tooling. Dr Neel Krishnaswami. Michaelmas Term

Improving Linux development with better tools

Advanced Systems Security: Future

5.0 The dash. A unique and critical part of our visual system. Tyson Foods Brand Guidelines June 30, 2017 V

Program Analysis Tools

Improving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation

Reflex Skip Julien Verlaguet

Software Security: Buffer Overflow Attacks

Fuzzing techniques & software vulnerabilities

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University

Introduction into browser hacking. Andrey Kovalev

Building world-class security response and secure development processes

Software Security: Buffer Overflow Defenses and Miscellaneous

FUZZING JAVASCRIPT ENGINES FOR FUN & PROFIT AREUM

Fuzzing Clang to find ABI Bugs. David Majnemer

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Software Vulnerability

System Administration and Network Security

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Nail. A Practical Tool for Parsing and Generating Data Formats. Julian Bangert, Nickolai Zeldovich MIT CSAIL. OSDI 14 October 2014

WPBAKERY PAGE BUILDER

CSE 565 Computer Security Fall 2018

CSA Website Ad Specifications

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organisation from Impostors, Phishers and Other Non-Malware Threats.

I'm losing the battle to increase the number of HP servers at the site I'm on.

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Software Security IV: Fuzzing

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Runtime Defenses against Memory Corruption

Triple Threat Intelligence where you need it most.

Lecture 4 September Required reading materials for this class

RML Example 48: Paragraph flow controls

Secrets of Google VRP The bug hunter's guide to sending great bugs. Krzysztof Kotowicz, Google Security Team

I run a Linux server, so we re secure

Rail defect diagnosis using smartphones and drones by: Borna Tech.

Fuzzing. compass-security.com 1

Memory Corruption 101 From Primitives to Exploit

Triggering Deep Vulnerabilities Using Symbolic Execution

Buffer overflow background

Analysis of MS Multiple Excel Vulnerabilities

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Digital 101 Voice, AI and Smartphones

DESIGN GUIDELINES. Use the following slides as a guide to make sure your presentation follows the PCS Plus brand.

Posters guidelines APRIL 2017

Snooping IoT devices with a Raspberry Pi. a UWC/CSIR project

Adon'tbe an Adobe victim

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

The Automated Exploitation Grand Challenge. A Five-Year Retrospective

Preventing Use-after-free with Dangling Pointers Nullification

Static Analysis and Bugfinding

template guidelines. 1. Visual identity 2. How to build an

MBFuzzer - MITM Fuzzing for Mobile Applications

KLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND

TITLE. Tips for Producing a Newsletter IN THIS ISSUE

Buffer Overflow Defenses

QA as in Quality Assurance

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Doing more with Views. Creating an inline menu

High Performance Auto Layout

Index. ChannelEngine. Our users. Product. Writing. Tone-of-voice. Colors. Color Combinations. Typography - Fonts. Typography - Rules. Logo.

ElasticIntel. Scalable Threat Intel Aggregation in AWS

Baggy bounds with LLVM

Rabbit in the Loop. A primer on feedback directed fuzzing using American Fuzzy Lop. by Kevin Läufer

Dynamic code analysis tools

RBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.

Limitations of the stack

Transcription:

Overcoming Stagefright Integer Overflow Protections in Android Dan Austin (oblivion@google.com) May 2016

Agenda $ whoami Stagefright Sanitizers Sanitizers in Practice The Future

$ whoami

$ whoami Dan Austin Google since August 2015 Android Platform Security I work on fuzzing and fuzzing accessories! Scalable Fuzzing Smart Fuzzing Compiler-based Defenses Vulnerability Mitigations

Stagefright

Stagefright

Stagefright

Stagefright MEDIA EXTRACTORS AACExtractor AMRExtractor AVIExtractor DRMExtractor FLACExtractor MidiExtractor MP3Extractor MPEG2PSExtractor MPEG2TSExtractor MPEG4Extractor NuMediaExtractor MatroskaExtractor OggExtractor WAVExtractor WVMExtractor

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor!

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g That contains a size field

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g That contains a size field Which is not validated

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow And memory corruption

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow And memory corruption And ultimately execution...

Vulnerability in Stagefright!!! Vulnerability in MPEG4Extractor! Specifically in parsechunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow And memory corruption And ultimately execution... EVERYBODY FREAK OUT!!!

It s not all bad... Vulnerability Researcher provided a patch! Android was patched in August 2015 Raised visibility of Android's Monthly Security Update Program

It s not all bad... Exploitation of the stagefright vulnerability on its own was in the context of mediaserver Privesc possible with an additional exploit Led to a full re-architecture of mediaserver with security in mind Original PoC required sending an MMS Repeatedly Which is a bit noticeable

Integer Overflows

Integer Overflows Integers are kept in a container of finite space If an arithmetic operation results in a value that can t be fully kept in that finite space, integer overflow occurs! Example: 4294967295 + 1 =?

Integer Overflows Example: 4294967295 + 1 =? Represented as 32 bit values: 32 bits ends here + So 4294967295 + 1 = 0?

Integer Overflows In C & C++: For unsigned values: the result is taken modulo 2bits For signed values: the result is undefined Can lead to memory corruption! (CVE-2015-3864!!!)

Exploitable Integer Overflows: How do they work?

Exploitable Integer Overflows: How do they work? in_buf_size is user controlled, so it can be anything...

Exploitable Integer Overflows: How do they work? in_buf_size is user controlled, so it can be anything... If in_buf_size > 0xffffffef, then buf_size < in_buf_size

Exploitable Integer Overflows: How do they work? in_buf_size is user controlled, so it can be anything... If in_buf_size > 0xffffffef, then buf_size < in_buf_size If buf_size < in_buf_size, then the memcpy will write past the allocated amount, resulting in memory corruption :(

Coding is Hard Unfortunately, the patch had a flaw This is the check that was added in the patch. Unfortunately, SIZE_MAX and size are 32 bits, while chunk_size is 64 bits, which means overflow can still happen and exploitation was still possible. Thanks Project Zero!

UndefinedBehaviorSanitizer C & C++ have the concept of undefined behavior Often the cause of subtle bugs......such as signed integer overflow LLVM has an UndefinedBehaviorSanitizer! Which adds checks at the code generation level to detect and prevent undefined behavior Authors also included unsigned integer overflow, which is nice

UBSan: Integer Overflow Sanitization: How does it work? Implemented in clang as of the CodeGen module (CGExpr & CGExprScalar) Arithmetic operation (+, -, *) detected and passed to EmitOverflowCheckedBinOp LLVM Intrinsic corresponding with the operation checks for overflow Generate code to branch to abort or handler function if an overflow is detected Overflow cannot occur!

What if this were applied to libstagefright?

Sanitizers In Practice

Stagefright before patch

Stagefright after patch v1

Stagefright after patch v1, sanitized

Stagefright before patch v1, sanitized

UBSan applied to libstagefright In Summary: UBSan with original patch: no integer overflow, stops exploit! UBSan with no patch: no integer overflow, stops exploit! SEEMS LEGIT.

UBSan: The Good Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem

UBSan: The Good It would have prevented the integer overflow based stagefright vulnerabilities! It s easy! Just add LOCAL_SANITIZE:=unsigned-integer-overflow to the Android.mk It s applied everywhere! Catch ALL THE OVERFLOWS! It s fun! Play whack a mole fixing all that unexploitable undefined behavior in your legacy code base, er, wait...

UBSan: The Bad Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem

UBSan: The Bad Again, it s applied EVERYWHERE Even code designed to work with unsigned overflow! It s not free: some size/execution overhead Optimized code generation for abort function placement makes debugging hard :( See ElementaryStreamQueue::dequeueAccessUnitMPEGVideo

UBSan: The Bad False Positives UBSan is a code health tool being used as a hardening tool From a security perspective, if an overflow does not influence a memory operation in some way, it s likely not exploitable There are lots of overflows in the Android code base that do not influence memory operations at all: Crypto operations often work modulo 2wordsize Codec operations as well while (n--)

UBSan: The Ugly AMR-WB encoder Legacy code Lots of arithmetic integer overflows And stability issues Example: OK, Google voice recognition Specifically, this for loop in the coder function

UBSan: The Ugly When no integer sanitization, clang generates NEON instructions That do not partition the data correctly With integer sanitization, clang generates normal ARM instructions Parallelization is broken by the sanitization checks Data is processed correctly \_(ツ)_/

The Future

UBSan Runtime In Android, UBSan overflow detection results in program abort Great for security, not so good for testing LLVM upstream UBSan has a runtime library that outputs diagnostic messages instead of aborts Currently testing the UBSan runtime in Android for platform-wide detection of integer overflows! (AOSP)

Global Integer Domination Sanitization!!!

Integer Overflow Specific Fuzzing libfuzzer makes fuzzing easy! 1. 2. 3. 4. 5. Write a libfuzzer fuzzer Write a mutator specific to Integer Overflow bugs Include additional logic to better choose paths for further analysis??? Profit!

Questions? Dan Austin oblivion@google.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback