Unleashing D* on Android Kernel Drivers. Aravind Machiry

Similar documents
DR. CHECKER. A Soundy Analysis for Linux Kernel Drivers. University of California, Santa Barbara. USENIX Security seclab

CSE 509: Computer Security

Huawei Frame Buffer Driver Arbitrary Memory Write

The android vulnerability discovery in SoC. Yu Pan and Yang Dai

CS527 Software Security

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

C Pointers. 6th April 2017 Giulio Picierro

THE GOOD, BAD AND UGLY ABOUT POINTERS. Problem Solving with Computers-I

COMP 2355 Introduction to Systems Programming

Software Security: Buffer Overflow Attacks

Recitation #11 Malloc Lab. November 7th, 2017

Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Automatic program generation for detecting vulnerabilities and errors in compilers and interpreters

Using static analysis to detect use-after-free on binary code

Memory Allocation in C C Programming and Software Tools. N.C. State Department of Computer Science

Secure Software Development: Theory and Practice

Quiz 0 Review Session. October 13th, 2014

Dynamic memory. EECS 211 Winter 2019

Malloc Lab & Midterm Solutions. Recitation 11: Tuesday: 11/08/2016

Android Kernel Security

MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. Shankara Pailoor, Andrew Aday, Suman Jana Columbia University

NEXT SET OF SLIDES FROM DENNIS FREY S FALL 2011 CMSC313.

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Lecture 8 Dynamic Memory Allocation

Kurt Schmidt. October 30, 2018

DAY 3. CS3600, Northeastern University. Alan Mislove

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Pointers and Arrays CS 201. This slide set covers pointers and arrays in C++. You should read Chapter 8 from your Deitel & Deitel book.

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

New features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

Important From Last Time

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

CS 33. Intro to Storage Allocation. CS33 Intro to Computer Systems XXVI 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

CSE 565 Computer Security Fall 2018

Heap Arrays and Linked Lists. Steven R. Bagley

Clang Static Analyzer Documentation

Lecture 9 Assertions and Error Handling CS240

CS 222: Pointers and Manual Memory Management

CS107, Lecture 9 C Generics Function Pointers

Design and development of embedded systems for the Internet of Things (IoT) Fabio Angeletti Fabrizio Gattuso

High-performance computing and programming Intro to C on Unix/Linux. Uppsala universitet

Software Security: Buffer Overflow Defenses and Miscellaneous

Pointer Basics. Lecture 13 COP 3014 Spring March 28, 2018

ECE264 Spring 2013 Final Exam, April 30, 2013

Important From Last Time

Lecture 4 September Required reading materials for this class

CS 11 C track: lecture 5

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Pointers and Memory Management

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lecture 8: Pointer Arithmetic (review) Endianness Functions and pointers

Software Security: Miscellaneous

CS61C Machine Structures. Lecture 4 C Pointers and Arrays. 1/25/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

API 퍼징을통한취약점탐지 카이스트 차상길

How Double-Fetch Situations turn into Double-Fetch Vulnerabilities:

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Analysis/Bug-finding/Verification for Security

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

11 'e' 'x' 'e' 'm' 'p' 'l' 'i' 'f' 'i' 'e' 'd' bool equal(const unsigned char pstr[], const char *cstr) {

CSE 351 Final Exam - Winter 2017

Lecture 4: Outline. Arrays. I. Pointers II. III. Pointer arithmetic IV. Strings

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

a data type is Types

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Jagannath Institute of Management Sciences Lajpat Nagar. BCA II Sem. C Programming

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

3/22/2016. Pointer Basics. What is a pointer? C Language III. CMSC 313 Sections 01, 02. pointer = memory address + type

Making C Less Dangerous

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

Section 3: File I/O, JSON, Generics. Meghan Cowan

10/20/2015. Midterm Topic Review. Pointer Basics. C Language III. CMSC 313 Sections 01, 02. Adapted from Richard Chang, CMSC 313 Spring 2013

CS107 Handout 08 Spring 2007 April 9, 2007 The Ins and Outs of C Arrays

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

C Review. MaxMSP Developers Workshop Summer 2009 CNMAT

Language Security. Lecture 40

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Heap Arrays. Steven R. Bagley

CS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver

18-642: Code Style for Compilers

Toolbox Kernel Korner

Midterm Exam #2 April 20, 2016 CS162 Operating Systems

Fuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team

Software Security: Buffer Overflow Defenses

1d: tests knowing about bitwise fields and union/struct differences.

CS24 Week 2 Lecture 1

ECE551 Midterm Version 1

C Refresher, Advance C, Coding Standard, Misra C Compliance & Real-time Programming

CS201: Lab #4 Writing a Dynamic Storage Allocator

ECE551 Midterm. There are 7 questions, with the point values as shown below. You have 75 minutes with a total of 75 points. Pace yourself accordingly.

ECE 2400 Computer Systems Programming Fall 2018 Topic 6: C Dynamic Allocation

Finding User/Kernel Pointer Bugs with Type Inference p.1

Dynamic Allocation in C

Dynamic Data Structures. CSCI 112: Programming in C

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Dissecting a 17-year-old kernel bug

Transcription:

Unleashing D* on Android Kernel Drivers Aravind Machiry (@machiry_msidc)

$ whoami Fourth year P.h.D Student at University of California, Santa Barbara. Vulnerability Detection in System software. machiry.github.io

$ Android is everywhere!!

$ Bugs in Android (First Half of 2017) [1] [1]https://www.slideshare.net/JunLI174/android-bug-hunting-from-finding-bugs-to-getting-bounty-20170603

$ Where are Android kernel bugs? android: Protecting the kernel, Jeff Vander Stoep, Linux Foundation 2016

$ Lot of $$$

$ Lot of $$$

$ Okay! Why is it hard to find these bugs? Good ol knowledge on Bug Detection: Static Analysis Dynamic Analysis

$ Okay! Why is it hard to find these bugs? Good ol knowledge on Bug Detection: Static Analysis Dynamic Analysis

$ Static Analysis Kernel drivers are open source (GPL). Use well known source code analysis tools. $$$

$ Static Analysis: Existing tools CppCheck flawfinder RATS Sparse Qualcomm 18 4,365 693 5,202 Samsung 22 8,173 2,244 1,726 Huawei 34 18,132 2,301 11,230 MediaTek 168 14,230 3,730 13,771 Total 242 44,990 8,968 31,929

$ Static Analysis: Existing tools CppCheck flawfinder RATS Sparse Qualcomm 18 4,365 693 5,202 Samsung 22 8,173 2,244 1,726 Huawei 34 18,132 2,301 11,230 MediaTek 168 14,230 3,730 13,771 Total 242 44,990 8,968 31,929

$ Ideal Static analysis tool Track user data. Check if user data is used in sensitive places. Example: memcpy(src, dst, <user_data>);

$ Tracking user data: Pointer analysis struct foo obj; scanf( %d, &idx); if(*) { obj.input_var = &idx; else { obj.input_var = *;... bar(&obj);

$ Tracking user data: Pointer analysis struct foo obj; scanf( %d, &idx); if(*) { obj.input_var = &idx; else { obj.input_var = *;... bar(&obj);

$ Tracking user data: Pointer analysis struct foo obj; scanf( %d, &idx); if(*) { obj.input_var = &idx; else { obj.input_var = *;... bar(&obj);

$ Tracking user data: Pointer analysis struct foo obj; scanf( %d, &idx); if(*) { obj.input_var = &idx; else { obj.input_var = *;... bar(&obj);

$ Tracking user data: Pointer analysis struct foo obj; scanf( %d, &idx); void bar(struct foo *obj_ptr) { if(*) { arr[*(obj_ptr->safe_input)] = 1; obj.input_var = &idx; else { arr[*(obj_ptr->input_var)] = 0; obj.input_var = *;... bar(&obj);

$ Tracking user data: Pointer analysis struct foo obj; void bar(struct foo *obj_ptr) { scanf( %d, &idx); if(*) { arr[*(obj_ptr->safe_input)] = 1; obj.input_var = &idx; else { arr[*(obj_ptr->input_var)] = 0; obj.input_var = *;... bar(&obj);

$ Tracking user data: Pointer analysis We should know which pointer points to what object. void bar(struct foo *obj_ptr) {

$ Tracking user data: Pointer analysis We should know which field of a structure object points to what object. void bar(struct foo *obj_ptr) { arr[*(obj_ptr->safe_input)] = 1; arr[*(obj_ptr->input_var)] = 0;

$ Tracking user data: Pointer analysis Real world code is complex: Loops, Type casting

$ Tracking user data: Taint Propagation We should follow the flow of user data. scanf( %d, & in); su = in + 5; arr[ su] = 0;

$ Tracking user data: Taint Propagation What about library functions? scanf( %10s, inputstr); usrint = atoi(inputstr); arr[usrint] = 0;

$ Tracking user data: Taint Propagation What about library functions: Simple policy doesn t work scanf( %10s, inputstr); usrint = atoi(inputstr); ptr = malloc( usrint); ptr[0] = 0;

$ Kernel drivers are small!! ~ 31 to 240K SLOC 80% of drivers <= 7K SLOC Let s separate driver code from kernel code!!!

$ Optimizations: Soundy Traversal Let's analyze code inside loops fixed number of times. Assume that all kernel functions are safe.

$ DR.CHECKER: Story of the name

$ DR.CHECKER: Story of the name $ mkdir dr_checker

$ DR.CHECKER: Story of the name $ mkdir dr_checker

$ DR.CHECKER: Story of the name $ mkdir dr_checker

$ DR.CHECKER Overview

$ DR.CHECKER: SDTraversal Starting from entry point of the driver: Analyze each instruction of the driver according to the control flow. At each instruction: Maintain and track the user data. Consult Vulnerability or bug detectors for any potential bugs.

$ DR.CHECKER: Vulnerability Detectors Tainted Pointer Dereference. Tainted Integer Arithmetic. Tainted Size. Uninit Leak Detector. Global Variable Race Detector. Improper Tainted Data Use Detector..

$ DR.CHECKER: Bug in Mediatek Accdet driver static char call_status;... static ssize_t accdet_store_call_state (struct device_driver *ddri, size_t count) { int ret = sscanf(buf, "%s", &call_status); if (ret!= 1) { ACCDET_DEBUG("accdet: Invalid values\n"); return -EINVAL; const char *buf,

$ DR.CHECKER: Bug in Mediatek Accdet driver static char call_status;... static ssize_t accdet_store_call_state (struct device_driver *ddri, size_t count) { int ret = sscanf(buf, "%s", &call_status); if (ret!= 1) { ACCDET_DEBUG("accdet: Invalid values\n"); return -EINVAL; const char *buf,

$ DR.CHECKER: Bug in Mediatek Accdet driver static char call_status;... static ssize_t accdet_store_call_state (struct device_driver *ddri, size_t count) const char *buf, { int ret = sscanf(buf, "%s", &call_status); if (ret!= 1) { // TOO LATE..Buffer overflow already happened. ACCDET_DEBUG("accdet: Invalid values\n"); return -EINVAL;

$ DR.CHECKER: Bug in Samsung SensorHub driver if (unlikely(count < 2)) {... return -EINVAL;... buffer = kzalloc(count * sizeof(char), GFP_KERNEL);... ret = copy_from_user(buffer, buf, count); if (buffer[0] == MSG2SSP_INST_LIB_NOTI) { ret = ssp_sensorhub_send_cmd(hub_data, buffer, count); ssp_sensorhub_send_cmd(..., const char *buf, int count) { If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {...

$ DR.CHECKER: Bug in Samsung SensorHub driver if (unlikely(count < 2)) { //consider when count==2... return -EINVAL;... buffer = kzalloc(count * sizeof(char), GFP_KERNEL);... ret = copy_from_user(buffer, buf, count); if (buffer[0] == MSG2SSP_INST_LIB_NOTI) { ret = ssp_sensorhub_send_cmd(hub_data, buffer, count); ssp_sensorhub_send_cmd(..., const char *buf, int count) { If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {...

$ DR.CHECKER: Bug in Samsung SensorHub driver if (unlikely(count < 2)) { //consider when count==2... return -EINVAL;...//buffer is of size 2: buffer[0], buffer[1] buffer = kzalloc(count * sizeof(char), GFP_KERNEL);... ret = copy_from_user(buffer, buf, count); if (buffer[0] == MSG2SSP_INST_LIB_NOTI) { ret = ssp_sensorhub_send_cmd(hub_data, buffer, count); ssp_sensorhub_send_cmd(..., const char *buf, int count) { If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {...

$ DR.CHECKER: Bug in Samsung SensorHub driver if (unlikely(count < 2)) { //consider when count==2... return -EINVAL;...//buffer is of size 2: buffer[0], buffer[1] buffer = kzalloc(count * sizeof(char), GFP_KERNEL);... ret = copy_from_user(buffer, buf, count); if (buffer[0] == MSG2SSP_INST_LIB_NOTI) { ret = ssp_sensorhub_send_cmd(hub_data, buffer, count); ssp_sensorhub_send_cmd(..., const char *buf, int count) { If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {...

$ DR.CHECKER: Bug in Samsung SensorHub driver if (unlikely(count < 2)) { //consider when count==2... return -EINVAL;...//buffer is of size 2: buffer[0], buffer[1] buffer = kzalloc(count * sizeof(char), GFP_KERNEL);... ret = copy_from_user(buffer, buf, count); if (buffer[0] == MSG2SSP_INST_LIB_NOTI) { ret = ssp_sensorhub_send_cmd(hub_data, buffer, count); ssp_sensorhub_send_cmd(..., const char *buf, int count) { If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {...

$ DR.CHECKER: Bug in Samsung SensorHub driver if (unlikely(count < 2)) { //consider when count==2... return -EINVAL;...//buffer is of size 2: buffer[0], buffer[1] buffer = kzalloc(count * sizeof(char), GFP_KERNEL);... ret = copy_from_user(buffer, buf, count); if (buffer[0] == MSG2SSP_INST_LIB_NOTI) { ret = ssp_sensorhub_send_cmd(hub_data, buffer, count); ssp_sensorhub_send_cmd(..., const char *buf, int count) { If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {...

$ DR.CHECKER: Bug in Samsung SensorHub driver if (unlikely(count < 2)) { //consider when count==2... return -EINVAL;...//buffer is of size 2: buffer[0], buffer[1] buffer = kzalloc(count * sizeof(char), GFP_KERNEL);... ret = copy_from_user(buffer, buf, count); if (buffer[0] == MSG2SSP_INST_LIB_NOTI) { ret = ssp_sensorhub_send_cmd(hub_data, buffer, count); ssp_sensorhub_send_cmd(..., const char *buf, int count) { If (buf[2] < MSG2SSP_AP_STATUS_WAKEUP buf[2] >= MSG2SSP_AP_TEMPHUMIDITY_CAL_DONE) {...

$ DR.CHECKER: Open Source and Dockerized Tested on Qualcomm, MediaTek, Huawei and Samsung kernels CVE-2016-8433, CVE-2016-8472, CVE-2016-8470, CVE-2016-8471, CVE-2016-8448, CVE-2017-0797 and more.. https://github.com/ucsb-seclab/dr_checker Use it and get rich from bug bounties :)

$ DR.CHECKER is not enough!! Use-after-free. Bugs because of improper usage of kernel API functions. buf = kmalloc( count, GFP_KERNEL); // if count is Zero. if(!buf) { // buf will be ZERO_PTR buf[0] = 1; // Kernel panic.....

$ Okay! Why is it hard to find these bugs? Good ol knowledge on Bug Detection: Static Analysis Dynamic Analysis

$ Dynamic Analysis: Fuzzing!! Hundreds of tools: AFL, Peach etc Just use AFL..

$ Fuzzing: Good Luck!! Drivers expect highly structured and constrained input.

$ Fuzzing: Highly constrained input

$ Fuzzing: Highly constrained input

$ Fuzzing: Highly constrained input

$ Fuzzing: Highly constrained input

$ Fuzzing: Highly constrained input

$ Fuzzing: Highly constrained input

$ Drivers Expect Highly structured input If command == ISP_READ_REGISTER then param should be a valid user pointer to ISP_REG_IO_STRUCT. If command == ISP_WRITE_REGISTER then param should be a valid user pointer to ISP_REG_IO_STRUCT. If command == ISP_HOLD_REG_TIME then param should be a valid user pointer to ISP_HOLD_TIME_ENUM.

$ Bugs are hard to trigger Arbitrary kernel heap write.

$ Bugs are hard to trigger You can trigger the bug, only if command == 1337 and param is a valid pointer to the structure: typedef struct { type_enum type; ( == 77) int idx; ( >= 128) int val; foo_t

$ DIFUZE: Idea Recover all the command values, corresponding param types automatically. This will reduce the state space and help in effective fuzzing.

$ DIFUZE: Overview

$ DIFUZE: Interface Recovery Device Names Source Bitcode Ioctl Handler Commands Argument Types Type Definitions XML Spec

$ DIFUZE: Structure Generation

$ DIFUZE: Structure Generation

$ DIFUZE: On Device Execution Run on the phone connected to host device via ADB (Android Debug Bridge). Map the binary data, do pointer fix ups. Open device and perform the ioctl.

$ DIFUZE: Evaluation Manufacturer Device Chipset Google Pixel Qualcomm HTC E9 Plus Mediatek HTC One M9 Qualcomm Huawei P9 Lite Huawei Huawei Honor 8 Huawei Samsung Galaxy S6 Samsung Sony Xperia XA Mediatek

$ DIFUZE: Evaluation Total Unique E9 Plus 6 Galaxy S6 0 Honor 8 2 One M9 3 P9 Lite 6 Pixel 5 Xperia XA 14 Total 36

$ DIFUZE: Bug Types Crash Type Count Arbitrary Read 4 Arbitrary Write 4 Assert Failure 6 Buffer Overflow 2 Null Dereference 9 Out of Bound Index 5 Uncategorized 5 Writing to non-volatile memory 1

$ DIFUZE: Open Source CVE-2017-15307, CVE-2017-0636, CVE-2017-0804, and many more. https://github.com/ucsb-seclab/difuze Use it and become rich :)

$ In Progress: drchecker.io Dr.Checker warnings drchecker.io DIFUZE Interface Spec

$ Souvenir :)

$ Thank You /dr_checker github.com/ucsb-seclab/difuze github.com/ucsb-seclab

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback