Adaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate Android N-day Root Exploits
Yulong Zhang and Lenx (Tao) Wei, Baidu X-Lab, August 2016
Agenda
• The Problem
  • Android Kernel Vulnerability Landscape
  • Why Are They Long-lasting?
  • Case Studies
• The Solution
  • AdaptKpatch: Adaptive Kernel Live Patching
  • LuaKpatch: More Flexibility, Yet More Constraint
• The Future
  • Establishing the Ecosystem
Threats of Kernel Vulnerabilities
(Figure: an unprivileged user in user mode reaches kernel mode through a code-execution vulnerability, giving privilege escalation to root, or through an info-leak vulnerability, giving information leakage)
Threats of Kernel Vulnerabilities
• Most security mechanisms relying on kernel integrity/trustworthiness will be broken
  • Access control, app/user isolation
  • Payment/fingerprint security
  • KeyStore
  • Other Android user-land security mechanisms
• TrustZone will also be threatened
  • Attack surfaces exposed
  • Not enough input validation
Kernel Vulnerabilities in Android Security Bulletin
Monthly Disclosed Number of Android Kernel Vulnerabilities
Month    Count
2015/09  1
...      ...
2015/12  1
2016/01  3
2016/02  4
2016/03  4
2016/04  7
2016/05  15
2016/06  19
2016/07  66
The Growing Trend Indicates
• More and more attention is drawn to securing the kernel
• More and more vulnerabilities are in the N-day exploit arsenal for the underground businesses
Many Vulnerabilities Have Exploit PoC Publicly Disclosed
Vulnerability/Exploit Name  CVE ID
mempodipper                 CVE-2012-0056
exynos-abuse/Framaroot      CVE-2012-6422
diagexploit                 CVE-2012-4221
perf_event_exploit          CVE-2013-2094
fb_mem_exploit              CVE-2013-2596
msm_acdb_exploit            CVE-2013-2597
msm_cameraconfig_exploit    CVE-2013-6123
get/put_user_exploit        CVE-2013-6282
futex_exploit/Towelroot     CVE-2014-3153
msm_vfe_read_exploit        CVE-2014-4321
pipeexploit                 CVE-2015-1805
PingPong Root               CVE-2015-3636
f2fs_exploit                CVE-2015-6619
prctl_vma_exploit           CVE-2015-6640
keyring_exploit             CVE-2016-0728
......                      ......
KEMOGE
https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html
GHOST PUSH
http://www.cmcm.com/blog/en/security/2015-09-18/799.html
DOGSPECTUS
“...the payload of that exploit, a Linux ELF executable named module.so, contains the code for the futex or Towelroot exploit that was first disclosed at the end of 2014.”
https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware
HUMMINGBAD
“All combined, the campaign includes nearly 85 million devices... HummingBad attempts to gain root access on a device with a rootkit that exploits multiple vulnerabilities... It tries to root thousands of devices every day, with hundreds of these attempts successful.”
https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware
iOS More Secure?
iOS Version  Release Date  Kernel Vulnerability #  Android # In This Period
8.4.1        8/13/15       3                       -
9            9/16/15       12                      1
9.1          10/21/15      6                       -
9.2          12/8/15       5                       1
9.2.1        1/19/16       4                       3
9.3          3/21/16       9                       8
9.3.2        5/16/16       11                      22
So the problem is: Android has MORE vulnerabilities, and the vulnerabilities remain UNFIXED over a long time
• If Apple wants to patch a vulnerability
  • Apple controls the entire (mostly) supply chain
  • Apple has the source code
  • Apple refuses to sign old versions, forcing one-direction upgrade
  • All the iOS devices will get the update in a timely manner
• Android
  • Many devices stay unpatched forever / for a long period...
Why Are Android Kernel Vulnerabilities Long Lasting?
• The long patching chain delays the patch effective date
• Fragmentation makes it challenging to adapt the patches to all devices
• Capability mismatching between device vendors and security vendors
Cause A: The long patching chain
There are exploits that appeared in public but
• Never got officially reported to vendors
Exploits made public but not reported
Android Root and its Providers: A Double-Edged Sword. H. Zhang, D. She, and Z. Qian, CCS 2015
There are exploits disclosed but
• Not getting timely patches
Exploits disclosed but not timely patched
https://bugs.chromium.org/p/project-zero/issues/detail?id=734&can=1&sort=-id
There are exploits patched but
• Delayed by the carriers
Exploits patched but delayed by carriers
http://www.howtogeek.com/163958/why-do-carriers-delay-updates-for-android-but-not-iphone
User delays the OTA due to rebooting
Cause B: Fragmentation
http://opensignal.com/reports/2015/08/android-fragmentation
Google Dashboard (2016/07/21)
Version  Codename            API  Distribution
2.2      Froyo               8    0.1%
2.3.x    Gingerbread         10   1.9%
4.0.x    Ice Cream Sandwich  15   1.7%
4.1.x    Jelly Bean          16   6.4%
4.2.x    Jelly Bean          17   8.8%
4.3      Jelly Bean          18   2.6%
4.4      KitKat              19   30.1%
5.0      Lollipop            21   14.3%
5.1      Lollipop            22   20.8%
6.0      Marshmallow         23   13.3%
Lollipop was released on November 12, 2014, but 51.6% of the devices are still older than that!
Google stopped patching for Android older than 4.4, but 21.5% of the devices are still older than that!
Chinese Market Is Even Worse (Stats from devices with Baidu apps installed, July 2016)
Version          Codename            Rate
2.3.x            Gingerbread         3%
4.0.x            Ice Cream Sandwich  3%
4.1.x/4.2.x/4.3  Jelly Bean          36%
4.4              KitKat              39%
5/5.1            Lollipop            19%
Lollipop was released on November 12, 2014, but 80% of the devices are still older than that!
42% of the devices are < 4.4!
Cause C: Capability mismatching between device vendors and security vendors
Security Vendors:
• Capable of discovering and patching vulnerabilities
• Not privileged enough
• Without source code, difficult to adapt the patches
Phone Vendors:
• Privileged to apply the patches
• With source code, easy to adapt the patches
• Not enough resources to discover and patch vulnerabilities
CVE-2014-3153 (Towelroot)
• The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges.
CVE-2015-3636 (PingPong Root)
• The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service.
CVE-2015-1805 (used in KingRoot)
• The pipe_read and pipe_write implementations in the kernel before 3.16 allow local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application.
• A known issue in the upstream Linux kernel that was fixed in April 2014 but wasn't called out as a security fix and assigned CVE-2015-1805 until February 2, 2015.
(Figure: days since the advisory publication date, on a 0 to 1000 scale, for CVE-2015-1805 Pipe Root, CVE-2015-3636 PingPong Root and CVE-2014-3153 Towelroot)
(Figure: share of vulnerable vs. not vulnerable devices, 0% to 100%, for CVE-2014-3153 Towelroot, CVE-2015-3636 PingPong Root and CVE-2015-1805 Pipe Root)
Vulnerability statistics collected from Chinese Android devices in July 2016
How/Who to Secure Them???
Kernel Live Patching
• kpatch
• kGraft
• ksplice
• Linux upstream's livepatch
• ......
Kernel Live Patching
(Figure: kGraft as an example)
Kernel Live Patching
• Load new functions into memory
• Link new functions into kernel
  • Allows access to unexported kernel symbols
• Activeness safety check
  • Prevent old & new functions from running at the same time
  • stop_machine() + stack backtrace checks
• Patch it!
  • Uses ftrace etc.
https://events.linuxfoundation.org/sites/events/files/slides/kpatch-linuxcon_3.pdf
Challenges for Third Party
• Most existing work requires source code. Phone vendor is the only guy that can generate the live patches
• Unable to directly apply patches to other kernel builds
AdaptKpatch - Adaptive Live Patching
Auto patch adaption
• Kernel info gathering
• Data structure filling
Patching payload injection
• Choice A: Install kernel module
• Choice B: Binary code injection via mem device
Patching payload execution
• Replace/hook vulnerable functions
Kernel Info Collection
• Kernel version
  • /proc/version
  • vermagic
• Symbol addresses/CRC
  • /proc/kallsyms (/proc/sys/kernel/kptr_restrict)
• Other kernel modules
  • Symbol CRC / module init offset
• Boot image
  • decompress gzip/bzip/lzma/lzo/xz/lz4
  • some are raw code or even ELF file
Patch Injection Methods Coverage
• INSMOD: 95%
• (K)MEM: 60%
• Combined: 99.4% (0.6% not covered)
Method A: Kernel Module Injection
Kernel checks that need to be resolved for adaption:
• vermagic check
• symbol CRC check
• module structure check
• vendor's specific check
  • Samsung lkmauth
Bypass vermagic/symbol CRC
- Big enough vermagic buffer
- Copy kernel vermagic string to module
- Copy kernel symbol CRCs to module
Bypass Samsung lkmauth
Method B: mem/kmem Injection
- Symbol addresses
  - vmalloc_exec
  - module_alloc
- Structured shellcode
  - Allocate/reuse memory
  - Write into memory
  - Trigger the running
Patching Payload Execution
• Overwrite the function pointer
• Overwrite with patch code directly
• Inline hook
Same with other live patching methods
Adaption Challenges Solved
• Patch automatic adaption
(Figure: Patch + Device kernel info → Auto adaption → Adapted patch)
Challenges Solved
✓ Most existing work requires source code. Phone vendor is the only guy that can generate the live patches
✓ Unable to directly apply patches to other kernel builds
Successfully Evaluated CVEs
• mmap CVEs → Framaroot
• CVE-2014-3153 → Towelroot
• CVE-2015-0569
• CVE-2015-1805 → PipeRoot
• CVE-2015-3636 → PingPongRoot
• CVE-2015-6640
• CVE-2016-0728
• CVE-2016-0805
• CVE-2016-0819
• CVE-2016-0844
• ......
Successfully Evaluated on Most Popular Phones
• GT-I8552, GT-S7572, S4, A7, SM-G5308W, Grand 2, Note 4
• C8813, P6-U06, Honor U8825D
• M7, M8Sw, S720e, T528d
• A630t, A788t, A938t, K30-T
Demo
Before Patch: PingPong Root succeeds
After Patch: PingPong Root fails
Recall the Two Problems
• The long patching chain
  • Solved by adaptive live patching
• Capability mismatching
  • To be solved by a joint effort
Exploit existing vulnerabilities to gain root
Vendor cooperation & pre-embedded kernel agent
Multi-stage Vetting Mechanism
• Vendor qualification
• Patch security vetting
• Reputation ranking
We need a patching mechanism
• powerful enough to block most threats;
• agile enough for quick patch generation;
• yet restrictive enough to confine possible damages caused by the patches.
Our Solution -- LuaKpatch
Inserting a type-safe dynamic language engine (Lua) into the kernel to execute patches
• Easy to update
• Naturally jailed in the language VM
• No need to worry about memory overflow etc. of the patches
(Figure: arguments and external inputs enter a kernel function; on the normal control flow they are handled, while malicious input gets the function pwned; with the input entries hooked, the malicious input is rejected before it reaches the normal control flow)
By hooking the data input entries and validating the input, we can block most of the kernel exploits.
So we have the following restrictions:
1) The patch can hook a target function's entry;
2) In combination with 1), within the target function, the patch can hook the invoking point or returning point of functions that return a status code (e.g., copy_from_user);
3) The patch can read anything that can be read (registers, stacks, heaps, code, etc., as long as it does not trigger faults), but cannot modify original kernel memory (no write, and no data can be sent out);
4) After judging whether the input is malicious or not, the patch can return specific error codes.

A running example to illustrate which functions can be hooked and which cannot (pseudocode; "..." stands for elided arguments):

```c
fun(...) {
    // entry of A can be hooked
    bool result;
    struct *s;

    // foo is allowed to be hooked: it returns a status code
    result = foo(...);
    if (result == E_INVALID)
        return;

    // bar cannot be hooked: it returns a pointer, not a status code
    s = bar(...);
    if (s)
        s->fun();
}
```
Implementation of LuaKpatch
• Many practices followed from the lunatik-ng project.
• Line-of-Code (LoC) is ~11K. 600 LoC are the core patching logic.
• Compiled as an 800KB kernel module.
• Capability interfaces:
  o Symbol searching
  o Hooking
  o Typed reading
  o Thread info fetching
Sample Lua patch to fix one of the vulnerable conditions of CVE-2014-3153, known as “Towelroot”
Efficacy Evaluation
CVE-2012-4220  CVE-2013-6123  CVE-2015-3636
CVE-2012-4221  CVE-2013-6282  CVE-2015-6619
CVE-2012-4222  CVE-2014-3153  CVE-2015-6640
CVE-2013-1763  CVE-2014-4321  CVE-2016-0728
CVE-2013-2094  CVE-2014-4322  CVE-2016-0774
CVE-2013-2596  CVE-2015-0569  CVE-2016-0802
CVE-2013-2597  CVE-2015-1805  CVE-2016-2468
CVEs verified to be protectable by LuaKpatch. Most are Type I vulnerabilities (those that can be patched by simply hooking the entry of the vulnerable functions), but the highlighted/colored ones are Type II vulnerabilities (those that also need to hook the invocations that return a status code).
Efficacy Evaluation
All 21 CVEs can be patched by LuaKpatch. 16 are Type I, and 5 are Type II. So 76% of them can be easily fixed by hooking and checking input at the function entry.
Type I: 16
Type II: 5
Example I (CVE-2013-1763)
LuaKpatch can patch it by hooking the entry of the __sock_diag_rcv_msg function, getting the nlh argument, obtaining req from nlh, and then checking whether the condition req->sdiag_family >= AF_MAX is satisfied. If this is true, it is an exploit condition and the patch should return an error.
Example II (CVE-2013-6123)
LuaKpatch can patch it by hooking the returning point of the copy_from_user invoked by msm_ioctl_server to check the exploit condition.
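Added example, not LuaKpatch's own code (its real patches are Lua scripts run by the in-kernel engine): a user-space C model of the four hooking restrictions above, showing the Type I entry hook of Example I and the Type II return-point hook of Example II side by side. The simplified struct layouts, the model_* function names and the queue_idx bound are assumptions; the slide gives the AF_MAX condition but not the CVE-2013-6123 one, so that second check is a constructed placeholder.

```c
#include <string.h>

#define AF_MAX  41   /* upper bound of address families, as in the kernel */
#define EINVAL  22
#define EFAULT  14

/* Simplified netlink header and sock_diag request (payload follows the header). */
struct nlmsghdr      { unsigned int nlmsg_len; unsigned short nlmsg_type; };
struct sock_diag_req { unsigned char sdiag_family; unsigned char sdiag_protocol; };
struct diag_msg      { struct nlmsghdr h; struct sock_diag_req r; };  /* constructed layout */

/* Type I patch (Example I): hook the entry of __sock_diag_rcv_msg, obtain req
 * from nlh and refuse out-of-range families. Read-only; only returns an error code. */
static int sock_diag_entry_hook(const struct nlmsghdr *nlh)
{
    const struct sock_diag_req *req = (const struct sock_diag_req *)(nlh + 1);
    return req->sdiag_family >= AF_MAX ? -EINVAL : 0;
}

/* Model of the target: the patch runs before the original body. */
int model_sock_diag_rcv_msg(const struct nlmsghdr *nlh)
{
    int rc = sock_diag_entry_hook(nlh);
    if (rc) return rc;   /* exploit condition: leave with the error code */
    return 0;            /* normal path: dispatch by family */
}

/* Type II patch (Example II): hook the return point of copy_from_user inside
 * msm_ioctl_server. The bound on queue_idx is a CONSTRUCTED placeholder; the
 * slide does not spell out the real CVE-2013-6123 condition. */
#define MAX_QUEUE 8
struct cam_req { unsigned int queue_idx; };

static int copy_from_user_return_hook(int status, const struct cam_req *copied)
{
    if (status != 0) return status;   /* callee failed; nothing to validate */
    return copied->queue_idx >= MAX_QUEUE ? -EINVAL : 0;
}

static int model_copy_from_user(struct cam_req *dst, const struct cam_req *src)
{
    if (!src) return -EFAULT;
    memcpy(dst, src, sizeof(*dst));
    return 0;
}

int model_msm_ioctl_server(const struct cam_req *uarg)
{
    struct cam_req req;
    int rc = model_copy_from_user(&req, uarg);
    rc = copy_from_user_return_hook(rc, &req);   /* patch runs at the return point */
    if (rc) return rc;
    return (int)req.queue_idx;   /* original code would now index a queue table */
}
```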
Demo
Before Patch: Vulnerable to Towelroot and PingPong Root
After Patch: Immune to Towelroot and PingPong Root
Performance Evaluation
CF-Bench Performance Score
Configuration                   Score
Normal                          17473.25
Patched (Towelroot)             17551.75
Patched (PingPong Root)         17521.4
Patched (both vulnerabilities)  17482
Execution Time of chmod (Microseconds)
Configuration                          Time
No patch                               100.7 µs
Patched with a direct return           +0.42 µs
Patched with a conditional comparison  +0.98 µs
Patched with a memory read             +0.82 µs
Patched with mixed operations          +3.74 µs
LuaKpatch validation check adds an overhead under 4 microseconds, only 4% of a chmod system call.
Because system calls are not invoked all the time, the impact on the overall system performance should be even less.
• When a user normally browses the Internet using Chrome on Nexus 5 + Android 4.4, gettimeofday was the most-called system call, triggered ~110,000 times. The overall performance overhead can be estimated as 5 µs × 110,000 / 1 min ≈ 0.9%, which is quite small.
As an ongoing work, we are migrating LuaKpatch to LuaJIT, which should further improve the performance.
The patching circle in the open collaborative patching ecosystem
Let's fight the bad together!
• The number and the complexity of kernel vulnerabilities keep increasing, so more joint effort makes it easier to battle against them.
• In the AdaptKpatch scheme, patches can be vetted and cross-validated by qualified alliance members.
• Last but most importantly, all vendors can join together to develop a patching standard instead of implementing different variants. If different hot-patching mechanisms exist, it introduces another layer of fragmentation.
Thanks!
Yulong Zhang, Yue Chen, Chenfu Bao, Liangzhao Xia, Longri Zheng, Yongqiang Lu, Lenx Wei
Baidu X-Lab, August 2016