Agenda
• Bio
• Context
• What is root?
• Reversing toolbox
• Examination of common root detection methods
• Security and BYOD apps
• AndroPoser
• Conclusion
Copyright © 2015 Symantec Corporation
All your Root Checks are Belong to Us: Bio
• Azzedine Benameur:
  – Joined Symantec in 2011
  – Past research projects: Minestrone (IARPA) and MEERKATS (DARPA)
  – SAP Security & Trust Lab, HP Cloud Security Lab
  – Ph.D., Computer Science from Lyon University, 2009
• Nathan Evans:
  – Joined Symantec in 2011
  – Past research projects: Minestrone (IARPA) and MEERKATS (DARPA)
  – AFRL-funded research in network security/mapping (NICE)
  – Ph.D., Computer Science from T.U. Munich, 2011
• Yun Shen:
  – Joined Symantec in 2012
  – Past research project: Bigfoot (FP7)
  – HP Cloud Security Lab
  – Ph.D., Computer Science from University of Hull, 2005
All your Root Checks are Belong to Us: Context
• The rise of BYOD:
  – Personal and corporate data on the same device
  – Android is on 70% of the devices (phone and tablet)
  – Root has a bad reputation
• Questions
  – How many/which applications check for root as a security concern?
  – How are these checks implemented / are they effective at detecting root?
  – How easily can these checks be subverted to hide the presence of root?
  – What are the implications?
• Methodology
  – Look at the top security/MDM solutions available
  – Compare root detection methods based on a standard set of checks
All your Root Checks are Belong to Us: What is root?
How Root works:
All your Root Checks are Belong to Us: ToolBox
All your Root Checks are Belong to Us: ToolBox
• Android applications are distributed as APK:
All your Root Checks are Belong to Us: ToolBox
• Dex2Jar: converts Android bytecode to a Java Archive (JAR)
• JD-core: converts JAR to Java source code.
• Apktool: decompiles Android bytecode to an intermediate language (in case the Java source code was not fully recovered or the analysis was inconclusive)
• Custom scripts: automate the process and search for obvious Java calls and broad references to rooted-phone features
All your Root Checks are Belong to Us: Common Root Discovery
• Presence of files:
  – Static PATH: Hard-code paths (/system/bin/su, /bin/su, etc.) and issue an open/stat
  – Dynamic PATH: Parse the PATH variable, appending "/su" to each entry; open each in a loop
  – System PATH: Execute the which command with parameter "su" and check if the result is 0
  – Execution: Just attempt to execute "su" as a subprocess and check the return code
  – Root ACL program: Check for the superuser apk under the path "/system/app/Superuser.apk".
  – Setuid: We found one app with an interesting check; the presence of binaries on the system that were setuid root, or able to be executed as root (uid 0) by normal users. While standard su binaries are setuid root, we are not sure if this is a legitimate check for root, as programs could be setuid root for other reasons.
  – Installed packages: Check for the presence of common root packages installed on the system (e.g., "com.chainfire.supersu", "com.noshufou.android.su"). We saw checks using Android APIs as well as exec'ing "pm list packages"
All your Root Checks are Belong to Us: Common Root Discovery
• General device settings:
  – Test keys: If a custom kernel is used on a device, the build version shows that "test-keys" are used instead of "release-keys". Some apps assume "test-keys" means the device is rooted, which is not always the case. Also, the presence of "release-keys" does not indicate the device is not rooted.
  – Build version: We encountered specific checks of the setting "ro.modversion" as well, which can be used to identify certain custom Android ROMs (such as CyanogenMod).
All your Root Checks are Belong to Us: Common Root Discovery
• Runtime capabilities and characteristics:
  – System mounted: Some rooting methods require this partition to be remounted "rw" (read/write). We saw two variants of this check; the first simply runs the mount command and looks for an "rw" flag, the second actually attempts to create a file under "/system/" or "/data/".
  – Ability to mount: A related method attempts to mount the "/system" partition with the command "mount -o remount,rw /system", and then checks the return code.
  – User ID: A curious check we found in one case was the app getting its current user id (UID) as it was running and checking if it was running as root (UID 0). This is curious because, as far as we know, even on a rooted phone any app started by Zygote gets its own unique (non-0) UID. However, it is possible that an app would request root access via intent and then issue the UID check.
All your Root Checks are Belong to Us: Security Applications
All your Root Checks are Belong to Us: Security Applications
• No native code used for root detection?!
• RootCloak/Xposed "friendly"
• AVAST leverages root: iptables/firewall
• Kaspersky root checks: packed/reflection (required runtime help)
All your Root Checks are Belong to Us: BYOD Solutions
All your Root Checks are Belong to Us: BYOD Solutions
• Native code:
  – VMware's AirWatch MDM agent: libcoredevice.so is not particularly difficult to reverse. The bulk of the checks are in the method getDeviceState(JNIEnv*, jobject*)
  – Excitor: The library is not difficult to reverse: static path along with a privilege escalation attempt.
• Four vendors have no root check:
  – MobileIron: com.cisco.anyconnect.vpn.android.rooted; policy might be pushed from the server later?
• Breadth: We were impressed by the apparent effort that went into making IBM's MDM solution as rigorous and in-depth as possible. But no obfuscation and no native code
All your Root Checks are Belong to Us: AndroPoser
• Needed a tool to verify our static analysis
• Created a library that gives us runtime visibility into what the process is really doing
• Leveraged dynamic linker feature: LD_PRELOAD
• Selected a set of functions to inspect
All your Root Checks are Belong to Us: AndroPoser
• Easy to set on Android:
  – setprop wrap.com.package.id "LD_PRELOAD=/data/androposer.so"
• Example on open():
All your Root Checks are Belong to Us: AndroPoser
• Other use: defeat anti-debug protection
• Identify the FD for open("/proc/self/status")
• Replace read for "TracerPid: XXX" (where XXX is the debugger)
All your Root Checks are Belong to Us: Conclusion
• Security/MDM comparison:
  – McAfee: No check in their AV but checks in the MDM agent
  – Kaspersky/Symantec: Same code for both the security and the MDM app; Kaspersky probably has a different build
  – Panda: no apparent root check for either
• BYOD/MDM solutions do care about root
• Most are vulnerable to RootCloak/Xposed/AndroPoser
All your Root Checks are Belong to Us: Conclusion
• Level up:
  – We revisited how we check for root
  – Native code is making it a little bit harder
  – Binary "hardening": packing, check-summing, string encryption
• Exploring other ways:
  – Machine learning based approach to detect root: WIP
  – ARM TrustZone?
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.