+ All Categories
Home > Documents > Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: –...

Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: –...

Date post: 16-Jun-2020
Category:

Documents
Upload: others
View: 0 times
Download: 0 times
Download Report this document
Share this document with a friend
21
Transcript
Page 1: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.
Page 2: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

Agenda•  Bio•  Context

• Whatisroot?

•  Reversingtoolbox

•  Examina7onofcommonrootdetec7onmethods

•  SecurityandBYODapps

•  AndroPoser

•  Conclusion

Copyright©2015SymantecCorpora7on2

Page 3: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:Bio•  AzzedineBenameur:–  JoinedSymantecin2011–  Pastresearchprojects:Minestrone(IARPA)andMEERKATS(DARPA)–  SAPSecurity&TrustLab,HPCloudSecurityLab–  Ph.D.,ComputerSciencefromLyonUniversity,2009

•  NathanEvans:–  JoinedSymantecin2011–  Pastresearchprojects:Minestrone(IARPA)andMEERKATS(DARPA)–  AFRL-fundedresearchinnetworksecurity/mapping(NICE)–  Ph.D.,ComputerSciencefromT.U.Munich,2011

•  YunShen:–  JoinedSymantecin2012–  Pastresearchproject:Bigfoot(FP7)–  HPCloudSecurityLab–  Ph.D.,ComputerSciencefromUniversityofHull,2005

3Copyright©2015SymantecCorpora7on

Page 4: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:Context•  TheriseofBYOD:–  Personalandcorporatedataonthesamedevice–  Androidison70%ofthedevices(phoneandtablet)–  Roothasabadreputa7on

•  Ques7ons–  Howmany/whichapplica7onscheckforrootasasecurityconcern?–  Howarethesechecksimplemented/aretheyeffec7veatdetec7ngroot?–  Howeasilycanthesechecksbesubvertedtohidethepresenceofroot?– Whataretheimplica7ons?

•  Methodology–  Lookatthetopsecurity/MDMsolu7onsavailable–  Comparerootdetec7onmethodsbasedonstandardsetofchecks

4Copyright©2015SymantecCorpora7on

Page 5: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:Whatisroot?

HowRootworks:

5Copyright©2015SymantecCorpora7on

Page 6: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:ToolBox

6Copyright©2015SymantecCorpora7on

Page 7: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:ToolBox

•  AndroidApplica7onaredistributedasAPK:

7Copyright©2015SymantecCorpora7on

Page 8: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:ToolBox•  Dex2Jar:convertsandroidbytecodetoJavaArchive(JAR)

•  JD-core:convertsJARtoJavasourcecode.

•  Apktool:decompilesandroidbytecodetoanintermediatelanguage(incasetheJavasourcecodewasnotfullyrecoveredortheanalysiswasinconclusive)

•  CustomScripts:automatetheprocessandsearchforobviousJavacallsandbroadreferencestorootedphonefeatures

8Copyright©2015SymantecCorpora7on

Page 9: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:CommonRootDiscovery•  Presenceoffiles:–  StaBcPATH:Hardcodepaths(/system/bin/su,/bin/su,etc.)andissueanopen/stat–  DynamicPATH:ParsethePATHvariable,appending“/su”toeachentry;openeachinaloop

–  SystemPATH:Executeswhichcommandwithparameter“su”andcheckiftheresultis0

–  ExecuBon:Justalempttoexecute“su”asasubprocessandcheckthereturncode–  RootACLProgram:Checkforsuperuserapkunderthepath“/system/app/Superuser.apk”.

–  Setuid:Wefoundoneappwithaninteres7ngcheck;thepresenceofbinariesonthesystemthatweresetuidroot,orabletobeexecutedasroot(uid0)bynormalusers.Whilestandardsubinariesaresetuidroot,wearenotsureifthisisalegi7matecheckforrootasprogramscouldbesetuidrootforotherreasons.

–  InstalledPackages:Checkforthepresenceofcommonrootpackagesbeinginstalledonthesystem(e.g.,“com.chainfire.supersu”,“com.noshufou.android.su”).WesawbothchecksusingAndroidAPI’saswellasbyexec’ing“pmlistpackages”

9Copyright©2015SymantecCorpora7on

Page 10: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:CommonRootDiscovery

•  GeneralDeviceSeongs:–  Testkeys:Ifacustomkernelisusedonadevicethebuildversionshowsthat“test-keys”areusedinsteadof“release-keys”.Someappsassume“test-keys”meansthedeviceisrooted,whichisnotalwaysthecase.Also,thepresenceof“release-keys”doesnotindicatethedeviceisnotrooted.

–  Buildversion:Weencounteredspecificchecksoftheseong“ro.modversion”aswell,whichcanbeusedtoiden7fycertaincustomAndroidROMs(suchasCyanogenmod).

10Copyright©2015SymantecCorpora7on

Page 11: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:CommonRootDiscovery

•  Run7meCapabili7esandCharacteris7cs:–  Systemmounted:Someroo7ngmethodsrequirethispar77ontoberemounted“rw”(read-/write).Wesawtwovariantsofthischeck;thefirstsimplyrunsthemountcommandandlooksfora“rw”flag,thesecondactuallyalemptstocreateafileunder“/system/”or“/data/”.

–  Abilitytomount:Arelatedmethodalemptstomountthe“/system”par77onwiththecommand“mount-oremount,rw/system”,andthenchecksthereturncode.

–  UserID:Acuriouscheckwefoundinonecasewastheappgeongthecurrentuserid(UID)oftheappasitwasrunningandcheckingifitwasrunningasroot(UID0).Thisiscuriousbecauseasfarasweknow,evenonarootedphoneanyappstartedbyZygotegetsit’sownunique(non0)UID.However,itispossiblethatanappwouldrequestrootaccessviaintentandthenissuetheUIDcheck.

11Copyright©2015SymantecCorpora7on

Page 12: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:SecurityApplica7ons

12Copyright©2015SymantecCorpora7on

Page 13: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:SecurityApplica7ons

•  Nona7vecodeusedforrootdetec7on?!•  RootCloak/Xposed“friendly”

•  AVASTleveragesroot:iptables/firewall

•  Kasperskyrootchecks:packed/reflec7on(requiredrun7mehelp)

13Copyright©2015SymantecCorpora7on

Page 14: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:BYODSolu7ons

14Copyright©2015SymantecCorpora7on

Page 15: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:BYODSolu7ons•  NaBvecode:–  VMware’sAirwatchMDMagent.libcoredevice.soisnotpar7cularlydifficulttoreverse.ThebulkofthechecksareinthemethodgetDeviceState(JNIEnv*,jobject*)

–  Excitor:Thelibraryisnotdifficulttoreverse:sta7cpathalongwithprivilegeescala7onalempt.

•  Fourvendorshavenorootcheck:– MobileIron:com.cisco.anyconnect.vpn.android.rooted,Policymightbepushedfromserverlater?

•  Breadth:WewereimpressedbytheapparenteffortthatwentintomakingIBM’sMDMsolu7onasrigorousandin-depthaspossible.Butnoobfusca7onandnona7vecode

15Copyright©2015SymantecCorpora7on

Page 16: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:AndroPoser

•  Neededatooltoverifyoursta7canalysis

•  Createdalibrarythatgivesusrun7mevisibilityintowhattheprocessisreallydoing

•  Leverageddynamiclinkerfeature:LD_PRELOAD

•  Selectedasetoffunc7onstoinspect

16Copyright©2015SymantecCorpora7on

Page 17: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:AndroPoser

•  EasytosetonAndroid:–  setpropwrap.com.package.id“LD_PRELOAD=/data/androposer.so”

•  Exampleonopen():

17Copyright©2015SymantecCorpora7on

Page 18: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:AndroPoser

•  Otheruse:defeatAn7-Debugprotec7on•  Iden7fyFDforopen/proc/self/status

•  Replacereadfor“TracerPid:XXX”(whereXXXisthedebugger)

18Copyright©2015SymantecCorpora7on

Page 19: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:Conclusion

•  Security/MDMcomparison:– McAfee:NocheckontheirAVbutchecksontheMDMagent–  Kaspersky/Symantec:SamecodeforbothsecurityandMDMapp,Kasperskyhasadifferentbuildprobably

–  Panda:noapparentrootcheckforeither

•  BYOD/MDMsolu7onsdocareaboutRoot

•  MostarevulnerabletoRootCloak/Xposed/AndroPoser

19Copyright©2015SymantecCorpora7on

Page 20: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

AllyourRootChecksareBelongtoUs:Conclusion

•  Levelup:– Werevisitedhowwecheckforroot–  Na7vecodeismakingitalillebitharder–  Binary“hardening”:packing,check-summing,stringencryp7on

•  Exploringotherways:– Machinelearningbasedapproachtodetectroot:WIP–  ARMTrustZone?

20Copyright©2015SymantecCorpora7on

Page 21: Agenda - Black Hat · All your Root Checks are Belong to Us: BYOD Soluons • Nave code: – VMware’s Airwatch MDM agent. libcoredevice.so is not par7cularly difficult to reverse.

Thankyou!

Copyright©2015SymantecCorporaBon.Allrightsreserved.SymantecandtheSymantecLogoaretrademarksorregisteredtrademarksofSymantecCorpora7onoritsaffiliatesintheU.S.andothercountries.Othernamesmaybetrademarksoftheirrespec7veowners.

Thisdocumentisprovidedforinforma7onalpurposesonlyandisnotintendedasadver7sing.Allwarran7esrela7ngtotheinforma7oninthisdocument,eitherexpressorimplied,aredisclaimedtothemaximumextentallowedbylaw.Theinforma7oninthisdocumentissubjecttochangewithoutno7ce.


Recommended
AirWatch Troubleshooting Guide - Beckman Coulteriosapps.beckmancoulter.com/airwatch/AirWatch_Troubleshooting_G… · AirWatch Troubleshooting Guide Revised 23 January 2018 Program

AirWatch Troubleshooting Guide - Beckman Coulteriosapps.beckmancoulter.com/airwatch/AirWatch_Troubleshooting_G… · AirWatch Troubleshooting Guide Revised 23 January 2018 Program

Documents

Airwatch eBook

Airwatch eBook

Documents

Airwatch Application Installation

Airwatch Application Installation

Documents

User manual for AirWatch enrollment - Androideum.im/air/air_android.pdf · User manual for AirWatch enrollment - ... and installation, of the AirWatch app. 5. ... AirWatch Inbox for

User manual for AirWatch enrollment - Androideum.im/air/air_android.pdf · User manual for AirWatch enrollment - ... and installation, of the AirWatch app. 5. ... AirWatch Inbox for

Documents

AirWatch Inbox for iOS User Guide - Home | U.S. … · Inboxapplicationflipstotheanchorapplication(AirWatch Agent/AirWatchContainer).Followthepromptsandinstructionsto ... AirWatch

AirWatch Inbox for iOS User Guide - Home | U.S. … · Inboxapplicationflipstotheanchorapplication(AirWatch Agent/AirWatchContainer).Followthepromptsandinstructionsto ... AirWatch

Documents

SALE | SERVICE | SUPPORT | AMC | RENTkkrishinfotech.com/Downloads/CorporateFlyer.pdf · Website Development (Responsive) Digital Markeng Soluons Graphic Designing DLP Soluons We take

SALE | SERVICE | SUPPORT | AMC | RENTkkrishinfotech.com/Downloads/CorporateFlyer.pdf · Website Development (Responsive) Digital Markeng Soluons Graphic Designing DLP Soluons We take

Documents

Integrating AirWatch with Cisco Identity Services · PDF fileIntegrating AirWatch with Cisco Identity Services ... AirWatch offers both an on-premise model and cloud ... Integrating

Integrating AirWatch with Cisco Identity Services · PDF fileIntegrating AirWatch with Cisco Identity Services ... AirWatch offers both an on-premise model and cloud ... Integrating

Documents

Roadmap Soluons for your ERP - Version 1

Roadmap Soluons for your ERP - Version 1

Documents

VMware AirWatch PowerShell Integration Guide€¦ · Title: VMware AirWatch PowerShell Integration Guide Author: AirWatch Created Date: 6/12/2018 4:41:45 PM

VMware AirWatch PowerShell Integration Guide€¦ · Title: VMware AirWatch PowerShell Integration Guide Author: AirWatch Created Date: 6/12/2018 4:41:45 PM

Documents

AIRWATCH FOR USERS - prettl.com · To download the AirWatch agent, please launch the App Store. Picture 48: App Store . PRETTL IT Documentation Software AirWatch

AIRWATCH FOR USERS - prettl.com · To download the AirWatch agent, please launch the App Store. Picture 48: App Store . PRETTL IT Documentation Software AirWatch

Documents

AirWatch Container Demo - help.vmwdemo.comhelp.vmwdemo.com/internal/DemoTopic-AirWatch Container.pdf · AirWatch Container Demo | v.2015.08 | August 2015 Copyright © 2014 AirWatch,

AirWatch Container Demo - help.vmwdemo.comhelp.vmwdemo.com/internal/DemoTopic-AirWatch Container.pdf · AirWatch Container Demo | v.2015.08 | August 2015 Copyright © 2014 AirWatch,

Documents

AirWatch On-Premise Configuration Guidedocshare01.docshare.tips/files/31045/310450866.pdf · AirWatch-specificwarningsanderrorsarewrittentologfilesinthe\AirWatch ...

AirWatch On-Premise Configuration Guidedocshare01.docshare.tips/files/31045/310450866.pdf · AirWatch-specificwarningsanderrorsarewrittentologfilesinthe\AirWatch ...

Documents

AirWatch AndroidUserGuide

AirWatch AndroidUserGuide

Documents

AirWatch by VMware - Spectralink · 2017-08-18 · AirWatch simplifies mobility for organizations, while empowering end users. With AirWatch, organizations can easily deploy, configure,

AirWatch by VMware - Spectralink · 2017-08-18 · AirWatch simplifies mobility for organizations, while empowering end users. With AirWatch, organizations can easily deploy, configure,

Documents

Airwatch Application Installation · 2.) Touch AirWatch Container. e areful! Don’t install AirWatch MDM Agent by mistake! 3.) Touch GET or the “cloud” icon indicated (if AirWatch

Airwatch Application Installation · 2.) Touch AirWatch Container. e areful! Don’t install AirWatch MDM Agent by mistake! 3.) Touch GET or the “cloud” icon indicated (if AirWatch

Documents

VMware AirWatch Mobile Device Management … · VMware AirWatch Mobile Device Management . Supplemental Administrative Guidance . ... and Syslog Guide [8] VMware AirWatch ... Installation

VMware AirWatch Mobile Device Management … · VMware AirWatch Mobile Device Management . Supplemental Administrative Guidance . ... and Syslog Guide [8] VMware AirWatch ... Installation

Documents

Engineered Soluons For Pipe Moon

Engineered Soluons For Pipe Moon

Documents

MDM - airwatch

MDM - airwatch

Documents