a content aware kernel ipc firewall for android
play

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey - PowerPoint PPT Presentation

A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus Overview Understanding Binder and how its used Intercepting and modifying data with BinderFilter Demos! @davidwuuuuuuuu @sergeybratus Undergraduate at


  1. A Content-Aware Kernel IPC Firewall for Android David Wu Sergey Bratus

  2. Overview Understanding Binder and how it’s used ● Intercepting and modifying data with BinderFilter ● ● Demos!

  3. @davidwuuuuuuuu @sergeybratus Undergraduate at Dartmouth Research Associate Professor at ● ● Software Engineer in Boston Dartmouth ● ● Network and Linux ● LangSec for Penetration Testing instrumentation research with Weird machines in ELF and ● Sergey Bratus DWARF formats Web analysis automation and Hacking 802.15.4/ZigBee digital ● ● Android security research at Ionic radio hacking Security

  4. BinderFilter ● Run-time blocking and modification of all inter-app communication ● Context informed policy decisions ● Binder message parser and filter

  5. B i n d e r

  6. Man in the Binder 2014 Blackhat Europe - ● Nitay Artenstein, Idan Revivo Keylogger, SMS message ● interceptor “Most secure apps protect ● their data, but don’t bother with data moving between in-app Activities... this data goes through Binder” https://www.blackhat.com/docs/eu-14/materials/eu-14-Artenstein-Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid.pdf

  7. Android Security Concepts Built on Linux ● SELinux, file permissions, system calls ○ ○ Sandboxing enforced by UID (each application is a different Linux user) ○ Permissions ● Android 6.0 introduced dynamic permissions for ○ certain messages 30% of users have Android 6.0+ [1] ■

  8. Application Layer Application Framework Layer Core Libraries Layer Kernel Layer developer.android.com/guide/platform/index.html

  9. Binder Android’s IPC system ● Implemented as a Linux kernel driver ● ○ /dev/binder /drivers/staging/android/binder.{c,h} ○ Every IPC message goes through Binder driver ● Supports: ● ○ Security tokens Death notifications ○ (local) RPC ○ Intents ○ ○ ContentProviders

  10. Separate process address spaces enforced by kernel Process A Process B data data readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver data

  11. Demo binderfilter -s -m "android.permission.CAMERA" -u 10078 -a 3 --modify-data="cat.jpg"

  12. Separate process address spaces enforced by kernel Process A (Camera) Process B (Facebook) sergey cat readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver sergey cat

  13. myCustomCameraApp.java getSystemService() Camera.java native takePicture() JNI android_hardware_Camera.cpp takePicture() Camera.cpp takePicture() ICamera.cpp transact(TAKE_PICTURE, …) syscall binder.c

  14. Visualizations

  15. Linux process (UID 10098) Linux process (UID 10099) Client Application Service Binder Proxy Binder Stub Android Binder IPC IBinder: IBinder : onTransact() { transact() ... } Linux driver (/dev/binder) Android Security Internals, Nikolay Elenkov, No Starch Press

  16. Service Binder Client

  17. Service Binder Client Await requests (BC_REGISTER_LOOPER) Service thread sleeps

  18. Service Binder Client Await requests (BC_REGISTER_LOOPER) Request from client (BC_TRANSACTION) Service thread sleeps Wait for response callback

  19. Service Binder Client Await requests (BC_REGISTER_LOOPER) Request from client (BC_TRANSACTION) Service thread sleeps Request from client (BC_TRANSACTION) Wait for response callback

  20. Service Binder Client Await requests (BC_REGISTER_LOOPER) Request from client (BC_TRANSACTION) Service thread sleeps Request from client (BC_TRANSACTION) Wait for response callback Reply to client (BC_REPLY)

  21. Service Binder Client Await requests (BC_REGISTER_LOOPER) Request from client (BC_TRANSACTION) Service thread sleeps Request from client (BC_TRANSACTION) Wait for response callback Reply to client (BC_REPLY) Reply to client (BC_REPLY) Aleksandar Gargenta. Deep Dive into Android IPC/Binder Framework. 2013.

  22. Application Layer MyApp.java Intent batteryStatus = Context. registerReceiver (null, new IntentFilter( Intent.ACTION_BATTERY_CHANGED);

  23. Application Framework Layer ContextImpl.java registerReceiver() -> registerReceiverInternal()-> ActivityManagerNative.registerReceiver() ActivityManagerNative.java Parcel data = Parcel.obtain() data.writeString(packageName) filter.writeToParcel(data) IBinder.transact(data, reply) BinderProxy.java (implements IBinder) transact() -> native transactNative() // JNI

  24. Core Libraries android_util_Binder.cpp android_os_BinderProxy_transact() -> IBinder.transact() BpBinder : IBinder IPCThreadState::self()->transact()

  25. Core Libraries IPCThreadState.cpp open(“/dev/binder”) ProcessState.cpp transact() -> Parcel.cpp waitForResponse() -> mParcel.write(data) talkWithDriver() // writes Java parcel data to this process’ address space ioctl(fd, BINDER_WRITE_READ, mParcel) Linux Kernel binder.c

  26. IPC “Packets” struct binder_transaction_data { /* The first two identify struct binder_write_read { the target and contents of signed long write_size; the transaction. signed long write_consumed; */ unsigned long write_buffer; union { signed long read_size; size_thandle; signed long read_consumed; void *ptr; unsigned long read_buffer; } target; }; void *cookie; struct flat_binder_object { unsigned intcode; /* 8 bytes for large_flat_header. */ unsigned intflags; unsigned long type; unsigned long flags; /* General information about the transaction.*/ pid_t sender_pid; /* 8 bytes of data. */ uid_t sender_euid; union { size_t data_size; void *binder; // local obj size_t offsets_size; signed long handle; // remote obj }; union { struct { /* extra data associated with local object */ /* transaction data */ void *cookie; const void *buffer; }; const void *offsets; } ptr; uint8_t buf[8]; } data; };

  27. IPC “Scheduler” Blocking ioctl syscall copy_from_user(data) wake_up_interruptable(service) binder_thread_write() client binder_transaction() list_add_tail(data, service) binder_ioctl() loop until list not empty copy_to_user(data) service binder_thread_read() data = list_first_entry() time

  28. Separate process address spaces enforced by kernel Process A Process B data data readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver data

  29. Separate process address spaces enforced by kernel Process A Process B data data readFromParcel() writeToParcel() userland kernel copy_from_user() copy_to_user() Binder Driver data data

  30. Blocking ioctl syscall copy_from_user(data) wake_up_interruptable(service) binder_thread_write() client binder_transaction() list_add_tail(data, service) binder_ioctl() loop until list not empty copy_to_user(data) service binder_thread_read() data = list_first_entry() time

  31. BinderFilter

  32. Enhanced logs Existing binder.c logs ● printk(), TRACE_EVENT(), seq_printf() ○ Existing: [49431.544219] binder: 9916:9916 BC_TRANSACTION 683674 -> 198 ● - node 289403, data 8dc12180 (null) size 80-0 ● Enhanced: [14:33:56.084452] binder_command BC_TRANSACTION: process pid 9916 (android.picky), thread pid 9916 -> process pid 198 (/system/bin/surfaceflinger), node id 289403, transaction id 683674, data address 8dc12180, data size 80, offsets address null, offsets size 0

  33. Parsing message contents (Man in the Binder) Binder buffer contents in memory {(0)(64)(24)(0)android.os.IPowerManager(0)(0)(1)(0)(0)(0)} Fields are Each Strings are Classes are Chars are Integers aligned on character or prepended passed as 2 bytes are 4 bytes 4 byte (p) value is by their string literals intervals a byte length Sender of the intent

  34. Modifying Saved Pictures {(4)H(28)(0)android.app.IActivityManager(0)(0)(133)*bs(127)( 1)(0)P(196)(180)(174)(224)(145)(181)(172)(19)(0)com.facebook .katana(0)"(0)android.media.action.IMAGE_CAPTURE(0)(0)(0)(0) (255)(255)(255)(255)(3)(0)(255)(255)(255)(255)(255)(255)(255 )(255)(0)(0)(0)(0)(0)(0)(1)(0)(1)(0)(0)(0)(0)(0)(1)(0)(13)(0 )text/uri-list(0)(0)(0)(1)(0)(1)(0)(255)(255)(255)(255)(255) (255)(255)(255)(0)(0)(1)(0)(3)(0)(4)(0)file(0)(0)(0)(0)(0)(0 )(0)(0)(0)(0)(0)(0)(2)(0)(62)(0)/storage/emulated/0/Pictures /Facebook/FB_IMG_1464314001208.jpg}

  35. Demo # Evernote: microphone binderfilter -s -m "android.permission.RECORD_AUDIO" -u 10092 -a 1 # Google Maps: location binderfilter -s -m "android.permission.ACCESS_FINE_LOCATION" -u 10056 -a 1 # Photos: read storage binderfilter -s -m "android.permission.READ_EXTERNAL_STORAGE" -u 1000 -a 1 # Camera: ContentProvider (service for saving pictures) binderfilter -s -m "android.permission.READ_EXTERNAL_STORAGE" -u 1000 -a 2 binderfilter -s -m "ContentProvider" -u 10044 -a 1

  36. Blocking messages ● Blocking generic strings in Binder messages is dangerously powerful Permissions are passed as string literals in IPC messages ● Check uid, context ● Check binder message content for message with strstr ● ● Clear out the entire message with memset

  37. Blocking Permissions {(0)@(28)(0)android.app.IActivityManager(0)(0))(0)android.pe rmission.ACCESS_COARSE_LOCATION(0)(155)(9)(0))'(0)}

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend