back to the future going back in time to abuse android s
play

Back To The Future Going Back In Time To Abuse Androids JIT 1 $ - PowerPoint PPT Presentation

Aug 13, 2023 •31 likes •751 views

Back To The Future Going Back In Time To Abuse Androids JIT 1 $ whoami Benjamin Watson Director of Security Research @VerSprite Security Android @rotlogix 2 Agenda Inspiration and Overview Android 4.4.4 JIT

  1. Back To The Future Going Back In Time To Abuse Android’s JIT �1

  2. $ whoami • Benjamin Watson • Director of Security Research @VerSprite Security • Android • @rotlogix �2

  3. Agenda • Inspiration and Overview • Android 4.4.4 JIT Internals & Abuse • Android 7.1.1 JIT Internals & Abuse • Android Oreo • Tools • Future Challenges • Conclusion �3

  4. Back To The Future Going Back In Time To Abuse Android’s JIT �4

  5. Making Android Malware Great The First Time �5

  6. On The Shoulders Of Giants �6

  7. On the Shoulders of Giants @ mattifestation @ rwincey �7

  8. Shellcode Execution in .NET using MSIL- Based JIT Overwrite • @mattifestation discovered the CPBLK opcode, which is effectively the MSIL equivalent to memcpy • He used to this opcode to overwrite a JIT’ed .NET method with shellcode • https://www.exploit-monday.com/2013/04/ MSILbasedShellcodeExec.html �8

  9. Java Shellcode Execution • @rwincey uses the Unsafe API to overwrite a JIT’ed Java method with shellcode • https://www.slideshare.net/RyanWincey/java- shellcodeoffice �9

  10. On the Shoulders of Giants • After absorbing Matt and Ryan’s research, I was left with one question … “ Is this also possible in Android? “ … �10

  11. Motivation • These techniques discussed today are post-exploitation in nature • We already have installed a malicious application or gain code execution in Java through an arbitrary application • Our goal is to execute shellcode in memory entirely through Java without loading additional shared-libraries, or utilizing JNI �11

  12. Motivation • This means that a simple “application” can have a self- contained solution for loading shellcode from memory into memory • This only relies on having access to a runtime and nothing more • The technique results in zero disk presence, which eliminates the need packaging up shared-libraries or other executable payloads �12

  13. Malicious PNG AD Network Download Shellcode from PNG Extract shellcode from PNG Embedded Shellcode and execute it in memory via JIT technique Malware Installation Google Play �13

  14. Time Travel �14

  15. Time Travel • Unfortunately the existence of a JIT compiler is not in every major version of Android • Up until KitKat , Android utilized Dalvik, which is a JIT based VM • When the Android Runtime (ART) was introduced in Lollipop it replaced the Dalvik VM • The Android Runtime itself relies on Ahead-of-Time (AOT) compilation �15

  16. Time Travel • Things change in Android Nougat , when a new JIT compiler is introduced with code profiling • This is meant to improve the performance of applications when running in the ART �16

  17. �17

  18. Overview • This research predominantly focuses on Android KitKat and Android Nougat • We are going to deep dive the internals of Dalvik’s JIT implementation and the JIT compiler running in version 7.1.1 • Our main goal is to abuse each implementation in order to execute shellcode directly from memory • This research was performed on a Nexus 5 running 4.4.4 and a Nexus 5X running 7.1.1 �18

  19. Dalvik JIT Internals �19

  20. Dalvik JIT Internals • The first question we need to answer is the following • How does a Dalvik method in its bytecode form, become Just-in-Time compiled? • For this research I care less about the “why” and more about the “how” �20

  21. Dalvik JIT Internals Java Source Code Java Bytecode Dalvik Bytecode Dalvik Executable Dalvik VM �21

  22. Dalvik JIT Internals - Put in Work • When a Dalvik method has been selected for JIT compilation, the compiler spins up and goes to work • Once the JIT compiler has finished its compilation operations for the given Dalvik method, it calls the dvmJitSetCodeAddr function • The compiler passes the target Dalvik method’s bytecode pointer and the JIT code address as arguments to dvmJitSetCodeAddr �22

  23. {} Bytecode and JIT Code Pointers �23

  24. Dalvik JIT Internals - Lookup & Add • dvmJitSetCodeAddr is then responsible for calling and passing the dPC to lookupAndAdd • lookupAndAdd handles the “Lookup & Add” JIT operations {} dPC -> Dalvik Method Bytecode �24

  25. Dalvik JIT Internals - Lookup & Add • lookupAndAdd is responsible for finding available “JitEntry” slots in the “JitTable” • pJitEntryTable - Hash table structure that contains one or more JitEntry structure s • JitEntry - Structure that contains a pointer to the Dalvik method’s bytecode and a pointer to its translated JIT code �25

  26. Dalvik JIT Internals - Lookup & Add An available JitEntry slot within the pJitEntryTable hash table is updated with the The JitEntry is populated with the code hash of the target dPC address for the target Dalvik method The translated address member is initialized and the JitEntry is returned �26

  27. Dalvik JIT Internals - Lookup & Add • Within the dvmSetCodeAddr function the translated address is then used to fill out the JitEntry’s codeAddress member {} �27

  28. Dalvik JIT Internals - JIT Entries • The pJitEntryTable is a member of a global structure called DvmJitGlobals which is defined as gDvmJit • The JitEntry structure is compromised a few different things including the JitEntryInfoUnion union and JitEntryInfo structure �28

  29. {} Pointers of Interest �29

  30. Dalvik JIT Internals - JIT Cache • JIT code is memory mapped and a pointer to the beginning of the memory map is stored in the gDvmJit global structure’s codeCache member The translated JIT code pointer within a JitEntry will point somewhere in the JIT Code Cache �30

  31. Dalvik JIT Internals - JIT Execution •There are a lot of moving parts in the Dalvik VM when a method is invoked •Our main focus will be within Dalvik’s interpreter dvmInvokeMethod dvmCallMethodV dvmCallMethod dvmInterpret dvmMterpStd dvmMterpStdRun �31

  32. Dalvik JIT Internals - JIT Entries • dvmMterpStdRun is implemented entire in assembly • This function is responsible for loading the current PC and executing it • If that method is JIT’ed the PC will be pointing to the translated code within a thread structure passed in as an argument to the function • There are multiple global entry points back into the interpreter from JIT code �32

  33. Abusing Dalvik(s) JIT • My goal hopefully has become relatively clear at this point • I want the ability to hijack a JitEntry for a target method with a pointer to shellcode �33

  34. Abusing Dalvik(s) JIT • The biggest challenge was finding a way to read, write and map memory from Java • My first idea was to explore the Unsafe API included within Android • This did not prove to be fruitful • After digging through Android’s internals, I stumbled on the libcore package �34

  35. Abusing Dalvik(s) JIT • I was pleasantly surprised when I found that libcore contain a class called libcore.io.Posix • This class implements the libcore.io.OS interface, and contains the methods mmap and munmap ! • Basically all of the posix methods in the libcore.io.Posix class are JNI methods that call their native counterpart. • These methods can easily be accessed via Java reflection! • Now we have a mechanism for mapping RWX shellcode �35

  36. Abusing Dalvik(s) JIT • I also discovered the libcore.io.Memory and libcore.io.MemoryBlock classes, which provides methods for reading and writing to memory through different forms • peekInt , pokeInt , and pokeByteArray specifically were used to read from and write to our shellcode and other memory in the virtual machine �36

  37. Abusing Dalvik(s) JIT �37

  38. Abusing Dalvik(s) JIT • The JIT Code Cache isn’t writeable, but this doesn’t matter! • We can use our read and write primitives for controlling entries in the writeable global JitTable • In order to do this we need to locate the gDvmJit global structure in memory • gDvmJIT actually has a symbol reference to it! • We wrote a basic process maps parser for getting the base address of libdvm , then simply added the offset �38

  39. {} How do we deal with this? �39

  40. Abusing Dalvik(s) JIT • We attempted to honor the tableLock and whether or not it was being held by checking the pthread_mutex_t structure’s state member • If the tableLock was not held, we would acquire the lock by setting the state to “locked” in Java through our memory write primitive • However, we found that the tableLock is rarely held when first checked • Initially we thought racing against the JIT compiler in order to write to the JitTable would be required • We also found this wasn’t typically the case �40

  41. Abusing Dalvik(s) JIT • Attacking the JIT Entry Table requires overwriting the codeAddress field of a JitEntry for a method or a partial method • We were unsuccessful with being able to force a given method to be JIT’ed in a consistent way • So we focused on scanning the entire JIT Entry Table for populated JIT Entries �41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BACK IN TIME: BACK IN TIME: WHAT WOULD YOU DO? WHAT WOULD YOU DO? Gro Group 1: up 1: You are

BACK IN TIME: BACK IN TIME: WHAT WOULD YOU DO? WHAT WOULD YOU DO? Gro Group 1: up 1: You are

BACK IN TIME: BACK IN TIME: WHAT WOULD YOU DO? WHAT WOULD YOU DO? Gro Group 1: up 1: You are a group of people split equally between males and females that mostly descend from a common, recent, ancestor (great-great grandfather,

617 views • 13 slides
Back to the future : the Back and Forth Nudging algorithm Conference on Applied Inverse

Back to the future : the Back and Forth Nudging algorithm Conference on Applied Inverse

Didier Auroux Mathematics Institute of Toulouse, France Near future : University of Nice auroux@math.univ-toulouse.fr auroux@unice.fr Work in collaboration with : J. Blum (U. Nice), M. Nodet (U. Grenoble) Back to the future : the Back and

429 views • 30 slides
Back to the future Back to the future Pointcuts as Pointcuts as Predicates over Predicates

Back to the future Back to the future Pointcuts as Pointcuts as Predicates over Predicates

Back to the future Back to the future Pointcuts as Pointcuts as Predicates over Predicates over Traces Traces Karl Klose, Klaus Ostermann Darmstadt University of Technology, Germany Back to the Future Pointcuts as Predicates over

295 views • 16 slides
Confounders and Corfield: Back to the Future 12 July, 2018 0G 2018 ICOTS-10 1 0G 2018

Confounders and Corfield: Back to the Future 12 July, 2018 0G 2018 ICOTS-10 1 0G 2018

Confounders and Corfield: Back to the Future 12 July, 2018 0G 2018 ICOTS-10 1 0G 2018 ICOTS-10 2 Back to the Future: Confounding and Cornfield: Back to the Future The Movie Milo Schield, US Teenager Fellow: American Statistical

682 views • 39 slides
Back to the Future on the Back of an Envelope Terry M. Gray, Ph.D. ASA 2017 Colorado School of

Back to the Future on the Back of an Envelope Terry M. Gray, Ph.D. ASA 2017 Colorado School of

Back to the Future on the Back of an Envelope Terry M. Gray, Ph.D. ASA 2017 Colorado School of Mines Golden, Colorado Cityscapes Then (~1900) and Now Global and US Population Clock https://www.census.gov/popclock/ China 1.38 billion

439 views • 22 slides
Back to the future : the Back and Forth Nudging Scaling Up and Modeling for Transport and Flow in

Back to the future : the Back and Forth Nudging Scaling Up and Modeling for Transport and Flow in

Jacques Blum Didier Auroux University of Nice Sophia Antipolis University of Toulouse jblum@unice.fr auroux@math.univ-toulouse.fr Back to the future : the Back and Forth Nudging Scaling Up and Modeling for Transport and Flow in Porous Media

786 views • 27 slides
PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI BAPTIST CHURCH, IBADAN MARCH 10, 2013 Ibidunni Alonge Olumide Dada WHY LOW BACK PAIN? 2 Knee Back Neck WHAT IS LOW BACK PAIN? 3 Low back

1.56k views • 61 slides
Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service

Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service

Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service provider who agrees to take over the servicing of a portfolio of assets on the occurrence of certain trigger events, most commonly failure of the

829 views • 5 slides
thin clients: thin clients: back to the future back to the future <Jason Nieh>

thin clients: thin clients: back to the future back to the future <Jason Nieh>

thin clients: thin clients: back to the future back to the future <Jason Nieh> nieh@cs.columbia.edu <Jason Nieh> nieh@cs.columbia.edu Computers in the future may weigh no more than 1.5 tons. a Popular Mechanics editorial

837 views • 82 slides
Divine Child Abuse??? Ransom: to buy back slaves Gregory of Nyssa (375 - ?) Adam &

Divine Child Abuse??? Ransom: to buy back slaves Gregory of Nyssa (375 - ?) Adam &

Sermon Divine Child Abuse??? Ransom: to buy back slaves Gregory of Nyssa (375 - ?) Adam & Eve sold humanity to Satan. God baited Satan with Jesus, whom death couldnt hold. St Anselm of Canterbury SaNsfacNon: Gods 1033 -

382 views • 12 slides
DIALING BACK PHONE VERIFIED ACCOUNT ABUSE Kurt Thomas, Dmytro Iatskiv, Elie Bursztein, Tadek

DIALING BACK PHONE VERIFIED ACCOUNT ABUSE Kurt Thomas, Dmytro Iatskiv, Elie Bursztein, Tadek

DIALING BACK PHONE VERIFIED ACCOUNT ABUSE Kurt Thomas, Dmytro Iatskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier (Databricks), Damon McCoy (GMU) Keys to the kingdom Security & Abuse Research Blackmarket for bulk accounts Security

700 views • 41 slides
Back of queue detection Edward D. Cox, Indiana DOT 1 Back ck of queue, queue, m many option

Back of queue detection Edward D. Cox, Indiana DOT 1 Back ck of queue, queue, m many option

Back of queue detection Edward D. Cox, Indiana DOT 1 Back ck of queue, queue, m many option ons available today ay 2 Smar mart w work zone t technology 3 Probe Data choices Dashboards & Services VS. Real Time Data Feed 4 INDO

373 views • 26 slides
Back to the Future: What Old Thinkers can teach us about

Back to the Future: What Old Thinkers can teach us about

Back to the Future: What Old Thinkers can teach us about making Innova;on Succeed Today Dr. Emma Langman, Manager of HR & Performance Thursday 6

456 views • 29 slides
to get back on track It took a while but now I have taken back control. Im trying new things,

to get back on track It took a while but now I have taken back control. Im trying new things,

Making it easier to get back on track It took a while but now I have taken back control. Im trying new things, pushing my limits again. Alessia Leading intimate healthcare Coloplast Earnings Conference Call Q1 2019/20 February 6 th , 2020

465 views • 8 slides
XFS: There and Back.... .... and There Again? Dave Chinner <david@fromorbit.com>

XFS: There and Back.... .... and There Again? Dave Chinner <david@fromorbit.com>

XFS: There and Back.... .... and There Again? Dave Chinner <david@fromorbit.com> <dchinner@redhat.com> XFS: There and Back .... and There Again? Slide 1 of 38 Overview Story Time Serious Things These Days

741 views • 38 slides
Take Back Manufacturing . E ssential for Sustainable Supply Chains in the future. The

Take Back Manufacturing . E ssential for Sustainable Supply Chains in the future. The

5/5/2016 TBM Take Back Manufacturing WWW.SME-TBM.ORG Take Back Manufacturing . E ssential for Sustainable Supply Chains in the future. The Globalized manufacturing approach with efficient supply chain management has been the business norm in

1.18k views • 70 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Industrial Management & Data Systems Customer relationship management: key components for IT

Industrial Management & Data Systems Customer relationship management: key components for IT

Industrial Management & Data Systems Customer relationship management: key components for IT success Ranjit Bose, Article information: To cite this document: Ranjit Bose, (2002) "Customer relationship management: key components for IT

302 views • 15 slides
MPAGS AS1 An introduction to scientific computing with

MPAGS AS1 An introduction to scientific computing with

MPAGS AS1 An introduction to scientific computing with http://stevenbamford.com/python_mpags_2018/ Steven Bamford Course prerequisites To make the most of this course, you should have: Some programming experience (in any language)

1.05k views • 48 slides
Scientific Programming in mpags-python.github.io Steven Bamford An introduction to scientific

Scientific Programming in mpags-python.github.io Steven Bamford An introduction to scientific

PHYS4038/MLiS and AS1/MPAGS Scientific Programming in mpags-python.github.io Steven Bamford An introduction to scientific programming with Session 2 : Introduction to Python, continued Python 2.x versus 3.x The 3.x branch was released in

540 views • 31 slides
Getting started with Android Part 1 1/12/18 Presented by: Cassiano Monteiro Contents Android

Getting started with Android Part 1 1/12/18 Presented by: Cassiano Monteiro Contents Android

Getting started with Android Part 1 1/12/18 Presented by: Cassiano Monteiro Contents Android Studio Hello World API levels Project structure and files Dealing with UI components App lifecycle PAGE 2 Installing Android Studio

228 views • 18 slides
A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization

A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization

A Probabilistic Pointer Analysis A Probabilistic Pointer Analysis for Speculative Optimization for Speculative Optimization Jeff DaSilva Jeff DaSilva Greg Steffan Greg Steffan Electrical and Computer Engineering Electrical and Computer

890 views • 38 slides
Blackphone Jon Callas CTO and co-founder, Silent Circle The Device Blackphone 2 Android

Blackphone Jon Callas CTO and co-founder, Silent Circle The Device Blackphone 2 Android

Blackphone Jon Callas CTO and co-founder, Silent Circle The Device Blackphone 2 Android Lollipop (5.1.1) Qualcomm hardware Medium-to-high end hardware specs 64-bit, 8-core, 3GB RAM Spaces virtualization, based on SE

407 views • 25 slides
MA162: Finite mathematics . Jack Schmidt University of Kentucky December 7, 2011 Schedule: HW

MA162: Finite mathematics . Jack Schmidt University of Kentucky December 7, 2011 Schedule: HW

. MA162: Finite mathematics . Jack Schmidt University of Kentucky December 7, 2011 Schedule: HW 7C is due Wednesday, Dec 14, 2011. Final Exam is Wednesday, Dec 14th, 8:30pm-10:30pm. Today we will review. Practice Exam #1 Setup the

441 views • 17 slides

More recommend