chaining hals
play

Chaining HALs ABS 2015 PRELIMINARY HY Research LLC - PowerPoint PPT Presentation

Feb 08, 2024 •268 likes •465 views

Chaining HALs ABS 2015 PRELIMINARY HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC Agenda * Introduction - Why chain a HAL? * Android HAL basics * Overview of chaining a HAL * HAL loader * Exampling:

  1. Chaining HALs ABS 2015 PRELIMINARY HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  2. Agenda * Introduction - Why chain a HAL? * Android HAL basics * Overview of chaining a HAL * HAL loader * Exampling: sensor HAL chaining * Conclusion * Questions HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  3. Why Chain a HAL? * HAL: H ardware A bstraction L ayer * Binary blob to talk to Hardware * Bug work around a binary HAL * Adding features to a binary HAL * Modified Hardware * Prototyping * Reuse of code * Obsolete code HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  4. Android HAL basics * Connects HW to Android * GPS, Sensors, Graphics, Sound * Radio () * HALs offer a place to provide virtual HW * HW specific nature may lead to binary HALs. * HALs are shared ELF objects Uses a well known symbol, HMI HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  5. How does it work? * Subsystem requests a HAL via hw_module_load() (hardware/libhardware) err = hw_get_module(SENSORS_HARDWARE_MODULE_ID, (hw_module_t const**)&module); 1) Search /system/lib/hw and /vendor/lib/hw for a file named MODULE.tag.so. Where: MODULE is a string from the first paramter. tag is a string from system properties: - ro.hardware - ro.poduct.board - ro.board.platform - ro.arch HY Research LLC or fall back of "default" http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  6. How does it work? (con't) 2) If the file exists, the search stops! - Even if it is not valid! - Other combinations not tried. 3) File is opened with dlopen() 4) The HMI symbol is located with dlsym() - HAL_MODULE_INFO_SYM_AS_STR - HAL_MODULE_INFO_SYM HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  7. How does it work? (con't) 5) Basic sanity check. id member of HMI is checked. * After hw_module_load(), HAL specific initialization. * HAL specific information is often overlayed onto the HMI structure. - Sensor HAL adds a get sensors callback HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  8. HAL Chaining Overview * Security folks - Man In the Middle Attack * Implement 2 interfaces: 1) Standard HAL API loadable by Android 2) HAL loading interface like Android. * ELF tap dancing 1) Potentially identical names 2) Track using pointers * File names: 1) Rename and/or move original HAL 2) Place new HAL in old place. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  9. Other chaining * Non Android userland using glibc - LD_PRELOAD - LD_LIBRARY_PATH - Done via the dynamic linker in glibc. - Not supported by bionic HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  10. Example: Sensor HAL * Nothing special. Just easy to demo. * 3 parts - a normal HAL skeleton for sensors - a simplified HAL loader - sensor specific details. * Goal: modify select data coming from the real sensor HAL. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  11. Sensor HAL skeleton * Fulfill Android requirements * Define the HMI structure - Provide an open callback that initializes methods for sensors. - Provide a get_sensor_list() callback returns a list of sensors. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  12. Sensor HAL skeleton static struct hw_module_methods_t chain_sensors_module_methods = { open: chain_open_sensors }; struct sensors_module_t HAL_MODULE_INFO_SYM = { common: { tag: HARDWARE_MODULE_TAG, version_major: 1, version_minor: 0, id: SENSORS_HARDWARE_MODULE_ID, name: "Sensor module", author: "HY Research LLC", methods: &chain_sensors_module_methods, }, get_sensors_list: chain_sensors__get_sensors_list, }; HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  13. Sensor HAL loader * Simplified version of hw_module_loader() * Directly dlopen() the original HAL. No searching. * Use dlsym() to find the pointer to the HMI structure and save it off. - Starting point to find entries into the original HAL. * Gets invoked by the open method of our HAL. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  14. static int chain_open_sensors(const struct hw_module_t* module, const char* id, struct hw_device_t** device) { [Declarations removed/error handlign removed.] ... const char *sym = HAL_MODULE_INFO_SYM_AS_STR; snprintf(old_sensorHAL_path, 2048, "%s/sensors.old.so", "/system/lib/hw"); handle = dlopen(old_sensorHAL_path, RTLD_NOW); ... old_hmi = (struct sensors_module_t *)dlsym(handle, sym); ... if (strcmp(SENSORS_HARDWARE_MODULE_ID, old_hmi->common.id) != 0) { dlclose(handle); return -EINVAL; } ChainHALinfo.old_handle = handle; ChainHALinfo.get_sensors_list = old_hmi->get_sensors_list; old_status = (old_hmi->common.methods->open)(&(old_hmi->common), id, device); old_device = (struct sensors_poll_device_t *)*device; ChainHALinfo.old_poll = old_device->poll; old_device->poll = chain_poll__poll; HY Research LLC return old_status; http://www.hy-research.com/ } Mar 15, 2015 (C) 2015 HY Research LLC

  15. Modifying the data * Replace the sensor HAL specific poll method with our own and save old poll method. * New poll method: - Calls old poll method to acquire the data - Inspects the data for things to modify. - Modify data found. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  16. static int chain_poll__poll(struct sensors_poll_device_t *dev, sensors_event_t* data, int count) { int old_ret; int i; /* Acquire data */ old_ret = ChainHALinfo.old_poll(dev, data, count); /* Modify data if needed */ if (old_ret > 0) { /* There is data! */ for (i = 0; i < old_ret; i++) { if (data[i].type == SENSOR_TYPE_ACCELEROMETER) { data[i].data[0] = -data[i].data[0]; data[i].data[1] = -data[i].data[1]; data[i].data[2] = -data[i].data[2]; } } } HY Research LLC return old_ret; http://www.hy-research.com/ } Mar 15, 2015 (C) 2015 HY Research LLC

  17. Summary * HAL chaining can work around limitations of binary blobs. * HALs are ELF objects with a well known symbol, HMI * To chain a HAL, 2 things needs to happen: 1. The HAL interface for Android needs to be implemented. 2. A HAL loader needs to be written. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  18. Questions? HY Research LLC http://www.hy-research.com/ Feb 11, 2013 (C) 2013 HY Research LLC

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher

Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher

Chaining Operator in Climb Introduction Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher Chedeau Image Processing Implementation Attempts Dollar macro LRDE Extensions Laboratoire de

554 views • 42 slides
Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of

Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of

Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of forward chaining (and eliminating irrelevancy) You try all sentences that are of the form: , and try to find a way to satisfy P1, P2, ... recursively

753 views • 41 slides
Occupation. Oc Meani Me ning ng. . Pu Purpose. KA KATYA HALS LSALL LL DI DIRECTOR

Occupation. Oc Meani Me ning ng. . Pu Purpose. KA KATYA HALS LSALL LL DI DIRECTOR

26 September 2018. Getting Personal: Contemporary practice in personal injury/medical negligence Occupation. Oc Meani Me ning ng. . Pu Purpose. KA KATYA HALS LSALL LL DI DIRECTOR What is on the menu Being in suitable work is good

441 views • 17 slides
Additives for polyolefins: chemistry involved and innovative effects Mara Destro Intelligent

Additives for polyolefins: chemistry involved and innovative effects Mara Destro Intelligent

Additives for polyolefins: chemistry involved and innovative effects Mara Destro Intelligent packaging; session number7733 Outline of Presentation Weatherability of HALS in LLDPE Film and Impact of PPA on the Performance of HALS Oxygen

594 views • 37 slides
Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project? Small Footprint RTOS Truly Open Source Cross Architecture As small as 8KB Apache 2.0 License ARM Enables Hosted by Linux

340 views • 16 slides
Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda Heeren / Andy Roth / Geoffrey Tien 1 Separate chaining Separate chaining takes a different approach to collisions Each entry in the hash table

470 views • 26 slides
Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key

Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key

Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key cryptography Signatures Addition/Subtraction General ledger Notarization Proof of validity Hash chaining Enigma machine Enigma rotors

477 views • 27 slides
Functional Chaining System in ICN Phil Brown Fujitsu Laboratories of America, Inc. December 7,

Functional Chaining System in ICN Phil Brown Fujitsu Laboratories of America, Inc. December 7,

Functional Chaining System in ICN Phil Brown Fujitsu Laboratories of America, Inc. December 7, 2016 Functional Chaining demo setup 2 Routing optimization 3 In-network caching 4 Whole-chain security /video_compression/

237 views • 10 slides
The generalized TSP and trip chaining IWSSSCM3 John Gunnar Carlsson Epstein Department of

The generalized TSP and trip chaining IWSSSCM3 John Gunnar Carlsson Epstein Department of

The generalized TSP and trip chaining IWSSSCM3 John Gunnar Carlsson Epstein Department of Industrial and Systems Engineering, University of Southern California January 7, 2016 John Gunnar Carlsson, USC ISE GTSP and trip chaining January 7,

896 views • 45 slides
Container service chaining Martin ual INTRO AGENDA ETSI NFV MANO IETF SFC

Container service chaining Martin ual INTRO AGENDA ETSI NFV MANO IETF SFC

Container service chaining Martin ual INTRO AGENDA ETSI NFV MANO IETF SFC Existing solutions Container service chaining solution Demo 2 ETSI NFV Management and Orchestration (MANO) 3 NFV MANO MANO ARCHITECTURE 4

1.15k views • 45 slides
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

870 views • 58 slides
Virtual Topologies for Service Chaining in BGP IP MPLS VPNs

Virtual Topologies for Service Chaining in BGP IP MPLS VPNs

Virtual Topologies for Service Chaining in BGP IP MPLS VPNs (dra?-rfernando-l3vpn-service-chaning-03) Dhananjaya Rao Rex Fernando Luyuan Fang

353 views • 8 slides
Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the

Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the

Chaining Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the undesired state and the desired state are too far apart. Usually when the undesired state is a stuck state where there is no

596 views • 8 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Lecture 3: Inversion and Chaining Disclaimer: In this lecture, we drop the names of the judgments

Lecture 3: Inversion and Chaining Disclaimer: In this lecture, we drop the names of the judgments

Lecture 3: Inversion and Chaining Disclaimer: In this lecture, we drop the names of the judgments eph and pers , as it is clear form the context, which formula is index how. Full linear logic contains a rich set of connectives for building

333 views • 14 slides
Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6

Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6

Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6 (actual k 6 k 5 keys) k 7 k 8 k 3 k 7 k 3 k 8 m 1 Expected Cost of an Search Theorem: An unsuccessful search takes expected time (1+). Proof

466 views • 33 slides
video It's a lot more than just a HTML5 tag Jess Portnoy jess.portnoy@kaltura.com, Kaltura,

video It's a lot more than just a HTML5 tag Jess Portnoy jess.portnoy@kaltura.com, Kaltura,

video It's a lot more than just a HTML5 tag Jess Portnoy jess.portnoy@kaltura.com, Kaltura, Inc Abstract The element was first proposed by Opera Software in &lt;video&gt; February 2007. Integrating video elements into the HTML5 standard

350 views • 17 slides
Spanish Tax Agency Spanish Tax Agency ITS 2.0 implementation ITS 2.0 implementation experience

Spanish Tax Agency Spanish Tax Agency ITS 2.0 implementation ITS 2.0 implementation experience

Spanish Tax Agency Spanish Tax Agency ITS 2.0 implementation ITS 2.0 implementation experience in HTML5: experience in HTML5: www.agenciatributaria.es www.agenciatributaria.es MultilingualWeb Workshop Making the Multilingual Web Work Rome,

307 views • 27 slides
Living in the Present: On-the-fly Information Processing in Scalable Web Architectures David

Living in the Present: On-the-fly Information Processing in Scalable Web Architectures David

Department of Computing Living in the Present: On-the-fly Information Processing in Scalable Web Architectures David Eyers, Tobias Freudenreich, Alessandro Margara, Sebastian Frischbier, Peter Pietzuch , Patrick Eugster University of Otago, TU

589 views • 20 slides
Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object

Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object

Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object Query Language Introduction to Databases Svetlozar Nestorov Lecture Notes #15 CS 235: Introduction to Databases 2 Object-Oriented DBMSs ODMG

550 views • 8 slides
The Utility of OpenMath James H. Davenport Department of Computer Science University of Bath

The Utility of OpenMath James H. Davenport Department of Computer Science University of Bath

The Utility of OpenMath James H. Davenport Department of Computer Science University of Bath Bath BA2 7AY England J.H.Davenport@bath.ac.uk June 28, 2007 The status of an OpenMath content dictionary is one of the following: official :

383 views • 20 slides
Continuous Improvement Toolkit 5S www. citoolkit .com The Continuous Improvement Map Managing

Continuous Improvement Toolkit 5S www. citoolkit .com The Continuous Improvement Map Managing

Continuous Improvement Toolkit 5S www. citoolkit .com The Continuous Improvement Map Managing Selecting &amp; Decision Making Planning &amp; Project Management* Risk PDPC Daily Planning PERT/CPM Break-even Analysis Importance Urgency

1.88k views • 162 slides
Clo cks [Contd.] 1 Goals of the lecture Direct dep endency clo cks Pred and

Clo cks [Contd.] 1 Goals of the lecture Direct dep endency clo cks Pred and

Clo cks [Contd.] 1 Goals of the lecture Direct dep endency clo cks Pred and Succ functions Matrix clo cks Prop erties of matrix clo cks Vija c y K. Ga rg Distributed Systems Sp ring 96 Clo

186 views • 15 slides
Towards Scalable Backscatter Sensor Networks Aggelos Bletsas &amp; John N. Sahalos

Towards Scalable Backscatter Sensor Networks Aggelos Bletsas &amp; John N. Sahalos

Towards Scalable Backscatter Sensor Networks Aggelos Bletsas &amp; John N. Sahalos RadioCommunications Laboratory (RCL) Aristotle University of Thessaloniki, Greece Cost Assist Workshop April 2008, Cyprus Outline 1. Introduction to RFIDs:

509 views • 29 slides

More recommend