SLIDE 1
MAN IN THE BINDER:
HE WHO CONTROLS IPC, CONTROLS THE DROID
Everything Goes Through The Binder A Hack in Three Acts Act I Know - - PowerPoint PPT Presentation
Everything Goes Through The Binder A Hack in Three Acts Act I Know - - PowerPoint PPT Presentation
MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID Everything Goes Through The Binder A Hack in Three Acts Act I Know Your Droid Act II Atuack Your Droid Act III Prepare Your Droid Meet The Cast The Authors Nitay
SLIDE 2
SLIDE 3
Meet The Cast
SLIDE 4
The Authors
Nitay Artenstein Idan Revivo Michael Shalyt
SLIDE 5
Victim App
Name: Kituy Bank Occupatjon: Bank Applicatjon “U want KitCoins – we haz it”
SLIDE 6
n00b attacker
Name: Kituy-ninja Occupatjon: Script kiddy “Mommy, can I rob this bank?”
SLIDE 7
Ninja Attacker
Name: Paw of Death Occupatjon: Black belt ninja hacker “To rob a bank, you must fjrst become the bank”
SLIDE 8
System Services
Name: System Service Occupatjon: Sittjng and waitjng to serve your needs These things run Android!
SLIDE 9
The Linux Kernel
Name: $ echo `uname –r` Occupatjon: Holding the world
- n its shoulders since 1.1.1970
Feeling neglected now that system services get all the atuentjon on Android
SLIDE 10
The Binder
Name: The Binder Occupatjon: All Powerful Mystery Character
?
Everything Goes Through The Binder
SLIDE 11
Act I Know Your Droid
SLIDE 12
An Applicatjon’s Life On Windows
Syscalls
SLIDE 13
An Applicatjon’s Life On Android
Syscalls Syscalls Syscalls
?
SLIDE 14
Android – The Real Picture
Syscalls Syscalls
Everything Goes Through The Binder
?
SLIDE 15
/dev/binder /dev/tuy0 libbinder.so libbinder.so
kernel
/system/libbinder.so /system/libbinder.so /system/lib*.so /system/lib*.so
DalvikVM DalvikVM
syscall
parcel parcel Bank Applicatjon Process System Service Process
applicatjon applicatjon System services proxy System services proxy
libandroid_runtjme.so libandroid_runtjme.so libandroid_runtjme.so libandroid_runtjme.so
System Service System Service
- Binder has a userland
component and a kernel
- ne
- The driver receives the
Parcel via an ioctl syscall and sends it to the target processes
SLIDE 16
What’s a Parcel?
SLIDE 17
A Short Recap
libbinder.so libbinder.so
DalvikVM
Kituy Bank Process
Parcels Syscalls Parcels
Audio Manager
SLIDE 18
Everything Goes Through The Binder
SLIDE 19
Act II Attack Your Droid
SLIDE 20
Round I
Key Logging
SLIDE 21
A n00b Atuacker’s View of The System
?
SLIDE 22
What Would The n00b Atuacker Do?
!
SLIDE 23
What Would The n00b Atuacker Do?
!
SLIDE 24
What Would The n00b Atuacker Do?
!@#$
SLIDE 25
A Ninja Atuacker’s View of The System
?
Everything Goes Through The Binder
SLIDE 26
What Would The Ninja Atuacker Do?
!
SLIDE 27
Key Logger Demo
SLIDE 28
What Would The Ninja Atuacker Do?
w00t
SLIDE 29
Round II
Data Manipulatjon
SLIDE 30
A n00b Atuacker’s View of The System
?
Actjvity Actjvity Actjvity
SLIDE 31
What Would The n00b Atuacker Do?
Bye Kituy Bank , Hello Shi**y Bank
!
SLIDE 32
What Would The n00b Atuacker Do?
Bye Kituy Bank , Hello Shi**y Bank
!@#$
SLIDE 33
A Ninja Atuacker’s View of The System
?
Everything Goes Through The Binder
Actjvity Manager
SLIDE 34
In-app data goes through Binder???
SLIDE 35
A Ninja Atuacker’s View of The System
?
Actjvity Manager
SLIDE 36
What Would The Ninja Atuacker Do?
!
Actjvity Manager
SLIDE 37
A trillion dollars, anyone?
SLIDE 38
Data Manipulatjon Demo
SLIDE 39
What Would The Ninja Atuacker Do?
w00t
SLIDE 40
Round III
Interceptjng SMS
SLIDE 41
A n00b Atuacker’s View of The System
?
Telephony Manager
SLIDE 42
What Would The n00b Atuacker Do?
!
Just Ask Politely
SLIDE 43
What Would The n00b Atuacker Do?
!@#$
Just Ask Politely
SLIDE 44
A Ninja Atuacker’s View of The System
?
Everything Goes Through The Binder
Telephony Manager
SLIDE 45
What Would The Ninja Atuacker Do?
!
SLIDE 46
SMS internals
- The Telephony Manager notjfjes the SMS app
whenever an SMS is received
- The app queries the TM’s database via Binder:
SLIDE 47
SMS internals
- But what’s a Cursor object?
- It’s a messy abstractjon of a response to a query
SLIDE 48
SMS internals
- Surprise: Under the hood, it’s just a Unix fd
- Now we’re in business!
SLIDE 49
What Would The Ninja Atuacker Do?
w00t
SLIDE 50
Summary
What Just Happened?
SLIDE 51
Atuacking The Binder
- Hook libbinder.so at the point where it sends an
ioctl to the kernel
- Stealth: dozens of places to hook
- But don’t you need root?
SLIDE 52
Atuacking The Binder
Vulnerable to known rootjng exploits
SLIDE 53
Consider The Possibilitjes
SLIDE 54
Summary
Features:
- Versatjlity: one hook – multjple functjonalitjes.
- App agnostjc: no need to RE apps.
- Stealth: the Android security model limits 3rd
party security apps just like any other app.
SLIDE 55
Summary
- This is NOT a vulnerability. It’s like man-in-the-
browser, but for literally everything on Android.
- Root is assumed. Rootjng won’t go away any
tjme soon.
SLIDE 56
Rumors
(You didn’t hear it from me…)
SLIDE 57
What are you trying to tell me? That I can get all permissions on a device? No. I’m trying to tell you that when you’re ready, you won’t have to
SLIDE 58
Act III Preparing Your Droid
SLIDE 59
Solutjons – for developers
- Take control of your own process memory
space.
- Minimize the amount of data going to IPC, and
encrypt what has to go.
SLIDE 60
Solutjons – for security industry
- Scan fjles like it’s the 90’s.
- Be brave – get root yourself:
- Runtjme process scanning and monitoring.
- Sofuware fjrewall (like Avast).
- Binder fjrewall/anomaly detectjon.
- Etc.
SLIDE 61
Further Reading
[1] White paper: “Man in the Binder”, Artenstein and Revivo [2] “On the Reconstructjon of Android Malware Behaviors”, Fatori, Tam et al [3] “Binderwall: Monitoring and Filtering Android Interprocess Communicatjon”, Hausner