everything goes through the binder
play

Everything Goes Through The Binder A Hack in Three Acts Act I Know - PowerPoint PPT Presentation

Jul 18, 2023 •535 likes •1.16k views

MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID Everything Goes Through The Binder A Hack in Three Acts Act I Know Your Droid Act II Atuack Your Droid Act III Prepare Your Droid Meet The Cast The Authors Nitay

  1. MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID Everything Goes Through The Binder

  2. A Hack in Three Acts Act I – Know Your Droid Act II – Atuack Your Droid Act III – Prepare Your Droid

  3. Meet The Cast

  4. The Authors Nitay Artenstein Idan Revivo Michael Shalyt

  5. Victim App Name: Kituy Bank Occupatjon: Bank Applicatjon “U want KitCoins – we haz it”

  6. n00b attacker Name: Kituy-ninja Occupatjon: Script kiddy “Mommy, can I rob this bank?”

  7. Ninja Attacker Name: Paw of Death Occupatjon: Black belt ninja hacker “To rob a bank, you must fjrst become the bank”

  8. System Services Name: System Service Occupatjon: Sittjng and waitjng to serve your needs These things run Android!

  9. The Linux Kernel Name: $ echo `uname –r` Occupatjon: Holding the world on its shoulders since 1.1.1970 Feeling neglected now that system services get all the atuentjon on Android

  10. The Binder Name: The Binder Occupatjon: All Powerful ? Mystery Character Everything Goes Through The Binder

  11. Act I Know Your Droid

  12. An Applicatjon’s Life On Windows Syscalls

  13. An Applicatjon’s Life On Android ? Syscalls Syscalls Syscalls

  14. Android – The Real Picture ? Syscalls Syscalls Everything Goes Through The Binder

  15. Bank Applicatjon Process System Service Process • Binder has a userland DalvikVM DalvikVM component and a kernel applicatjon applicatjon System Service System Service one System services System services proxy proxy • The driver receives the libandroid_runtjme.so libandroid_runtjme.so Parcel via an ioctl syscall libandroid_runtjme.so /system/lib*.so libandroid_runtjme.so /system/lib*.so and sends it to the target libbinder.so /system/libbinder.so libbinder.so /system/libbinder.so kernel processes syscall parcel parcel /dev/tuy0 /dev/binder

  16. What’s a Parcel?

  17. A Short Recap Audio Manager Kituy Bank Process DalvikVM Parcels Syscalls Parcels libbinder.so libbinder.so

  18. Everything Goes Through The Binder

  19. Act II Attack Your Droid

  20. Round I Key Logging

  21. A n00b Atuacker’s View of The System ?

  22. What Would The n00b Atuacker Do? !

  23. What Would The n00b Atuacker Do? !

  24. What Would The n00b Atuacker Do? !@#$

  25. A Ninja Atuacker’s View of The System ? Everything Goes Through The Binder

  26. What Would The Ninja Atuacker Do? !

  27. Key Logger Demo

  28. What Would The Ninja Atuacker Do? w00t

  29. Round II Data Manipulatjon

  30. A n00b Atuacker’s View of The System ? Actjvity Actjvity Actjvity

  31. What Would The n00b Atuacker Do? Bye Kituy Bank , Hello Shi**y Bank !

  32. What Would The n00b Atuacker Do? Bye Kituy Bank , Hello Shi**y Bank !@#$

  33. A Ninja Atuacker’s View of The System Actjvity Manager ? Everything Goes Through The Binder

  34. In-app data goes through Binder???

  35. A Ninja Atuacker’s View of The System Actjvity Manager ?

  36. What Would The Ninja Atuacker Do? Actjvity Manager !

  37. A trillion dollars, anyone?

  38. Data Manipulatjon Demo

  39. What Would The Ninja Atuacker Do? w00t

  40. Round III Interceptjng SMS

  41. A n00b Atuacker’s View of The System ? Telephony Manager

  42. What Would The n00b Atuacker Do? ! Just Ask Politely

  43. What Would The n00b Atuacker Do? !@#$ Just Ask Politely

  44. A Ninja Atuacker’s View of The System ? Telephony Manager Everything Goes Through The Binder

  45. What Would The Ninja Atuacker Do? !

  46. SMS internals • The Telephony Manager notjfjes the SMS app whenever an SMS is received • The app queries the TM’s database via Binder:

  47. SMS internals • But what’s a Cursor object? • It’s a messy abstractjon of a response to a query

  48. SMS internals • Surprise: Under the hood, it’s just a Unix fd • Now we’re in business!

  49. What Would The Ninja Atuacker Do? w00t

  50. Summary What Just Happened?

  51. Atuacking The Binder • Hook libbinder.so at the point where it sends an ioctl to the kernel • Stealth: dozens of places to hook • But don’t you need root?

  52. Atuacking The Binder Vulnerable to known rootjng exploits

  53. Consider The Possibilitjes

  54. Summary Features: • Versatjlity: one hook – multjple functjonalitjes. • App agnostjc: no need to RE apps. • Stealth: the Android security model limits 3 rd party security apps just like any other app.

  55. Summary • This is NOT a vulnerability. It’s like man-in-the- browser, but for literally everything on Android. • Root is assumed. Rootjng won’t go away any tjme soon.

  56. Rumors (You didn’t hear it from me…)

  57. What are you trying to tell me? That I can get all permissions on a device? No. I’m trying to tell you that when you’re ready, you won’t have to

  58. Act III Preparing Your Droid

  59. Solutjons – for developers • Take control of your own process memory space. • Minimize the amount of data going to IPC, and encrypt what has to go.

  60. Solutjons – for security industry • Scan fjles like it’s the 90’s. • Be brave – get root yourself: • Runtjme process scanning and monitoring. • Sofuware fjrewall (like Avast). • Binder fjrewall/anomaly detectjon. • Etc.

  61. Further Reading [1] White paper: “Man in the Binder”, Artenstein and Revivo [2] “On the Reconstructjon of Android Malware Behaviors”, Fatori, Tam et al [3] “Binderwall: Monitoring and Filtering Android Interprocess Communicatjon”, Hausner

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem Coleri Shashwath Sreedhar, Sogol Haddadi, Matthew Haynes, and Sunny Lewis Other contribut Other butor ors TAC members: Larry Ilg ODOT

712 views • 34 slides
Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D.

Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D.

transportationstudies.asu.edu Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D. Assistant Professor, School of Sustainable Engineering and the Built Environment Co-Director, The National Center of

311 views • 27 slides
Regulatory Binder By: Sam Payn Regulatory Binder Goals To learn about regulatory binders.

Regulatory Binder By: Sam Payn Regulatory Binder Goals To learn about regulatory binders.

Regulatory Binder By: Sam Payn Regulatory Binder Goals To learn about regulatory binders. To learn about Essential documents for the regulatory binder Put together a regulatory binder Purpose The purpose of the Regulatory Binder is

187 views • 14 slides
What is a Regulatory Binder? Paperwork required to keep updated on studies where patients are

What is a Regulatory Binder? Paperwork required to keep updated on studies where patients are

Regulatory Binder: 1.26.15 Sara L. Douglas, PhD, RN Amy R. Lipson, PhD Information in this Presentation Is Up-to-Date as of 8.18.17 What is a Regulatory Binder? Paperwork required to keep updated on studies where patients are being consented

342 views • 16 slides
I N N O V A T I O N W O R L D W I D E CARDBOARD ECO BINDER A NEW CONCEPT OF

I N N O V A T I O N W O R L D W I D E CARDBOARD ECO BINDER A NEW CONCEPT OF

I N N O V A T I O N W O R L D W I D E CARDBOARD ECO BINDER A NEW CONCEPT OF BINDING SHEETS ENVIRONMENTALLY FRIENDLY, COST EFFECTIVE AND INNOVATIVE USE AN ALTERNATIVE TO TRADITIONAL METAL OF PLASTIC COIL BINDERS. The patent

283 views • 7 slides
Field Validation Database for Binder Testing Procedures Recommended by NCHRP 9-10 Wilfung

Field Validation Database for Binder Testing Procedures Recommended by NCHRP 9-10 Wilfung

Field Validation Database for Binder Testing Procedures Recommended by NCHRP 9-10 Wilfung Martono H.U.Bahia University of Wisconsin-Madison ETG Meeting Fall 2003 Las Vegas, NV Background ! Need for Field Validation of ! Binder repeated

743 views • 23 slides
Binder tude du mcanisme de communication interprocessus d'Android et de ses vulnrabilits

Binder tude du mcanisme de communication interprocessus d'Android et de ses vulnrabilits

Binder tude du mcanisme de communication interprocessus d'Android et de ses vulnrabilits - Binder IPC and its vulnerabilities Prsent 06/03/2020 Pour THCON 2020 Par Jean-Baptiste Cayrou Who I am Jean-Baptiste Cayrou ( @jbcayrou )

1.63k views • 97 slides
Binder: A System to Aggregate Mul5ple Internet Gateways in

Binder: A System to Aggregate Mul5ple Internet Gateways in

Binder: A System to Aggregate Mul5ple Internet Gateways in Community Networks Marwan Fayed Luca Boccassi (Cisco) and Mahesh Marina How to solve

445 views • 13 slides
Guide to Rates of Application of Primer Primer Pavement Grade Rate (L/m ) Tightly bonded

Guide to Rates of Application of Primer Primer Pavement Grade Rate (L/m ) Tightly bonded

Design of Rates of Application Primes Primerseals Seals C170 binder Polymer modified binder Sprayed Seal Design Geotexle reinforced seals (GRS) AAPA training

222 views • 9 slides
p K a modulation of a bis(2-aminoimidazoline) DNA minor groove binder that targets the kinetoplast

p K a modulation of a bis(2-aminoimidazoline) DNA minor groove binder that targets the kinetoplast

p K a modulation of a bis(2-aminoimidazoline) DNA minor groove binder that targets the kinetoplast of Trypanosoma brucei Jorge Jonathan Nu Martinez 1 , Harry P. De Koning 2 , Godwin Ebiloma 2 , Cinthia Millan 3 , J. Lourdes Campos 3 , Christophe

724 views • 20 slides
THE USE OF XPS TO INVESTIGATE THE AGEING MECHANISM OF THE PHENOL-UREA-FORMALDEHYDE (PUF) BINDER

THE USE OF XPS TO INVESTIGATE THE AGEING MECHANISM OF THE PHENOL-UREA-FORMALDEHYDE (PUF) BINDER

THE USE OF XPS TO INVESTIGATE THE AGEING MECHANISM OF THE PHENOL-UREA-FORMALDEHYDE (PUF) BINDER COATED MINERAL FIBERS A. Zafar 1* , J. Schjdt-Thomsen 1 , R. Sodhi 2 , D. de Kubber 3 1 Department of Mechanical and Manufacturing Engineering,

66 views • 6 slides
at Palm Valley Academy - Email is the best way to communicate with us. - Please make sure your

at Palm Valley Academy - Email is the best way to communicate with us. - Please make sure your

at Palm Valley Academy - Email is the best way to communicate with us. - Please make sure your child brings their binder and planner to school every day. In your childs binder, you will find: - Homework - Graded Papers - Notes (when needed)

512 views • 24 slides
A proposal for a 100% use of bauxite residue: The process, results on the novel Fe-rich binder

A proposal for a 100% use of bauxite residue: The process, results on the novel Fe-rich binder

A proposal for a 100% use of bauxite residue: The process, results on the novel Fe-rich binder and how this can take place within the alumina refinery T. Hertel, L. Arnout, A. Peys, L. Pandelaers, B. Blanpain, Y. Pontikes 06/10/2015 The dirty

318 views • 31 slides
Polarized We Govern? Sarah Binder GWU and Brookings Negotiating with Republicans is like

Polarized We Govern? Sarah Binder GWU and Brookings Negotiating with Republicans is like

Polarized We Govern? Sarah Binder GWU and Brookings Negotiating with Republicans is like Chasing a greasy pig It is kind of a painless ordeal for the pig For those who dont know what a greased pig contest is, heres what it

108 views • 9 slides
Convergence to SLE 6 for Percolation Models (joint with I. Binder & L. Chayes) Helen K. Lei

Convergence to SLE 6 for Percolation Models (joint with I. Binder & L. Chayes) Helen K. Lei

Convergence to SLE 6 for Percolation Models (joint with I. Binder & L. Chayes) Helen K. Lei August 14, 2009 Introduction Setup & Scaling Limit Conformal Invariance & Cardys Formula Statement of Result Percolation

281 views • 27 slides
Welcome Grab your binder and something to write with Open to your SEL Section Opening Activity

Welcome Grab your binder and something to write with Open to your SEL Section Opening Activity

Welcome Grab your binder and something to write with Open to your SEL Section Opening Activity Turn to your SEL section How will we respond to the immigrant caravan? Students will be able to Analyze texts to identify the push and

162 views • 14 slides
FHA Catalyst: Case Binder Module April 3 , 2020 Tech Support Recommend Chrome browser.

FHA Catalyst: Case Binder Module April 3 , 2020 Tech Support Recommend Chrome browser.

FHA Catalyst: Case Binder Module April 3 , 2020 Tech Support Recommend Chrome browser. Technical issues? Review Technology FAQs by clicking Chat icon at bottom of screen, or on Landing Page. Need additional tech support? Click

517 views • 6 slides
: Bell work: Pick up the worksheet and a notecard from the table. Place your name card

: Bell work: Pick up the worksheet and a notecard from the table. Place your name card

Welcome to Class! Today is Tuesday, August 16 th Homework ork Due: signed syllabus and binder with tabs. : Bell work: Pick up the worksheet and a notecard from the table. Place your name card back on your desk. Turn in your signed

943 views • 23 slides
Information Technology Advisory Committee (ITAC) Public Business Meeting February 3, 2020

Information Technology Advisory Committee (ITAC) Public Business Meeting February 3, 2020

Information Technology Advisory Committee (ITAC) Public Business Meeting February 3, 2020 Teleconference Hon. Sheila F. Hanson Chair, Information Technology Advisory Committee 1 Administrative Matters Open Meeting I. Call to Order, Roll

1.03k views • 14 slides
Development of an Integra ated CARI Interactive Data Access System for th e US Census Bureau

Development of an Integra ated CARI Interactive Data Access System for th e US Census Bureau

Development of an Integra ated CARI Interactive Data Access System for th e US Census Bureau Mai Nguyen, M. Rita Thissen, Ch hristopher Siege, Sandhya Bikmal RTI Inter RTI I t rnational ti l 2010 International Bla ise Users Conference

529 views • 15 slides
Slides on cross-domain call and Remote Procedure Call (RPC)

Slides on cross-domain call and Remote Procedure Call (RPC)

Slides on cross-domain call and Remote Procedure Call (RPC) This classic paper is a good example of a microbenchmarking study. It also explains the RPC abstraction and serves as a case study of the

477 views • 44 slides
WEEK OF 08.31.20 A Note From Check out our first week at a glance! Happy first week of school!

WEEK OF 08.31.20 A Note From Check out our first week at a glance! Happy first week of school!

WEEK OF 08.31.20 A Note From Check out our first week at a glance! Happy first week of school! Take a look at what learning is ahead! Mrs. Milburn & Mr. McKinney MONDAY TUESDAY WEDNESDAY THURSDAY FRIDAY What is Math Workshop? Math

768 views • 28 slides
SSReflect in Coq 8.10 New intro patterns and support for rewriting under binders rik

SSReflect in Coq 8.10 New intro patterns and support for rewriting under binders rik

SSReflect in Coq 8.10 New intro patterns and support for rewriting under binders rik Martin-Dorel 1 Enrico Tassi 2 1 IRIT, Universit Toulouse 3, France 2 Inria, Universit Cte dAzur, France September 8th, 2019 The 10th Coq Workshop

1.1k views • 32 slides
Bottle Binder Nikki Akraboff Chris Becker Chris Desrochers Batya Fellman Katie

Bottle Binder Nikki Akraboff Chris Becker Chris Desrochers Batya Fellman Katie

R e d Bottle Binder Nikki Akraboff Chris Becker Chris Desrochers Batya Fellman Katie Matlack Keith Molina Ilan Moyer Matt Robertson Alex St. Claire Problem and Customer n villages in Ecuador Need for

403 views • 7 slides

More recommend