fuzzing remote interfaces for system
play

Fuzzing remote interfaces for system services in Android Alexandru - PowerPoint PPT Presentation

Nov 09, 2022 •130 likes •446 views

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security Engineer 1 Agenda Context Fuzzing tool implementation Results and vulnerabilities 2 Context Intro to System Services System services

  1. Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security Engineer 1

  2. Agenda Context Fuzzing tool implementation Results and vulnerabilities 2

  3. Context Intro to System Services • System services – the core of Android • Implement many of the fundamental Android features Display Telephony Network Connectivity 3

  4. Context Intro to System Services • System services – expose remote interfaces Java Native JNI 4

  5. Context Opportunity • Android IPC mechanism – Binder • Android controls access to Binder objects • Some Binder objects (system services) need to be universally accessible 5

  6. Context Service CLI root@flounder:/ # service Usage: service [-h|-?] service list service check SERVICE service call SERVICE CODE [i32 N | i64 N | f N | d N | s16 Options: i32: Write the 32-bit integer N into the send parcel. i64: Write the 64-bit integer N into the send parcel. f: Write the 32-bit single-precision number N into the parcel d: Write the 64-bit double-precision number N into the parce s16: Write the UTF-16 string STR into the send parcel. 6

  7. Context Service CLI Android service list flounder:/ $ service list Found 118 services: 0 nfc: [android.nfc.INfcAdapter] 1 phone: [com.android.internal.telephony.ITelephony] 2 isms: [com.android.internal.telephony.ISms] ... 18 media_session: [android.media.session.ISessionManager] 19 restrictions: [android.content.IRestrictionsManager] ... 45 notification: [android.app.INotificationManager] 46 recovery: [android.os.IRecoverySystem] 47 updatelock: [android.os.IUpdateLock] 7

  8. Context Service CLI • Each service has a number of methods – > can be called using service call $ service call SERVICE CODE [i32 N | i64 N | f N | d N | s16 STR] $ service call meminfo 13 i32 12 i32 43 s16 “ string_example ” 8

  9. Context Service CLI • Each service has a remote interface that defines the methods, implemented in Java or C/C++ ... 101 SurfaceFlinger: [android.ui.ISurfaceComposer] $ find /path/to/tree – name ISurfaceComposer.h / ISurfaceComposer.aidl ... 9

  10. Context Service CLI Remote interface – example class IAudioPolicyService : public Iinterface { public: DECLARE_META_INTERFACE(AudioPolicyService); virtual status_t registerEffect(const effect_descriptor_t *desc, 1 audio_io_handle_t io, uint32_t strategy, int session, int id) = 0; virtual status_t unregisterEffect(int id) = 0; 2 virtual status_t setEffectEnabled(int id, bool enabled) = 0; 3 10

  11. Context Service CLI Remote interface – transaction codes class IAudioPolicyService : public Iinterface { public: DECLARE_META_INTERFACE(AudioPolicyService); virtual status_t setEffectEnabled(int id, bool enabled) = 0; 3 $ service call media.audio_policy 3 i32 23 i32 1 11

  12. Context Service CLI Remote interface – not a data message class IResourceManagerService : public Iinterface { public: DECLARE_META_INTERFACE(IResourceManagerService); virtual status_t method_1(int ...); 1 virtual status_t method_2(int ...); 2 virtual status_t method_3(int ...); 3 virtual status_t method_4(int ...); 4 $ service call media.resource_manager 5 5 Parcel(Error: 0xffffffffffffffb6 "Not a data message") ??? 12

  13. Context Service CLI Remote interface – not a data message class ISurfaceComposer: public IInterface { public: DECLARE_META_INTERFACE(SurfaceComposer); virtual sp<ISurfaceComposerClient> createConnection() = 0; 1 virtual sp<IGraphicBufferAlloc> createGraphicBufferAlloc() = 0; 2 ... virtual int getActiveConfig(const sp<IBinder>& display) = 0; 13 Result: Parcel(Error: 0xffffffffffffffb6 "Not a data message") virtual int getActiveConfig(const sp<IBinder>& display) = 0; 14 Result: Parcel(ffffffea '....') 13

  14. Context Service CLI Remote interface – permissions flounder:/ $ service call bluetooth_manager 7 Result: Parcel( 0x00000000: ffffffff 0000006e 0065004e 00640065 '....n...N.e.e.d.' 0x00000010: 00420020 0055004c 00540045 004f004f ' .B.L.U.E.T.O.O.' 0x00000020: 00480054 00410020 004d0044 004e0049 'T.H. .A.D.M.I.N.' 0x00000030: 00700020 00720065 0069006d 00730073 ' .p.e.r.m.i.s.s.' 0x00000040: 006f0069 003a006e 004e0020 00690065 'i.o.n.:. .N.e.i.' 0x00000050: 00680074 00720065 00750020 00650073 't.h.e.r. .u.s.e.' 0x00000060: 00200072 00300032 00300030 006e0020 'r. .2.0.0.0. .n.' 0x00000070: 0072006f 00630020 00720075 00650072 'o.r. .c.u.r.r.e.' 0x00000080: 0074006e 00700020 006f0072 00650063 'n.t. .p.r.o.c.e.' 0x00000090: 00730073 00680020 00730061 00610020 's.s. .h.a.s. .p.' 0x000000a0: 00720065 0069006d 00730073 006f0069 'e.r.m.i.s.s.i.o.' 0x000000b0: 002e006e 004c0042 00450055 004f0054 'n.B.L.U.E.T.O.O.' 0x000000c0: 0054004f 005f0048 00440041 0049004d ‘T.H._.A.D.M.I.N.') 14

  15. Agenda Context Fuzzing tool implementation Results and vulnerabilities 15

  16. Fuzzing tool implementation Main idea Fuzz the • service call command methods • transaction code for each of each method system • fuzzed parameters service • 0 permissions 2 testing • all permissions scenarios 16

  17. Fuzzing tool Module 1 Get information regarding the available system services media.audio_policy Service name Parse service list Store necessary Service android.media.IAudio command output information description PolicyService frameworks/av/media/ Path to interface libmedia/IAudioPolicy Service.cpp 17

  18. Fuzzing tool Module 2 Get information regarding the methods of each service Number of methods Number of method parameters Serialize the Parse interface necessary source files information Type of method parameters Path to interface 18

  19. Fuzzing tool Module 3 Actual fuzzing process Dumb fuzzing Intelligent fuzzing Targeted fuzzing 19

  20. Fuzzing tool Module 3 Dumb fuzzing No args Random args Fuzz each Data generator For each service Random number method of args Random args Fixed number of Fusil Python Method map args fuzzing library Transaction Number of numbers methods 20

  21. Fuzzing tool Module 3 Intelligent vs dumb fuzzing Parameter Parameter Numerical number type parameters Strings Equal to the number of parameters Regexp of the parameters method Random and type- conscious arguments 21

  22. Fuzzing tool Module 3 Targeted fuzzing • Create custom generation models for each particular interface • Priority is on native interfaces, but Java based interfaces are interesting as well • Allows triggering sections of code that would be otherwise inaccessible 22

  23. Fuzzing tool Module 4 Logging process 03-17 13:43:17.310 F/service_call:DUMB:fuzzer(29448): createDisplay[4] - param: 2 - seed: 0 03-17 13:43:17.461 F/service_call:DUMB:fuzzer(29453): createDisplay[4] - param: 2 - seed: 4736359305080745519 03-17 13:43:17.533 F/service_call:DUMB:fuzzer(29456): createDisplay[4] - param: 2 - seed: 3491175988003079 03-17 13:43:17.229 F/libc( 9876): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 9890 (Binder_2) 03-17 13:43:18.137 F/service_call:DUMB:fuzzer(29476): destroyDisplay[5] - param: 1 - seed: 0 03-17 13:43:18.281 F/service_call:DUMB:fuzzer(29481): destroyDisplay[5] - param: 1 - seed: 3218211437215368928 03-17 13:43:18.430 F/service_call:DUMB:fuzzer(29486): destroyDisplay[5] - param: 1 - seed: 5058432304378629718 23

  24. Fuzzing tool Module 4 Logging process • Some of the arguments are not printable • Generate as many random values as the number of parameters Problems seed_list = [] init_seed = randint (0, max_value) • Save the random generator state before seed_list.append (init_seed) each test case is executed (not feasible) Ideal case seed[i] = F (init_seed, i) seed_list.append (seed[i]) • For a given test case, generate a single seed Solution 24

  25. Fuzzing tool Summary 25

  26. Agenda Context Fuzzing tool implementation Results and vulnerabilities 26

  27. Vulnerability example • Vulnerability in libaudiopolicyservice.so – triggered when calling portConfig() method in IAudioPolicyService interface • Impact: Mediaserver native crash Media/Camera DOS Media/Camera Restart Device DOS Restart Component 27

  28. Vulnerability example Logcat snapshot 03-25 12:05:28.774 W/AudioSystem( 580): AudioFlinger server died! 03-25 12:05:28.774 W/AudioSystem( 580): AudioPolicyService server died! 03-25 12:05:28.774 W/SoundTrigger( 580): Sound trigger service died! 03-25 12:05:28.774 I/ServiceManager( 171): service 'media.resource_manager' died 03-25 12:05:28.775 I/ServiceManager( 171): service 'media.audio_flinger' died 03-25 12:05:28.775 I/ServiceManager( 171): service 'media.player' died 03-25 12:05:28.775 I/ServiceManager( 171): service 'media.camera' died 03-25 12:05:28.775 I/ServiceManager( 171): service 'media.audio_policy' died 03-25 12:05:28.775 I/ServiceManager( 171): service 'media.sound_trigger_hw' died 03-25 12:05:28.775 I/ServiceManager( 171): service 'media.radio' died 03-25 12:05:28.775 W/AudioSystem( 1148): AudioFlinger server died! 03-25 12:05:28.775 W/AudioSystem( 728): AudioPolicyService server died! 03-25 12:05:28.775 E/AudioService( 580): Media server died. 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
Overview Overview Grid/NetSolve Grid enabled software Allows easy access to remote

Overview Overview Grid/NetSolve Grid enabled software Allows easy access to remote

GridSolve: A Seamless Bridge Between : A Seamless Bridge Between GridSolve the Standard Programming Interfaces the Standard Programming Interfaces and Remote Resources and Remote Resources Jack Dongarra University of Tennessee and Oak

407 views • 11 slides
DP Photon System Readout - Envisioned System and DAQ Interfaces Cayetano Santos - On behalf of

DP Photon System Readout - Envisioned System and DAQ Interfaces Cayetano Santos - On behalf of

DP Photon System Readout - Envisioned System and DAQ Interfaces Cayetano Santos - On behalf of the IN2P3 group DUNE FD DAQ Design Workshop - Architecture considerations: Interfaces - Columbia University 30-31 October 2017 APC - Astroparticule

368 views • 19 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci &amp; Eng U of South Florida

System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci &amp; Eng U of South Florida

System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci &amp; Eng U of South Florida 1 Basic Elements of HW/SW Interfaces 1. On-chip communica&gt;on fabrics, ex. buses 2 Memory Mapped Interfaces To resolve simultaneous writes

722 views • 25 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of

System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of

System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of South Florida 1 System Structural Model Mem CPU P1 P2 Arbiter Bridge P3 P5 P4 HW HW 2 Basic Elements of HW/SW Interfaces 1. On-chip

235 views • 22 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&amp;D firstname dot lastname at orange-ftgroup dot com research &amp; development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When, Why, How? What: Code Structure used to express operations that multiple class have in common No method implementations No fields

611 views • 12 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging &amp; Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
(R) Evolution Philipp Krenn @xeraa Revolution

(R) Evolution Philipp Krenn @xeraa Revolution

(R) Evolution Philipp Krenn @xeraa Revolution https://db-engines.com/en/ranking https://www.reddit.com/r/SQL/comments/7i828i/ms_sql_query_is_too_complex/ Who uses Elasticsearch? Infrastructure | Developer Advocate

919 views • 59 slides
A Few Open Problems in Vertically-Partially-Connected 3D-NoC Frdric Ptrot and Hamed

A Few Open Problems in Vertically-Partially-Connected 3D-NoC Frdric Ptrot and Hamed

A Few Open Problems in Vertically-Partially-Connected 3D-NoC Frdric Ptrot and Hamed Sheibanyrad System-Level Synthesis Group TIMA Laboratory 46, Av Flix Viallet, 38031 Grenoble, France July 17 th , 2015 July 17th, 2015 Frdric

799 views • 10 slides
Jurong West Primary School English Department Primary 1 TEAMWORK Key changes To enhance

Jurong West Primary School English Department Primary 1 TEAMWORK Key changes To enhance

Jurong West Primary School English Department Primary 1 TEAMWORK Key changes To enhance the joy of learning starting 2019 1) No weighted assessment from 2019 (including year-end exam for P2) 2) Use qualitative descriptors to report

734 views • 28 slides
Range Sensors Gianpaolo Palma Who Gianpaolo Palma Researcher at Visual Computing

Range Sensors Gianpaolo Palma Who Gianpaolo Palma Researcher at Visual Computing

3D Models from Range Sensors Gianpaolo Palma Who Gianpaolo Palma Researcher at Visual Computing Laboratory (ISTI-CNR) Expertise: 3D scanning, Mesh Processing, Computer Graphics E-mail: gianpaolo.palma@isti.cnr.it Office hours

360 views • 24 slides
Logic + Control: An example or SAT solver of Howe &amp; King as a logic program (File

Logic + Control: An example or SAT solver of Howe &amp; King as a logic program (File

Intro. Specification Correctness&amp;. . . Programs Final Logic + Control: An example or SAT solver of Howe &amp; King as a logic program (File ./LIPIcs/29.pdf ) W lodzimierz Drabent Institute of Computer Science, Polish Academy of

806 views • 41 slides
Ge#ngSmarterAbout theSmartGrid TimothySchoechle,PhD

Ge#ngSmarterAbout theSmartGrid TimothySchoechle,PhD

Ge#ngSmarterAbout theSmartGrid TimothySchoechle,PhD SeniorResearchFellow NaGonalInsGtuteforScience,Law,andPublicPolicy Washington,DC CommonwealthClubofCalifornia

190 views • 17 slides
Lower Bound Techniques for QBF Proof Systems Meena Mahajan The Institute of Mathematical

Lower Bound Techniques for QBF Proof Systems Meena Mahajan The Institute of Mathematical

Lower Bound Techniques for QBF Proof Systems Meena Mahajan The Institute of Mathematical Sciences, HBNI, Chennai. Complexity, Algorithms, Automata, Logic Meeting CAALM 2019, CMI, India. 21-25 Jan 2019 24 Jan 2019 Meena Mahajan, IMSc Credits

980 views • 94 slides
26th International Cartographic Conference, Dresden, Germany, 25 30 August 2013 Exploring the

26th International Cartographic Conference, Dresden, Germany, 25 30 August 2013 Exploring the

26th International Cartographic Conference, Dresden, Germany, 25 30 August 2013 Exploring the Impact of a Spatial Data Infrastructure on Value Added Resellers and Vice Versa Antony K. Cooper, Serena Coetzee, Petr Rapant, Dominique Laurent,

521 views • 15 slides

More recommend