
Two Vulnerabilities in Android OS Kernel




Presentation Transcript


  1. Two Vulnerabilities in Android OS Kernel. Speaker: Xiaojiang Du. Authors: Xiali Hei, Xiaojiang Du and Shan Lin, Temple University

  2. Outline
  • 1. Problem and Background
  • 2. Goal and Contributions
  • 3. Methods
  • 4. Results
  • 5. Conclusions

  3. Problem and Background
  • The Android operating system is widely used in smartphones and tablet devices.
  • There is no antivirus to protect the Android kernel, because the kernel is not open to security software companies.
  • The Tegra 2 CPU is dual-core and widely used in mobile devices [1]. If its driver has a vulnerability, a large number of devices are affected, and this kind of vulnerability is difficult to detect.

  4. Goal and Contributions
  • Find 0-day vulnerabilities in Android OS. One 0-day vulnerability costs the government $30000-$60000, and it can also cause huge losses.
  • We revealed a security pitfall in the Tegra 2 CPU driver program on the Android operating system. Several severe security vulnerabilities are exposed by exploiting this pitfall.
  • We demonstrated how to perform system privilege escalation and a denial-of-service attack using a real Samsung Galaxy Tablet.
  • We proposed a solution to fix the pitfall; our report on the problem has been accepted by Google.

  5. Methods (1)
  • We examined the source code of two packages, GT-P7500 OpenSource.zip and GT-P7510 OpenSource.zip [1], and found two vulnerabilities in the nvhost_ioctl_ctrl_module_regrdwr function in the file dev.c.
  • Vulnerability 1: get_user(offs, offsets) in line 561 is used to get the offset from user space. There is no boundary check on "offs".
  • Vulnerability 2: line 598: BUG_ON(_IOC_SIZE(cmd) > NVHOST_IOCTL_CTRL_MAX_ARG_SIZE). The program fails to properly check the size _IOC_SIZE(cmd) before acting on it.
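As an added example (not code from the slides or from the Tegra driver), the following user-space C model shows the hardened form of the regrdwr handler with both checks the slide says are missing: the untrusted offset is range-checked before it indexes the register window, and an oversized argument is refused with an error rather than a BUG_ON() panic. model_regrdwr, model_reg_value, MODEL_MAX_ARG_SIZE and MODEL_REG_WINDOW are assumed names and values standing in for the driver's own; the register window is simulated as an array of 32-bit words.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed user-space model of the hardened ioctl handler; names and
 * values prefixed MODEL_/model_ are assumptions, not the driver's own. */
#define MODEL_MAX_ARG_SIZE 256u  /* stands in for NVHOST_IOCTL_CTRL_MAX_ARG_SIZE */
#define MODEL_REG_WINDOW   64u   /* assumed register window, in 32-bit words */

/* Simulated register file that user-supplied offsets index into. */
static uint32_t model_regs[MODEL_REG_WINDOW];

/* Hardened read/write loop. arg_size models _IOC_SIZE(cmd); offsets and
 * values model the user buffers the driver reads with get_user(). */
int model_regrdwr(size_t arg_size, const uint32_t *offsets,
                  uint32_t *values, unsigned int num, bool write)
{
    /* Vulnerability 2: an oversized request is refused with an error code
     * returned to the caller, instead of BUG_ON() panicking the kernel. */
    if (arg_size > MODEL_MAX_ARG_SIZE)
        return -EINVAL;
    /* The offset count must fit in the argument size the caller declared. */
    if (num > arg_size / sizeof(uint32_t))
        return -EINVAL;

    for (unsigned int i = 0; i < num; i++) {
        uint32_t offs = offsets[i];  /* models get_user(offs, offsets) */
        /* Vulnerability 1: bound the untrusted offset before it is used
         * as an index into the register window. */
        if (offs >= MODEL_REG_WINDOW)
            return -EINVAL;
        if (write)
            model_regs[offs] = values[i];
        else
            values[i] = model_regs[offs];
    }
    return 0;
}

/* Read back one simulated register so the effect of a write is observable. */
uint32_t model_reg_value(uint32_t offs)
{
    return offs < MODEL_REG_WINDOW ? model_regs[offs] : 0;
}
```

Every rejected request leaves the simulated registers untouched, which is the property a fix for the first vulnerability must guarantee.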

  6. Methods (2)
  • Fuzz testing
  • Fuzz testing is an automated or semi-automated software testing technique. We use it to find the first vulnerability and to exploit the second vulnerability.

  7. Method (3)
  • ADB
  • Android Debug Bridge (ADB) is a command-line tool that allows your local computer to communicate with a connected Android-powered device or an emulator.
  • The attacker can use ADB's push command to implant an exploit on the device, and use ADB's shell command to launch the exploit and escalate his privilege.
  • After running adb get-serialno on the computer, the attacker can get the serial number of a device.

  8. Experiments
  • We conducted experiments on Android Honeycomb 3.1 using the Samsung Galaxy Tab 10.1 with an Nvidia Tegra CPU.
  • The results show that we can easily exploit these vulnerabilities and that our fixes solve them.
  • We will present our results later. Note that many Android devices with an Nvidia Tegra CPU suffer from these vulnerabilities.

  9. Results
  • Android is based on a modified Linux kernel and applies Discretionary Access Control (DAC) at the file-system level.
  • If uid = 0, the user has root-level privilege, which is the goal of exploiting privilege escalation vulnerabilities.
  • We can scan the kallsyms log and find the offset of the sys_setuid function, which means that we can find out the address of the sys_setuid function.
  • We overwrite the code of setuid using newvalues[0] = 0 to get root privilege; then setuid = 0.

  10. Results (1): Logs for Experiment 1 - Kernel privilege escalation vulnerability

  11. Results (2): Logs for Experiment 1 - Kernel privilege escalation vulnerability. Uid was changed to 0 from 7d0.

  12. Results (3): DoS vulnerability. The kernel panicked and the system was reset.

  13. Conclusions
  • We presented two new vulnerabilities in Tegra driver programs located in the Android kernel.
  • The first vulnerability can be used to escalate kernel privileges.
  • The second vulnerability can be used to launch a denial-of-service (DoS) attack.
  • We successfully exploited the two vulnerabilities on several versions of Android using a real device, a Galaxy tablet.
  • Furthermore, we provided security patches to fix the two vulnerabilities and confirmed that the patches work.

  14. Any Questions?
