adaptive kernel live patching - black hat...ice cream sandwich 15 1.7% 4.1.x jelly bean 16 6.4%...

AdaptiveKernelLivePatching:AnOpenCollaborativeEffortto

AmeliorateAndroidN-dayRootExploits

YulongZhangandLenx(Tao)WeiBaiduX-LabAugust2016

Agenda• TheProblem

• AndroidKernelVulnerabilityLandscape• WhyAreTheyLong-lasting?• CaseStudies

• TheSolution• AdaptKpatch:AdaptiveKernelLivePatching• LuaKpatch:MoreFlexibility,YetMoreConstraint

• TheFuture• EstablishingtheEcosystem

UnprivilegedUser Root

CodeExecutionVulnerability

Info-leakVulnerability

UserMode

KernelModeInformationLeakage PrivilegeEscalation

ThreatsofKernelVulnerabilities

ThreatsofKernelVulnerabilities• Mostsecuritymechanismsrelyingonkernelintegrity/trustworthinesswillbebroken

• Accesscontrol,app/userisolation• Payment/fingerprintsecurity• KeyStore• OtherAndroiduser-landsecuritymechanisms

• TrustZonewillalsobethreatened• Attacksurfacesexposed• Notenoughinputvalidation

KernelVulnerabilitiesinAndroidSecurityBulletin

1 1 3 4 4 715 19

66

0

10

20

30

40

50

60

70

2015/09 2015/12 2016/01 2016/02 2016/03 2016/04 2016/05 2016/06 2016/07

MonthlyDisclosedNumberofAndroidKernelVulnerabilities

Month Count

2015/09 1

... ...

2015/12 1

2016/01 3

2016/02 4

2016/03 4

2016/04 7

2016/05 15

2016/06 19

2016/07 66

• Moreandmoreattentionsaredrawntosecurethekernel

• MoreandmorevulnerabilitiesareintheN-Dayexploitarsenalfortheundergroundbusinesses

TheGrowingTrendIndicates

ManyVulnerabilitiesHaveExploitPoCPubliclyDisclosedVulnerability/ExploitName CVEIDmempodipper CVE-2012-0056exynos-abuse/Framaroot CVE-2012-6422diagexploit CVE-2012-4221perf_event_exploit CVE-2013-2094fb_mem_exploit CVE-2013-2596msm_acdb_exploit CVE-2013-2597msm_cameraconfig_exploit CVE-2013-6123get/put_user_exploit CVE-2013-6282futex_exploit/Towelroot CVE-2014-3153msm_vfe_read_exploit CVE-2014-4321pipeexploit CVE-2015-1805PingPong Root CVE-2015-3636f2fs_exploit CVE-2015-6619prctl_vma_exploit CVE-2015-6640keyring_exploit CVE-2016-0728…... ......

KEMOGE

https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html

GHOSTPUSH

http://www.cmcm.com/blog/en/security/2015-09-18/799.html

DOGSPECTUS

“...thepayloadofthatexploit,aLinuxELFexecutablenamedmodule.so,containsthecodeforthefutex orTowelrootexploit thatwasfirstdisclosedattheendof2014.”

https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware

HUMMINGBAD

“Allcombined,thecampaignincludesnearly85milliondevices...HummingBadattemptstogainrootaccessonadevicewitharootkitthatexploitsmultiplevulnerabilities...Ittriestoroot thousandsofdeviceseveryday,withhundredsoftheseattemptssuccessful.”

https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware

iOSMoreSecure?

?

iOSVersion ReleaseDate KernelVulnerability# Android#InThisPeriod

8.4.1 8/13/15 3 -

9 9/16/15 12 1

9.1 10/21/15 6 -

9.2 12/8/15 5 1

9.2.1 1/19/16 4 3

9.3 3/21/16 9 8

9.3.2 5/16/16 11 22

V.S.

Sotheproblemis:AndroidhasMORE vulnerabilitiesVulnerabilitiesremainUNFIXED overalongtime

http://www.whisperingrandomness.com/wp-content/uploads/2014/03/iOS-security-black-hat-macworld-australia.jpghttp://images.pcworld.com/images/article/2011/11/androidsecurity-5241445.jpg

• IfApplewantstopatchavulnerability• Applecontrolstheentire(mostly)supplychain• Applehasthesourcecode• Applerefusestosignoldversions,forcingone-directionupgrade• AlltheiOSdeviceswillgetupdateinatimelymanner

• Android• Manydevicesstayunpatchedforever/foralongperiod...

WhyAreAndroidKernelVulnerabilitiesLongLasting?

• Thelongpatchingchaindelaysthepatcheffectivedate• Fragmentationmakesitchallengingtoadaptthepatchestoalldevices

• Capabilitymismatchingbetweendevicevendorsandsecurityvendors

CauseA:Thelongpatchingchain

Thereareexploitsappearedinpublicbut• Nevergotofficiallyreportedtovendors

Exploitsmadepublicbutnotreported

AndroidRootanditsProviders:ADouble-EdgedSwordH.Zhang,D.She,andZ.Qian,CCS2015

Thereareexploitsdisclosedbut• Notgettingtimelypatches

Exploitsdisclosedbutnottimelypatched

https://bugs.chromium.org/p/project-zero/issues/detail?id=734&can=1&sort=-id

Thereareexploitspatchedbut• Delayedbythecarriers

Exploitspatchedbutdelayedbycarriers

http://www.howtogeek.com/163958/why-do-carriers-delay-updates-for-android-but-not-iphone

UserdelaystheOTAduetorebooting

http://opensignal.com/reports/2015/08/android-fragmentation

CauseB:Fragmentation

GoogleDashboard(2016/07/21)Version Codename API Distribution2.2 Froyo 8 0.1%2.3.x Gingerbread 10 1.9%

4.0.x IceCreamSandwich 15 1.7%

4.1.xJellyBean

16 6.4%4.2.x 17 8.8%4.3 18 2.6%4.4 KitKat 19 30.1%5.0

Lollipop21 14.3%

5.1 22 20.8%6.0 Marshmallow 23 13.3%

LollipopwasreleasedinNovember12,2014,but

51.6%ofthedevicesarestillolderthanthat!GooglestoppedpatchingforAndroidolderthan4.4,

but21.5%ofthedevicesarestillolderthanthat!

ChineseMarketIsEvenWorse(StatsfromdeviceswithBaiduappsinstalled,July2016)

LollipopwasreleasedinNovember12,2014,but

80% ofthedevicesarestillolderthanthat!

Version Codename Rate2.3.x Gingerbread 3%4.0.x IceCreamSandwich 3%4.1.x

JellyBean 36%4.2.x4.34.4 KitKat 39%5 Lollipop 19%5.1

42% ofthedevicesare<4.4!

3% 3%

36%

39%

19%

Gingerbread

IceCreamSandwich

JellyBean

KitKat

Lollipop

SecurityVendors:• Capabletodiscoverandpatchvulnerabilities• Notprivilegedenough• Withoutsourcecode,difficulttoadaptthepatches

PhoneVendors:• Privilegedtoapplythepatches• Withsourcecode,easytoadaptthepatches• Notenoughresourcestodiscoverandpatchvulnerabilities

CVE-2014-3153(Towelroot)

• Thefutex_requeue functioninkernel/futex.c intheLinuxkernelthrough3.14.5doesnotensurethatcallshavetwodifferentfutex addresses,whichallowslocaluserstogainprivileges.

CVE-2015-3636 (PingPong Root)

• Theping_unhash functioninnet/ipv4/ping.c intheLinuxkernelbefore4.0.3doesnotinitializeacertainlistdatastructureduringanunhash operation,whichallowslocaluserstogainprivilegesorcauseadenialofservice.

CVE-2015-1805 (used inKingRoot)

• Thepipe_read andpipe_write implementationsinkernelbefore3.16allowslocaluserstocauseadenialofservice(systemcrash)orpossiblygainprivilegesviaacraftedapplication.

• Aknown issue inthe upstream Linuxkernel that was fixed inApril 2014butwasn’t called outasasecurity fix andassigned CVE-2015-1805 untilFebruary 2,2015.

0 200 400 600 800 1000

CVE-2015-1805PipeRoot

CVE-2015-3636PingPongRoot

CVE-2014-3153Towelroot

Dayssincetheadvisorypublicationdate

0%

20%

40%

60%

80%

100%

CVE-2014-3153Towelroot

CVE-2015-3636PingPongRoot

CVE-2015-1805PipeRoot

Vulnerable NotVulnerable

VulnerabilitystatisticscollectedfromChineseAndroiddeviceinJuly2016

How/WhotoSecureThem???

KernelLivePatching

• kpatch• kGraft• ksplice• Linuxupstream’slivepatch• ......

KernelLivePatching

kGraft asanexample

KernelLivePatching

• Loadnewfunctionsintomemory• Linknewfunctionsintokernel

• Allowsaccesstounexported kernelsymbols

• Activenesssafetycheck• Preventold&newfunctionsfromrunningatsametime• stop_machine()+stackbacktrace checks

• Patchit!• Usesftrace etc.

https://events.linuxfoundation.org/sites/events/files/slides/kpatch-linuxcon_3.pdf

ChallengesforThirdParty

• Mostexistingworkrequiressourcecode.Phonevendoristheonlyguythatcangeneratethelivepatches

• Unabletodirectlyapplypatchestootherkernelbuilds

AdaptKpatch- AdaptiveLivePatching

Autopatchadaption

• Kernelinfogathering• Datastructurefilling

Patchingpayloadinjection

• ChoiceA:Installkernelmodule

• ChoiceB:Binary codeinjectionviamemdevice

Patchingpayloadexecution

• Replace/hookvulnerablefunctions

KernelInfoCollection• Kernelversion

• /proc/version• vermagic

• Symboladdresses/CRC• /proc/kallsyms (/proc/sys/kernel/kptr_restrict)

• Otherkernelmodules• SymbolCRC/moduleinit offset

• Bootimage• decompressgzip/bzip/lzma/lzo/xz/lz4• somearerawcodeorevenELFfile

PatchInjectionMethodsCoverage

INSMOD95%

(K)MEM60%

0.6%

99.4%

MethodA:KernelModuleInjection

Kernelchecksthatneedtoberesolvedforadaption§ vermagiccheck§ symbolCRCcheck§modulestructurecheck§ vendor’sspecificcheck

vSamsunglkmauth

Bypassvermagic/symbolCRC

- Bigenoughvermagicbuffer- Copykernelvermagicstringtomodule- CopykernelsymbolCRCstomodule

BypassSamsunglkmauth

MethodB:mem/kmem Injection

- Symboladdresses- vmalloc_exec- module_alloc

- Structuredshellcode- Allocate/reusememory- Writeintomemory- Triggertherunning

PatchingPayloadExecution

• Overwritethefunctionpointer

• Overwritewithpatchcodedirectly

• Inlinehook

Samewithotherlivepatchingmethods

AdaptionChallengesSolved•Patchautomaticadaption

Patch

Devicekernelinfo

Autoadaption

Adaptedpatch

ChallengesSolvedüMostexistingworkrequiressourcecode.Phonevendoristheonlyguythatcangeneratethelivepatches

üUnabletodirectlyapplypatchestootherkernelbuilds

Vulnerable Immutable Vulnerable Immutable

SuccessfullyEvaluatedCVEs• mmapCVEs è Framaroot• CVE-2014-3153 è Towelroot• CVE-2015-0569• CVE-2015-1805 è PipeRoot• CVE-2015-3636 è PingPongRoot• CVE-2015-6640• CVE-2016-0728• CVE-2016-0805• CVE-2016-0819• CVE-2016-0844• …...

SuccessfullyEvaluatedonMostPopularPhones

GT-I8552 GT-S7572 S4 A7 SM-G5308W Grand2 Note4

C8813 P6-U06 Hornor U8825D


M7 M8Sw S720e T528d


A630t A788t A938t K30-T


DemoBeforePatch:PingPong Root succeed

AfterPatch:PingPong Root fail

RecalltheTwoProblems

• Thelongpatchingchain• Solvedbyadaptivelivepatching

• Capabilitymismatching• Tobesolvedbyajoint-effort

Exploitexistingvulnerabilitiestogainroot

Vendorcooperation&pre-embeddedkernelagent

Multi-stageVettingMechanism

Vendorqualification

Patchsecurityvetting

Reputationranking

Weneedapatchingmechanism

• powerfulenoughtoblockmostthreats;• agileenoughforquickpatchgeneration;• yetrestrictiveenoughtoconfinepossibledamagescausedbythepatches.

OurSolution-- LuaKpatch

Insertingatype-safedynamiclanguageengine (Lua)intothekerneltoexecutepatches

• Easytoupdate• NaturallyjailedinthelanguageVM• Noneedtoworryaboutmemoryoverflowetc.ofthepatches

Arguments

ExternalInputs

Arguments

ExternalInputs

pwnednormalcontrolflow

maliciousinput

Arguments

ExternalInputs

normalcontrolflow

maliciousinput

Byhookingthedatainputentriesandvalidatingtheinput,wecanblockmostofthekernelexploits.

Sowehavethefollowingrestrictions1) Thepatchcanhookatargetfunction’sentry;2) Incombinationwith1),withinthetargetfunction,thepatchcan

hooktheinvokingpointorreturningpointoffunctionsthatreturnastatuscode(e.g.,copy_from_user);

3) Thepatchcanreadanythingthatcanberead(registers,stacks,heaps,code,etc.,aslongasitdoesnottriggerfaults),butcannotmodifyoriginalkernelmemory(nowrite,andnodatacanbesentout);

4) Afterjudgingwhethertheinputismaliciousornot,thepatchcanreturnspecificerrorcodes.

1: fun(...) {2: // entry of A can be hooked3: bool result;4: struct *s;5:6: // foo is allowed to be hooked7: result = foo(...);8: if (result == E_INVALID)9: return;10:11: // bar cannot be hooked12: s = bar(...);13: if (s)14: s->fun();15: }

Arunningexampletoillustratewhichfunctionscanbehookedandwhichcannot

ImplementationofLuaKpatch

• Manypracticesfollowedfromthelunatik-ng project.• Line-of-Code(LoC)is~11K.600LoCarethecorepatchinglogic.• Compiledasa800KBkernelmodule.• Capabilityinterfaces:

o SymbolsearchingoHookingo Typedreadingo Threadinfofetching

SampleLuapatchtofixoneofthevulnerableconditionsofCVE-2014-3153,knownas“Towelroot”

EfficacyEvaluation

CVE-2012-4220 CVE-2013-6123 CVE-2015-3636CVE-2012-4221 CVE-2013-6282 CVE-2015-6619CVE-2012-4222 CVE-2014-3153 CVE-2015-6640CVE-2013-1763 CVE-2014-4321 CVE-2016-0728CVE-2013-2094 CVE-2014-4322 CVE-2016-0774CVE-2013-2596 CVE-2015-0569 CVE-2016-0802CVE-2013-2597 CVE-2015-1805 CVE-2016-2468

CVEsverifiedtobeprotectablebyLuaKpatch.MostareTypeIvulnerabilities(thosethatcanbepatchedbysimplyhookingtheentryofthevulnerablefunctions),butthehighlighted/coloredonesareTypeIIvulnerabilities(thosethatalsoneedtohooktheinvocationsthatreturnstatuscode).

EfficacyEvaluation

All21CVEscanbepatchedbyLuaKpatch.16areTypeI,and5areTypeII.So76%ofthemcanbeeasilyfixedbyhookingandcheckinginputatthefunctionentry.

TypeI16

TypeII5

ExampleI(CVE-2013-1763)

LuaKpatchcanpatchitbyhookingtheentryofthe__sock_diag_rcv_msg function,gettingthenlh argument,obtainingreq fromnlh,andthencheckingwhethertheconditionreq->sdiag_family >= AF_MAX issatisfied.Ifthisistrue,itisanexploitconditionandthepatchshouldreturnanerror.

ExampleII(CVE-2013-6123)

LuaKpatchcanpatchitbyhookingthereturningpointofthecopy_from_user invokedbymsm_ioctl_server tochecktheexploitcondition.

Demo

BeforePatch:VulnerabletoTowelroot andPingPong Root

AfterPatch:ImmunetoTowelroot andPingPong Root

PerformanceEvaluation

17473.25 17551.75 17521.4 17482

02000400060008000

100001200014000160001800020000

Normal Patched(Towelroot) Patched(PingPongRoot)

Patched(bothvulnerabilities)

CF-BenchPerformanceScore

0

20

40

60

80

100

120

Nopatch Patchedwithadirectreturn

Patchedwithaconditionalcomparison

Patchedwithamemoryread

Patchedwithmixedoperations

ExecutionTimeofchmod(Microseconds)

100.7µs +0.42µs +0.98µs +0.82µs +3.74µs

LuaKpatchvalidationcheckaddsanoverheadunder4microseconds,only4%ofachmodsystemcall.

Becausesystemcallsarenotinvokedallthetime,theimpacttotheoverallsystemperformanceshouldbeevenless.• WhenausernormallybrowsesInternetusingChromeonNexus5+Android4.4,gettimeofday wasthemostly-calledsystemcall,triggeredfor~110,000times.Theoverallperformanceoverheadcanbeestimatedas5µs*110,000/1min» 0.9%,whichisquitesmall.

As an ongoing work, we are migrating LuaKpatch to LuaJIT, which should further improve the performance.

Thepatchingcircleintheopencollaborativepatchingecosystem

Let’sfightthebadtogether!• Thenumberandthecomplexityofkernelvulnerabilitieskeepincreasing,somorejointeffortmakesiteasiertobattleagainstthem.

• IntheAdaptKpatchscheme,patchescanbevettedandcross-validatedbyqualifiedalliancemembers.

• Lastbutmostimportantly,allvendorscanjointogethertodevelopapatchingstandardinsteadofimplementingdifferentvariants.Ifdifferenthotpatchingmechanismsexist,itintroducesanotherlayeroffragmentation.

Thanks!YulongZhang,YueChen,ChenfuBao,LiangzhaoXia,

LongriZheng,YongqiangLu,LenxWeiBaiduX-LabAugust2016

adaptive kernel live patching - black hat...ice cream sandwich 15 1.7% 4.1.x jelly bean 16 6.4%...

Documents