On Root Detection Strategies for Android Devices
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Introduction to Debugging the Freebsd Kernel
Introduction to Debugging the FreeBSD Kernel John H. Baldwin Yahoo!, Inc. Atlanta, GA 30327 [email protected], http://people.FreeBSD.org/˜jhb Abstract used either directly by the user or indirectly via other tools such as kgdb [3]. Just like every other piece of software, the The Kernel Debugging chapter of the FreeBSD kernel has bugs. Debugging a ker- FreeBSD Developer’s Handbook [4] covers nel is a bit different from debugging a user- several details already such as entering DDB, land program as there is nothing underneath configuring a system to save kernel crash the kernel to provide debugging facilities such dumps, and invoking kgdb on a crash dump. as ptrace() or procfs. This paper will give a This paper will not cover these topics. In- brief overview of some of the tools available stead, it will demonstrate some ways to use for investigating bugs in the FreeBSD kernel. FreeBSD’s kernel debugging tools to investi- It will cover the in-kernel debugger DDB and gate bugs. the external debugger kgdb which is used to perform post-mortem analysis on kernel crash dumps. 2 Kernel Crash Messages 1 Introduction The first debugging service the FreeBSD kernel provides is the messages the kernel prints on the console when the kernel crashes. When a userland application encounters a When the kernel encounters an invalid condi- bug the operating system provides services for tion (such as an assertion failure or a memory investigating the bug. For example, a kernel protection violation) it halts execution of the may save a copy of the a process’ memory current thread and enters a “panic” state also image on disk as a core dump. -
Android (Operating System) 1 Android (Operating System)
Android (operating system) 1 Android (operating system) Android Home screen displayed by Samsung Nexus S with Google running Android 2.3 "Gingerbread" Company / developer Google Inc., Open Handset Alliance [1] Programmed in C (core), C++ (some third-party libraries), Java (UI) Working state Current [2] Source model Free and open source software (3.0 is currently in closed development) Initial release 21 October 2008 Latest stable release Tablets: [3] 3.0.1 (Honeycomb) Phones: [3] 2.3.3 (Gingerbread) / 24 February 2011 [4] Supported platforms ARM, MIPS, Power, x86 Kernel type Monolithic, modified Linux kernel Default user interface Graphical [5] License Apache 2.0, Linux kernel patches are under GPL v2 Official website [www.android.com www.android.com] Android is a software stack for mobile devices that includes an operating system, middleware and key applications.[6] [7] Google Inc. purchased the initial developer of the software, Android Inc., in 2005.[8] Android's mobile operating system is based on a modified version of the Linux kernel. Google and other members of the Open Handset Alliance collaborated on Android's development and release.[9] [10] The Android Open Source Project (AOSP) is tasked with the maintenance and further development of Android.[11] The Android operating system is the world's best-selling Smartphone platform.[12] [13] Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. There are currently over 150,000 apps available for Android.[14] [15] Android Market is the online app store run by Google, though apps can also be downloaded from third-party sites. -
2019 China Military Power Report
OFFICE OF THE SECRETARY OF DEFENSE Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China ANNUAL REPORT TO CONGRESS Military and Security Developments Involving the People’s Republic of China 2019 Office of the Secretary of Defense Preparation of this report cost the Department of Defense a total of approximately $181,000 in Fiscal Years 2018-2019. This includes $12,000 in expenses and $169,000 in DoD labor. Generated on 2019May02 RefID: E-1F4B924 OFFICE OF THE SECRETARY OF DEFENSE Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China OFFICE OF THE SECRETARY OF DEFENSE Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2019 A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2000, as Amended Section 1260, “Annual Report on Military and Security Developments Involving the People’s Republic of China,” of the National Defense Authorization Act for Fiscal Year 2019, Public Law 115-232, which amends the National Defense Authorization Act for Fiscal Year 2000, Section 1202, Public Law 106-65, provides that the Secretary of Defense shall submit a report “in both classified and unclassified form, on military and security developments involving the People’s Republic of China. The report shall address the current and probable future course of military-technological development of the People’s Liberation Army and the tenets and probable development of Chinese security strategy and military strategy, and of the military organizations and operational concepts supporting such development over the next 20 years. -
Ah! Universal Android Rooting Is Back
AH! UNIVERSAL ANDROID ROOTING IS BACK Wen `Memeda` Xu @K33nTeam ABOUT ME Wen Xu a.k.a Memeda @antlr7 • Security research intern at KeenTeam • Android Roo6ng • Soware exploita6on • Senior student at Shanghai Jiao Tong University • Member of LoCCS • Vice-captain of CTF team 0ops • Rank 2rd in the world on CTFTIME AGENDA • Present Situa6on of Android Roo6ng • Awesome Bug (CVE-2015-3636) • Fuzzing • Analysis • Awesome Exploita6on Techniques • Object Re-filling in kernel UAF • Kernel Code Execu@on • Targe@ng 64bit Devices • Future PART I Present Situation PRESENT SITUATION Root for what? • Goal • uid=0(root) gid=0(root) groups=0(root) • Kernel arbitrary read/write • Cleaning • SELinux • … PRESENT SITUATION • SoC (Driver) • Missing argument sani6Za6on (ioctl/mmap) • Qualcomm camera drivers bug CVE-2014-4321, CVE-2014-4324 CVE-2014-0975, CVE-2014-0976 • TOCTTOU • Direct dereference in user space CVE-2014-8299 • Chip by chip A BIG DEAL • Universal root soluon • Universally applied bug • Confronng Linux kernel • Universally applied exploita6on techniques • One exploit for hundreds of thousands of devices • Adaptability (Hardcode) • User-friendly (Stability) • COMING BACK AGAIN! PART II Bug Hunting FUZZING Open source kernel syscall fuzzer • Trinity • hps://github.com/kernelslacker/trinity • Scalability • Ported to ARM Linux FUZZING Let’s take a look at our log when we wake up ;) • Crical paging fault at 0x200200?!! SK: PING SOCKET OBJECT IN KERNEL user_sock_fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP); 2 3 1 LIST_POISON2 == 0X200200 ping_unhash -
Practical and Effective Sandboxing for Non-Root Users
Practical and effective sandboxing for non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Abstract special tools. More importantly, all use cases neither re- quire root privilege nor require modification to the OS MBOX is a lightweight sandboxing mechanism for non- kernel and applications. root users in commodity OSes. MBOX’s sandbox usage model executes a program in the sandbox and prevents Overview MBOX aims to make running a program in a the program from modifying the host filesystem by layer- sandbox as easy as running the program itself. For exam- ing the sandbox filesystem on top of the host filesystem. ple, one can sandbox a program (say wget) by running as At the end of program execution, the user can examine below: changes in the sandbox filesystem and selectively com- mit them back to the host filesystem. MBOX implements $ mbox -- wget google.com ... this by interposing on system calls and provides a variety Network Summary: of useful applications: installing system packages as a > [11279] -> 173.194.43.51:80 > [11279] Create socket(PF_INET,...) non-root user, running unknown binaries safely without > [11279] -> a00::2607:f8b0:4006:803:0 network accesses, checkpointing the host filesystem in- ... Sandbox Root: stantly, and setting up a virtual development environment > /tmp/sandbox-11275 without special tools. Our performance evaluation shows > N:/tmp/index.html [c]ommit, [i]gnore, [d]iff, [l]ist, [s]hell, [q]uit ?> that MBOX imposes CPU overheads of 0.1–45.2% for var- ious workloads. In this paper, we present MBOX’s design, wget is a utility to download files from the web. -
Porting the QEMU Virtualization Software to MINIX 3
Porting the QEMU virtualization software to MINIX 3 Master's thesis in Computer Science Erik van der Kouwe Student number 1397273 [email protected] Vrije Universiteit Amsterdam Faculty of Sciences Department of Mathematics and Computer Science Supervised by dr. Andrew S. Tanenbaum Second reader: dr. Herbert Bos 12 August 2009 Abstract The MINIX 3 operating system aims to make computers more reliable and more secure by keeping privileged code small and simple. Unfortunately, at the moment only few major programs have been ported to MINIX. In particular, no virtualization software is available. By isolating software environments from each other, virtualization aids in software development and provides an additional way to achieve reliability and security. It is unclear whether virtualization software can run efficiently within the constraints of MINIX' microkernel design. To determine whether MINIX is capable of running virtualization software, I have ported QEMU to it. QEMU provides full system virtualization, aiming in particular at portability and speed. I find that QEMU can be ported to MINIX, but that this requires a number of changes to be made to both programs. Allowing QEMU to run mainly involves adding standardized POSIX functions that were previously missing in MINIX. These additions do not conflict with MINIX' design principles and their availability makes porting other software easier. A list of recommendations is provided that could further simplify porting software to MINIX. Besides just porting QEMU, I also investigate what performance bottlenecks it experiences on MINIX. Several areas are found where MINIX does not perform as well as Linux. The causes for these differences are investigated. -
Satisfy That Android Sweet Tooth
IBM Security Thought Leadership White Paper Satisfy that Android sweet tooth Do Android’s dessert-named updates improve device and data security enough to work for the enterprise? Satisfy that Android sweet tooth Android is ready for the enterprise. Is your continues to grow. The wide variety of Android devices enterprise ready for Android? available means that they are often a good fit for corporate- owned device programs. For example, many field-based employees need rugged Android devices built to stand up to Introduction dust, shock, vibration, rain, humidity, solar radiation, altitude, Android has long ruled the consumer market. Now, the latest and temperature extremes. Others want Android devices with security advancements from Google and device manufacturers, data capture features ideal for inventory control and warehouse and support for Android by leading EMM solution providers, operations. are expanding its presence in the enterprise. To help ensure security and compliance with industry standards and This growth comes with some unintended consequences, as government regulations, enterprises need a way to protect well as important considerations for IT. Companies are and manage the wide range of available devices, versions, and allowing employees to use their own preferred or industry- idiosyncrasies of the world’s most popular mobile operating specific devices, but IT must address the very real concerns of system. protecting corporate data and providing standardized management. It’s not a one-solution-fits-all situation. IT needs to examine its device and application landscape and decide what security and The most popular mobile platform in the world also has a management capabilities are essential in a customized volatile security record;2 however, Android’s recent, sweetly- enterprise mobility strategy. -
User-Level Infrastructure for System Call Interposition: a Platform for Intrusion Detection and Confinement
User-Level Infrastructure for System Call Interposition: A Platform for Intrusion Detection and Confinement K. Jain R. Sekar Iowa State University State University of New York Ames, IA 50014 Stony Brook, NY 11794 [email protected] [email protected] Abstract attacks launched remotely via the Internet. Such attacks may utilize a variety of techniques, e.g., exploit software er- Several new approaches for detecting malicious attacks rors in privileged programs to gain root privilege, exploit on computer systems and/or confining untrusted or ma- vulnerabilities in system configuration to access confiden- licious applications have emerged over the past several tial data, or rely on a legitimate system user to download years. These techniques often rely on the fact that when and run a legitimate-looking Trojan Horse program that in- a system is attacked from a remote location over a network, flicts damage. Intrusion detection refers to a broad range of damage can ultimately be inflicted only via system calls techniques that have been developed over the past several made by processes running on the target system. This factor years to protect against malicious attacks. A majority of has lead to a surge of interest in developing infrastructures these techniques take the passive approach of offline moni- that enable secure interception and modification of system toring of system (or user) activities to identify those activ- calls made by processes running on the target system. Most ities that deviate from the norm [1, 26, 10, 12, 17, 21] or known approaches for solving this problem have relied on are otherwise indicative of attacks [14, 18, 22]. -
Agchain: a Blockchain-Based Gateway for Permanent, Distributed, and Secure App Delegation from Existing Mobile App Markets
AGChain: A Blockchain-based Gateway for Permanent, Distributed, and Secure App Delegation from Existing Mobile App Markets Mengjie Chen Daoyuan Wu∗ The Chinese University of Hong Kong The Chinese University of Hong Kong [email protected] [email protected] Xiao Yi Jianliang Xu The Chinese University of Hong Kong Hong Kong Baptist University [email protected] [email protected] ABSTRACT policies and delist the apps as they wish. For example, Mobile app markets are emerging with the popularity of 13.7% (1,146) of the 8,359 popular apps we measured smartphones. However, they fall short in several aspects, in late 2018 have been delisted (by either the market including no transparent app listing, no world-wide app ac- or developers themselves) after one year in late 2019. cess, and even insecure app downloading. To address these P2: No world-wide and even censored access. Secondly, problems, we propose a novel blockchain-based gateway, many apps on Google Play and Apple Store are avail- AGChain, to bridge end users and app markets so that ex- able only in certain countries. Moreover, Google Play isting app markets could still provide services while users itself is being censored in some regions, causing no enjoy permanent, distributed, and secure app delegation from easy app access for the users in those affected areas. AGChain. To this end, we identify two previously underesti- P3: No enough security guarantee. Thirdly, we find that a mated challenges and propose mechanisms to significantly significant portion of third-party Android app markets reduce gas costs in our smart contract and make IPFS (Inter- do not provide secure app downloading. -
Android Malware Detection Via (Somewhat) Robust Irreversible Feature Transformations
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2020.2975932, IEEE Transactions on Information Forensics and Security IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 1 Android Malware Detection via (Somewhat) Robust Irreversible Feature Transformations Qian Han1, V.S. Subrahmanian1 and Yanhai Xiong1 1Department of Computer Science and the Institute for Security Technology and Society Dartmouth College, Hanover, NH 03755, USA As the most widely used OS on earth, Android is heavily targeted by malicious hackers. Though much work has been done on detecting Android malware, hackers are becoming increasingly adept at evading ML classifiers. We develop FARM, a Feature transformation based AndRoid Malware detector. FARM takes well-known features for Android malware detection and introduces three new types of feature transformations that transform these features irreversibly into a new feature domain. We first test FARM on 6 Android classification problems separating goodware and “other malware” from 3 classes of malware: rooting malware, spyware, and banking trojans. We show that FARM beats standard baselines when no attacks occur. Though we cannot guess all possible attacks that an adversary might use, we propose three realistic attacks on FARM and show that FARM is very robust to these attacks in all classification problems. Additionally, FARM has automatically identified two malware samples which were not previously classified as rooting malware by any of the 61 anti-viruses on VirusTotal. These samples were reported to Google’s Android Security Team who subsequently confirmed our findings. -
Ptrace, Utrace, Uprobes: Lightweight, Dynamic Tracing of User Apps
Ptrace, Utrace, Uprobes: Lightweight, Dynamic Tracing of User Apps Jim Keniston Ananth Mavinakayanahalli Prasanna Panchamukhi IBM IBM IBM [email protected] [email protected] [email protected] Vara Prasad IBM [email protected] Abstract Details of the design and implementation of uprobes form the major portion of this paper. The ptrace system-call API, though useful for many We start by discussing the current situation in the user- tools such as gdb and strace, generally proves unsat- space tracing world. Sections 2 and 3 discuss the var- isfactory when tracing multithreaded or multi-process ious instrumentation approaches possible and/or avail- applications, especially in timing-dependent debugging able. Section 4 goes on to discuss the goals that led scenarios. With the utrace kernel API, a kernel-side to the current uprobes design, while Section 5 details instrumentation module can track interesting events in the implementation. In the later sections, we put forth traced processes. The uprobes kernel API exploits some of the challenges, especially with regard to mod- and extends utrace to provide kprobes-like, breakpoint- ifying text and handling of multithreaded applications. based probing of user applications. Further, there is a brief discussion on how and where We describe how utrace, uprobes, and kprobes together we envision this infrastructure can be put to use. We fi- provide an instrumentation facility that overcomes some nally conclude with a discussion on where this work is limitations of ptrace. For attendees, familiarity with a headed. tracing API such as ptrace or kprobes will be helpful but not essential. -
Android Device Rooting Lab
SEED Labs 1 Android Device Rooting Lab Copyright c 2015 - 2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award No. 1303306 and 1318814. This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License. A human-readable summary of (and not a substitute for) the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes. 1 Overview Android devices do not allow their owners to have the root privilege on the device. This is fine for normal customers, but for users who want to make deep customizations on their devices, this is too restrictive. There are ways to overcome these restrictions, most of which require the root privilege on the device. The process of gaining the root device on Android devices is called rooting. Being able to root Android devices is a very useful skill for security experts. The objective of this lab is two-fold. First, through this lab, students will get familiar with the process of device rooting and understand why certain steps are needed. Many people can root Android devices, but not many people fully understand why things have to be done in a particular way. Second, the entire rooting mechanism involves many pieces of knowledge about the Android system and operating system in general, so it serves as a great vehicle for students to gain such in-depth system knowledge.