DOCSLIB.ORG

Remote Code Execution on Android

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Remote Code Execution on Android MASARYK UNIVERSITY FACULTY OF INFORMATICS Remote code execution on Android MASTER'S THESIS Mayank Samadhiya Chennai, Fall 2017 MASARYK UNIVERSITY FACULTY OF INFORMATICS Remote code execution on Android MASTER'S THESIS Mayank Samadhiya Chennai, Fall 2017 This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Mayank Samadhiya Advisor: Martin Stehlik i Acknowledgement I am very thankful to my organization and Government of India for giving me the opportunity to pursue Master studies at Masaryk Uni­ versity. I am thankful to RNDr. Martin Stehlik Ph.D, Mgr. Jaroslav Seděnka and Dr. Chester Rebeiro who has guided me in completion of my Master thesis. I am also thankful to Prof RNDr Václav Matyáš Ph.D. for his continuous motivation for the completion of thesis. I am also thankful to all my teachers at Masaryk University, especially Prof RNDr Václav Matyáš Ph.D., RNDr. Petr Švenda Ph. D and to all my batchmates for enabling me to learn many vital aspects of In­ formation Security. I would like to thank my wife Ritu and children Darsh and Shivay for there patience and providing me continuous encouragement and support. iii Abstract Android is an open-source platform which is widely used in smart phones, tablets and other low power applications. The security of Android has become very crucial with high increase in usage. The number of attacks on Android and their sophistication has increased exponentially in past few years. This work explores the security mecha• nism deployed by Android developers to protect their users along with few of the vulnerabilities reported recently. Further five well known vulnerabilities are chosen and are executed on vulnerable versions and patched versions on emulators and different hardware platforms. iv Keywords Android, Exploit, Integer Overflow, Integer Underflow, Libstagefright, Patch, Privilege Escalation, Remote Code Execution, Vulnerability, WebView. v Contents 1 Introduction 1 2 Android OS and Webview Component 5 2.1 Android OS Architecture 5 2.1.1 Linux Kernel 5 2.1.2 Hardware Abstraction Layer 6 2.1.3 Android Runtime 6 2.1.4 Libraries 7 2.1.5 Application Framework 7 2.1.6 Application 8 2.2 An Overview of Android Security and Vulnerabilities .... 8 2.2.1 Android Security Mechanisms 8 2.2.2 Overview of Vulnerabilities in Android 11 2.3 WebView 13 2.3.1 Creating an WebView Instance 14 2.3.2 WebView Issues and Vulnerabilities 14 2.3.3 Attack Vectors for WebView Vulnerabilities ... 16 2.4 StageFright 16 2.4.1 Stagefright Vulnerabilities 17 2.4.2 Attack Vectors for Stagefright Vulnerabilities . 18 3 Exploits Classification 19 3.1 Denial of Service (DoS) 19 3.2 Code Execution 21 3.3 Buffer Overflow 23 3.4 Memory Corruption 24 3.5 Privilege Escalation 25 4 Analysis of Selected Exploits 27 4.1 Stagefright Vulnerabilities 27 4.1.1 CVE-2015-1538 28 4.1.2 CVE-2015-3824 29 4.1.3 CVE-2015-3864 31 4.2 WebView Vulnerabilities 33 4.2.1 CVE-2016-6754 33 4.2.2 CVE-2012-6636 35 vii 5 Evaluation and Modification of Selected Exploits 37 5.1 Evaluation of Stage/right Attacks 37 5.1.1 CVE-2015-1538 37 5.1.2 CVE-2015-3824 38 5.1.3 CVE-2015-3864 41 5.2 Evaluation of Attacks on WebView 42 5.2.1 CVE-2016-6754 42 5.2.2 CVE-2012-6636 43 6 Conclusion 45 7 Future Work 47 A Exploitation Procedure for CVE-2015-1538 53 B AVD Details for Exploited Device for CVE-2015-1538 55 C Exploitation Procedure for CVE-2015-3824 57 D AVD Details for Exploited Device for CVE-2015-3824 and CVE-2015-3864 59 E Procedure to Exploit CVE-2015-3864 61 F Procedure to Exploit CVE-2012-6636 63 viii List of Tables 5.1 Stagefright Vulnerability Results 42 5.2 CVE-2016-6754 Exploit Results 43 5.3 CVE-2012-6636 Exploit Results 44 List of Figures 1.1 Exponential Increase in Vulnerabilities Found in Android - Year wise 2 1.2 Types of Vulnerabilities Discovered in Android 2 2.1 Android Stack [29] 6 2.2 Mind Map of Issues in Android Vulnerabilities [13] 11 2.3 Vulnerable Components of Android [13] 12 3.1 Types of Vulnerabilities Affected Android in Year 2016 20 xi 1 Introduction There are many platforms which are used in smart phones like An• droid, iOS, Windows, Symbian and few others. Android's share was 86.1 percent among all the mobile phones sold to end users in first quarter of 2017 [23], and the total share of Android phones is 73.05 percent in Oct, 2017 [26]. During the initial days of Android, its only purpose was to run on smart phones. But with further advancements now Android found applications in Smart TVs, Smart watches, medi• cal equipment etc [16]. With such wide usage and dependencies, the security of Android systems has also became a big matter of concern. The Figure 1.1 shows number of vulnerabilities discovered from 2009 till year 2017 (Sept.), the data has been obtained from [33]. It can be observed from the Figure 1.1 that since 2008 there is exponential in• crease in the vulnerabilities discovered in the Android systems [33] and thus the attacks on Android systems have also increased in same fashion. The Figure 1.1 is based on data obtained from CVE-MITRE, which assumes that all the reported vulnerabilities are patched soon or before reported on CVE. The major share of vulnerabilities reported and exploited is taken by Denial of Service (DoS), Code Execution, Overflow and Gain privileges, which can be seen in Figure 1.2. The Figure 1.2 also shows the types of vulnerabilities popped since 2008 and their individual shares [33]. There are very few SQL injection vulnerabilities (one) reported in Android since its origin as shown in figure 1.2. This work discuss about many vulnerabilities reported in Android systems. Different types of vulnerabilities arising from design flaws are explained in detail. Further three vulnerabilities from Stagefright media library and two from Web View component are analyzed and tested on vulnerable and patched versions. The Chapter 2 deals with the Android architecture along with its various layers and the security mechanisms in place. An overview of vulnerabilities discovered in past in various Android components are discussed and explained. At the last of this chapter, Web View component and libstagefright library of Android is discussed along with related security issues. 1 i. INTRODUCTION Figure 1.1: Exponential Increase in Vulnerabilities Found in Android - Year wise Figure 1.2: Types of Vulnerabilities Discovered in Android 2 i. INTRODUCTION In Chapter 3 different attack vectors with relation to the related vulnerabilities are discussed. Five kind of vulnerabilities along with exploit examples are discussed in this chapter. In Chapter 4 five specific vulnerabilities are studied in detail and their available exploits have been analyzed. Three of the vulnerabil• ities are from libstagefright library and two are from the Web View component of Android. In Chapter 5 the result of exploitation of vulnerabilities discussed in chapter 4 are placed. Analysis is done on the vulnerable and patched versions of Android. Further, devices from different Original Equip• ment Manufacturers (OEMs) are also considered for analysis. 3 2 Android OS and Webview Component This section deals with Android OS, its various layers, latest security mechanisms and vulnerabilities associated with every layer. Later in this section web view component of Android is discussed in detail. 2.1 Android OS Architecture Android is an open source operating system which is based on Linux and designed for mobile phones and tablets. It is also used in other small devices like smart watch, Vehicle Mounted Systems, Point of Sale (PoS) Devices, Medical Devices [16] etc. Android is more like a software stack which consists of different layers as shown in Figure 2.1 [29]. The different layers of Android are: 1. Linux kernel 2. Hardware Abstraction Layer 3. Android Runtime 4. Libraries 5. Application framework 6. Applications 2.1.1 Linux Kernel The lowest layer in Android is Linux. It provides a level of abstraction between the hardware and other layers of Android stack. The Android devices mainly use versions 3.18 or 4.4 of Linux kernel [17]. There is no direct interaction of developers and users with this layer, still this layer serves as core layer. The Linux kernel provides generic system services like: • Memory and process management • Permissions 5 2. ANDROID OS AND WEB VIEW COMPONENT ALARM • BROWSER • CALCULATOR • CALENDAR • CAMERA - CLOCK • CONTACTS • DIALER • EM AIL * HOME - IM • MEDIA PLAYER • PHOTO ALBUM * SMS/MMS • VOICE DIAL CONTENT PROVIDERS • MANAGERS (ACTIVITY. LOCATION. PACKAGE. NOTIFICATION. RESOURCE. TELEPHONY. WINDOW)' VIEW SYSTEM AUDIO MANAGER* FREETYPE'LIBC • MEDIA FRAMEWORK * CORE LIBRARIES* OPENGL'ES • ART • DALVIK VM SOLÍTE* SSL* SURFACE MANAGER* WEBKIT AUDIO • BLUETOOTH • CAMERA ' DRM • EXTERNAL STORAGE • GRAPHICS • INPUT * MEDIA • SENSORS • TV DRIVERS (AUDIO, BINDER (IPC). BLUETOOTH. CAMERA, DISPLAY, KEYPAD, SHARED MEMORY, USB, WIFI) • POWER MANAGEMENT Figure 2.1: Android Stack [29] • File and network I/Os • Device management • Device drivers 2.1.2 Hardware Abstraction Layer The Hardware abstraction layer (HAL) provides a standard method for creating software hooks (interfaces) between the Android platform and any proprietary hardware [29].
Load more

Recommended publications
  • Security Analysis of Docker Containers in a Production Environment
    Security analysis of Docker containers in a production environment Jon-Anders Kabbe Master of Science in Communication Technology Submission date: June 2017 Supervisor: Colin Alexander Boyd, IIK Co-supervisor: Audun Bjørkøy, TIND Technologies Norwegian University of Science and Technology Department of Information Security and Communication Technology Title: Security Analysis of Docker Containers in a Production Environment Student: Jon-Anders Kabbe Problem description: Deployment of Docker containers has achieved its popularity by providing an au- tomatable and stable environment serving a particular application. Docker creates a separate image of a file system with everything the application require during runtime. Containers run atop the regular file system as separate units containing only libraries and tools that particular application require. Docker containers reduce the attack surface, improves process interaction and sim- plifies sandboxing. But containers also raise security concerns, reduced segregation between the operating system and application, out of date or variations in libraries and tools and is still an unsettled technology. Docker containers provide a stable and static environment for applications; this is achieved by creating a static image of only libraries and tools the specific application needs during runtime. Out of date tools and libraries are a major security risk when exposing applications over the Internet, but availability is essential in a competitive market. Does Docker raise some security concerns compared to standard application deploy- ment such as hypervisor-based virtual machines? Is the Docker “best practices” sufficient to secure the container and how does this compare to traditional virtual machine application deployment? Responsible professor: Colin Alexander Boyd, ITEM Supervisor: Audun Bjørkøy, TIND Technologies Abstract Container technology for hosting applications on the web is gaining traction as the preferred mode of deployment.
    [Show full text]
  • The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground
    The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground Mayra Rosario Fuentes and Shiau-Jing Ding Contents TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and 4 should not be construed to constitute legal advice. The information contained herein may not be applicable to all Introduction situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing 7 herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document Overview of Exploit Developers at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise 12 related to the accuracy of a translation, please refer to the original language official version of the document. Any Overview of Exploit Demand and discrepancies or differences created in the translation are Availability not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro 16 makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree Outdated Exploits that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied.
    [Show full text]
  • Sstic-2021-Actes.Pdf
    Préface Mercredi 2 juin 2021, 8 heures du matin. Sous perfusion de café, les yeux à peine entrouverts, je suis avec le reste du comité d’organisation (CO), qui est sur les rangs et veille aux derniers détails, vérifiant que la guicheteuse et les lecteurs de badge fonctionnent. Pendant ce temps, certains irréductibles sont déjà dehors, malgré le crachin breton, prêts à se ruer pour pouvoir découvrir en premier les goodies et s’installer confortablement dans l’amphi, à leur place favorite, pour feuilleter les actes et lire la préface. On ouvre les portes, c’est parti pour le 19e SSTIC ! Fondu. Huit cents personnes dans l’amphi face à nous, je vérifie avec l’orateur invité qui fait l’ouverture que tout est prêt. Avec le trac, les spots qui m’éblouissent, je m’avance pour prononcer quelques mots et lancer la conférence... Et dire qu’il y a environ un tiers de nouveaux ! Fondu. Petit tour en régie, pour discuter avec les techniciens du Couvent et s’assurer que le streaming se passe bien. Oups, on me dit sèchement de m’éloigner de la caméra ; apparemment, les talkies-walkies qui assurent la liaison avec le reste du CO, éparpillé entre le premier rang et l’accueil, font trembler les aimants du stabilisateur... Fondu. Après la présentation des résultats du challenge, une session de rumps réussie où il a fallu courir dans l’amphi pour apporter le micro, nous voilà dans le magnifique cloître du Couvent, sous un soleil bienvenu. Les petits fours sont excellents et je vois, à l’attroupement qui se forme rapidement, que le stand foie gras vient d’ouvrir.
    [Show full text]
  • Area Efficient and Low Power Carry Select Adder Using
    International Journal of Advances in Electronics and Computer Science, ISSN(p): 2394-2835 Volume-6, Issue-7, Jul.-2019 http://iraj.in EVOLUTION OF ANDROID MALWARE OFFENSE AND ANDROID ECOSYSTEM DEFENSE 1NISHANT PANDIT, 2DEEPTI V VIDYARTHI 1Student, Defence Institute of Advanced Technology, Girinagar, Pune, Maharashtra – 411025, India 2Assistant Professor, Defence Institute of Advanced Technology, Girinagar, Pune, Maharashtra – 411025, India E-mail: [email protected], [email protected] Abstract - Android mobile devices are used more and more in everyday life. They are our cameras, wallets, and keys. Basically, they embed most of our private information in our pocket. The paper captures the journey of android malware from being mere revenue generation incentives for the malware developer to stealing the personal data of people using these devices. It also discusses how the open source nature of Android has led to fragmentation of the core Operating System among various device manufacturer which introduces additional vulnerabilities. The non-availability of official Google Play store in some countries led to the emergence of various third party Application market which are largely unregulated in terms of the application verification. Android Operating system itself has come a long way in terms of the security features and fixed vulnerabilities over the course of a decade. Our evaluation shows that the Android System has become quite robust against malware threats and automatic installation of malware is not possible without user intervention. We explore certain simple settings on android which would protect the user from malware threats on Android device. Keywords - Android System, Malware Analysis, Vulnerabilities, Android Fragmentation. I.
    [Show full text]
  • The Shadows of Ghosts Inside the Response of a Unique Carbanak Intrusion
    WHITE PAPER The Shadows of Ghosts Inside the response of a unique Carbanak intrusion By: Jack Wesley Riley – Principal, Incident Response Consultant Table of contents 1 Glossary of terms................................................................................................................ 7 2 Report summary.................................................................................................................. 8 3 Intrusion overview........................................................................................................... 13 3.1 Anatomy of attack..................................................................................................... 13 3.1.1 Phase 1: D+0...................................................................................................... 14 3.1.2 Phase 2: D+0....................................................................................................... 14 3.1.3 Phase 3: D+1 through D+3............................................................................... 16 3.1.4 Phase 4: D+3 through D+25............................................................................ 17 3.1.5 Phase 5: D+25 through D+30.......................................................................... 18 3.1.6 Phase 6: D+30 through D+44.......................................................................... 19 3.2 Detection and response............................................................................................ 19 4 Intrusion details.................................................................................................................
    [Show full text]
  • Mobile Threat
    Mobile threat February 2018 David Bird FBCS considers threats via mobile devices and explains why he thinks the future may not be so bright. The unprecedented WannaCry ransomware and subsequent Petya destruct-ware outbreaks have caused mayhem internationally. As a result of a remote execution vulnerability, malware has propagated laterally due to two basic root-causes: (a) out-dated operating systems (OS), and/or (b) in-effective patching regimes. Here we have a commonality with the mobile device domain. There are many older generation devices that have different legacy mobile OSes installed that are no longer supported or updated. Legacy connected Microsoft Pocket PC palmtops and Windows CE or Windows Mobile devices are examples of tech still being used by delivery firms and supermarkets; even though they have been end-of-extended support since 2008 and 2014 respectively. So, do we have a problem? With over two and a half billion smartphones globally in 2016, the market is anticipated to reach at least six billion by 2020 due to the convenience of mobile back-end-as-a-service. Apparently, one vulnerability is disclosed every day, in which 10 per cent of those are critical. This figure does not include the number of internet-enabled tablets that are in circulation; in 2015, there were one billion globally, and this is expected to rise to almost one and a half billion by 2018. Today both Android-centric manufacturers and Apple fight for dominance in the mobile device market - squeezing out Blackberry’s enterprise smartphone monopoly. This has resulted in unsupported Blackberry smart-devices persisting in circulation, closely followed by successive versions of Windows Phone OS - with only 10 left supported.
    [Show full text]
  • Exploiting Host-Based Vulnerabilities
    Exploiting Host-Based Vulnerabilities • Exploit Windows-Based Vulnerabilities • Exploit *nix-Based Vulnerabilities Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 1 Commonalities Among Windows-Based Vulnerabilities (Slide 1 of 2) • OSs and most applications based on C, which has no default bounds-checking. • Susceptible to buffer overflows, arbitrary code execution, and privilege escalation. • Developers need to use security best practices and unit testing. • Proprietary product, so source code is not publicly available. • Fewer reviews open the door for undiscovered weaknesses. • Complexity enables vulnerabilities to remain undetected after release. • Microsoft doesn’t patch all vulnerabilities—they release new versions. • This leaves the vulnerability unaddressed in older installations. Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2 Commonalities Among Windows-Based Vulnerabilities (Slide 2 of 2) • Servers: Network-based vulnerabilities; workstations: Application-based vulnerabilities. • Uses standard protocols and technologies. • Susceptible to cross-platform exploits. • Physical access puts hosts at greater risk. • Connecting cables to administrative console ports. • Booting to a different OS. • Using removable media. • Stealing and damaging hardware. • Social engineering is required to expose certain vulnerabilities. Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3 Windows Operating System Vulnerabilities Category Description Remote code execution Any condition that allows attackers to execute arbitrary code. Buffer or heap overflow A programming error that allows attackers to overwrite allocated memory addresses with malicious code. Denial of service Any condition that allows attackers to use resources so that legitimate requests can’t be served. A programming error that allows attackers to access a program’s memory space and hijack the normal Memory corruption execution flow.
    [Show full text]
  • Race Conditions and Dirty
    Race Condition Mooo Meltdown, DirtyCOW and more! What is a Race Condition? Race conditions are the result of code that need to happen in a certain order but have unintended consequences when they are misordered. Exploiting a race condition vulnerability: - Make instructions execute in a unintended order - Take advantage of undefined behavior History of Race Condition The term race condition has been used since 1954 in Huffman’s notes on his thesis of sequential switching circuits Did not describe the vulnerability in software, but was used to describe an event that would occur in hardware For example, suppose there is an AND gate that takes 2 inputs: A and NOT A If A were to change from false to true, the term race condition was used to describe a glitch in which there was a time lag for NOT A to change to false For a short moment, both A and NOT A will be true → results in (A AND NOT A) = True Why are Race Conditions prevalent? ● Large code bases ○ “The Linux kernel has around 27.8 million lines of code in its Git repository...” ● Writing good, error free multithreaded code is HARD ● Testing for race conditions is HARD ● New features might have unintended effects Unlimited Starbucks Credits Vulnerability discovered by Egor Homakov in 2015 When multiple requests are made to transfer points from card A to card B in a short time frame, a race condition occurs 3 non-atomic processes - check that card A has enough credits - transfer credits to card B - deduct credits from card A Thread Sequence Let’s say Card A has a balance of $5 and we want
    [Show full text]
  • Dirty COW Attack Lab 1
    SEED Labs – Dirty COW Attack Lab 1 Dirty COW Attack Lab Copyright © 2017 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award No. 1303306 and 1718086. This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License. A human-readable summary of (and not a substitute for) the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes. 1 Lab Overview The Dirty COW vulnerability is an interesting case of the race condition vulnerability. It existed in the Linux kernel since September 2007, and was discovered and exploited in October 2016. The vulnerability affects all Linux-based operating systems, including Android, and its consequence is very severe: attackers can gain the root privilege by exploiting the vulnerability. The vulnerability resides in the code of copy-on- write inside Linux kernel. By exploiting this vulnerability, attackers can modify any protected file, even though these files are only readable to them. The companion book of the SEED labs, Computer Security: A Hands-on Approach by Wenliang Du, has a detailed explanation on this vulnerability (Chapter 8). The objective of this lab is for students to gain the hands-on experience on the Dirty COW attack, understand the race condition vulnerability exploited by the attack, and gain a deeper understanding of the general race condition security problems.
    [Show full text]
  • 2017 Annual Security Roundup: the Paradox of Cyberthreats
    2017 Annual Security Roundup: The Paradox of Cyberthreats TrendLabsSM 2017 Annual Security Roundup Contents TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It 5 is not intended and should not be construed to constitute legal advice. The information contained Ransomware brings about bigger herein may not be applicable to all situations and may not reflect the most current situation. Nothing global outbreaks despite fewer contained herein should be relied on or acted major players upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify 10 the contents of this document at any time without prior notice. Adaptable threats exploit known vulnerabilities in new ways Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of 13 a translation, please refer to the original language official version of the document. Any discrepancies Amid growing awareness of the or differences created in the translation are not threat, BEC scams are still on the binding and have no legal effect for compliance or enforcement purposes. rise Although Trend Micro uses reasonable efforts to include accurate and up-to-date information 16 herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, Cryptocurrency’s meteoric ascent currency, or completeness. You agree that access to and use of and reliance on this document and inspires new mining malware and the content thereof is at your own risk.
    [Show full text]
  • OS-Level Attacks and Defenses: from Software to Hardware-Based Exploits © December 2018 by David Gens Phd Referees: Prof
    OS-LEVELATTACKSANDDEFENSES: FROMSOFTWARETOHARDWARE-BASEDEXPLOITS Dissertation zur Erlangung des akademischen Grades Doktor der Ingenieurswissenschaften (Dr.-Ing.) genehmigt durch den Fachbereich Informatik (FB 20) der Technischen Universtität Darmstadt von D AV I D G E N S aus Wiesbaden, Deutschland Gutachter: Prof. Dr.-Ing. Ahmad-Reza Sadeghi (Erstreferent) Prof. Dr. Thorsten Holz (Zweitreferent) Tag der Einreichung: 14. Dezember 2018 Tag der Disputation: 13. Februar 2019 CYSEC/System Security Lab Intel Collaborative Research Institute (ICRI-CARS) Fachbereich für Informatik Technische Universität Darmstadt Hochschulkennziffer: D17 OS-level Attacks and Defenses: from Software to Hardware-based Exploits © December 2018 by David Gens phd referees: Prof. Dr.-Ing. Ahmad-Reza Sadeghi (1st PhD Referee) Prof. Dr. Thorsten Holz (2nd PhD Referee) further phd commission members: Prof. Dr. Sebastian Faust Prof. Dr. Guido Salvaneschi Prof. Dr.-Ing. Thomas Schneider Darmstadt, Germany December 2018 Veröffentlichung unter CC-BY-SA 4.0 International https://creativecommons.org/licenses/ ABSTRACT Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming repre- senting the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed soft- ware, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and ef- fective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabil- ities to construct successful exploits.
    [Show full text]
  • Characterizing Linux-Based Malware: Findings and Recent Trends
    Highlights Characterizing Linux-based Malware: Findings and Recent Trends J. Carrillo-Mondéjar,J. L. Martínez,G. Suarez-Tangil • We show that a data-driven approach is key for modern malware forensics. We also show that understanding malware is an important step in tackling the challenges posed to digital forensics by new computing platforms, such as those in the Internet of Things (IoT). • We build an automated system to study the problem of malware in IoT systems. Our system uses both static and dynamic analysis, together with a similarity function designed to relate unknown samples to known threats. • We use our system to assist a malware expert in the process of vetting recent unknown IoT malware samples and characterizing their behavior. • We dissociate the problem of understanding Linux-based IoT malware from the IoT architecture used for malware in the wild. Characterizing Linux-based Malware: Findings and Recent Trends a < a b J. Carrillo-Mondéjar , , J. L. Martínez andG. Suarez-Tangil aAlbacete Institute of Informatics (i3a). University of Castilla-La Mancha, Albacete, Spain bDepartment of Informatics at King’s College London (KCL), London, UK. ARTICLEINFO Abstract Keywords: Malware targeting interconnected infrastructures has surged in recent years. A major factor driving Malware Forensics this phenomenon is the proliferation of large networks of poorly secured IoT devices. This is exacer- IoT bated by the commoditization of the malware development industry, in which tools can be readily Embedded Systems obtained in specialized hacking forums or underground markets. However, despite the great interest Data Analytics in targeting this infrastructure, there is little understanding of what the main features of this type of Machine Learning malware are, or the motives of the criminals behind it, apart from the classic denial of service attacks.
    [Show full text]