Automatic Hot Patch Generation for Android Kernels
Total Page:16
File Type:pdf, Size:1020Kb
Automatic Hot Patch Generation for Android Kernels Zhengzi Xu Yulong Zhang Longri Zheng Liangzhao Xia Nanyang Technological University Baidu X-Lab Baidu X-Lab Baidu X-Lab Chenfu Bao Zhi Wang Yang Liu Baidu X-Lab Florida State University Nanyang Technological University Abstract The rapid growth of the Android ecosystem has led to the Table 1: Android version distribution (OCT 2018) fragmentation problem where a wide range of (customized) Android Major Version Release Date Percentage versions of Android OS exist in the market. This poses a se- Android 4.x Oct 2011 6.65% vere security issue as it is very costly for Android vendors Android 5.x Nov 2014 18.11% to fix vulnerabilities in their customized Android kernels in Android 6.x Oct 2015 19.96% time. The recent development of the hot patching technique Android 7.x Aug 2016 25.47% provides an ideal solution to solve this problem since it can Android 8.x Aug 2017 29.60% be applied to a wide range of Android kernels without in- terrupting their normal functionalities. However, the current Android 9.x Aug 2018 0.04% hot patches are written by human experts, which can be time- Others - 0.17% consuming and error-prone. To this end, we first study the feasibility of automatic patch for Android 6.x and below. As a result, based on the statistics generation from 373 Android kernel CVEs ranging from 2012 in Table1, 44.72% of Android devices will not receive any to 2016. Then, we develop an automatic hot patch generation security patches unless vendors can upgrade the firmware ulmet tool, named V , which produces semantic preserving hot themselves. Fig.1 provides further detailed analysis of the patches by learning from the official patches. The key idea Android patch level of the same 500 million devices. Only ulmet of V is to use the weakest precondition reasoning to 20% of the devices can catch up with the 3-month-old security transform the changes made by the official patches into the hot patch updates; only 60% of the devices can catch up with the ulmet patch constraints. The experiments have shown that V 6-month-old security patch updates; and 20% of the devices can generate correct hot patches for 55 real-world Android only have security updates more than a year ago. kernel CVEs. The hot patches do not affect the robustness of The low upgrade rate has resulted in legacy Android sys- the kernels and have low performance overhead. tems with unpatched vulnerabilities. However, Android ven- dors are not motivated to fix those vulnerabilities. It is costly 1 Introduction to apply changes to kernels, as it requires to go through te- dious testing process to ensure that the changes do not break Android platform has become the biggest mobile platform in existing functionalities[18]. Therefore, the legacy systems the modern mobile device industry. The rapid growth of the will remain vulnerable for a very long period. Attackers can Android ecosystem makes our lives convenient by bringing us leverage the known vulnerabilities to attack easily. thousands of new devices with various (customized) Android To address this known vulnerability threat, tremendous ef- operating systems. However, most of these devices cannot forts have been made to patch old Android systems. Among receive timely updates. Table1 gives the Android version all the possible solutions, the hot patch technique provides 1 distribution from 500 million devices as of October 2018 . a convenient way to fix the vulnerabilities without interrupt- The table shows that the recent release of Android Pie (9.0) in ing the normal functionalities of the program [47]. It greatly August 2018 reaches only very few devices after two months. improves the user experience since it can ensure the system However, from the August 2018’s monthly release, the An- security without rebooting the devices. Based on the hot patch droid Security Bulletin [1] stopped to carry security patches idea, Chen et al. have proposed an adaptive Android kernel 1With user consent, we collected Android versions and patch levels from live patching framework [14]. The framework hooks the vul- devices with the Baidu app installed. nerable function and applies a pre-constructed hot patch to it. 100% 16% Overall, this paper has made the following contribution: 90% 14% 1. We formally define the process of automatic hot patch 80% 12% 70% generation via learning from the semantics of the official 60% 10% 50% 8% patches. We elicit three requirements of the process and define 40% 6% its operation scopes. 30% 4% 20% 2. We conduct an empirical study by collecting, summa- 10% 2% 0% 0% rizing, and categorizing different real-world Android kernel vulnerability patches based on their behaviors and distill four 1/1/16 4/1/16 6/1/16 8/1/16 9/5/16 1/1/17 2/5/17 4/1/17 5/5/17 7/1/17 8/5/17 1/5/18 4/1/18 5/1/18 6/5/18 9/1/18 10/1/15 10/5/16 11/7/16 10/1/17 11/1/17 12/1/17 2/18/18 7/13/18 10/5/18 insights. Patch Level Patch 3. We propose an approach to automatically generate hot Number of devices with patch levels newer than this date patches, and implement a tool, named Vulmet, to simulate the Number of devices on this patch level hot patch generating process and test its performance using the vulnerabilities in the real-world legacy Android system. Figure 1: Android patch level distribution as of Oct 2018 The experiments show that the generated hot patch can fix the vulnerabilities with low overheads. The rest of the paper is organized as follows. In Section2, we define the automatic hot patch generation problem with The hot patch will block the malicious input to the function a real-world example. Next, in Section3, we conduct a sur- to ensure the security. Mulliner et al. [38] have built a frame- vey of Android vulnerability type and define the scope of the work, named PatchDroid, which can insert the hot patches patch which can be used to generate the hot patch. Then, Sec- into the binary for third-party unsupported Android kernels. tion4 presents the automatic hot patch generation framework. It checks constraints during patching the vulnerabilities to Section5 evaluates of di fferent aspects of Vulmet with dif- ensure the stability of the system. These works try to build ferent experiments. Section6 lists the related works in patch the framework to insert the hot patch into the legacy system. generation. At last, Section7 concludes the paper. However, the hot patches are still needed to be provided to the system. The framework cannot generate the patches auto- matically. 2 Automatic Hot Patch Generation Writing hot patches based on the officially released patches is challenging. At source code level, programmers can modify In this section, we define of the automatic hot patch generation any parts of the vulnerable functions to fix the bug, while in problem, state requirements and assumptions, and illustrate it binary, it is difficult to find exactly the locations to place the with an example. same modifications. To get a hot patch in the suitable place, se- curity experts are required to understand the semantics of the 2.1 Problem Definition official patch and write a corresponding hot patch. However, this is a time-consuming process and error-prone. It is not We define the automatic hot patch generation as follow: acceptable for the IT industry with the fast development cycle Given a vulnerable function F and its official patch P at and limited security budgets. Therefore, there is a need to location L, we would like to find a suitable location L0 of F develop an automatic solution to correctly convert an official in binary form to insert an automatically generated hot patch patch into a hot patch. P0, which has the same semantics as P. To this end, this paper proposes a solution to automate the In this work, to achieve the goal of hot patch generation, we hot patch generation process. We propose a proper definition have conducted a vulnerability and patch survey to collect the of the problem and set the requirements and assumptions that vulnerable functions F with the official patches P. Then, we involved. To have a complete understanding on the vulner- develop Vulmet to automatically set up the metrics to measure ability patches, we first analyze most of the Android CVEs whether a location is suitable to insert the hot patch and select 0 from the year 2012 to 2016 and categorize them based on the most suitable one as L . After that, Vulmet leverages their patching behaviors. With the insight from the analysis, the weakest precondition to transform the constraints of the we develop Vulmet, which can automatically generate hot original semantics into new constraints to form the hot patch 0 0 patches by extracting the semantics of the official patches P at L . using program analysis. Vulmet will find a suitable place in the function, build and apply a semantic equivalent hot patch 2.2 Requirements to fix the vulnerability. To test the effectiveness of Vulmet, we have generated the hot patches for real-world Android To ensure the generated hot patches are practical, we have set CVEs. The hot patches can prevent the exploits with only the requirements to measure whether it is suitable to patch little overhead on the system. Android kernels. 1 int q6lsm_snd_model_buf_alloc(struct lsm_client*client, 2 size_t len){ 3 struct cal_block_data*cal_block= NULL; 4 size_t pad_zero=0, total_mem=0; 5 ..