Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/7/2018
04:13 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Researchers Defeat Android OEMs' Security Mitigations

At Black Hat Asia, two security experts will bypass security improvements added to Android by equipment manufacturers.

It's getting harder and harder to exploit vulnerabilities in Android, thanks to a combination of Google-enabled security mechanisms and additional protections from individual smartphone manufacturers. However, as two researchers discovered, it's still possible to break in.

Over the past few years, Google has buckled down on Android device security with new protections to reduce the number and impact of kernel-level bugs. Some of its mitigations include Stack Guard, SELinux, privileged execute never (PXN), hardened user-copy, privileged access never (PAN) emulation, and kernel address space layout randomization (KASLR).

"As far as we know, mainly mitigations are currently applied on Android kernel," explains Jun Yao, security researcher with the C0re team. "However, these mechanisms are difficult to apply to every phone due to Android fragmentation issues."

To fill the security gaps, smartphone manufacturers integrate additional mitigations into the devices they produce. Attackers need to meet certain conditions to complete an exploit on an Android phone and OEMs' extra mitigations make these conditions difficult to meet, he says.

In the second quarter of 2017, Samsung, Huawei, Oppo, and Vivo accounted for 47.2 percent of the global smartphone market share, the researchers report. Despite their standing as the world's top four Android OEMs, deep research on their security mitigations has been limited to the Samsung Knox. Yao and Lin decided to put more manufacturers' protections to the test.

At this year's Black Hat Asia conference, being held March 20-23 in Singapore, Yao and fellow Core security researcher Tong Lin will share the details of these mitigations and demonstrate how they can be stably bypassed in ways that have not been made public. One of the implementations they broke was the addr_limit checking protection on Vivo devices.

"Usually, to get root privilege on [a] target device, attackers need to be able to overwrite kernel memory," Yao explains. "The most popular way to do it is to modify the process' addr_limit."

Because the kernel checks addr_limit before the system call returns, it cannot be modified directly. The researchers had to find another way to overwrite the kernel without changing addr_limit, and they successfully did so.

"We use gadgets to overwrite the kernel without changing addr_limit," says Yao. "When we control PC in kernel mode, we force it to point to a gadget. When the gadget runs, it will overwrite a victim function pointer. And we can read or write kernel memory by calling this victim function pointer with different arguments."

They report this mitigation can be easily bypassed on a target device depending on the security mechanisms already in place.

[Learn more about breaking Android security in the Black Hat Asia session "Prison Break Season 6: Defeating the Mitigations Adopted by Android OEMs" in which Yao and Lin will demonstrate how they bypassed security protections built into Android phones.]

"It depends on specific devices," says Yao. "If PAN is enabled on a target device, I think it's difficult to bypass it. If it's not, it's easy to defeat it."

PAN emulation works with hardened usercopy, which adds bounds checking to usercopy functions that the kernel uses to transfer data from user space to kernel space memory and back. Missing or invalid bounds checking has often caused kernel vulnerabilities in the past.

Hardened usercopy functions help detect and mitigate security issues in developers' code, but they can only help if developers use them, explains Sami Tolvanen, senior software engineer for Android Security, on the Android developer blog. Features like PAN in ARM 8.1 and Supervisor Mode Access Prevention (SMAP) in x86 prevent the kernel from accessing user space directly, and ensure developers go through usercopy functions.

"I think mitigations fall into two categories," says Yao. "One is to reduce the attack surface, and the other is to make exploits harder. The mitigations we are talking about belong to the latter one." Fewer vulnerabilities lessen the chances of defeating these mitigations, he adds.

The most important thing for OEMs to do is promptly patch kernel flaws, Yao continues. He also advises using a combination of mitigations, as single mitigation is easier to bypass.

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
johnparker1
50%
50%
johnparker1,
User Rank: Apprentice
7/17/2018 | 5:04:17 PM
Good to read the post
fdhhggnfgnfgnfgmhmhgmghmhgmghmgh
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.