The Misuse of Android Unix Domain Sockets and Security Implications
Transcript of the slides
The Misuse of Android Unix Domain Sockets and Security Implications
Yuru Shao¹, Jason Ott², Yunhan Jack Jia¹, Zhiyun Qian², Z. Morley Mao¹
¹University of Michigan, ²University of California, Riverside
10/25/16
Motivation
• Android inherits IPC mechanisms from Linux
  • Sockets, signals, pipes, shared memory, etc.
• Android also has unique IPCs mainly for framework and apps' use
  • Intents, Message handler, etc.

IPC             Usage in AOSP               Documentation   Studied?
Android-unique  Framework, apps             Detailed        Yes [1][2]
From Linux      Daemons, native components  Sketchy         No

[1] Felt et al., Permission Re-Delegation: Attacks and Defenses. SECURITY 2011.
[2] Grace et al., Systematic Detection of Capability Leaks in Stock Android Smartphones. NDSS 2012.
Motivation (cont'd)
• IPCs inherited from Linux have been overlooked
  • Vulnerabilities reported (e.g., CVE-2011-1823)
• Unix domain sockets: the only Linux IPC being used by many apps and system daemons

Linux IPC        Primary usage        Bidirectional  Java APIs  Native-Java
Signals          Async notification   ✘              ✘          ✘
Netlink sockets  Kernel-userspace     ✔              ✘          ✘
Unix sockets     Userspace            ✔              ✔          ✔
Pipes            Parent-child         ✔              ✔          ✘
Contributions
• We develop SInspector for discovering misuse of Unix domain sockets
• We perform the first study of Unix domain sockets on Android
  1. Categorization of usage
  2. Existing security measures being enforced
  3. Common flaws and security implications
• We conduct an in-depth analysis and suggest countermeasures
Unix domain sockets on Android
Unix domain sockets
• For IPC between processes on the same host
• 3 address namespaces on Android
  • FILESYSTEM: address is a file path, and the file exists on the FS

Namespace   Socket file  File permissions  SEAndroid
FILESYSTEM  ✔            ✔                 N/A for apps
ABSTRACT    ✘            ✘                 N/A for apps
RESERVED*   ✔            ✔                 ✔

* RESERVED is essentially a sub-namespace of FILESYSTEM. Socket files are located under /dev/socket/.
ABSTRACT sockets are less secure, as less access control is imposed on the socket channel.
(Figure: Client and Server communicating over the socket channel)
Threat model
• A malicious app with low privilege is installed
  • Only the INTERNET permission is the must-have
  • Repackaging or building an unsuspicious exploit app
/proc/net/unix is a publicly readable file!
ABSTRACT is the default
• Android APIs by default use ABSTRACT addresses
• Possible reasons to make ABSTRACT the default
  • More reliable
  • More convenient to use
Authentication is needed
• Especially for ABSTRACT sockets
  • No file-permission access control on the socket channel
• But developers are doing badly on this
  • Lack of authentication
It covers everything but security
Detecting vulnerable apps & system daemons
Overview
• SInspector: Vetting apps and daemons for finding out potentially vulnerable ones
(Figure, funnel from top to bottom:)
Apps and daemons
→ Those using Unix domain sockets
→ Those with insecure socket addresses
→ Those having no or weak authentication
→ Potentially vulnerable apps/daemons
Highlights
Q1: Which apps are using Unix domain sockets?
Q2: How to evaluate the security of a socket address?
Q3: Which types of authentication are strong?
Apps using Unix sockets (Q1)
• INTERNET permission is required
• Unix domain socket APIs or syscalls present in an app's code
  • socket(AF_UNIX, …)
  • LocalSocket
  • LocalServerSocket
• Code is reachable at runtime
  • Unix domain socket related logic is executed at runtime
Socket address analysis (Q2)
• FILESYSTEM addresses are secure only if socket file permissions are correctly set
  • Are there any operations that change file permissions?
• Some socket addresses are not just constant strings
(Figure callouts: "A server socket listening on ABSTRACT address addr is created"; "Tracking the construction of the socket address string")
Authentication analysis (Q3)
• Authentication is the last chance to prevent unauthorized access
• Client and server can get their peer's credentials
  • PID, UID, and GID
• Look at the control dependency between r/w operations and credentials
• PID-based authentication is considered to be weak
  • Process ID allocation is nondeterministic
Implementation
• App DEX code
  • Analysis built on top of Amandroid [1]
  • Inter-component control and data flows
  • Control and data dependency
• Native code
  • Leverage IDA Pro's disassembly engine and control flow analysis
  • Only supports ARM32 and intra-procedural data flow analysis for now

[1] Fengguo Wei et al., Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps. CCS 2014.
Results & findings
Overview
• 14,644 Google Play apps (top ones in each category)
  • 3,734 (25.5%) have Unix domain socket APIs/syscalls
  • The majority (3,689) use ABSTRACT addresses
  • 45 out of 67 reported are exploitable
• 60 daemons from 3 rooted phones
  • 20 use RESERVED addresses
  • 9 out of 12 reported are exploitable
Real-world usage
1. IPC (e.g., debugging interface)
2. Implementing a watchdog
3. Realizing singleton services & global locks
  • ABSTRACT socket addresses are used exclusively
  • Could be easily DoS'ed
(Figure: App1's PushService starts a socket server listening on ADDR; App2's PushService, which shares the same library and ADDR, fails to listen on ADDR; another PushService preemptively takes ADDR)
Identified libraries
• 12 libraries were identified by socket addresses
  • 10/12 are using the ABSTRACT namespace
  • The other 2 (Amazon, OpenVPN) use FILESYSTEM
• Only Facebook Stetho has authentication

Libraries                                              Usage                   #Apps
Baidu, Tencent, Umeng, Facebook SockLock, Yandex       Singleton/Global lock   145
Facebook Stetho, QT5                                   Debugging interface     107
Sony, Samsung, Amazon, CM                              Data transmission       40
OpenVPN                                                Cmd & control           7
Weak authentication
• Qualcomm time daemon checks the client process name
  • By reading the proc file /proc/PID/comm
  • Access allowed if the client proc name contains "comm.timeservice"
• Apps are able to change their process names freely
  • Process.setArgV0(String s)
  • It's a hidden method but can still be called through Java reflection
Strong authentications
• UID/GID checks
• Username checks
• Permission checks
  • Facebook Stetho only accepts connections from adb shell
  • See if the peer has android.permission.DUMP
• Token-based checks
  • Client and server share a token through a secure channel, e.g., a permission-protected broadcast
  • Deny access if the peer doesn't own the right token
Common mistakes
• Intended to use FILESYSTEM but actually used ABSTRACT
  • ES File Explorer listens on an ABSTRACT address: /data/data/com.estrongs.android.pop/file/comm/su_port
• Socket file permissions wrongly configured
  • Hideman VPN changed socket file permissions to 777: /data/data/net.hideman/cache/OpenVpnManagementInterfaceSocket
  • LG AT daemon allows accesses from apps in the inet group
• Lack of strong peer authentication
What attackers can do
• Privilege escalation
  • LG AT daemon, etc.
  • Turn on/off SIM card, factory reset phone
• Data injection
  • KingRoot, etc.
  • Grant any app root access
• Data theft
  • Samsung health library, etc.
• DoS
  • Baidu push, etc.
Case study: KingRoot
(Figure, sequence diagram:)
/system/bin/su → KingRoot: Requesting root (KingRoot is listening on …/files/.socketXXX)
KingRoot → decision component: Asking for decision
Decision component: Looking up policies or notifying the user
Decision component → KingRoot: Sending "ALLOW"/"DENY"
KingRoot → /system/bin/su: Root access granted/denied
Malicious app → KingRoot: Injecting "ALLOW" → Root granted
1. Socket file permissions wrongly configured
2. No authentication when accepting the root request decision
Mitigations
• More fine-grained SEAndroid domain assignment
  • Currently all 3rd-party apps belong to untrusted_app
  • They can access each other's socket channels
• System daemons
  • Implement a proxy service for talking to the daemon and performing authentication
(Figure: App → Intent → System Service (checking app permission) → Unix domain socket → Daemon (checking system UID); direct access from the app to the daemon is denied)
Mitigations (cont'd)
• Apps exposing functionalities to other apps
  • The server doesn't know who the potential client apps are
• UID/GID-based authentication is not applicable
  • A secure way to exchange a token is desired
    • Secure Android IPC such as broadcast
(Figure: Client App → Server App: Requesting token; Server App: Asking for user decision; Server App → Client App: Replying with a token; subsequent communication over the Unix domain socket)
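The two strong checks recommended on the "Strong authentications" and "Mitigations (cont'd)" slides, as an added example that is not part of the paper or SInspector: a UID/GID check using the kernel-attested peer credentials (SO_PEERCRED), and a token check for servers whose clients cannot be known in advance. It is written for Linux and exercised over a socketpair so it runs without an Android device; the token hand-off over a permission-protected broadcast is assumed to happen out of band and is represented by `issue()`. The names `peer_credentials`, `authorize_by_credentials`, `TokenGate` and `run_demo` are this example's own.

```python
# Added example, not from the paper or SInspector. Linux-only: SO_PEERCRED
# is the kernel-attested (pid, uid, gid) of the peer, which the peer cannot
# forge, unlike a process name read from /proc/PID/comm.
import hmac
import os
import secrets
import socket
import struct


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process on the other end of an AF_UNIX socket.
    The kernel records these at connect()/listen()/socketpair() time."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def authorize_by_credentials(sock, allowed_uids=(), allowed_gids=()):
    """UID/GID check: accept only peers whose uid or gid is on an allow-list.
    Suits a fixed, known client set (e.g. a system UID); for arbitrary
    client apps the server needs the token check below instead."""
    _pid, uid, gid = peer_credentials(sock)
    return uid in allowed_uids or gid in allowed_gids


class TokenGate:
    """Token-based check. The token is handed to a legitimate client over a
    channel the attacker cannot read (the slides suggest a permission-protected
    broadcast); here issue() stands in for that delivery (assumption)."""

    def __init__(self):
        self._token = secrets.token_bytes(32)

    def issue(self):
        return self._token

    def authorize(self, presented):
        # Constant-time comparison: a partial match leaks no timing signal.
        return hmac.compare_digest(self._token, presented)


def run_demo():
    """Run both checks over a socketpair. For a socketpair, SO_PEERCRED returns
    the credentials of the creating process, i.e. this one."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        my_uid = os.getuid()
        results = {
            "uid_allowed": authorize_by_credentials(server, allowed_uids=(my_uid,)),
            "uid_denied": authorize_by_credentials(server, allowed_uids=(my_uid + 1,)),
        }
        gate = TokenGate()
        client.sendall(gate.issue())  # legitimate client presents its token
        results["token_ok"] = gate.authorize(server.recv(32))
        results["token_bad"] = gate.authorize(b"\x00" * 32)  # wrong token
    finally:
        server.close()
        client.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

On a real server the credential check runs right after `accept()`, before any request data is read, which is the control dependency between credentials and r/w operations that the Q3 analysis looks for.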
Summary
• We performed the first study on Unix domain sockets on Android
• Presented a tool for detecting potentially vulnerable apps and daemons
• Reported high-severity vulnerabilities
• Conducted in-depth analysis and discussed mitigations
Scan to watch demos
Demos
1. Exploiting KingRoot to gain root access
2. Exploiting ES File Explorer to modify a system file
3. Exploiting LG AT daemon to factory reset a phone
Thank you
• Q/A
Dynamic analysis for daemons (Q2)
• We cannot pull binaries out without root
• Once we have root access we can collect a lot more runtime information about sockets
  • We don't need to worry about coverage
(Figure, steps:)
Enumerating all sockets in listening state
→ Trying to connect to them one by one
→ The socket channel is securely protected if the connection failed due to insufficient permission
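The first step of this dynamic analysis, and the namespace classification from the "Unix domain sockets" and "Common mistakes" slides, as an added example that is not part of the paper or SInspector: it parses a /proc/net/unix listing, keeps the sockets in listening state, maps each address to FILESYSTEM, ABSTRACT or RESERVED, and flags the socket-file permission mistakes the slides describe (a world-accessible socket file, a file open to the inet group that every INTERNET app belongs to, and a path-like name bound in the abstract namespace). The listing and the file ownership data are constructed, not captured from a device, and the function names are this example's own.

```python
# Added example, not from the paper or SInspector. The listing and the
# stat data below are constructed to resemble the cases on the slides.
import stat

# Constructed /proc/net/unix excerpt. Column order is the kernel's:
# Num RefCount Protocol Flags Type St Inode Path; abstract addresses are
# printed with a leading '@'. The fourth line is a connected (non-listening)
# socket and must be ignored.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /dev/socket/atd
0000000000000000: 00000002 00000000 00010000 0001 01 12346 @com.example.push.lock
0000000000000000: 00000002 00000000 00010000 0001 01 12347 @/data/data/com.example.fm/files/comm/su_port
0000000000000000: 00000003 00000000 00000000 0001 03 12348 /data/data/com.example.vpn/cache/mgmt
0000000000000000: 00000002 00000000 00010000 0001 01 12349 /data/data/com.example.vpn/cache/mgmt
"""

# Constructed stat results for the socket files: path -> (mode bits, group name).
SAMPLE_FILE_INFO = {
    "/dev/socket/atd": (0o660, "inet"),                        # srw-rw---- system inet
    "/data/data/com.example.vpn/cache/mgmt": (0o777, "u0_a123"),  # chmod 777 by the app
}

SO_ACCEPTCON = 0x00010000  # Flags bit set on sockets in listening state


def parse_proc_net_unix(text):
    """Return [{'inode', 'path'}] for every named socket in listening state."""
    listening = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 8:                      # unnamed socket: no Path column
            continue
        if int(fields[3], 16) & SO_ACCEPTCON:
            listening.append({"inode": int(fields[6]), "path": fields[7]})
    return listening


def classify_address(path):
    """Map a Path value to the slides' three namespaces."""
    if path.startswith("@"):
        return "ABSTRACT"
    if path.startswith("/dev/socket/"):
        return "RESERVED"
    return "FILESYSTEM"


def assess(path, mode=None, group=None):
    """Findings for one listening socket. mode/group come from stat() of the
    socket file and apply only to FILESYSTEM/RESERVED addresses."""
    findings = []
    if classify_address(path) == "ABSTRACT":
        findings.append("ABSTRACT: no file permissions on the channel, peer authentication required")
        if path[1:].startswith("/"):
            findings.append("path-like abstract name: FILESYSTEM was probably intended")
        return findings
    if mode is None:
        return findings
    rw_other = stat.S_IROTH | stat.S_IWOTH          # connect() needs read+write
    if mode & rw_other == rw_other:
        findings.append("socket file is world-accessible")
    rw_group = stat.S_IRGRP | stat.S_IWGRP
    if group == "inet" and mode & rw_group == rw_group:
        findings.append("group inet: reachable by every app holding INTERNET")
    return findings


def audit(text, file_info):
    """Run the checks over a listing; returns path -> list of findings."""
    report = {}
    for sock in parse_proc_net_unix(text):
        mode, group = file_info.get(sock["path"], (None, None))
        report[sock["path"]] = assess(sock["path"], mode, group)
    return report


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_PROC_NET_UNIX, SAMPLE_FILE_INFO).items():
        print(path, classify_address(path), findings or ["no finding"])
```

The slides' second step, connecting to each socket in turn, is what turns these static findings into confirmed reachability: a FILESYSTEM socket whose connect() fails with a permission error is protected by its file mode, while an ABSTRACT socket always accepts the connection and must authenticate the peer itself.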
Limitations
• Human effort required for validating vulnerabilities
• We may have false negatives
  • Encrypted/packed daemons cannot be analyzed
  • We are unable to handle dynamically loaded code
  • Lack of ground truth to evaluate false negatives
Case study: LG AT daemon
• LG AT daemon listens on /dev/socket/atd
• All apps having the INTERNET permission belong to Linux user group inet
• No SEAndroid policy enforced, no authentication
• CVE-2016-3360

$ ls -l /dev/socket/atd
srw-rw---- system inet