KSMA: Breaking Android Kernel Isolation and Rooting with ARM MMU Features

Presented at Black Hat Asia 2018, March 22, 2018, 10:15 a.m. (60 minutes)

Android 8.0 has recently been released with new kernel hardening features and stricter SELinux policy enforcement, so rooting large numbers of the newest Android devices with one single vulnerability is quite a challenge.

In this talk, we will first detail a new rooting solution, ReVent. It derives from a Use-After-Free vulnerability caused by a race condition, which affects all Android devices shipped with a >=3.18 Linux kernel and can be triggered by any untrusted application. Since many different slab objects are frequently allocated and freed on the same heap during the exploitation process, shaping the heap (heap feng shui) and achieving kernel code execution is quite challenging. We will demonstrate how the TOCTOU behaviour of the pipe subsystem can be used to gain arbitrary kernel memory overwriting. Using the old public exploitation technique of overwriting ptmx_fops to bypass PXN is undoubtedly straightforward; unsurprisingly, it can hardly defeat "Oreo" because of the PAN mitigation.

To bypass the PXN and PAN mitigations on Android 8.0, we will introduce a new kernel exploitation technique named Kernel Space Mirroring Attack (KSMA). It derives from ARM MMU features and enables an attacker to read and write kernel text/data virtual addresses from user mode (EL0) without any syscalls. Combined with the above vulnerability, the newest Android 8.0 devices can be rooted.

Another rooting solution, CPRooter, will also be detailed in this presentation. The underlying vulnerability, which affects large numbers of Qualcomm Android devices, enables an attacker to read and write the TTBRx registers. Without constructing all levels of page tables, modifying the value of any TTBRx register leads to a kernel crash. We will demonstrate how to solve this problem with ARM MMU features and construct a 100% reliable exploit chain on 64-bit Android devices using the KSMA exploitation technique.

In summary, the exploitation ideas are fresh, and the new exploitation technique KSMA against Android 8.0 that we propose has never been discussed before.

Presenters:

  • Yong Wang - Security Engineer, Pandora Lab of Ali Security, Alibaba Group
    Yong Wang (@ThomasKing2014) is a security researcher in Pandora Lab of Ali Security, focusing on Android vulnerability hunting and exploitation since 2015. In those years he has reported several vulnerabilities in Android system core components and the kernel, which were credited in multiple advisories.
  • Yang Song - Senior Security Specialist, Pandora Lab of Ali Security, Alibaba Group
    Yang Song received his Ph.D. degree in Computer Science from the University of Chinese Academy of Sciences. He is a security researcher in Pandora Lab of Ali Security, focusing on mobile vulnerability hunting and exploitation, and has reported several vulnerabilities in Android.
  • Chengming Yang - Security Specialist, Pandora Lab of Ali Security, Alibaba Group
    Chengming Yang is a Security Specialist in Pandora Lab of Ali Security. He is a contributor to Google mobile security and Huawei PSIRT security. He has reported several vulnerabilities in the Android kernel and has also successfully developed exploits for them.
  • Baozeng Ding - Senior Engineer, Pandora Lab of Ali Security, Alibaba Group
    Baozeng Ding received his Ph.D. degree from the Institute of Software, Chinese Academy of Sciences, in China. After graduating, he joined Alibaba as a senior engineer in Pandora Lab of Ali Security and focuses on hunting Android kernel and driver bugs.