Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone

Presented at Black Hat USA 2019, Aug. 7, 2019, 10:30 a.m. (25 minutes).

Though researchers have found lots of vulnerabilities in Stagefright framework for audio/video codecs on Android smartphones, all these vulnerabilities are in the software implementation of the AOSP. However, almost all smartphone chip manufacturers utilize the hardware implementation decoders to improve the performance and reduce battery consuming. For example, a complex video format, such as h264 or h265, will be given priority to decode by the hardware decoders.

Therefore, lots of questions about hardware decoder remain unanswered. How does it work? What's the security status and overall impact to the whole system? What about the attack surface and mitigation? Can we find any vulnerabilities and exploit it? Our research will answer these questions.

We focus on the hardware decoder named Venus on Qualcomm based smartphone. Venus is the dedicated video hardware decoder, which is a subsystem like Baseband, WLAN. This presentation will describe the architecture, the work principle, and the attack surface of Venus. Then we'll describe how to defeat the secure boot and setup the live debugger. Finally, we'll describe the vulnerabilities we found and how to exploit Venus remotely.

Nowadays, there are plenty of security features and mitigations on the application processor of Android. For a real attack from the browser, we should gain arbitrary code execution first, escape from the sandbox, then break down the userspace application isolation. Finally, if we are lucky enough, we could escalate privilege into a process that can touch something like the device node exposed by the Kernel. The whole process can be a long journey.

However, by attacking the hardware decoder, we can bypass all these defenses directly. In the hardware decoder, we have DMA, IO Port, shared memory with other processor, and messages with Kernel. There are plenty of attack surfaces into the Kernel and left behind security features like the Maginot Line.


Presenters:

  • Xiling Gong - Senior Security Researcher, Tencent Blade Team
    Xiling Gong is a senior security researcher of Tencent Blade Team. He's an Android vulnerability hunter and has discovered many Android vulnerabilities. He is the speaker of CanSecWest 2018. Now he is focusing on Qualcomm firmware security, including Baseband, WLAN, Video/Audio Hardware Decoder.
  • Peter Pi - Senior Security Researcher, Tencent Blade Team
    Peter Pi is a Senior Security Researcher of Tencent Blade Team. He has discovered many vulnerabilities of vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. He was the #1 researcher of Google Android VRP in year 2016. He has spoken at many famous security conferences such as BlackHat, ConSecWest, HITB GSEC and Hitcon.

Links:

Similar Presentations: