Android Universal Root: Exploiting Mobile GPU / Command Queue Drivers

Presented at Black Hat USA 2022, Aug. 10, 2022, 11:20 a.m. (40 minutes)

Rooting modern Android devices using kernel bugs from an unprivileged process, without any hardcoded offsets or addresses and with an almost 100% success rate, is exceptionally rare. After reporting the in-the-wild CVE-2020-0069 in MediaTek's Command Queue device driver, we conducted a security review of ImgTec's PowerVR GPU device driver, during which we discovered and reported several such rare vulnerabilities (e.g. GPU CVE-2021-39815). In total, we discovered 35+ exploitable bugs.

This talk will primarily focus on GPU hacking. There have been many vulnerability reports about other GPUs such as Mali and Adreno in the last few years, but Google received only a single report about ImgTec's PowerVR GPU. The security risks of ImgTec's PowerVR GPUs appear to have been underexplored so far, even though ImgTec may have the largest GPU market share in the Android ecosystem, as many affordable, popular devices ship with ImgTec's GPUs. In addition to Android devices, many Chromebooks also use PowerVR GPUs. This makes the discovered vulnerabilities and exploits truly cross-platform, and 10 more OEMs are affected.

In general, kernel memory management for CPUs and GPUs is complex, making it easy to produce unwanted or undefined outcomes. We will discuss the design and implementation of GPU driver technologies such as kernel APIs, memory management, kernel object lifetime, and the implementation of the OpenCL internal libraries.

We will also highlight the latest SELinux policy for limiting unprivileged interaction with ImgTec's PowerVR GPUs on devices, and how a stable bypass is achieved. We will discuss the details of the exploit and show a demo rooting a well-known PowerVR device.

Presenters:

  • Jon Bottarini - Program Manager, Google
    Jon Bottarini is a Program Manager at Google where he leads security initiatives throughout Android. Outside of work, he participates in bug bounties, having reported hundreds of security vulnerabilities to worldwide brands and organizations. Jon formerly led the federal government bug bounty programs through the Department of Defense Hack the Pentagon initiative at bug bounty vendor HackerOne.
  • Richard Neal - Staff Security Engineer, Google
    Richard Neal has been a lead on the Android Malware Research team at Google for the last 5 years, managing a group of security and software engineers working to solve problems around Android malware, and trying to do as much technical work as possible. He has 23 years of professional experience in computer security, starting in development of secure systems and then moving into vulnerability and malware analysis, as reverse engineering is fun.
  • Xingyu Jin - Security Engineer, Google
    Xingyu Jin has been a security engineer on the Google Android Security team, focusing on Android exploits and reverse engineering. He has more than 3 years of professional experience in computer security and has reported/discovered 40+ Android, Apple and Linux kernel CVEs.
