Observação de Ataques contra a Memória do Kernel Android: Desafios e Soluções
Resumo
Em 2023, foram reportadas mais de 300 vulnerabilidades no kernel Linux, corroborando a necessidade da análise de exploits para compreendê-las e proteger os sistemas afetados (inclusive Android) de escaladas de privilégio, vazamento de dados e outros ataques. Este artigo aborda os desafios e soluções para segurança da memória do kernel Android, e avalia ferramentas de tracing e sanitização de memória disponíveis para esse sistema operacional. A pesquisa inclui testes de desempenho dessas ferramentas e a implementação de uma prova de conceito em nível de kernel para melhorar a análise de exploits de memória, provendo observação completa do ataque e permitindo continuar sua execução após a detecção, o que não é alcançado pelo estado da arte.Referências
Afonso, V. M., de Geus, P. L., Bianchi, A., Fratantonio, Y., Krügel, C., Vigna, G., Doupé, A., and Polino, M. (2016). Going native: Using a large-scale analysis of android apps to create a practical native-code sandboxing policy. In Network and Distributed System Security Symposium.
Cho, H., Park, J., Oest, A., Bao, T., Wang, R., Shoshitaishvili, Y., Doupé, A., and Ahn, G.-J. (2022). Vik: practical mitigation of temporal memory safety violations through object id inspection. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS ’22), pages 271–284.
Cho, M., An, D., Jin, H., and Kwon, T. (2023). BoKASAN: Binary-only kernel address sanitizer for effective kernel fuzzing. In 32nd USENIX Security Symposium (USENIX Security 23), pages 4985–5002, Anaheim, CA. USENIX Association.
Curry, D. (2024). Android statistics (2024). [link].
CVEDetails (2024). Application sandbox. [link].
CWE (2023). 2023 cwe top 10 kev weaknesses. [link].
Gebai, M. and Dagenais, M. R. (2018). Survey and analysis of kernel and userspace tracers on linux: Design, implementation, and overhead. ACM Computing Surveys (CSUR), 51(2):1–33.
Hund, R., Holz, T., and Freiling, F. C. (2009). Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In USENIX Security Symposium.
Jay Schulist, Daniel Borkmann, A. S. (2024). Linux socket filtering aka berkeley packet filter (bpf). [link].
Jing, Y., Zhao, Z., Ahn, G.-J., and Hu, H. (2014). Morpheus: Automatically generating heuristics to detect android emulators. In Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC ’14, page 216–225, New York, NY, USA. Association for Computing Machinery.
Kang, H., Liu, G., Wu, Z., Tian, Y., and Zhang, L. (2021). A modified flowdroid based on chi-square test of permissions. Entropy, 23(2).
Kernel Development Community (2024). Kernel modules. [link].
Khan, I. (2022). Linux slub allocator internals and debugging, part 1 of 4. [link].
Lee, B., Song, C., Jang, Y., Wang, T., Kim, T., Lu, L., and Lee, W. (2015). Preventing use-after-free with dangling pointers nullification. In NDSS’15.
Liang, Z., Zou, X., Song, C., and Qian, Z. (2024). K-leak: Towards automating the generation of multi-step infoleak exploits against the linux kernel. In 31th Annual Network and Distributed System Security Symposium, NDSS.
Lin, Y., Wong, J., and Gao, D. (2023). Fa3: Fine-grained android application analysis. In Proceedings of the 24th International Workshop on Mobile Computing Systems and Applications, HotMobile ’23, page 74–80, New York, NY, USA. Association for Computing Machinery.
Lin, Z., Chen, Y., Wu, Y., Mu, D., Yu, C., Xing, X., and Li, K. (2022). Grebe: Unveiling exploitation potential for linux kernel bugs. In 2022 IEEE Symposium on Security and Privacy (SP), pages 2078–2095. IEEE.
Marco, A., Cestaro, R., Conti, M., and Losiouk, E. (2020). Mascara: a novel attack leveraging android virtualization.
McConnell, S. (2004). Code complete. Pearson Education.
Mitsunami, K. (2021). Delivering enhanced security through memory tagging extension. [link].
Nong, Y., Cai, H., Ye, P., Li, L., and Chen, F. (2021). Evaluating and comparing memory error vulnerability detectors. Information and Software Technology, 137:106614.
Or-Meir, O., Nissim, N., Elovici, Y., and Rokach, L. (2019). Dynamic malware analysis in the modern era—a state of the art survey. ACM Computing Surveys (CSUR), 52(5).
Song, D., Lettner, J., Rajasekaran, P., Na, Y., Volckaert, S., Larsen, P., and Franz, M. (2019). Sok: Sanitizing for security. In IEEE Symposium on Security and Privacy.
Sutter, T., Kehrer, T., Rennhard, M., Tellenbach, B., and Klein, J. (2024). Dynamic security analysis on android: A systematic literature review. IEEE Access.
Wu, W., Chen, Y., Xu, J., Xing, X., Gong, X., and Zou, W. (2018). FUZE: Towards facilitating exploit generation for kernel Use-After-Free vulnerabilities. In 27th USENIX Security Symposium (USENIX Security 18), pages 781–797. USENIX Association.
Zeng, K., Chen, Y., Cho, H., Xing, X., Doupé, A., Shoshitaishvili, Y., and Bao, T. (2022). Playing for {K (H) eaps}: Understanding and improving linux kernel exploit reliability. In 31st USENIX Security Symposium (USENIX Security 22), pages 71–88.
Cho, H., Park, J., Oest, A., Bao, T., Wang, R., Shoshitaishvili, Y., Doupé, A., and Ahn, G.-J. (2022). Vik: practical mitigation of temporal memory safety violations through object id inspection. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS ’22), pages 271–284.
Cho, M., An, D., Jin, H., and Kwon, T. (2023). BoKASAN: Binary-only kernel address sanitizer for effective kernel fuzzing. In 32nd USENIX Security Symposium (USENIX Security 23), pages 4985–5002, Anaheim, CA. USENIX Association.
Curry, D. (2024). Android statistics (2024). [link].
CVEDetails (2024). Application sandbox. [link].
CWE (2023). 2023 cwe top 10 kev weaknesses. [link].
Gebai, M. and Dagenais, M. R. (2018). Survey and analysis of kernel and userspace tracers on linux: Design, implementation, and overhead. ACM Computing Surveys (CSUR), 51(2):1–33.
Hund, R., Holz, T., and Freiling, F. C. (2009). Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In USENIX Security Symposium.
Jay Schulist, Daniel Borkmann, A. S. (2024). Linux socket filtering aka berkeley packet filter (bpf). [link].
Jing, Y., Zhao, Z., Ahn, G.-J., and Hu, H. (2014). Morpheus: Automatically generating heuristics to detect android emulators. In Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC ’14, page 216–225, New York, NY, USA. Association for Computing Machinery.
Kang, H., Liu, G., Wu, Z., Tian, Y., and Zhang, L. (2021). A modified flowdroid based on chi-square test of permissions. Entropy, 23(2).
Kernel Development Community (2024). Kernel modules. [link].
Khan, I. (2022). Linux slub allocator internals and debugging, part 1 of 4. [link].
Lee, B., Song, C., Jang, Y., Wang, T., Kim, T., Lu, L., and Lee, W. (2015). Preventing use-after-free with dangling pointers nullification. In NDSS’15.
Liang, Z., Zou, X., Song, C., and Qian, Z. (2024). K-leak: Towards automating the generation of multi-step infoleak exploits against the linux kernel. In 31th Annual Network and Distributed System Security Symposium, NDSS.
Lin, Y., Wong, J., and Gao, D. (2023). Fa3: Fine-grained android application analysis. In Proceedings of the 24th International Workshop on Mobile Computing Systems and Applications, HotMobile ’23, page 74–80, New York, NY, USA. Association for Computing Machinery.
Lin, Z., Chen, Y., Wu, Y., Mu, D., Yu, C., Xing, X., and Li, K. (2022). Grebe: Unveiling exploitation potential for linux kernel bugs. In 2022 IEEE Symposium on Security and Privacy (SP), pages 2078–2095. IEEE.
Marco, A., Cestaro, R., Conti, M., and Losiouk, E. (2020). Mascara: a novel attack leveraging android virtualization.
McConnell, S. (2004). Code complete. Pearson Education.
Mitsunami, K. (2021). Delivering enhanced security through memory tagging extension. [link].
Nong, Y., Cai, H., Ye, P., Li, L., and Chen, F. (2021). Evaluating and comparing memory error vulnerability detectors. Information and Software Technology, 137:106614.
Or-Meir, O., Nissim, N., Elovici, Y., and Rokach, L. (2019). Dynamic malware analysis in the modern era—a state of the art survey. ACM Computing Surveys (CSUR), 52(5).
Song, D., Lettner, J., Rajasekaran, P., Na, Y., Volckaert, S., Larsen, P., and Franz, M. (2019). Sok: Sanitizing for security. In IEEE Symposium on Security and Privacy.
Sutter, T., Kehrer, T., Rennhard, M., Tellenbach, B., and Klein, J. (2024). Dynamic security analysis on android: A systematic literature review. IEEE Access.
Wu, W., Chen, Y., Xu, J., Xing, X., Gong, X., and Zou, W. (2018). FUZE: Towards facilitating exploit generation for kernel Use-After-Free vulnerabilities. In 27th USENIX Security Symposium (USENIX Security 18), pages 781–797. USENIX Association.
Zeng, K., Chen, Y., Cho, H., Xing, X., Doupé, A., Shoshitaishvili, Y., and Bao, T. (2022). Playing for {K (H) eaps}: Understanding and improving linux kernel exploit reliability. In 31st USENIX Security Symposium (USENIX Security 22), pages 71–88.
Publicado
16/09/2024
Como Citar
TORRES JÚNIOR, Cláudio; CORREIA, Jorge; PINCOVSCY, João; ZANATA, Marco; GRÉGIO, André.
Observação de Ataques contra a Memória do Kernel Android: Desafios e Soluções. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24. , 2024, São José dos Campos/SP.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2024
.
p. 492-507.
DOI: https://doi.org/10.5753/sbseg.2024.241778.
