Observing Attacks Against Android Kernel Memory: Challenges and Solutions
Abstract
In 2023, over 300 vulnerabilities were reported in the Linux kernel. This emphasizes the need for exploit analysis aimed at understanding and protecting affected systems (including Android) from privilege escalation, data leakage, and other attacks. In this article, we address the challenges and solutions for securing Android kernel memory, and present an evaluation of the tracing and memory sanitization tools available for this operating system. This research includes performance tests of these tools and the implementation of a kernel-level proof of concept to improve memory exploit analysis, providing complete attack observation and allowing execution to continue after detection, which the state of the art does not achieve.
Published
2024-09-16
How to Cite
TORRES JÚNIOR, Cláudio; CORREIA, Jorge; PINCOVSCY, João; ZANATA, Marco; GRÉGIO, André. Observing Attacks Against Android Kernel Memory: Challenges and Solutions. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 492-507. DOI: https://doi.org/10.5753/sbseg.2024.241778.
