Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adaptive Android Kernel Live Patching

Published byEustace McCoy Modified over 6 years ago

Similar presentations

Presentation on theme: "Adaptive Android Kernel Live Patching"— Presentation transcript:

1 Adaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen1, Yulong Zhang2, Zhi Wang1, Liangzhao Xia2, Chenfu Bao2, Tao Wei2 Florida State University1 Baidu X-Lab2

2 Android Kernel Vulnerabilities
Apps Java API Framework Native C/C++ Libraries Linux Kernel Android Runtime Hardware Abstraction Layer TrustZone

3 Android Kernel Vulnerabilities
Apps Java API Framework Native C/C++ Libraries Linux Kernel Android Runtime Hardware Abstraction Layer TrustZone

4 Android Kernel Vulnerabilities
Apps Java API Framework Native C/C++ Libraries Linux Kernel Android Runtime Hardware Abstraction Layer TrustZone

5 Number of Disclosed Android Kernel Vulnerabilities

6 Problem: Old Exploits Remain Effective
Number of devices vulnerable to two root exploits as of Nov. 2016 Android 5.0 released in November 2014 46.3% of devices run an older version in September 2016

7 Challenges Officially patching an Android device is a long process  Third-party Delayed/non-existing kernel source code  Binary-based

8 Challenges Severely fragmented Android ecosystem  Adaptive

9 Third-party Binary-based Adaptive Kernel Live Patching
Solution Third-party Binary-based Adaptive Kernel Live Patching Key requirements: Adaptiveness It should be adaptive to various device kernels Safety Patches should be easy to audit Their behaviors must be technically confined Timeliness Response time should be short, after disclosed vulnerability or exploit Performance The solution should not incur non-trivial performance overhead

10 Feasibility Study: Dataset
Studied 1139 Android kernels

11 Feasibility Study: Observations
Most kernel functions are stable across devices and Android releases Most vulnerabilities triggered by malicious inputs Many functions return error codes Return a pointer  ERR_PTR

12 Feasibility Study: Observations
Most kernel functions are stable across devices and Android releases Most vulnerabilities triggered by malicious inputs Many functions return error codes Return a pointer  ERR_PTR Filter them Gracefully return

13 Overall Approach: Input Validation

14 KARMA KARMA: Kernel Adaptive Repair for Many Androids
Adaptive – Automatically adapt to various device kernels Memory-safe – Protect kernel from malicious (misused) patches Multi-level – Flexible for different vulnerabilities

15 KARMA Design: Safety Patches are written in Lua, confined by Lua VM at runtime A patch can only be placed at designated locations Patched functions must return error codes or void Use existing error handling to recover from attacks A patch can read but not write the kernel memory Confined by KARMA APIs Prevent malicious (misused) patches from changing the kernel Prevent information leakage

16 KARMA Design: Multi-level Patching
A patch can only be placed at designated locations Level 1: Entry or return point of a (vulnerable) function Level 2: Before or after the call site to a callee e.g., copy_from_user Level 3: Binary-based patch 76 critical Android kernel vulnerabilities Level 1: 49/76 (64.5%) Level 2: 22/76 (28.9%) Level 3: 5/76 (6.6%)

17 Part of the official patch of CVE-2014-3153 (Towelroot)
KARMA Patch Example Part of the official patch of CVE (Towelroot)

18 More complex examples in the paper
KARMA Patch Example -EINVAL More complex examples in the paper

19 KARMA API

20 KARMA API Available to patches

21 KARMA Architecture Offline Patch Generation and Verification
Online Live Patching by KARMA Client

22 Offline Patch Adaptation

23 Offline Patch Adaptation
Three steps: Identify the vulnerable functions in the target kernel Same function but different names Inlined Check if the reference patch works for the target kernel Same function but different semantics Adapt the reference patch for the target kernel

24 Call graph based similarity comparison
Vulnerable Function Identification Example CVE (PingPong Root) Device A: ping_unhash Device B: ping_v4_unhash Func_A Func_B Func_C Func_D Func_E ping_unhash Func_A Func_B Func_C Func_D Func_E ping_v4_unhash Call graph based similarity comparison

25 Semantic Matching Check if two functions are semantically equivalent
If so, adapt the reference patch to the target kernel Syntactic matching is too strict Different compilers can generate different code with same semantics Instruction order, register allocation, instruction selection, code layout

26 Same semantics with different syntax
Semantic Matching Same semantics with different syntax

27 Same semantics with different syntax
Semantic Matching Same semantics with different syntax

28 Same semantics with different syntax
Semantic Matching Same semantics with different syntax

29 Same semantics with different syntax
Semantic Matching Same semantics with different syntax

30 Same semantics with different syntax
Semantic Matching Same semantics with different syntax

31 Semantic Matching Check if two functions are semantically equivalent
If so, adapt the reference patch to the target kernel Syntactic matching is too strict Different compilers can generate different code with same semantics Instruction order, register allocation, instruction selection, code layout Use symbolic execution to abstract these differences and adapt patches Use approximation to improve scalability (details in the paper)

32 Online Patch Application
Function entry point hooking

33 Prototype Implementation
Lua engine in kernel (11K SLOC) Simple Memory-safe Easy to embed and extend 24 years of development Semantic matching – angr

34 Evaluation: Applicability
Evaluated 76 critical vulnerabilities in the last three years Patch level: Level-1: 49 Level-2: 22 Level-3: 5

35 Evaluation: Adaptability

36 Evaluation: Adaptability
Types and frequencies of instruction opcodes

37 Evaluation: Adaptability
Number of function calls and conditional branches (to abstract CFG)

38 Evaluation: Adaptability
KARMA’s semantic matching

39 Evaluation: Performance
CF-Bench results with different patches

40 Evaluation: Performance
Execution time of chmod with different patches

41 Future Work User-space vulnerability protection
Project Treble  only partially solve the problem Lua engine in the kernel (11K SLOC) Alternative execution engines, like BPF or sandboxed binary patches Error handling code could be vulnerable Error injection to detect vulnerable error-handling code Improve semantic matching

42 Adaptive Android Kernel Live Patching
Q & A Adaptive Android Kernel Live Patching

43 Backup Slides

44 Attack TrustZone from Kernel
Example: Downgrade Attack on TrustZone (see its references)

45 Number of syntax clusters for each function
Observations Most kernel functions are stable across devices and Android releases. Cluster Number Kernel Function Number Number of syntax clusters for each function About 40% of the shared functions have only one cluster, and about 80% of them have 4 clusters or less.

46 Percentage of kernels in the largest cluster for each function
Observations Most kernel functions are stable across devices and Android releases. Kernel Function Number Percentage of kernels in the largest cluster for each function For about 60% of shared functions, the largest cluster contains more than 80% of all the kernels that have this function.

47 Symbolic Execution Challenges Practical Solution
Avoid path explosion Impact to the environment Practical Solution Non-local memory writes Function calls (and their arguments) Function return values Adaptation (e.g., mutate constants or offsets) foo(symbol_A + 4, 36) foo(symbol_A + 8, 36)

48 Evaluation: Overall Performance
Complex patch for most frequent syscall (gettimeofday) during web browsing Overall system performance overhead in this extreme situation: 0.9%

49 Example: CVE

50 Example: CVE

51 Example: CVE

52 Example: CVE

53 Example: CVE

54 Example: CVE

55 You May Also Like A time machine to locate vulnerabilities:
Pinpointing Vulnerabilities Protect your computer by encrypting memory all the time: Secure In-Cache Execution Fine-grained dynamic ASLR during runtime: Remix: On-demand Live Randomization

Download ppt "Adaptive Android Kernel Live Patching"

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS.

Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Moving Target Defense in Cyber Security

Moving Target Defense in Cyber Security
Java.  Java is an object-oriented programming language.  Java is important to us because Android programming uses Java.  However, Java is much more.

Java.  Java is an object-oriented programming language.  Java is important to us because Android programming uses Java.  However, Java is much more.
RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.

JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.

The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.
A Portable Virtual Machine for Program Debugging and Directing Camil Demetrescu University of Rome “La Sapienza” Irene Finocchi University of Rome “Tor.

A Portable Virtual Machine for Program Debugging and Directing Camil Demetrescu University of Rome “La Sapienza” Irene Finocchi University of Rome “Tor.
Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.

Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.
Carnegie Mellon Selected Topics in Automated Diversity Stephanie Forrest University of New Mexico Mike Reiter Dawn Song Carnegie Mellon University.

Carnegie Mellon Selected Topics in Automated Diversity Stephanie Forrest University of New Mexico Mike Reiter Dawn Song Carnegie Mellon University.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.

Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.

Similar presentations

Ads by Google