Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overcoming Stagefright

Published byMartin Urban Modified over 6 years ago

Similar presentations

Presentation on theme: "Overcoming Stagefright"— Presentation transcript:

1 Overcoming Stagefright
Integer Overflow Protections in Android Dan Austin May 2016

2 Agenda $ whoami Stagefright Sanitizers Sanitizers in Practice
The Future

3 $ whoami

4 $ whoami Dan Austin Google since August 2015 Android Platform Security
I work on fuzzing and fuzzing accessories! Scalable Fuzzing Smart Fuzzing Compiler-based Defenses Vulnerability Mitigations

5 Stagefright

6 Stagefright

7 Stagefright

8 Stagefright MEDIA EXTRACTORS AACExtractor AMRExtractor AVIExtractor
DRMExtractor FLACExtractor MidiExtractor MP3Extractor MPEG2PSExtractor MPEG2TSExtractor MPEG4Extractor NuMediaExtractor MatroskaExtractor OggExtractor WAVExtractor WVMExtractor

9 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor!

10 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks

11 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g

12 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g That contains a size field

13 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g That contains a size field Which is not validated

14 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided

15 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow

16 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow And memory corruption

17 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow And memory corruption And ultimately execution...

18 Vulnerability in Stagefright!!!
Vulnerability in MPEG4Extractor! Specifically in parseChunk which, well parses chunks Of type tx3g That contains a size field Which is not validated And attacker provided That results in an integer overflow And memory corruption And ultimately execution... EVERYBODY FREAK OUT!!!

19 It’s not all bad... Vulnerability Researcher provided a patch!
Android was patched in August 2015 Raised visibility of Android's Monthly Security Update Program

20 It’s not all bad... Exploitation of the stagefright vulnerability on its own was in the context of mediaserver Privesc possible with an additional exploit Led to a full re-architecture of mediaserver with security in mind Original PoC required sending an MMS Repeatedly Which is a bit noticeable

21 Integer Overflows

22 Integer Overflows Integers are kept in a container of finite space
If an arithmetic operation results in a value that can’t be fully kept in that finite space, integer overflow occurs! Example: = ?

23 Integer Overflows Example: 4294967295 + 1 = ?
Represented as 32 bit values: So = 0? 32 bits ends here +

24 Integer Overflows In C & C++:
For unsigned values: the result is taken modulo 2bits For signed values: the result is undefined Can lead to memory corruption! (CVE !!!)

25 Exploitable Integer Overflows: How do they work?

26 Exploitable Integer Overflows: How do they work?
in_buf_size is user controlled, so it can be anything...

27 Exploitable Integer Overflows: How do they work?
in_buf_size is user controlled, so it can be anything... If in_buf_size > 0xffffffef, then buf_size < in_buf_size

28 Exploitable Integer Overflows: How do they work?
in_buf_size is user controlled, so it can be anything... If in_buf_size > 0xffffffef, then buf_size < in_buf_size If buf_size < in_buf_size, then the memcpy will write past the allocated amount, resulting in memory corruption :(

29 Coding is Hard Unfortunately, the patch had a flaw…
… and exploitation was still possible. Thanks Project Zero! This is the check that was added in the patch. Unfortunately, SIZE_MAX and size are 32 bits, while chunk_size is 64 bits, which means overflow can still happen

30 UndefinedBehaviorSanitizer
C & C++ have the concept of undefined behavior Often the cause of subtle bugs... ...such as signed integer overflow… LLVM has an UndefinedBehaviorSanitizer! Which adds checks at the code generation level to detect and prevent undefined behavior Authors also included unsigned integer overflow, which is nice

31 UBSan: Integer Overflow Sanitization: How does it work?
Implemented in clang as of the CodeGen module (CGExpr & CGExprScalar) Arithmetic operation (+, -, *) detected and passed to EmitOverflowCheckedBinOp LLVM Intrinsic corresponding with the operation checks for overflow Generate code to branch to abort or handler function if an overflow is detected Overflow cannot occur!

32 What if this were applied to libstagefright?

33 Sanitizers In Practice

34 Stagefright before patch

35 Stagefright after patch v1

36 Stagefright after patch v1, sanitized

37 Stagefright before patch v1, sanitized

38 UBSan applied to libstagefright SEEMS LEGIT.
In Summary: UBSan with original patch: no integer overflow, stops exploit! UBSan with no patch: no integer overflow, stops exploit! SEEMS LEGIT.

39 UBSan: The Good

40 UBSan: The Good It would have prevented the integer overflow based stagefright vulnerabilities! It’s easy! Just add LOCAL_SANITIZE:=unsigned-integer-overflow to the Android.mk It’s applied everywhere! Catch ALL THE OVERFLOWS! It’s fun! Play whack a mole fixing all that unexploitable undefined behavior in your legacy code base, er, wait...

41 UBSan: The Bad

42 UBSan: The Bad Again, it’s applied EVERYWHERE
Even code designed to work with unsigned overflow! It’s not free: some size/execution overhead Optimized code generation for abort function placement makes debugging hard :( See ElementaryStreamQueue::dequeueAccessUnitMPEGVideo

43 UBSan: The Bad “False Positives”
UBSan is a code health tool being used as a hardening tool From a security perspective, if an overflow does not influence a memory operation in some way, it’s likely not exploitable There are lots of overflows in the Android code base that do not influence memory operations at all: Crypto operations often work modulo 2wordsize Codec operations as well while (n--)

44 UBSan: The Ugly AMR-WB encoder Legacy code
Lots of arithmetic integer overflows And stability issues… Example: “OK, Google” voice recognition Specifically, this for loop in the coder function

45 UBSan: The Ugly When no integer sanitization, clang generates NEON instructions That do not partition the data correctly With integer sanitization, clang generates normal ARM instructions Parallelization is broken by the sanitization checks Data is processed correctly ¯\_(ツ)_/¯

46 The Future

47 UBSan Runtime In Android, UBSan overflow detection results in program abort Great for security, not so good for testing LLVM upstream UBSan has a runtime library that outputs diagnostic messages instead of aborts Currently testing the UBSan runtime in Android for platform- wide detection of integer overflows! (AOSP)

48 Global Integer Domination Sanitization !!!

49 Integer Overflow Specific Fuzzing
libFuzzer makes fuzzing easy! Write a libFuzzer fuzzer Write a mutator specific to Integer Overflow bugs Include additional logic to better choose paths for further analysis ??? Profit!

50 Questions? Dan Austin

Download ppt "Overcoming Stagefright"

Similar presentations

Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS.

Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
CMPE 325 Computer Architecture II Cem Ergün Eastern Mediterranean University Integer Representation and the ALU.

CMPE 325 Computer Architecture II Cem Ergün Eastern Mediterranean University Integer Representation and the ALU.
CIS 199 Test 01 Review. Computer Hardware  Central Processing Unit (CPU)  Brains  Operations performed here  Main Memory (RAM)  Scratchpad  Work.

CIS 199 Test 01 Review. Computer Hardware  Central Processing Unit (CPU)  Brains  Operations performed here  Main Memory (RAM)  Scratchpad  Work.
15-740/18-740 Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.

1 Architectural Support for Copy and Tamper Resistant Software David Lie, Chandu Thekkath, Mark Mitchell, Patrick Lincoln, Dan Boneh, John Mitchell and.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
The Agent Based Crypto Protocol The ABC-Protocol by Jordan Hind MSE Presentation 3.

The Agent Based Crypto Protocol The ABC-Protocol by Jordan Hind MSE Presentation 3.
1 Memory Management Chapter 7. 2 Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated to ensure a reasonable.

1 Memory Management Chapter 7. 2 Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated to ensure a reasonable.
CSCE 548 Integer Overflows Format String Problem.

CSCE 548 Integer Overflows Format String Problem.
CSCI 4931 - Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.

CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.

Similar presentations

Ads by Google