Beyond Root

Upload: duongkien

Post on 06-Sep-2018


TRANSCRIPT

Page 1: Beyond Root - qualcomm.com · •offline kernel analysis for each vendor kernel/device we support •If not found, use our own fallback implementation •Audit structure offsets •Locate

Beyond Root

Page 2

About us

• 3+ yrs of Android rooting

  • Ping-Pong Root (CVE-2015-3636)

  • Pipe-iovec root (aka iovyroot, CVE-2015-1805)

  • Bypassing KNOX on Samsung Galaxy S6/S7

  • First root on Samsung Galaxy S7

  • …

• Two nominations for Pwnie Awards

  • For Ping-Pong root and Pipe-iovec root

Page 3

But not today

• Root for fun vs. Root for profit

• There is no fun in malware

Source: Softpedia News

Page 4

Profitable Business Model

(diagram; labels: Backend, Develop SDK, Report, Pay per use)

Page 5

Fast Learning, …

• …profit-driven malware “community”

• Early 2016 – FramaRoot, put_user, TowelRoot, etc.

• Late 2016 – PingPong Root, IovyRoot, etc.

  • Took us 2 years to get there…

Source: https://www.youtube.com/watch?v=pB7xOnBybgU

Page 6

Plenty of Easy Targets

(bar chart: Est. Vulnerable Devices (K devices, end of 2017); bars for Dirty Cow (64), Iovy (32), Iovy (64), Ping-Pong (32), Ping-Pong (64); y-axis 0 to 16000)

Page 7

Don’t be an Ostrich

• Vulnerabilities are there

• (Most) users can’t fix them without OTA

• We can if users choose to root their phone

  • Good guys get the upper hand

• Proactive defense implemented by vendors

  • Pointer authentication

  • Samsung KNOX RKP

  • Huawei

  • YunOS

  • …

Page 8

addr_limit Verification

Syscall entrance
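What such a check looks like, as an added example written for this page (it is not code from the slides or from any vendor kernel): a user-space model of thread_info.addr_limit, the access_ok() test that relies on it, and a verification at syscall entrance that fails closed whenever addr_limit is no longer USER_DS. The names follow the Linux kernel's, but the structure and constants are simplified stand-ins; a 39-bit arm64 user address space is assumed.

```c
/* Added example: user-space model of the addr_limit check at syscall
 * entrance.  Names follow Linux, but thread_info and the constants are
 * simplified stand-ins (arm64 with 39-bit user VA is assumed). */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define USER_DS   ((uintptr_t)1 << 39)   /* top of user space (assumed 39-bit VA) */
#define KERNEL_DS ((uintptr_t)~0ULL)     /* "everything is accessible" */

/* Simplified thread_info: only the field these exploits target. */
struct thread_info {
    unsigned long flags;
    uintptr_t     addr_limit;
};

/* Model of access_ok(): the whole range must lie below the task's limit. */
static bool access_ok(const struct thread_info *ti, uintptr_t addr, size_t size)
{
    uintptr_t end;
    if (__builtin_add_overflow(addr, size, &end))
        return false;
    return end <= ti->addr_limit;
}

/* Model of the vendor check: a task entering a syscall with addr_limit !=
 * USER_DS has had its thread_info corrupted (set_fs(KERNEL_DS) is never
 * supposed to be live across a return to user mode).  0 = clean, -1 = tampered. */
static int addr_limit_verify(const struct thread_info *ti)
{
    return ti->addr_limit == USER_DS ? 0 : -1;
}

/* What Ping-Pong / iovyroot style exploits do with their write primitive:
 * flip addr_limit so copy_to_user()/copy_from_user() accept kernel pointers. */
static void corrupt_addr_limit(struct thread_info *ti)
{
    ti->addr_limit = KERNEL_DS;
}

/* One modelled syscall: run the entrance check, then evaluate the access.
 * 0 = access allowed, -1 = access_ok() rejected it, -2 = tampering detected. */
static int syscall_read_kernel(struct thread_info *ti, uintptr_t kptr, size_t len)
{
    if (addr_limit_verify(ti) != 0)
        return -2;
    return access_ok(ti, kptr, len) ? 0 : -1;
}

int main(void)
{
    struct thread_info ti = { .flags = 0, .addr_limit = USER_DS };
    uintptr_t kaddr = 0xffffffc000080000ULL;   /* a typical arm64 kernel text VA */

    printf("clean task, kernel pointer:      %d\n", syscall_read_kernel(&ti, kaddr, 8));
    corrupt_addr_limit(&ti);
    printf("after set_fs(KERNEL_DS), access_ok alone: %d\n", access_ok(&ti, kaddr, 8));
    printf("same, with the entrance check:   %d\n", syscall_read_kernel(&ti, kaddr, 8));
    return 0;
}
```

The point of placing the comparison at syscall entrance rather than only at return to user mode is that the exploit's next syscall after the overwrite is exactly the one that tries to use the widened limit, so the check catches the task before the first kernel read.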

Page 9

Kernel Stack Randomization

- (Seems to be) HW random generator based

- Defeats JOP chains operating on the kernel stack

Page 10

This Shall Benefit More Users

• Introducing XMod

  • Originally named “root killer”

• Prototype developed after Ping-Pong root

• Detect and defeat root attempts

• Adaptive kernel probe

Page 11

XMod Adaptive Hooking Framework

• Why adaptive?

  • Fragmented Android ecosystem

  • Some symbols may be missing or renamed

  • Some data struct layouts may change

• Make it adaptive

  • Manually locate volatile symbols

  • Offline kernel analysis for each vendor kernel/device we support

  • If not found, use our own fallback implementation

  • Audit structure offsets

  • Locate specific struct layout pattern in memory

  • Use heuristic method to guess the offset

  • Decode function code snippet to compute the offset
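One way to implement the "decode function code snippet to compute the offset" step, as an added example that is not XMod's code: instead of hard-coding a field offset per vendor kernel, decode the load that reads the field inside a known function and take the immediate from it. arm64 is assumed here (the slides cover arm32 as well), and the snippet get_addr_limit is constructed by hand for this example rather than taken from a real kernel.

```c
/* Added example: recover a struct field offset by decoding the arm64
 * "LDR/STR (unsigned immediate)" instruction that accesses the field.
 * The snippet at the bottom is constructed, not lifted from a real kernel. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct ldst { unsigned rn, rt, offset, width; };

/* Decode one arm64 LDR/STR (unsigned immediate) word.
 * Layout: size(2) 111 V(=0) 01 opc(2) imm12 Rn(5) Rt(5).
 * imm12 is scaled by the access size, so byte offset = imm12 << size.
 * Returns 1 and fills *d on match, 0 for any other instruction. */
static int decode_ldst_uimm(uint32_t insn, struct ldst *d)
{
    if ((insn & 0x3F000000u) != 0x39000000u)
        return 0;
    unsigned size = insn >> 30;
    d->width  = 1u << size;
    d->offset = ((insn >> 10) & 0xFFFu) << size;
    d->rn     = (insn >> 5) & 0x1Fu;
    d->rt     = insn & 0x1Fu;
    return 1;
}

/* Scan the first n words of a function for the first load/store of the
 * wanted width whose base register is 'base' (the register holding the
 * struct pointer at that point).  Returns the byte offset, or -1. */
static long find_field_offset(const uint32_t *insns, size_t n,
                              unsigned base, unsigned want_width)
{
    for (size_t i = 0; i < n; i++) {
        struct ldst d;
        if (decode_ldst_uimm(insns[i], &d) && d.rn == base && d.width == want_width)
            return d.offset;
    }
    return -1;
}

/* Constructed snippet standing in for a helper that returns
 * current_thread_info()->addr_limit (arm64 keeps 'current' in SP_EL0). */
static const uint32_t get_addr_limit[] = {
    0xD5384100, /* mrs x0, sp_el0    ; x0 = current            */
    0xF9400401, /* ldr x1, [x0, #8]  ; x1 = ->addr_limit, off 8 */
    0xAA0103E0, /* mov x0, x1                                   */
    0xD65F03C0, /* ret                                          */
};

int main(void)
{
    long off = find_field_offset(get_addr_limit, 4, /*base=*/0, /*width=*/8);
    printf("addr_limit offset recovered from code: %ld\n", off);
    return off < 0;
}
```

The same decoder handles 32-bit fields (a `ldr w2, [x0]` reading thread_info.flags decodes to width 4, offset 0), so one routine serves every offset the hook layer has to audit; a result that is not a multiple of the field width, or is implausibly large, is the signal to fall back to the slide's heuristic search.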

Page 12

Offline Kernel Analysis

• Symbols: https://github.com/nforest/droidimg

  • Now with ida7, radare2 and kaslr support 8-)

• 3 steps:

  • Identify arch (arm32 or 64)

  • Identify address table (according to arch detection)

  • Unpack name table

• With symbols, we can further detect

  • Critical offsets

  • Non-exported data structures (ptmx_fops for example)
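The three steps above, as an added example that is not droidimg's code: a tiny constructed kernel image that mimics the kallsyms blobs a pre-4.6 kernel emits (absolute kallsyms_addresses, kallsyms_num_syms, kallsyms_names, kallsyms_markers, kallsyms_token_table, kallsyms_token_index) is scanned for the longest sorted run of kernel virtual addresses, which fixes both the pointer width (used here as the arch guess, an assumption of this example) and the address table; the names are then expanded through the token table. Real images need a minimum run length in the tens of thousands instead of the 4 used on the sample.

```c
/* Added example (not droidimg): locate kallsyms in a headerless kernel image
 * and unpack the symbol names.  Pointer width 8 = arm64, 4 = arm32 is an
 * assumption; the image built at the bottom is constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define IMG_MAX 4096
#define MAX_SYMS 64
#define NAME_LEN 64
struct image { uint8_t b[IMG_MAX]; size_t len; };
struct kallsyms {
    int width; size_t addr_off, num_syms;
    uint64_t addr[MAX_SYMS]; char type[MAX_SYMS]; char name[MAX_SYMS][NAME_LEN];
};
static uint64_t rd(const uint8_t *p, int width) {           /* little-endian read */
    uint64_t v = 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static int kernel_va(uint64_t v, int width) {               /* arm64 TTBR1 / arm32 PAGE_OFFSET */
    return width == 8 ? (v >> 40) == 0xffffffULL : v >= 0xc0000000ULL;
}
/* Steps 1+2: the longest sorted run of kernel VAs of a given width is the table. */
static int find_addr_table(const struct image *im, int width, size_t min_run,
                           size_t *off, size_t *count) {
    for (size_t s = 0; s + width <= im->len; s += width) {
        size_t n = 0; uint64_t prev = 0, v;
        while (s + (n + 1) * width <= im->len &&
               kernel_va(v = rd(im->b + s + n * width, width), width) && v >= prev)
            prev = v, n++;
        if (n >= min_run) { *off = s; *count = n; return 1; }
    }
    return 0;
}
/* Step 3: verify num_syms, walk names and markers to the token tables, expand. */
static int parse_kallsyms(const struct image *im, size_t min_run, struct kallsyms *ks) {
    size_t off = 0, n = 0, p, q; int width = 0;
    if (find_addr_table(im, 8, min_run, &off, &n)) width = 8;
    else if (find_addr_table(im, 4, min_run, &off, &n)) width = 4;
    if (!width || n > MAX_SYMS) return -1;
    p = off + n * width;
    if (rd(im->b + p, width) != n) return -2;               /* kallsyms_num_syms must match */
    q = p += width;                                         /* q = kallsyms_names */
    for (size_t i = 0; i < n; i++) p += 1 + im->b[p];       /* each name: len, token bytes */
    p = (p + width - 1) / width * width;
    p += (n + 255) / 256 * width;                           /* skip kallsyms_markers */
    const char *tok = (const char *)im->b + p;              /* kallsyms_token_table */
    for (int i = 0; i < 256; i++) p += strlen((const char *)im->b + p) + 1;
    p = (p + width - 1) / width * width;
    const uint8_t *idx = im->b + p;                         /* kallsyms_token_index (u16) */
    for (size_t i = 0; i < n; i++) {
        size_t len = im->b[q++], o = 0; char *out = ks->name[i];
        for (size_t j = 0; j < len; j++, q++) {
            const char *t = tok + rd(idx + 2 * im->b[q], 2);
            if (o + strlen(t) >= NAME_LEN) return -3;
            memcpy(out + o, t, strlen(t)); o += strlen(t);
        }
        out[o] = 0; ks->type[i] = out[0]; memmove(out, out + 1, o);  /* lead byte = type */
        ks->addr[i] = rd(im->b + off + i * width, width);
    }
    ks->width = width; ks->addr_off = off; ks->num_syms = n;
    return 0;
}
static uint64_t lookup(const struct kallsyms *ks, const char *name) {
    for (size_t i = 0; i < ks->num_syms; i++)
        if (strcmp(ks->name[i], name) == 0) return ks->addr[i];
    return 0;
}
/* Constructed arm64 image in the order scripts/kallsyms.c emits the blobs.
 * Token 1 = "sys_", token 2 = "_fops", every other token i is the byte i. */
static void put(struct image *im, uint64_t v, int width) {
    for (int i = 0; i < width; i++) im->b[im->len++] = (uint8_t)(v >> (8 * i));
}
static void build_sample_image(struct image *im) {
    static const uint64_t addrs[4] = { 0xffffffc000080000ULL, 0xffffffc0000b1234ULL,
                                       0xffffffc000c00000ULL, 0xffffffc000c00100ULL };
    static const uint8_t names[4][11] = {
        { 6, 'T','s','t','e','x','t' }, { 6, 'T',1,'o','p','e','n' },
        { 6, 'd','p','t','m','x',2 },   { 10, 'D','p','r','o','c','_','r','o','o','t' } };
    uint16_t index[256]; size_t base;
    im->len = 0;
    put(im, 0, 8); put(im, 0, 8);                              /* leading junk */
    for (int i = 0; i < 4; i++) put(im, addrs[i], 8);          /* kallsyms_addresses */
    put(im, 4, 8);                                             /* kallsyms_num_syms */
    for (int i = 0; i < 4; i++)                                /* kallsyms_names */
        for (int j = 0; j <= names[i][0]; j++) put(im, names[i][j], 1);
    while (im->len % 8) put(im, 0, 1);
    put(im, 0, 8);                                             /* kallsyms_markers */
    base = im->len;                                            /* kallsyms_token_table */
    for (int i = 0; i < 256; i++) {
        const char *t = i == 1 ? "sys_" : i == 2 ? "_fops" : NULL;
        index[i] = (uint16_t)(im->len - base);
        if (t) for (; *t; t++) put(im, (uint8_t)*t, 1);
        else if (i) put(im, (uint8_t)i, 1);
        put(im, 0, 1);
    }
    while (im->len % 8) put(im, 0, 1);
    for (int i = 0; i < 256; i++) put(im, index[i], 2);        /* kallsyms_token_index */
}
int main(void) {
    struct image im; struct kallsyms ks;
    build_sample_image(&im);
    if (parse_kallsyms(&im, 4, &ks) != 0) return 1;
    for (size_t i = 0; i < ks.num_syms; i++)
        printf("%016llx %c %s\n", (unsigned long long)ks.addr[i], ks.type[i], ks.name[i]);
    printf("ptmx_fops @ %llx\n", (unsigned long long)lookup(&ks, "ptmx_fops"));
    return 0;
}
```

The num_syms comparison right after the run is the cheap sanity check worth keeping on real images: a false run (page tables, relocation tables) will almost never be followed by its own length. Kernels built with CONFIG_KALLSYMS_BASE_RELATIVE (4.6 and later) store 32-bit offsets plus a base instead of absolute addresses, so the run detector has to be taught that layout separately.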

Page 13

Why We Invented Our Own Wheels

• More than one hooking framework in the kernel

  • Kprobes - Non-disruptive dynamic kernel routine prober

  • ftrace - Versatile kernel internal activity inspector

• Two hindrances to using them in XMod

  • Availability – optional kernel feature

  • Performance – too heavy for our purposes

Page 14

Light-weight Hooking Framework

Page 15

Pros & Cons

• Pros

  • Very lightweight

  • Easy to extend

• Cons

  • Have to blacklist some instructions

  • Usually PC-relative ones

  • Limited branch range
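The two cons, as an added example that is not XMod's code: the checks an inline hook has to run before it copies a function's first words to a trampoline and overwrites the first word with a branch to the hook. arm64 is assumed (the slides cover arm32 too); the instruction-class masks are the ones from the A64 encoding, and the prologues at the bottom are constructed for the example.

```c
/* Added example: pre-checks for a light-weight inline hook on arm64.
 * 1) words that encode a PC-relative target cannot be moved to a trampoline
 *    unmodified, so the patch site is rejected when it contains one;
 * 2) an unconditional B reaches only +/-128 MiB, so the hook must be in range. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum hook_err { HOOK_OK = 0, HOOK_PC_RELATIVE, HOOK_OUT_OF_RANGE };

struct insn_class { uint32_t mask, value; const char *name; };

/* PC-relative instruction classes to blacklist at the patch site. */
static const struct insn_class pc_relative[] = {
    { 0x7C000000u, 0x14000000u, "B/BL" },
    { 0xFF000010u, 0x54000000u, "B.cond" },
    { 0x7E000000u, 0x34000000u, "CBZ/CBNZ" },
    { 0x7E000000u, 0x36000000u, "TBZ/TBNZ" },
    { 0x9F000000u, 0x10000000u, "ADR" },
    { 0x9F000000u, 0x90000000u, "ADRP" },
    { 0x3B000000u, 0x18000000u, "LDR (literal)" },
};

/* Name of the PC-relative class an instruction belongs to, or NULL. */
static const char *pc_relative_name(uint32_t insn)
{
    for (size_t i = 0; i < sizeof pc_relative / sizeof pc_relative[0]; i++)
        if ((insn & pc_relative[i].mask) == pc_relative[i].value)
            return pc_relative[i].name;
    return NULL;
}

/* Encode "B target" placed at pc.  imm26 is a word displacement, so the
 * byte displacement must be word aligned and within [-2^27, 2^27).
 * Returns 0 (an invalid encoding here) when it does not fit. */
static uint32_t encode_b(uint64_t pc, uint64_t target)
{
    int64_t off = (int64_t)(target - pc);
    if ((off & 3) || off < -(1LL << 27) || off >= (1LL << 27))
        return 0;
    return 0x14000000u | ((uint32_t)(off >> 2) & 0x03FFFFFFu);
}

/* Check a patch site: the n words at func would be relocated to a
 * trampoline and the first word replaced by "B hook". */
static enum hook_err check_hook_site(const uint32_t *insns, size_t n,
                                     uint64_t func, uint64_t hook, const char **why)
{
    for (size_t i = 0; i < n; i++) {
        const char *cls = pc_relative_name(insns[i]);
        if (cls) { if (why) *why = cls; return HOOK_PC_RELATIVE; }
    }
    if (!encode_b(func, hook)) {
        if (why) *why = "B displacement exceeds +/-128 MiB";
        return HOOK_OUT_OF_RANGE;
    }
    if (why) *why = "ok";
    return HOOK_OK;
}

int main(void)
{
    /* Constructed prologues: stp x29,x30,[sp,#-16]! ; mov x29,sp ; ldr x1,[x0,#8] */
    static const uint32_t plain[] = { 0xA9BF7BFD, 0x910003FD, 0xF9400401 };
    /* ... and one that starts with adrp x0, <page>, which cannot be relocated as-is */
    static const uint32_t rel[]   = { 0x90000000, 0x910003FD };
    uint64_t func = 0xffffffc000100000ULL;
    uint64_t near = 0xffffffc000900000ULL, far = 0xffffffc010100000ULL;
    const char *why;

    printf("plain prologue, hook in range:   %d (%s)\n", check_hook_site(plain, 3, func, near, &why), why);
    printf("adrp prologue, hook in range:    %d (%s)\n", check_hook_site(rel, 2, func, near, &why), why);
    printf("plain prologue, hook 256 MiB off: %d (%s)\n", check_hook_site(plain, 3, func, far, &why), why);
    return 0;
}
```

When a site fails the range check the usual choices are to allocate the hook stub inside the kernel image's branch range or to switch to a longer LDR+BR sequence, which costs relocating more words and therefore raises the odds of hitting a blacklisted one; a site that fails the instruction check has to be hooked further into the function or not at all.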

Page 16

Advantages

• Naturally immune to

  • Obfuscation

  • Dynamic payload

  • Emulator detection

  • Location based disguise

• Very low false-positive rate

  • Not that many benign apps

Page 17

Tracking of “爱心推” SDK

• Used to be part of ZNIU (Dirty Cow exploit in the wild)

• 300+ apps, millions of users

  • Root exploits are hosted in the cloud

• Utilizing VirtualApp for malicious download

  • https://github.com/asLody/VirtualApp

Their official website…

Page 18

Observations

• 64-bit systems are less likely to be affected

  • PXN does raise the bar for exploitation

• dm-verity prevents persistence

• Android 5.1 and below are very much vulnerable

Page 19

What’s Next?

• Non-root malicious behaviors?

• Mining?

• Challenges

  • No exploit

  • No special privilege

  • Web or app

• “Side” channels

  • CPU behavior, cache misses

  • Network connections

Page 20

Conclusion

• Root capability is tagged and sold on the market

  • Both “good” and evil sides are using it

• XMod is an effective complement to existing malware detection

  • Radiate its detection to app markets and other tools

  • Has its limitations as an “add-on”

• Mainline kernel guard?

  • KSPP

  • LKRG looks good
