blender: self-randomizing address space layout for android ... · blender: self-randomizing address...
TRANSCRIPT
Blender: Self-randomizing Address Space Layoutfor Android Apps
Mingshen Sun ∗, John C.S. Lui ∗, and Yajin Zhou †
∗ The Chinese University of Hong Kong† Qihoo 360 Technology Co. Ltd.
September 21, 2016
Introduction – Android Malware
Mobile devices become the biggest target among all threats
Report
From 2004 to 2013 we detected nearly 200,000 samples of maliciousmobile code. In 2014 there were 295,539 new programs, while thenumber was 884,774 in 2015. — Kaspersky 1
1https://securelist.com/analysis/kaspersky-security-bulletin/73839/mobile-malware-evolution-2015/
Mingshen Sun (CUHK) Blender September 21, 2016 2 / 22
Introduction – Android Malware
Android malware samples accounted for 98% of all mobile threats
TrojanSpywarePhishing appsRansomwareRootkit…
2
2http://www.phonearena.com/news/Malware-on-Android---a-myth-or-real-threat_id37322
Mingshen Sun (CUHK) Blender September 21, 2016 3 / 22
Introduction – Android Vulnerabilities
O ct 2 0 1 1
A pr 2 0 1 2
O ct 2 0 1 2
A pr 2 0 1 3
O ct 2 0 1 3
A pr 2 0 1 4
O ct 2 0 1 4
A pr 2 0 1 50 .0
0 .2
0 .4
0 .6
0 .8
1 .0
Prop
ortio
n of
dev
ices
in s e c u re
may
be
secu
res e c u re
Figure: Proportion of devices running vulnerable versions of Android.3
3http://androidvulnerabilities.org
Mingshen Sun (CUHK) Blender September 21, 2016 4 / 22
Introduction – Android Vulnerabilities
Google disclosed 108 CVE numbers (Common Vulnerabilities andExposures) for Android in July 2016Nine of them are critical vulnerability (e.g., remote codeexecution and privilege elevation)
Issue CVE Severity Affects Nexus?
Remote code execution vulnerability in Me-diaserver
CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508, CVE-2016-3741,CVE-2016-3742, CVE-2016-3743
Critical Yes
Remote code execution vulnerability inOpenSSL & BoringSSL
CVE-2016-2108 Critical Yes
Remote code execution vulnerability in Blue-tooth
CVE-2016-3744 High Yes
Elevation of privilege vulnerability in libpng CVE-2016-3751 High YesElevation of privilege vulnerability in Medi-aserver
CVE-2016-3745, CVE-2016-3746, CVE-2016-3747
High Yes
Elevation of privilege vulnerability in sockets CVE-2016-3748 High YesElevation of privilege vulnerability in Lock-SettingsService
CVE-2016-3749 High Yes
Elevation of privilege vulnerability in Frame-work APIs
CVE-2016-3750 High Yes
Elevation of privilege vulnerability inChooserTarget service
CVE-2016-3752 High Yes
Mingshen Sun (CUHK) Blender September 21, 2016 5 / 22
Introduction – Buffer Overflow
Mingshen Sun (CUHK) Blender September 21, 2016 6 / 22
Introduction – Buffer Overflow
4
SolutionData Execution Prevention(DEP)No-eXecute (NX) bit in CPU
4http://arstechnica.com/security/2015/08/how-security-flaws-work-the-buffer-overflow/
Mingshen Sun (CUHK) Blender September 21, 2016 7 / 22
Introduction – ROP Attack
Solution: AddressSpace LayoutRandomization(ASLR)
Mingshen Sun (CUHK) Blender September 21, 2016 8 / 22
ASLR in Android
Android 2.x: stackAndroid 4.0: stack and shared librariesAndroid 4.0.3: stack, shared libraries, and heapAndroid 5.0: stack, shared libraries, heap, and linker
Mingshen Sun (CUHK) Blender September 21, 2016 9 / 22
ASLR Circumvention in Android
What went wrong?Apps are forked from zygote process with identical memory layoutAndroid app creation model indirectly defeats the purpose of ASLRprotection
Mingshen Sun (CUHK) Blender September 21, 2016 10 / 22
ROP attack
How to exploit? (ROP attack)obtain memory layoutcalculate offsets of gadgetsoverflow native library and hijack control flowchain gadgets for attacks
Mingshen Sun (CUHK) Blender September 21, 2016 11 / 22
Executable Section in Android
Increasing .text section sizes of loaded shared libraries in zygotefor different Android major versions.
0 20 40 60 80 100102
103
104
105
106
107
1 KB
128 KB
512 KB
1 MB
16 MBboot.oat (22.9 MB)
libLLVM.so (7.4 MB)
libart.so (3.2 MB)
libc.so (301.1 KB)
Shared Libraries Loaded in Zygote (Sorted By Size)
Sizeof.textSection
(Byte)
Android 2.2Android 2.3.3Android 4.0.3Android 4.2.2Android 4.3.1Android 5.1.1M Preview
Mingshen Sun (CUHK) Blender September 21, 2016 12 / 22
A New Attack: Ret2art
What went wrong?The newly-designed Android RunTime (ART) utilize ahead-of-time(AOT) compilation strategy to pre-compiled framework code intonative codeThe addresses of the pre-compiled native code of the systemframework APIs are predictable
Mingshen Sun (CUHK) Blender September 21, 2016 13 / 22
A New Attack: Ret2art
How to exploit?similar with traditional ROP attacksprepare registers to call framework APIsa more damaging and flexible attack method
Mingshen Sun (CUHK) Blender September 21, 2016 14 / 22
Blender – Overview
Blender, a user-level mitigation solution to self-randomizeaddress space layout, provides non-invasive and easy-to-deployself-protection for Android apps
randomize the addresses of loaded system libraries for appsrandomize the executable code of the pre-compiled frameworkcode in the ART runtime
Mingshen Sun (CUHK) Blender September 21, 2016 15 / 22
Blender – BlenderLRM
Blender Library Randomization Module1 Customized dynamic linker called blinker2 Generate dependency graph between libraries for rearrangement3 Rearrange loaded libraries and fix GOTs (maintains pointers to
external functions)
Mingshen Sun (CUHK) Blender September 21, 2016 16 / 22
Blender – BlenderART
Blender ART Randomization Module1 Patch method absolute addresses2 Rearrange boot.oat3 Fixup class linker data instance4 Optimization for improving startup time
Mingshen Sun (CUHK) Blender September 21, 2016 17 / 22
Evaluation – Effectiveness
App randomnessapp entropyWe define {x1, x2, . . . , xn} as base addresses of the librarym, and nis the number of executions for one app.H(Xm) = −
∑ni=1 p(xi)
ln p(xi)ln n
average app entropy: R(A) =∑
m∈M H(Xm)|M|
Mode App Entropy R(A)
Original App 0.005B LRM Only 0.981B LRM and B ARM 0.991
Table: Entropy Analysis Results
Mingshen Sun (CUHK) Blender September 21, 2016 18 / 22
Evaluation – Performance
Startup time: launch time of apps360 ms start time (code start) overhead
Memory overhead: memory usage during startup11.5% memory overhead
2 4 6 8 100
500
1,000
1,500
2,000
387.3
504.9
624.3
1,597.3
741.1
Execution Index
App’s
Sta
rtup
Tim
e(M
illiseco
nds)
Orginal App App Redelegation
BlenderLRM BlenderLRM+BlenderART(without cache)
BlenderLRM+BlenderART(with cache)
0 500 1,000 1,500 2,000
3.5
4
4.5
5
5.5·104
Elapsed Time (Milliseconds)
VmRSS
inth
e/proc/[pid]/statusFile(k
B)
Original App App Redelegation
BlenderLRM BlenderLRM+BlenderART
Mingshen Sun (CUHK) Blender September 21, 2016 19 / 22
Evaluation – Performance
Runtime overhead: benchmarks of CPU, Memory, I/O, etc.negligible overhead at runtime
Battery overhead: battery usage measurement1% batter overhead
0 100 200 300 400 500
85
90
95
100
Number of ExecutionsBatteryCapacity
inth
epowersupply/capacityFile(%
) Original App App with Blender
Baseline BlenderLRM Full Blender
CPU 35915 36480 35969Memory 13900 13846 14653I/O 5874 5893 59002D 330 330 2983D 1967 2019 1981
Total 57986 58568 58801
Table: Benchmark scores.
Mingshen Sun (CUHK) Blender September 21, 2016 20 / 22
Summary
Contributions
1 discover a new attack surface in recent Android RunTime2 propose a non-invasive solution to mitigate the threat of the
weakened ASLR implementation in Android system3 implement a system to self-randomize address space layout for
both native libraries and the ART runtime
Mingshen Sun (CUHK) Blender September 21, 2016 21 / 22
Thank you!
Thank you.
Question?
Mingshen Sun (CUHK) Blender September 21, 2016 22 / 22