From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout...

30
From Zygote to Morula: For0fying Weakened ASLR on Android Byoungyoung Lee α Long Lu β Tielei Wang α Taesoo Kim γ Wenke Lee α α Georgia Tech, β Stony Brook University, γ MIT In embryology, the morula is produced by the rapid division of the zygote cell. In Android, each applica0on process is a fork of the Zygote process. 1

Transcript of From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout...

Page 1: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

From  Zygote  to  Morula:    For0fying  Weakened  ASLR  on  Android  

Byoungyoung  Leeα  Long  Luβ  

Tielei  Wangα  Taesoo  Kimγ  

Wenke  Leeα    

αGeorgia  Tech,  βStony  Brook  University,  γMIT    

In  embryology,  the  morula  is  produced  by  the  rapid  division  of  the  zygote  cell.  In  Android,  each  applica0on  process  is  a  fork  of  the  Zygote  process.  

1  

Page 2: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Security  Hardening  Efforts  on  Mobile  

Address  Space  Layout  Randomiza0on  (ASLR)  

Data  Execu0on  Preven0on  (DEP)  

Underlying  Opera4ng  System  

Permission  Model  

Mobile  Pla:orm  

App  code  signing  

2  

Page 3: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Security  Hardening  Efforts  on  Mobile  

Address  Space  Layout  Randomiza0on  (ASLR)  

Data  Execu0on  Preven0on  (DEP)  

Underlying  Opera4ng  System  

Permission  Model  

Mobile  Pla:orm  

App  code  signing  

3  

Page 4: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Address  Space  Layout  Randomiza0on  (ASLR)  

•  Mo0va0on  •  Knowing  the  address  is  prerequisite  for  many  aZacks  

•  Making  predic0on  of  the  memory  address  difficult  –  Individual  memory  layouts  for  each  process  

•  Implemented  in  all  major  OSes  

4  

Page 5: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

History  of  ASLR  adop0on  in  Android  

•  Why  ASLR  on  Android?  – Prevent  exploita0ons  on  na0ve  code  in  apps  

•  Adopted  incrementally  – Performance  concerns  on  early  Android  devices        (enabling  PIE  è  loading  latency  /  memory  overheads)  – Android  4.1  implemented  full  ASLR  enforcements  

5  

Page 6: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

6  

Page 7: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

(actual)  ASLR  enforcements  in  Android  related  to  performance  priori4zed  design  

Page 8: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Performance  Priori0zed  Designs  of  Android  

Dalvik  VM  

Android  Run0me  Library  

Applica0on  

•  Mul0-­‐layered  architectures  – Android  Applica0ons  run  on  Dalvik  VM  – with  addi0onal  run0me  libraries  

è  Slow  app  launch  0me  

8  

Page 9: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Zygote:  the  process  crea0on  module  

Dalvik  VM  

Android  Run0me  Library  

Applica0on  

Applica0on  

the  Zygote  process  :  a  template  process  hos4ng  apps    

Dalvik  VM  

Android  Run0me  Library  

Dalvik  VM  

Android  Run0me  Library  

fork()  

fork()  

Fast  app  launch  4me!  9  

Page 10: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Zygote:  the  process  crea0on  module  

Dalvik  VM  

Applica0on  

Applica0on  

Dalvik  VM  

Dalvik  VM  

fork()  

fork()  

Sharing  address  layout  10  

Android  Run0me  Library    

Android  Run0me  Library    

Android  Run0me  Library    

Page 11: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Zygote  weakens  ASLR  effec0veness  

Zygote  

AM  

browser  

①  request              new  app  

②  fork()  

Shared  libraries  ③specialize  

•  All  apps  have  the  same  memory  layouts  –  For  shared  libraries  loaded  by  the  Zygote  process  

è Weakens  Android  ASLR  security  

11  

Page 12: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

AZacking  the  ASLR  weakness    by  Zygote  

•  Challenges  to  develop  fully  working  exploits  (with  ideal  ASLR)  –  Exploit  the  Informa4on  leak  vulnerability  –  Exploit  the  control-­‐flow  hijack  vulnerability  è  should  be  achieved  in  the  same  app!  

12  

Page 13: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

AZacking  the  ASLR  weakness    by  Zygote  

•  How  Zygote’s  ASLR  weakness  helps  aZackers  – Remote  Coordinated  ANacks  

•  Informa0on  leak  in  Chrome  +  control-­‐flow  hijack  in  VLC  •  Reduce  the  vulnerability  searching  spaces  

– Local  Trojan  ANacks  •  Obtain  the  memory  layout  by  having  the  trojan  app  installed  

13  

Page 14: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

AZacking  weakened  ASLR  :  Remote  Coordinated  AZack  

①  

②  

③  

④    ANacker’s  web  server  

Vic4m’s  Android  

VLC  player  

Chrome  Malicious  JavaScript  è Exploit  the  informa4on  leak  vulnerability                                                                                                          (CVE-­‐2013-­‐0912)  

Cra_ed  video  file  è Exploit  the  control-­‐flow  hijack  vulnerability  with  leaked  memory  layout  informa4on  

URI  Intent  

14  

Page 15: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

AZacking  weakened  ASLR  :  Local  Trojan  AZack  

•  Zero-­‐permissioned  trojan  app  – Asks  (almost)  no  permissions  to  the  system  –  Scanning  memory  spaces  using  the  na0ve  code  –  Layout  informa0on  can  be  exported  

•  Intent  •  Internet  

•  Once  the  trojan  app  is  installed,  ASLR  can  be  easily  bypassed  

15  

Page 16: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Intui0ve  (but  imprac0cal)  Solu0ons  

Dalvik  VM  

Applica0on  

Dalvik  VM  

fork()  &  exec()  

16  

Android  Run0me  Library    

Android  Run0me  Library    

–  fork()  &  exec()  •  Execute  and  ini0alize  all  components  from  the  scratch  

– Too  slow  to  be  used  in  prac0ce  •  App  launch  0me:    427%  slowdown  

Page 17: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Morula:  Fast  Process  Crea0on    without  Weakening  ASLR    

•  Maintain  a  Morula  instance  pool  – An  instance  is  prepared  (fork()  and  exec())  when  the  device  is  idle  

– Pull  out  the  instance  to  create  an  app  later  

17  

Page 18: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Morula:  Fast  Process  Crea0on    without  Weakening  ASLR    

Applica0on  

S4ll  fast  enough  &  ASLR  is  securely  enforced  

Dalvik  VM  

Pool  of  Morula  instances  

Dalvik  VM  

…  

18  

Android  Run0me  Library    

Dalvik  VM  

Android  Run0me  Library    

Android  Run0me  Library    

Page 19: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Morula:  Fast  Process  Crea0on    without  Weakening  ASLR    

Prepara4on  phase  – Prepare  a  Morula  instance  when  the  device  is  idle  

Zygote  

AM  

Morula  

①  request              prepare            when  idle  

…  

Shared  libraries  ③  cold-­‐init  

②  fork()    &  exec()  

Morula  

19  

Page 20: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Morula:  Fast  Process  Crea0on    without  Weakening  ASLR    

Transi4on  phase  – Transform  the  instance  into  the  target  applica0on  

Zygote  

AM  

browser  

①  request              new  app  

②  send  app  info  

…  

Shared  libraries  ③specialize  

Morula  

20  

Page 21: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Evalua0ons  

•  Implemented  Morula  in  Android  4.2  – 548  Loc  in  Java  – 197  LoC  in  C  

•  Evaluated  on  Galaxy  Nexus  – Dual-­‐core  1.2  GHz  CPU,  1GB  RAM    

21  

Page 22: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Applica0on  Launch  Delays  

Morula  is  0.7%  faster  than  Zygote  on  average  è Trade-­‐offs  between            fork()  in  Zygote  VS  extra  communica0ons  in  Morula    

22  

Zygote Fork & exec Morula

Page 23: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Memory  Use  Overheads  

Morula  uses  13.7MB  (85%)  more  memory  per  app  è  Mostly  from  individual  DalvikVM  heaps  

23  

Zygote Fork & exec Morula

Page 24: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Implica0ons  •  Other  data  sharing  issues  by  Android  Zygote  

–  Predic0ng  OpenSSL’s  PRNG  states  [CCS  13]  

•  Systems  relying  on  Zygote  like  designs  –  Chrome,  Server  side  applica0ons  [Blind  ROP,  Oakland  14]  –  Plaworm  specific  op0miza0ons  should  be  considered  

•  Morula:  On-­‐demand  Dalvik  class  loading  /  Selec0ve  randomiza0on  

•  Performance  priori0zed  designs  can  be  odd  with  ASLR  –  Hash  table  designs  in  dynamic  script  languages  (to  appear,  BlackHat  USA  2014)  

24  

Page 25: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Conclusion  

 •  Showed  two  aZacks  on  Weakened  Android  ASLR  by  Zygote  

– Remote  coordinated  aZacks  – Local  trojan  aZacks  

•  Morula  achieves  fast  app  launch  0me  without  weakening  ASLR  

25  

Page 26: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Thank  you    

Q&A  

26  

Page 27: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Backup  slides  

27  

Page 28: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

BaZery  Consump0on  

28  

 •  Executed  the  web  browser  every  10  seconds  •  Morula  imposes  0.5%  more  power  consump0on  for  100  execu0ons  

Page 29: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Op0miza0ons  on  Morula  

•  On-­‐demand  Dalvik  class  Loading  – DalvikVM  pre-­‐loads  2,541  Dalvik  classes  

•  Most  Java  libraries  including  Android  run0me  libraries  •  On  average,  only  5%  of  them  are  actually  used  by  applica0ons  

– Dynamically  loaded  the  classes  at  the  0me  it  is  used  •  Shiy  the  overheads  from  prepara0on  phase  to  transi0on  phase  

– Device  boo0ng  process  can  be  significantly  benefited  •  More  than  10  apps  are  launched  during  the  device  boo0ng    

29  

Page 30: From%Zygote%to%Morula:% … · Security%Hardening%Efforts%on%Mobile% Address%Space%Layout Randomizaon%(ASLR)% DataExecu0on%Preven0on% (DEP) UnderlyingOperangSystem1 Permission%Model%

Zygote  conflicts  with  ASLR  security  

è Each  app  shares  ~10MB  sized  of  data  that  can  be  poten4ally  used  as  aNack  vectors  (e.g.,  ROP)  

30