The problems which were pointed out are good ones, and they should be fixed. Fortunately, they are easy to fix.
In the grand scheme of things, though, this isn't as bad as it seems, since the vast majority of Android applications run in the Dalvik JVM. Hence the amount of code that is subject to weaknesses that could be exploited by the attacker to cause a jump into the non-randomized dynamic loader (for example) are much smaller.
Of course, there could still be bugs in native code applications, libraries, and system executables, so the ALSR should definitely be improved. Again, fortunately, this should be relatively easy to do.
This is why I think Chrome for Android is a big deal. The browser will always be one of the easiest ways run an exploit. With the browser tightly coupled with the OS, many old phones will never receive an update for it.
The WebView as attack target is a different story, though.
Because they're common speech patterns on the internet these days, where it's difficult to show emotion via text. You could have just as easily said "why did you grin after saying you ate pizza?". A better question might have been: "Why the 'sticks tongue out at in silly manner' face?"
Yes, it should be easy to fix. That said, you downplay the weakness too strongly: it was because of the lack of working ASLR that allowed me to use the mempodipper exploit (as my port, "mempodroid" [1]) to get root on all the current ICS devices. (While sometimes you can adjust an exploit to work around ASLR, this exploit requires you to know an absolute address before the program executes.)
Yeah, mempodroid is a great example. You'd need to randomize the location of the setuid executable (w/PIE), randomize of the linker, and implement something like GRKERNSEC_BRUTE to prevent trivial local bruteforcing of a usable address.
Speaking of which, spender's recent blog post gives a good overview of some of the grsec/PaX mitigations that would hamper the exploitation of the /proc/pid/mem vuln:
Interesting... it never occurred to me that brute forcing an address was feasible enough to bother with. ;P (edit: Although, thinking more, some exploits have a more constrained range of addresses. That said, even here we have a 2-3GB area, but could probably expand the target to "any instruction executed between these points", which might be as much as a kilobyte; requiring just a few million attempts isn't that unreasonable.)
Looking at GRKERNSEC_BRUTE, however, it would not affect this exploit: it is designed to penalize the parent for forking exploitable children (so as, for example, to keep new copies of Apache from coming into existence rapidly enough for them to be remotely exploited); however, here we are assumed to have control of the parent, so we can just add a layer of indirection, never reusing direct parents.
Ah, (for anyone caring enough to read this discussion) apparently the actual code in the patch (which was more complex than listed here [1]) doesn't just ban processes (as with control of the parent we really do have the ability to bypass the process check, as again: we can just keep making replacement exploit containers), but also bans entire user accounts that are causing suspicious memory accesses.
So how does the ASLR work with images optimized to be loaded at specific address? (-fPIC all of them?)
I was under the impression that if you have two or more instances of the same .so/.dll/.dylibs in different processes, and they end up using different virtual addresses then they can't share the same code page. Maybe I'm behind times...
I disagree with -fPIE making things slow, specially in the ~13 general purpose registers of ARM. Maybe -fPIE affect things in the register-starved x86, not so much in modern archs. Also, "fucked up beyond all repair" is a little exagerated when the repair is to add "-fPIE" to some binaries.
As a mild counterpoint, I semi-recently tried to start habitually compiling my executables with -fPIE on my AMD64 development machines, and at least several months ago, the GDB I got from Debian sid was not up to the task of debugging such a creature and would fail to attach to the process and emit mysterious error messages. AMD64 being a mature architecture where I would expect PIE to have a significant benefit, it wouldn't surprise me if this were true for ARM also, or if other toolchain elements had similar problems. So that could provide a disincentive to switch over to position-independent executables.
> I was under the impression that if you have two or more instances of the same .so/.dll/.dylibs in different processes, and they end up using different virtual addresses then they can't share the same code page. Maybe I'm behind times...
By design, dylibs (i.e. shared dynamic libraries) are allowed to be loaded at different virtual addresses and still have their text/ro sections shared.
Because dylibs are always compiled with -fPIC, they do not have any dependence on their load addresses (branches are pc-relative, data loads go through the GOT, etc). This allows the dyld to map the physical address(es) of a dylib's text/ro section(s) into virtual address spaces of multiple processes with very little relocation.
18 comments
[ 3.1 ms ] story [ 50.1 ms ] threadIn the grand scheme of things, though, this isn't as bad as it seems, since the vast majority of Android applications run in the Dalvik JVM. Hence the amount of code that is subject to weaknesses that could be exploited by the attacker to cause a jump into the non-randomized dynamic loader (for example) are much smaller.
Of course, there could still be bugs in native code applications, libraries, and system executables, so the ALSR should definitely be improved. Again, fortunately, this should be relatively easy to do.
The WebView as attack target is a different story, though.
[1] https://github.com/saurik/mempodroid
Speaking of which, spender's recent blog post gives a good overview of some of the grsec/PaX mitigations that would hamper the exploitation of the /proc/pid/mem vuln:
http://forums.grsecurity.net/viewtopic.php?f=7&t=2939
Looking at GRKERNSEC_BRUTE, however, it would not affect this exploit: it is designed to penalize the parent for forking exploitable children (so as, for example, to keep new copies of Apache from coming into existence rapidly enough for them to be remotely exploited); however, here we are assumed to have control of the parent, so we can just add a layer of indirection, never reusing direct parents.
[1] http://xorl.wordpress.com/2010/11/09/grkernsec_brute-exploit...
OTOH, that means it's a back door for use with those nasty handset manufacturers that still ship phones that can't be unlocked. :-)
I was under the impression that if you have two or more instances of the same .so/.dll/.dylibs in different processes, and they end up using different virtual addresses then they can't share the same code page. Maybe I'm behind times...
Dug's FUBAR comment was just an attempt cram in as many acronyms as possible...of course the situation is improvable. ;-)
Still at CORE these days?
By design, dylibs (i.e. shared dynamic libraries) are allowed to be loaded at different virtual addresses and still have their text/ro sections shared.
Because dylibs are always compiled with -fPIC, they do not have any dependence on their load addresses (branches are pc-relative, data loads go through the GOT, etc). This allows the dyld to map the physical address(es) of a dylib's text/ro section(s) into virtual address spaces of multiple processes with very little relocation.