18 comments

[ 3.1 ms ] story [ 50.1 ms ] thread
The problems which were pointed out are good ones, and they should be fixed. Fortunately, they are easy to fix.

In the grand scheme of things, though, this isn't as bad as it seems, since the vast majority of Android applications run in the Dalvik JVM. Hence the amount of code that is subject to weaknesses that could be exploited by the attacker to cause a jump into the non-randomized dynamic loader (for example) are much smaller.

Of course, there could still be bugs in native code applications, libraries, and system executables, so the ALSR should definitely be improved. Again, fortunately, this should be relatively easy to do.

There's still a large attack surface of native code in the Android platform. I've heard WebKit has a few bugs... :-P
This is why I think Chrome for Android is a big deal. The browser will always be one of the easiest ways run an exploit. With the browser tightly coupled with the OS, many old phones will never receive an update for it.

The WebView as attack target is a different story, though.

You made a great point. Why did you have to ruin it with an emoticon?
Because they're common speech patterns on the internet these days, where it's difficult to show emotion via text. You could have just as easily said "why did you grin after saying you ate pizza?". A better question might have been: "Why the 'sticks tongue out at in silly manner' face?"
Yes, it should be easy to fix. That said, you downplay the weakness too strongly: it was because of the lack of working ASLR that allowed me to use the mempodipper exploit (as my port, "mempodroid" [1]) to get root on all the current ICS devices. (While sometimes you can adjust an exploit to work around ASLR, this exploit requires you to know an absolute address before the program executes.)

[1] https://github.com/saurik/mempodroid

Yeah, mempodroid is a great example. You'd need to randomize the location of the setuid executable (w/PIE), randomize of the linker, and implement something like GRKERNSEC_BRUTE to prevent trivial local bruteforcing of a usable address.

Speaking of which, spender's recent blog post gives a good overview of some of the grsec/PaX mitigations that would hamper the exploitation of the /proc/pid/mem vuln:

http://forums.grsecurity.net/viewtopic.php?f=7&t=2939

Interesting... it never occurred to me that brute forcing an address was feasible enough to bother with. ;P (edit: Although, thinking more, some exploits have a more constrained range of addresses. That said, even here we have a 2-3GB area, but could probably expand the target to "any instruction executed between these points", which might be as much as a kilobyte; requiring just a few million attempts isn't that unreasonable.)

Looking at GRKERNSEC_BRUTE, however, it would not affect this exploit: it is designed to penalize the parent for forking exploitable children (so as, for example, to keep new copies of Apache from coming into existence rapidly enough for them to be remotely exploited); however, here we are assumed to have control of the parent, so we can just add a layer of indirection, never reusing direct parents.

GRKERNSEC_BRUTE will also trigger for suid binaries (in the case of memprodroid, run-as). See gr_handle_brute_attach() for details.
Ah, (for anyone caring enough to read this discussion) apparently the actual code in the patch (which was more complex than listed here [1]) doesn't just ban processes (as with control of the parent we really do have the ability to bypass the process check, as again: we can just keep making replacement exploit containers), but also bans entire user accounts that are causing suspicious memory accesses.

[1] http://xorl.wordpress.com/2010/11/09/grkernsec_brute-exploit...

/me not my current employer speaking

OTOH, that means it's a back door for use with those nasty handset manufacturers that still ship phones that can't be unlocked. :-)

So how does the ASLR work with images optimized to be loaded at specific address? (-fPIC all of them?)

I was under the impression that if you have two or more instances of the same .so/.dll/.dylibs in different processes, and they end up using different virtual addresses then they can't share the same code page. Maybe I'm behind times...

Right, all libaries need to be compiled with -fPIC in order to be randomized. That tends to be much more common than -fPIE.
I disagree with -fPIE making things slow, specially in the ~13 general purpose registers of ARM. Maybe -fPIE affect things in the register-starved x86, not so much in modern archs. Also, "fucked up beyond all repair" is a little exagerated when the repair is to add "-fPIE" to some binaries.
Yeah, I'm guessing ARM will be ok with respect to GPRs (although I certainly haven't done any benchmarks).

Dug's FUBAR comment was just an attempt cram in as many acronyms as possible...of course the situation is improvable. ;-)

Still at CORE these days?

No more CORE for me Doc :) playing the "entrepeneur" now, without the social app or i-phone app, so, no glamour I'm afraid.
As a mild counterpoint, I semi-recently tried to start habitually compiling my executables with -fPIE on my AMD64 development machines, and at least several months ago, the GDB I got from Debian sid was not up to the task of debugging such a creature and would fail to attach to the process and emit mysterious error messages. AMD64 being a mature architecture where I would expect PIE to have a significant benefit, it wouldn't surprise me if this were true for ARM also, or if other toolchain elements had similar problems. So that could provide a disincentive to switch over to position-independent executables.
> I was under the impression that if you have two or more instances of the same .so/.dll/.dylibs in different processes, and they end up using different virtual addresses then they can't share the same code page. Maybe I'm behind times...

By design, dylibs (i.e. shared dynamic libraries) are allowed to be loaded at different virtual addresses and still have their text/ro sections shared.

Because dylibs are always compiled with -fPIC, they do not have any dependence on their load addresses (branches are pc-relative, data loads go through the GOT, etc). This allows the dyld to map the physical address(es) of a dylib's text/ro section(s) into virtual address spaces of multiple processes with very little relocation.