What you have to know about vulnerability mitigation and countermeasures

Posted by tzul at 2020-02-24

As software systems grow more and more complex, software vulnerabilities become inevitable. The industry has therefore gradually introduced techniques that make a vulnerability impossible, or at least much harder, to exploit; these are referred to as vulnerability mitigations. Below we briefly introduce some of the mitigations widely deployed on Android and iOS, together with the ways they can be bypassed. Some of the items are really associated security restrictions rather than mitigations in the strict sense.

Mitigation and bypass techniques

User Permissions

Each app runs under its own uid and its own SELinux context, and it can only do what it has requested permission for and the user has granted. To get past these restrictions, consider how permissions that are each reasonable on their own can be combined into something unreasonable, or look for a vulnerability in the interaction between apps, such as Android's FileProvider. In that case, compromise such an app first.

SELinux, MAC and Sandbox

SELinux is short for Security-Enhanced Linux, a security-enhanced Linux kernel. MAC is short for mandatory access control. Sandbox means exactly what it says. Together they contain a complex set of access-control policies that essentially work in whitelist mode: by default, most behaviours of any process are prohibited, file access is restricted, and system calls and their parameters are restricted. This not only limits what each app can do but also reduces the attack surface. The more feasible way to get past these limits is to attack the kernel itself and, for example, switch the enforcement off from inside it.

PIE, ASLR and KASLR

PIE is short for position independent executable, the same idea as PIC, position independent code. ASLR is address space layout randomization: it randomizes where memory is allocated, so the distance between the executable and the dynamically loaded libraries differs from run to run and follows no pattern. When the exact addresses are unknown, the attacker can hardly complete the attack; it is like not yet having located the target on the battlefield. The K in KASLR stands for kernel: it ensures that the kernel's virtual address differs each time the device boots. To get past these limits, use heap spray and other spraying techniques, plus NOP sleds of various kinds, to raise the success rate of exploitation, or use an information disclosure vulnerability, such as a memory leak, a file leak, or any other way of obtaining a memory address.

DEP and PXN

DEP is short for data execution prevention: data is not executable, so an attacker cannot directly run code of their own, which makes attacks harder. PXN is short for privileged execute never: user-space executable data cannot be run in kernel mode. To get past these limits, use ROP (return-oriented programming), JOP (jump-oriented programming) and stack pivoting to make the program's own code do what the attacker wants. The principle is to exploit the characteristics of the ABI (application binary interface): rewrite the program stack, control several function return addresses to form a chain, and string together fragments of the original program's code to achieve the attacker's goal, much as a biological virus hijacks its host's own machinery. In a browser, the attacker can instead overwrite the memory used by the JIT (just-in-time) compiler; in Android user mode, the mprotect and mmap system calls can change memory to executable.

TrustZone

The trusted world is the most secure stage of fingerprint, payment, unlock, DRM and similar authentication: even the operating system kernel cannot access its memory, and it is where signing, encryption and so on are performed. To get past these restrictions, first consider taking over the privileged service processes that talk to it, such as drmserver and gatekeeper, and fuzz their interfaces to find a vulnerability. With code execution there, fingerprint verification can be skipped and money quietly deducted.

Timely updates

Apps update automatically, and the system automatically downloads updates and reminds you to upgrade on boot or shutdown, so bugs are fixed in time. We count this as a mitigation as well. To get past it, consider the mutual trust among Google's own apps: compromise one of them first, then have it send an install request to Google Play.

Code signing

The code is signed to ensure that it does not change between the store and the user's phone, which prevents malicious code from being implanted and prevents execution of code that Apple has not reviewed. The bypass method is not described here.

Secure Boot and Verified Boot

Secure Boot is the iOS term and Verified Boot the Android one. They ensure that the system code has not been modified, so that an untethered jailbreak or a persistent root cannot be achieved. Phone manufacturers also add customized mitigations of their own: for example, Android's system partition can only be mounted read-only, and data inside certain drivers has to be modified before the system partition can be changed.

Case study

The earlier article "Research and bypass of PXN protection technology" explained in detail how to bypass DEP and PXN, two of these mitigations. The basic methods used are JOP and ROP. Building on that, we explain here how a root tool bypasses several of the other protections.

That article mentions that addr_limit in thread_info should be changed to 0xffffffffffffffff:

addr_limit bounds the virtual address range a thread may access through user-pointer checks: a user pointer must fall in [0, addr_limit). Changing it to 0xffffffffffffffff makes every 64-bit address accessible, so copy_to_user and copy_from_user no longer reject kernel addresses. Google has not enabled KASLR on Android so far, and the arm64 kernel is generally fixed at the virtual address 0xffffffc000000000, which means the kernel can then be read and written at will. Although Android has no KASLR, kernel heap addresses are still unpredictable, which amounts to a kind of randomization; to exploit a UAF vulnerability like CVE-2015-3636 (pingpong), a spraying technique or ret2dir must be used.

The uid and gid are generally changed to 0, which is root's uid, so the thread has root privileges, and the capability sets are changed to 0xffffffffffffffff, with every bit set, meaning it holds every capability. At this point the user-permission mitigation is bypassed, and you can impersonate any other user.

After the kernel's global variable selinux_enforcing is set to 0, SELinux is effectively switched off (permissive mode). This bypasses the SELinux mitigation.
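The three kernel writes just described (addr_limit, the cred ids and capability sets, and selinux_enforcing), as an added example that is not part of the original article or of any root tool it mentions. It is a pure simulation: the "kernel" is a byte array addressed by made-up kernel virtual addresses, kwrite stands in for the arbitrary-write primitive a real exploit obtains from its bug, and the struct layouts are simplified models of thread_info and struct cred rather than the field offsets of any particular build. Against a real kernel the offsets have to be taken from that build's symbols, and addr_limit is usually lifted first so that ordinary syscalls become the kernel read/write primitive for the remaining writes.

```c
/* Added example (not from the original article): the post-exploitation
 * writes of a root tool, driven through a simulated arbitrary kernel write.
 * Layouts, addresses and the starting state below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of arm64 thread_info: only the field we care about. */
struct thread_info_model {
    uint64_t flags;
    uint64_t addr_limit;    /* user pointers must lie in [0, addr_limit) */
};

/* Simplified model of struct cred: ids first, then the capability sets. */
struct cred_model {
    uint32_t usage;
    uint32_t uid, gid, suid, sgid, euid, egid, fsuid, fsgid;
    uint32_t securebits;
    uint64_t cap_inheritable, cap_permitted, cap_effective, cap_bset;
};

/* The simulated kernel: a flat buffer addressed by fake kernel VAs. */
#define KBASE                  0xffffffc000000000ULL  /* arm64 base cited above */
#define KMEM_SIZE              4096
#define SELINUX_ENFORCING_ADDR (KBASE + 0x100)        /* int selinux_enforcing */
#define THREAD_INFO_ADDR       (KBASE + 0x200)        /* current thread_info   */
#define CRED_ADDR              (KBASE + 0x300)        /* current->cred         */
static uint8_t kmem[KMEM_SIZE];

static uint8_t *kptr(uint64_t kva) { return kmem + (kva - KBASE); }

/* The primitive a real exploit gets from its bug: write N bytes at a kernel VA. */
static void kwrite(uint64_t kva, const void *src, size_t n) { memcpy(kptr(kva), src, n); }
static void kwrite32(uint64_t kva, uint32_t v) { kwrite(kva, &v, sizeof v); }
static void kwrite64(uint64_t kva, uint64_t v) { kwrite(kva, &v, sizeof v); }

/* Step 1: addr_limit = ~0 so copy_to/from_user accept kernel addresses. */
void lift_addr_limit(uint64_t ti)
{
    kwrite64(ti + offsetof(struct thread_info_model, addr_limit), ~0ULL);
}

/* Step 2: every id to 0 (root), every capability set to all ones. */
void patch_cred(uint64_t cred)
{
    for (size_t off = offsetof(struct cred_model, uid);
         off <= offsetof(struct cred_model, fsgid); off += sizeof(uint32_t))
        kwrite32(cred + off, 0);
    for (size_t off = offsetof(struct cred_model, cap_inheritable);
         off <= offsetof(struct cred_model, cap_bset); off += sizeof(uint64_t))
        kwrite64(cred + off, ~0ULL);
}

/* Step 3: selinux_enforcing = 0 puts SELinux into permissive mode. */
void disable_selinux(uint64_t flag_addr) { kwrite32(flag_addr, 0); }

void escalate(void)
{
    lift_addr_limit(THREAD_INFO_ADDR);
    patch_cred(CRED_ADDR);
    disable_selinux(SELINUX_ENFORCING_ADDR);
}

/* Constructed starting state: an app uid, enforcing SELinux, and a
 * USER_DS-style addr_limit (39-bit arm64 user VA size). */
void init_kernel_model(void)
{
    memset(kmem, 0, sizeof kmem);
    struct thread_info_model ti = { .flags = 0, .addr_limit = 0x0000008000000000ULL };
    struct cred_model cr = { .usage = 1, .uid = 10123, .gid = 10123, .suid = 10123,
        .sgid = 10123, .euid = 10123, .egid = 10123, .fsuid = 10123, .fsgid = 10123 };
    kwrite(THREAD_INFO_ADDR, &ti, sizeof ti);
    kwrite(CRED_ADDR, &cr, sizeof cr);
    kwrite32(SELINUX_ENFORCING_ADDR, 1);
}

/* Read-back helpers used to check the result. */
uint64_t read_addr_limit(uint64_t ti)
{
    uint64_t v; memcpy(&v, kptr(ti + offsetof(struct thread_info_model, addr_limit)), sizeof v); return v;
}
uint32_t read_selinux_enforcing(void)
{
    uint32_t v; memcpy(&v, kptr(SELINUX_ENFORCING_ADDR), sizeof v); return v;
}
int is_root(uint64_t cred)
{
    struct cred_model c; memcpy(&c, kptr(cred), sizeof c);
    return c.uid == 0 && c.euid == 0 && c.gid == 0 && c.egid == 0 && c.fsuid == 0 &&
           c.cap_effective == ~0ULL && c.cap_permitted == ~0ULL;
}

/* Runs the whole sequence; 0 on success, a step number on failure. */
int run_demo(void)
{
    init_kernel_model();
    if (is_root(CRED_ADDR) || read_selinux_enforcing() != 1) return 1; /* bad start state */
    escalate();
    if (!is_root(CRED_ADDR)) return 2;
    if (read_selinux_enforcing() != 0) return 3;
    if (read_addr_limit(THREAD_INFO_ADDR) != ~0ULL) return 4;
    return 0;
}

int main(void)
{
    printf("demo status %d: root=%d enforcing=%u addr_limit=%#llx\n", run_demo(),
           is_root(CRED_ADDR), read_selinux_enforcing(),
           (unsigned long long)read_addr_limit(THREAD_INFO_ADDR));
    return 0;
}
```

The in-place overwrite of the current cred is the classic approach because it needs nothing but the write primitive; calling commit_creds(prepare_kernel_cred(0)) instead needs kernel code execution, which is what PXN is there to stop.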

MAC and Sandbox are the iOS mitigations that play the role SELinux plays on Android. Apple's code signing requires that, apart from builds used for development, all executable code be signed by Apple before it can run on an iPhone. Although Android also requires APKs to be signed, an APK can still load executable code at will.

In this Aliju Security Attack and Defense Challenge you can experience how to break through vulnerability mitigations such as ASLR and DEP. The question was designed by Qu He, Chao Liu and their AFLSLab colleagues, who prepared several bug-containing programs that simulate the application scenario, with a focus on the PWN format. The server-side PWN requires players to be able to find and exploit binary program vulnerabilities: reverse the server-side program, find its various problems, then write exploit code and use it, while interacting with the program, to obtain a shell with the program's privileges and from there the sensitive information on the server. On the Android app PWN side, players need to be able to obtain remote arbitrary code execution, disassemble and understand logic on the arm64 platform, find a way to break through DEP, ASLR and other protections, and then control the target app to execute their own code.

AFLSLab is a newly established mobile security laboratory of the Ant Financial Security Center (commonly known as the Ant Shield agency). Besides protecting the Alipay wallet and Ant Financial's related products, it also protects the terminal infrastructure of external manufacturers, business partners and ecosystem partners. Although established only recently, it has already reported multiple security vulnerabilities to Google, Samsung, Huawei and other companies. Qu He, the laboratory's technical director, said that he hopes the competition will attract more players interested in application and system vulnerability discovery and exploitation to exchange ideas and learn, and to work together for a new Internet security ecosystem.

Major announcement: tonight at 20:00 the Aliju Security Attack and Defense Challenge warm-up round starts on time! But we do not eliminate anyone! No elimination! No elimination! No elimination!

Author: @ bath guangnian laboratory. For more information on the challenge, please follow the official website of the Aliju Security Attack and Defense Challenge.