From Zygote to Morula: Fortifying Weakened ASLR on Android
Byoungyoung Lee (Georgia Tech), Long Lu (Stony Brook University), Tielei Wang (Georgia Tech), Taesoo Kim (MIT), Wenke Lee (Georgia Tech)
In embryology, the morula is produced by the rapid division of the zygote cell. In Android, each application process is a fork of the Zygote process.
Security Hardening Efforts on Mobile
• Underlying Operating System
  – Address Space Layout Randomization (ASLR)
  – Data Execution Prevention (DEP)
• Mobile Platform
  – Permission Model
  – App code signing
Address Space Layout Randomization (ASLR)
• Motivation
  – Knowing the address is a prerequisite for many attacks
• Makes prediction of memory addresses difficult
  – Individual memory layouts for each process
• Implemented in all major OSes
History of ASLR adoption in Android
• Why ASLR on Android?
  – Prevent exploitation of native code in apps
• Adopted incrementally
  – Performance concerns on early Android devices (enabling PIE → loading latency / memory overheads)
  – Android 4.1 implemented full ASLR enforcement
(actual) ASLR enforcement in Android relates to its performance-prioritized design
Performance Prioritized Designs of Android
(diagram: Application on top of Dalvik VM on top of Android Runtime Library)
• Multi-layered architectures
  – Android applications run on the Dalvik VM
  – with additional runtime libraries
→ Slow app launch time
Zygote: the process creation module
(diagram: the Zygote process, a template process hosting apps, already holds the Dalvik VM and Android Runtime Library; each Application is created from it by fork())
→ Fast app launch time!
Zygote: the process creation module
(diagram: every fork()ed Application carries the same Dalvik VM and Android Runtime Library mappings as Zygote)
→ Sharing address layout
Zygote weakens ASLR effectiveness
(diagram: ① AM (Activity Manager) requests a new app, e.g. browser; ② Zygote fork()s; ③ the child specializes into the app, keeping Zygote's shared libraries)
• All apps have the same memory layouts
  – For shared libraries loaded by the Zygote process
→ Weakens Android ASLR security
Attacking the ASLR weakness by Zygote
• Challenges to develop fully working exploits (with ideal ASLR)
  – Exploit the information leak vulnerability
  – Exploit the control-flow hijack vulnerability
  → should be achieved in the same app!
Attacking the ASLR weakness by Zygote
• How Zygote's ASLR weakness helps attackers
  – Remote Coordinated Attacks
    • Information leak in Chrome + control-flow hijack in VLC
    • Reduces the vulnerability search space
  – Local Trojan Attacks
    • Obtain the memory layout by having the trojan app installed
Attacking weakened ASLR: Remote Coordinated Attack
(diagram: attacker's web server and victim's Android, steps ①–④)
• Chrome: malicious JavaScript → exploit the information leak vulnerability (CVE-2013-0912)
• URI Intent from Chrome to the VLC player
• VLC player: crafted video file → exploit the control-flow hijack vulnerability with the leaked memory layout information
Attacking weakened ASLR: Local Trojan Attack
• Zero-permission trojan app
  – Asks (almost) no permissions from the system
  – Scans memory spaces using native code
  – Layout information can be exported
    • Intent
    • Internet
• Once the trojan app is installed, ASLR can be easily bypassed
Intuitive (but impractical) Solutions
(diagram: Application created by fork() & exec(), with its own Dalvik VM and Android Runtime Library)
– fork() & exec()
  • Execute and initialize all components from scratch
– Too slow to be used in practice
  • App launch time: 427% slowdown
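As an added illustration (not code from the talk or from the Morula implementation), this Linux C program contrasts the two process-creation models above: a plain fork() child reports exactly the parent's library load address, the Zygote situation, while two processes created with fork() & exec() get independently randomised layouts when ASLR is on. It assumes Linux with /proc and /bin/cat available; the function names are mine.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/wait.h>
/* Start address of the first /proc/<pid>/maps line containing `needle`, or 0. */
static uintptr_t mapping_base(FILE *maps, const char *needle) {
    char line[512];
    while (fgets(line, sizeof line, maps))
        if (strstr(line, needle)) return (uintptr_t)strtoull(line, NULL, 16);
    return 0;
}
/* Layout fingerprint of this process: libc's load address (stack base if no "/libc." mapping). */
static uintptr_t self_layout(void) {
    FILE *m = fopen("/proc/self/maps", "r");
    if (!m) return 0;
    uintptr_t base = mapping_base(m, "/libc.");
    if (!base) { rewind(m); base = mapping_base(m, "[stack]"); }
    fclose(m);
    return base;
}
/* Zygote-style creation, plain fork(): the child's fingerprint always equals the parent's,
 * since fork() duplicates the address space. Returns 1 = same layout, 0 = differ, -1 = error. */
int fork_child_shares_layout(void) {
    int fd[2]; pid_t pid;
    if (pipe(fd) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                               /* child: measure and report */
        uintptr_t mine = self_layout();
        _exit(write(fd[1], &mine, sizeof mine) == sizeof mine ? 0 : 1);
    }
    close(fd[1]);
    uintptr_t parent = self_layout(), child = 0;
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]); waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child ? parent == child : -1;
}
/* The intuitive fix, fork() & exec(): each exec'd process (here /bin/cat reading its own maps)
 * gets a fresh layout when ASLR is on. Returns 1 = stack bases differ, 0 = equal, -1 = unreadable. */
int exec_children_get_fresh_layouts(void) {
    uintptr_t base[2];
    for (int i = 0; i < 2; i++) {
        FILE *p = popen("cat /proc/self/maps", "r");
        if (!p) return -1;
        base[i] = mapping_base(p, "[stack]"); pclose(p);
        if (!base[i]) return -1;
    }
    return base[0] != base[1];
}
```

The exec-based check only reports 1 when the host has ASLR enabled (e.g. /proc/sys/kernel/randomize_va_space set to 2); the fork-based one is independent of that setting, which is exactly the weakness the slides describe.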
Morula: Fast Process Creation without Weakening ASLR
• Maintain a Morula instance pool
  – An instance is prepared (fork() and exec()) when the device is idle
  – Pull out an instance to create an app later
Morula: Fast Process Creation without Weakening ASLR
(diagram: a pool of Morula instances, each with its own Dalvik VM and Android Runtime Library; an Application is created from one of them)
Still fast enough & ASLR is securely enforced
Morula: Fast Process Creation without Weakening ASLR
Preparation phase – Prepare a Morula instance when the device is idle
(diagram: ① AM requests a prepare when idle; ② Zygote does fork() & exec(); ③ the new Morula instance cold-inits its own shared libraries and joins the pool)
Morula: Fast Process Creation without Weakening ASLR
Transition phase – Transform the instance into the target application
(diagram: ① AM requests a new app, e.g. browser; ② the app info is sent to a pooled Morula instance; ③ the instance specializes into the app with its own shared libraries)
Evaluations
• Implemented Morula in Android 4.2
  – 548 LoC in Java
  – 197 LoC in C
• Evaluated on Galaxy Nexus
  – Dual-core 1.2 GHz CPU, 1GB RAM
Application Launch Delays
(chart: launch delay for Zygote vs. fork & exec vs. Morula)
Morula is 0.7% faster than Zygote on average
→ Trade-off between fork() in Zygote vs. extra communications in Morula
Memory Use Overheads
(chart: memory use for Zygote vs. fork & exec vs. Morula)
Morula uses 13.7MB (85%) more memory per app
→ Mostly from individual Dalvik VM heaps
Implications
• Other data sharing issues caused by Android Zygote
  – Predicting OpenSSL's PRNG states [CCS 13]
• Systems relying on Zygote-like designs
  – Chrome, server-side applications [Blind ROP, Oakland 14]
  – Platform-specific optimizations should be considered
    • Morula: On-demand Dalvik class loading / Selective randomization
• Performance-prioritized designs can be at odds with ASLR
  – Hash table designs in dynamic script languages (to appear, BlackHat USA 2014)
Conclusion
• Showed two attacks on Android ASLR weakened by Zygote
  – Remote coordinated attacks
  – Local trojan attacks
• Morula achieves fast app launch time without weakening ASLR
Thank you
Q&A
Backup slides
Battery Consumption
• Executed the web browser every 10 seconds
• Morula imposes 0.5% more power consumption for 100 executions
Optimizations on Morula
• On-demand Dalvik class loading
  – The Dalvik VM pre-loads 2,541 Dalvik classes
    • Most Java libraries, including Android runtime libraries
    • On average, only 5% of them are actually used by applications
  – Dynamically load each class at the time it is used
    • Shifts the overhead from the preparation phase to the transition phase
  – The device booting process can benefit significantly
    • More than 10 apps are launched during device booting
Zygote conflicts with ASLR security
→ Each app shares ~10MB of data that can potentially be used as attack vectors (e.g., ROP)