secuinside 연세대학교 제출secuinside.com/archive/2016/2016-2-1.pdf · 스마트폰에서...

2016. 7. 12

[email protected]

최신 스마트폰 오디오 취약점 분석

권 태 경

mailto:[email protected]?subject=

2Background

출처 : StatCounter (2016.06)

미국 Mobile & Tablet OS 점유율

Android

iOS

Windows Phone

Series 40

BlackBerry OS

0 15 30 45 60

전세계 Mobile & Tablet OS 점유율

Android

iOS

Windows Phone

Series 40

BlackBerry OS

0 20 40 60 80

단위(%)

단위(%)

3Background

스마트폰 보급 확대와 더불어 보안 취약점 보고 급증

0

100

200

300

400

2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

Android iOS

출처 : CVEDetails (2016.06)

4Background

5Background

오디오 제공 서비스

[2015 ~ 2016 Android CVE chart related to the Stagefright]

6Background

[iOS CVE chart related to mediaserverd]

1 1 1

5

[Android media file processing flow]

The mediaserver process runs in the background and automatically restarts when it crashes

A mix of Java and native code

Why audio? 7

8

다양한 실행 환경 - 브라우저나 앱에서 사용자 동의 없이 실행 되는 경우도 있음

스마트폰에서 가장 많이 사용되는 서비스 - 알림음, 통화, 멀티미디어, 게임, …

Why audio?

다양한 종류의 코덱, 플러그인 - 보안 의식 부족한 개발자에 의해 개발

다양한 형식의 바이너리 오디오 화일 - 그러나 상대적으로 덜 위험하다고 인식

9Why audio?

Audio Codecs

Codec AbstractFLAC Lossless codec developed by Xiph.Org Foundation.

LAME Lossy compression (MP3 format).

TooLAME/TwoLAME Lossy compression (MP2 format).

Musepack Lossy compression; based on MP2 format, with many improvements.

Speex Low bitrate compression, primarily voice; developed by Xiph.Org Foundation. Deprecated in favour of Opus according to www.speex.org.

CELT Lossy compression for low-latency audio communication

libvorbis Lossy compression, implementation of the Vorbis format; developed by Xiph.Org Foundation.

iLBC Low bitrate compression, primarily voice

iSAC Low bitrate compression, primarily voice; (free when using the WebRTC codebase)

TTA Lossless compression

WavPack Hybrid lossy/lossless

Apple Lossless Lossless compression (MP4)

Fraunhofer FDK AAC Lossy compression (AAC)

FFmpeg codecs in the libavcodec library, e.g. AC-3, AAC, ADPCM, PCM, Apple Lossless, FLAC, WMA, Vorbis, MP2, etc.

•••

•••

https://en.wikipedia.org/wiki/FLAC

https://en.wikipedia.org/wiki/Xiph.Org_Foundation

https://en.wikipedia.org/wiki/LAME

https://en.wikipedia.org/wiki/TooLAME

https://en.wikipedia.org/wiki/TooLAME#TwoLAME

https://en.wikipedia.org/wiki/Musepack

https://en.wikipedia.org/wiki/Speex


https://en.wikipedia.org/wiki/CELT

https://en.wikipedia.org/wiki/Libvorbis

https://en.wikipedia.org/wiki/Vorbis


https://en.wikipedia.org/wiki/Internet_Low_Bit_Rate_Codec

https://en.wikipedia.org/wiki/Internet_Speech_Audio_Codec

https://en.wikipedia.org/wiki/WebRTC

https://en.wikipedia.org/wiki/TTA_(codec)

https://en.wikipedia.org/wiki/WavPack

https://en.wikipedia.org/wiki/Apple_Lossless

https://en.wikipedia.org/wiki/Fraunhofer_FDK_AAC

https://en.wikipedia.org/wiki/Windows_Media_Audio

10Why audio?

Audio File Types - 1,263 개

3ga m4p sf2 dss zvr audionote mgu

aac midi gtp aax sdx rip br4

aiff mp3 gig wv fsb ses m4r

amr ogg aud ct3 ajp band cdg

ape pcm sf cs3 ram mka mogg

arf rec pbf nvf mtd br5 omf

asf snd svq mv3 aaf vdj nki

asx sng xspf ca3 kfn ytif xpak

cda uax avr sib alb ove spx

dvf wav opus ds2 cdfs mid muk

flac wma sesx nwc 2ch mxl bmw

gp4 wpl trm sabs dcf nmsv ap4

gp5 zab bnk kam au caf dkd

gpx gog mpdp wrf oma vox rpp

logic mus aa nmf mp4a xwb thd

m4a moi ocdf xkr fls voc efa

m4b wem tak adts ad4 elastik acd

• • •

*source: Audio and sound file extension list. http://www.file-extensions.org/

http://www.file-extensions.org/3ga-file-extension

http://www.file-extensions.org/m4p-file-extension

http://www.file-extensions.org/sf2-file-extension

http://www.file-extensions.org/dss-file-extension

http://www.file-extensions.org/zvr-file-extension

http://www.file-extensions.org/audionote-file-extension

http://www.file-extensions.org/mgu-file-extension

http://www.file-extensions.org/aac-file-extension

http://www.file-extensions.org/midi-file-extension

http://www.file-extensions.org/gtp-file-extension

http://www.file-extensions.org/aax-file-extension

http://www.file-extensions.org/sdx-file-extension

http://www.file-extensions.org/rip-file-extension

http://www.file-extensions.org/br4-file-extension-bmw-idrive-multimedia-data

http://www.file-extensions.org/aiff-file-extension

http://www.file-extensions.org/mp3-file-extension

http://www.file-extensions.org/gig-file-extension

http://www.file-extensions.org/wv-file-extension

http://www.file-extensions.org/fsb-file-extension

http://www.file-extensions.org/ses-file-extension

http://www.file-extensions.org/m4r-file-extension

http://www.file-extensions.org/amr-file-extension

http://www.file-extensions.org/ogg-file-extension

http://www.file-extensions.org/aud-file-extension-nice-media-player-audio-file

http://www.file-extensions.org/ct3-file-extension

http://www.file-extensions.org/ajp-file-extension

http://www.file-extensions.org/band-file-extension

http://www.file-extensions.org/cdg-file-extension

http://www.file-extensions.org/ape-file-extension

http://www.file-extensions.org/pcm-file-extension

http://www.file-extensions.org/sf-file-extension

http://www.file-extensions.org/cs3-file-extension

http://www.file-extensions.org/ram-file-extension

http://www.file-extensions.org/mka-file-extension

http://www.file-extensions.org/mogg-file-extension

http://www.file-extensions.org/arf-file-extension

http://www.file-extensions.org/rec-file-extension

http://www.file-extensions.org/pbf-file-extension-turtle-beach-pinnacle-sound-bank

http://www.file-extensions.org/nvf-file-extension

http://www.file-extensions.org/mtd-file-extension

http://www.file-extensions.org/br5-file-extension-bmw-idrive-multimedia-data

http://www.file-extensions.org/omf-file-extension

http://www.file-extensions.org/asf-file-extension

http://www.file-extensions.org/snd-file-extension

http://www.file-extensions.org/svq-file-extension

http://www.file-extensions.org/mv3-file-extension

http://www.file-extensions.org/aaf-file-extension

http://www.file-extensions.org/vdj-file-extension

http://www.file-extensions.org/nki-file-extension

http://www.file-extensions.org/asx-file-extension

http://www.file-extensions.org/sng-file-extension

http://www.file-extensions.org/xspf-file-extension

http://www.file-extensions.org/ca3-file-extension

http://www.file-extensions.org/kfn-file-extension

http://www.file-extensions.org/ytif-file-extension

http://www.file-extensions.org/xpak-file-extension

http://www.file-extensions.org/cda-file-extension

http://www.file-extensions.org/uax-file-extension

http://www.file-extensions.org/avr-file-extension

http://www.file-extensions.org/sib-file-extension

http://www.file-extensions.org/alb-file-extension

http://www.file-extensions.org/ove-file-extension

http://www.file-extensions.org/spx-file-extension

http://www.file-extensions.org/dvf-file-extension

http://www.file-extensions.org/wav-file-extension

http://www.file-extensions.org/opus-file-extension

http://www.file-extensions.org/ds2-file-extension

http://www.file-extensions.org/cdfs-file-extension

http://www.file-extensions.org/mid-file-extension

http://www.file-extensions.org/muk-file-extension

http://www.file-extensions.org/flac-file-extension

http://www.file-extensions.org/wma-file-extension

http://www.file-extensions.org/sesx-file-extension

http://www.file-extensions.org/nwc-file-extension

http://www.file-extensions.org/2ch-file-extension

http://www.file-extensions.org/mxl-file-extension

http://www.file-extensions.org/bmw-file-extension

http://www.file-extensions.org/gp4-file-extension

http://www.file-extensions.org/wpl-file-extension

http://www.file-extensions.org/trm-file-extension-court-record-audio-format

http://www.file-extensions.org/sabs-file-extension

http://www.file-extensions.org/dcf-file-extension

http://www.file-extensions.org/nmsv-file-extension

http://www.file-extensions.org/ap4-file-extension

http://www.file-extensions.org/gp5-file-extension

http://www.file-extensions.org/zab-file-extension

http://www.file-extensions.org/bnk-file-extension

http://www.file-extensions.org/kam-file-extension

http://www.file-extensions.org/au-file-extension

http://www.file-extensions.org/caf-file-extension

http://www.file-extensions.org/dkd-file-extension

http://www.file-extensions.org/gpx-file-extension-guitar-pro-6-format

http://www.file-extensions.org/gog-file-extension

http://www.file-extensions.org/mpdp-file-extension

http://www.file-extensions.org/wrf-file-extension-webex-recorded-video

http://www.file-extensions.org/oma-file-extension

http://www.file-extensions.org/vox-file-extension

http://www.file-extensions.org/rpp-file-extension

http://www.file-extensions.org/logic-file-extension

http://www.file-extensions.org/mus-file-extension

http://www.file-extensions.org/aa-file-extension

http://www.file-extensions.org/nmf-file-extension

http://www.file-extensions.org/mp4a-file-extension

http://www.file-extensions.org/xwb-file-extension

http://www.file-extensions.org/thd-file-extension

http://www.file-extensions.org/m4a-file-extension

http://www.file-extensions.org/moi-file-extension

http://www.file-extensions.org/ocdf-file-extension

http://www.file-extensions.org/xkr-file-extension

http://www.file-extensions.org/fls-file-extension

http://www.file-extensions.org/voc-file-extension

http://www.file-extensions.org/efa-file-extension

http://www.file-extensions.org/m4b-file-extension

http://www.file-extensions.org/wem-file-extension

http://www.file-extensions.org/tak-file-extension

http://www.file-extensions.org/adts-file-extension

http://www.file-extensions.org/ad4-file-extension

http://www.file-extensions.org/elastik-file-extension

http://www.file-extensions.org/acd-file-extension

Challenges 11

Ringtone 파일을 활용한 퍼징 (T. Klein. 2011)

iPhone 대상의 퍼징 가치를 증명

단순한 변이 전략도 효과적인 것을 보여줌

iPhone 에서 출처가 분명하지 않은 미디어 파일은열어보지 않아야 한다.

Challenges 12

Ringtone 파일을 활용한 퍼징 (T. Klein. 2011)

Ringtone m4r file을 시드 파일로 선정

iOS의 모바일 사파리로 웹 서버의 m4a 파일 요청을 자동화원본 파일의 오프셋을 순차적으로 1바이트 크기씩 변이: 1000개

“Automated”

• iOS 3.1.3 이전 • Web Server

mediaserverd 프로세스 취약점 발견- CVE-2010-0036 (DoS, Code execution, Overflow)

Challenges 13

Fuzzing on iOS & Android (Lee et al. 2015)

* Source: 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015)

iOS와 Android에 대한 fuzzing 환경 구축

Unique 버그를 찾기위한 seed file selection 연구

Unique 버그를 발견하기 위해선 좋은 seed file이 선택되어야 한다.

Challenges 14

Fuzzing on iOS & Android (Lee et al. 2015)

Real world format (GIF, JPEG, PNG, MP3, and MP4)을 이용테스트케이스가 서로 중복되지 않도록 uniqueness를 고려하여 생성

CACE (Crash Automatic Classification Engine) 활용하여 크래시 분석 자동화

안드로이드와 iOS에서 약 1900개의 크래시와 7개의 유니크한 버그 발견

좋은 시드파일을 선택할 수 있는 SFAT (Seed File Analysis Tool) 고안

Quality Input Generation

1) SFD - Seed Files Download(auto)

2) SFAT - Seed Files Analysis(auto)

3) Augmenting Seed Files(manual - optional)

24x7 Web Console4) Fuzzing Engine(auto)

10) CACE(auto)

11)Exploitability

Analysis(manual)

6)FuzzedFile

Delivery(auto)

5) FEETFuzz

EngineEvaluation

Tool(auto)

SOFT(auto)7) Fuzz Download /

9)Result Upload

24x7 SOFT Application Monitor(auto)

8) Crash Log Extractor

(auto)

SERVER

DEVICE

Challenges 15

미디어 파일 분석을 활용한 퍼징 (D. Thiel. 2008)

* Source: BlackHat 2008

Media file format-aware fuzzing (PC)

기존의 방식(Code auditing, Static analysis, Simple fuzzer)으로는 찾을 수 없는버그 발견

Media codec fuzzing - libvorbis, VLC, iTunes, WMP, RealPlayer, Flac-tools

Challenges 16

미디어 파일 분석을 활용한 퍼징 (D. Thiel. 2008)

[Analysis]

Mutation valuesRandom stringsFormat stringsFencepost numbersURLs—for catching URL pingbacks

Media ContainersAVIOgg

MPEG-2MP4ASF

Media CodecsDivX

VorbisTheoraWMVXvid

Sorenson

Toolbox for file format-awareness(Hachoir, Mutagen, vbindiff, bvi, bbe, gdb)

17Fuzzing

File Fuzzing File Format-aware Fuzzing

많은 테스트케이스 생성

많은 시간 소요

Seed selection

Mutation strategy

ZZUF, Filefuzz, MFFA, Peach fuzzer, …

적은 테스트케이스 생성

적은 시간 소요

Seed selection

Mutation strategy- Mutation ratio (e.g., 0.004 in ZZUF)

- 변이 위치

18

FuzzGenerator

DeliveryMechanism

MonitoringSystem

“Fuzzer”

Generating the inputs that will be used to drive the System Under Test (SUT)

Accept system inputs from the fuzz generator and presents them to the SUT for consumption

Observe the SUT as it processes each system input, attempting to detect any errors that arise

Fuzzing

19File Fuzzing

발표자의 사정에 따라 제출본에서는 이하 내용을 생략합니다.

secuinside 연세대학교 제출secuinside.com/archive/2016/2016-2-1.pdf · 스마트폰에서...

Documents