Adaptive Kernel Live Patching
TRANSCRIPT

Adaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate Android N-day Root Exploits
Yulong Zhang and Lenx (Tao) Wei, Baidu X-Lab, August 2016
Agenda
• The Problem
  • Android Kernel Vulnerability Landscape
  • Why Are They Long-lasting?
  • Case Studies
• The Solution
  • AdaptKpatch: Adaptive Kernel Live Patching
  • LuaKpatch: More Flexibility, Yet More Constraint
• The Future
  • Establishing the Ecosystem
Threats of Kernel Vulnerabilities
[Figure: an unprivileged user in user mode reaches root through kernel mode: an info-leak vulnerability gives information leakage, a code execution vulnerability gives privilege escalation.]
Threats of Kernel Vulnerabilities
• Most security mechanisms relying on kernel integrity/trustworthiness will be broken
  • Access control, app/user isolation
  • Payment/fingerprint security
  • KeyStore
  • Other Android user-land security mechanisms
• TrustZone will also be threatened
  • Attack surfaces exposed
  • Not enough input validation
Kernel Vulnerabilities in Android Security Bulletin
[Figure: bar chart of the monthly disclosed number of Android kernel vulnerabilities, 2015/09 to 2016/07; the values are listed in the table below.]

Monthly Disclosed Number of Android Kernel Vulnerabilities

| Month   | Count |
|---------|-------|
| 2015/09 | 1     |
| ...     | ...   |
| 2015/12 | 1     |
| 2016/01 | 3     |
| 2016/02 | 4     |
| 2016/03 | 4     |
| 2016/04 | 7     |
| 2016/05 | 15    |
| 2016/06 | 19    |
| 2016/07 | 66    |

The Growing Trend Indicates
• More and more attention is drawn to securing the kernel
• More and more vulnerabilities are in the N-day exploit arsenal of the underground businesses
Many Vulnerabilities Have Exploit PoC Publicly Disclosed

| Vulnerability/Exploit Name | CVE ID |
|---|---|
| mempodipper | CVE-2012-0056 |
| exynos-abuse/Framaroot | CVE-2012-6422 |
| diagexploit | CVE-2012-4221 |
| perf_event_exploit | CVE-2013-2094 |
| fb_mem_exploit | CVE-2013-2596 |
| msm_acdb_exploit | CVE-2013-2597 |
| msm_cameraconfig_exploit | CVE-2013-6123 |
| get/put_user_exploit | CVE-2013-6282 |
| futex_exploit/Towelroot | CVE-2014-3153 |
| msm_vfe_read_exploit | CVE-2014-4321 |
| pipe exploit | CVE-2015-1805 |
| PingPong Root | CVE-2015-3636 |
| f2fs_exploit | CVE-2015-6619 |
| prctl_vma_exploit | CVE-2015-6640 |
| keyring_exploit | CVE-2016-0728 |
| ... | ... |
KEMOGE
https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html

GHOST PUSH
http://www.cmcm.com/blog/en/security/2015-09-18/799.html

DOGSPECTUS
“...the payload of that exploit, a Linux ELF executable named module.so, contains the code for the futex or Towelroot exploit that was first disclosed at the end of 2014.”
https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware

HUMMINGBAD
“All combined, the campaign includes nearly 85 million devices... HummingBad attempts to gain root access on a device with a rootkit that exploits multiple vulnerabilities... It tries to root thousands of devices every day, with hundreds of these attempts successful.”
https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware
iOS More Secure?

iOS vs. Android kernel vulnerabilities

| iOS Version | Release Date | Kernel Vulnerability # | Android # In This Period |
|---|---|---|---|
| 8.4.1 | 8/13/15 | 3 | - |
| 9 | 9/16/15 | 12 | 1 |
| 9.1 | 10/21/15 | 6 | - |
| 9.2 | 12/8/15 | 5 | 1 |
| 9.2.1 | 1/19/16 | 4 | 3 |
| 9.3 | 3/21/16 | 9 | 8 |
| 9.3.2 | 5/16/16 | 11 | 22 |
So the problem is:
• Android has MORE vulnerabilities
• Vulnerabilities remain UNFIXED over a long time
The Problem: Why Are They Long-lasting?

• If Apple wants to patch a vulnerability
  • Apple controls the entire (mostly) supply chain
  • Apple has the source code
  • Apple refuses to sign old versions, forcing one-direction upgrade
  • All the iOS devices will get the update in a timely manner
• Android
  • Many devices stay unpatched forever / for a long period...
Why Are Android Kernel Vulnerabilities Long Lasting?
• The long patching chain delays the patch effective date
• Fragmentation makes it challenging to adapt the patches to all devices
• Capability mismatching between device vendors and security vendors

Cause A: The long patching chain
There are exploits that appeared in public but
• Never got officially reported to vendors

Exploits made public but not reported
Android Root and its Providers: A Double-Edged Sword. H. Zhang, D. She, and Z. Qian, CCS 2015

There are exploits disclosed but
• Not getting timely patches

Exploits disclosed but not timely patched
https://bugs.chromium.org/p/project-zero/issues/detail?id=734&can=1&sort=-id

There are exploits patched but
• Delayed by the carriers

Exploits patched but delayed by carriers
http://www.howtogeek.com/163958/why-do-carriers-delay-updates-for-android-but-not-iphone

User delays the OTA due to rebooting
Cause B: Fragmentation
http://opensignal.com/reports/2015/08/android-fragmentation
Google Dashboard (2016/07/21)

| Version | Codename | API | Distribution |
|---|---|---|---|
| 2.2 | Froyo | 8 | 0.1% |
| 2.3.x | Gingerbread | 10 | 1.9% |
| 4.0.x | Ice Cream Sandwich | 15 | 1.7% |
| 4.1.x | Jelly Bean | 16 | 6.4% |
| 4.2.x | Jelly Bean | 17 | 8.8% |
| 4.3 | Jelly Bean | 18 | 2.6% |
| 4.4 | KitKat | 19 | 30.1% |
| 5.0 | Lollipop | 21 | 14.3% |
| 5.1 | Lollipop | 22 | 20.8% |
| 6.0 | Marshmallow | 23 | 13.3% |

Lollipop was released on November 12, 2014, but 51.6% of the devices are still older than that!
Google stopped patching for Android older than 4.4, but 21.5% of the devices are still older than that!
Chinese Market Is Even Worse (stats from devices with Baidu apps installed, July 2016)

| Version | Codename | Rate |
|---|---|---|
| 2.3.x | Gingerbread | 3% |
| 4.0.x | Ice Cream Sandwich | 3% |
| 4.1.x / 4.2.x / 4.3 | Jelly Bean | 36% |
| 4.4 | KitKat | 39% |
| 5 / 5.1 | Lollipop | 19% |

Lollipop was released on November 12, 2014, but 80% of the devices are still older than that!
42% of the devices are < 4.4!
Cause C: Capability mismatching between device vendors and security vendors

Security Vendors:
• Capable to discover and patch vulnerabilities
• Not privileged enough
• Without source code, difficult to adapt the patches

Phone Vendors:
• Privileged to apply the patches
• With source code, easy to adapt the patches
• Not enough resources to discover and patch vulnerabilities
The Problem: Case Studies

CVE-2014-3153 (Towelroot)
• The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges.

CVE-2015-3636 (PingPong Root)
• The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service.

CVE-2015-1805 (used in KingRoot)
• The pipe_read and pipe_write implementations in the kernel before 3.16 allow local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application.
• A known issue in the upstream Linux kernel that was fixed in April 2014 but wasn't called out as a security fix and assigned CVE-2015-1805 until February 2, 2015.
[Figure: bar chart of days since the advisory publication date (0 to 1000) for CVE-2015-1805 PipeRoot, CVE-2015-3636 PingPong Root and CVE-2014-3153 Towelroot.]

[Figure: stacked bars, 0% to 100%, of vulnerable vs. not vulnerable devices for CVE-2014-3153 Towelroot, CVE-2015-3636 PingPong Root and CVE-2015-1805 PipeRoot.]
Vulnerability statistics collected from Chinese Android devices in July 2016

How/Who to Secure Them???
The Solution: AdaptKpatch: Adaptive Kernel Live Patching
Kernel Live Patching
• kpatch
• kGraft
• ksplice
• Linux upstream's livepatch
• ......

Kernel Live Patching
[Figure: kGraft as an example]

Kernel Live Patching
• Load new functions into memory
• Link new functions into kernel
  • Allows access to unexported kernel symbols
• Activeness safety check
  • Prevent old & new functions from running at the same time
  • stop_machine() + stack backtrace checks
• Patch it!
  • Uses ftrace etc.
https://events.linuxfoundation.org/sites/events/files/slides/kpatch-linuxcon_3.pdf
Challenges for Third Party
• Most existing work requires source code. The phone vendor is the only party that can generate the live patches
• Unable to directly apply patches to other kernel builds
AdaptKpatch - Adaptive Live Patching

Auto patch adaption
• Kernel info gathering
• Data structure filling

Patching payload injection
• Choice A: Install kernel module
• Choice B: Binary code injection via mem device

Patching payload execution
• Replace/hook vulnerable functions
Kernel Info Collection
• Kernel version
  • /proc/version
  • vermagic
• Symbol addresses / CRC
  • /proc/kallsyms (/proc/sys/kernel/kptr_restrict)
• Other kernel modules
  • Symbol CRC / module init offset
• Boot image
  • decompress gzip/bzip/lzma/lzo/xz/lz4
  • some are raw code or even ELF file
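Added example (written for this transcript, not AdaptKpatch's code): a C parser for the two inputs the kernel info collection step starts from, /proc/version and /proc/kallsyms, run on constructed sample text; the version string, symbol names and addresses are made up. It also detects the kptr_restrict case the slide points at, where the symbol listing is readable but every address is zeroed, so adaptation cannot use it and must fall back to another source such as the boot image.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample of /proc/version (not from a real device). */
static const char SAMPLE_VERSION[] =
    "Linux version 3.4.0-g0a1b2c3 (build@host) "
    "(gcc version 4.8 (GCC) ) #1 SMP PREEMPT Mon Jan 4 10:00:00 CST 2016\n";

/* Constructed sample of /proc/kallsyms: "address type name [module]". */
static const char SAMPLE_KALLSYMS[] =
    "c0008000 T stext\n"
    "c0123abc T ping_unhash\n"
    "c0456def T futex_requeue\n"
    "bf000100 t helper_fn\t[wifi_drv]\n";

/* The same listing as an unprivileged reader sees it with kptr_restrict=1:
 * the symbols are listed but every address is replaced by zeros. */
static const char SAMPLE_KALLSYMS_RESTRICTED[] =
    "00000000 T stext\n"
    "00000000 T ping_unhash\n";

/* Copy the kernel release (the token after "Linux version ") into out.
 * Returns 0 on success, -1 if the text does not look like /proc/version. */
int parse_kernel_release(const char *proc_version, char *out, size_t outlen)
{
    const char *prefix = "Linux version ";
    const char *p = strstr(proc_version, prefix);
    if (!p)
        return -1;
    p += strlen(prefix);
    size_t n = strcspn(p, " \n");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Look up a symbol name in kallsyms text. Returns its address, or 0 if the
 * symbol is absent or its address is hidden by kptr_restrict. */
uint64_t kallsyms_lookup(const char *kallsyms, const char *name)
{
    const char *line = kallsyms;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char addr[32], type[4], sym[128];
            if (sscanf(buf, "%31s %3s %127s", addr, type, sym) == 3 &&
                strcmp(sym, name) == 0)
                return strtoull(addr, NULL, 16);
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Returns 1 when the listing is non-empty but every address is zero, the
 * signature of kptr_restrict hiding addresses from an unprivileged reader. */
int kallsyms_is_restricted(const char *kallsyms)
{
    const char *line = kallsyms;
    int seen = 0;
    while (*line) {
        char addr[32];
        if (sscanf(line, "%31s", addr) == 1) {
            seen = 1;
            if (strtoull(addr, NULL, 16) != 0)
                return 0;
        }
        const char *eol = strchr(line, '\n');
        if (!eol)
            break;
        line = eol + 1;
    }
    return seen;
}
```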
Patch Injection Methods Coverage
[Figure: INSMOD 95%; (K)MEM 60%; pie chart 99.4% vs. 0.6%]
Method A: Kernel Module Injection
Kernel checks that need to be resolved for adaption
• vermagic check
• symbol CRC check
• module structure check
• vendor's specific check
  • Samsung lkmauth

Bypass vermagic / symbol CRC
- Big enough vermagic buffer
- Copy kernel vermagic string to module
- Copy kernel symbol CRCs to module

Bypass Samsung lkmauth
Method B: mem/kmem Injection
- Symbol addresses
  - vmalloc_exec
  - module_alloc
- Structured shellcode
  - Allocate/reuse memory
  - Write into memory
  - Trigger the running
Patching Payload Execution
• Overwrite the function pointer
• Overwrite with patch code directly
• Inline hook
Same as with other live patching methods
Adaption Challenges Solved
• Patch automatic adaption
[Figure: Patch + Device kernel info → Auto adaption → Adapted patch]
Challenges Solved
✓ Most existing work requires source code. The phone vendor is the only party that can generate the live patches
✓ Unable to directly apply patches to other kernel builds
[Figure labels: Vulnerable, Immutable, Vulnerable, Immutable]
Successfully Evaluated CVEs
• mmap CVEs → Framaroot
• CVE-2014-3153 → Towelroot
• CVE-2015-0569
• CVE-2015-1805 → PipeRoot
• CVE-2015-3636 → PingPong Root
• CVE-2015-6640
• CVE-2016-0728
• CVE-2016-0805
• CVE-2016-0819
• CVE-2016-0844
• ......
Successfully Evaluated on Most Popular Phones
• GT-I8552, GT-S7572, S4, A7, SM-G5308W, Grand2, Note4
• C8813, P6-U06, Honor, U8825D
• M7, M8Sw, S720e, T528d
• A630t, A788t, A938t, K30-T
Demo
Before Patch: PingPong Root succeeds
After Patch: PingPong Root fails
Recall the Two Problems
• The long patching chain
  • Solved by adaptive live patching
• Capability mismatching
  • To be solved by a joint effort

[Figure labels: "Exploit existing vulnerabilities to gain root" vs. "Vendor cooperation & pre-embedded kernel agent"]
Multi-stage Vetting Mechanism
• Vendor qualification
• Patch security vetting
• Reputation ranking
The Solution: LuaKpatch: More Flexibility, Yet More Constraint
We need a patching mechanism
• powerful enough to block most threats;
• agile enough for quick patch generation;
• yet restrictive enough to confine possible damages caused by the patches.
Our Solution -- LuaKpatch
Inserting a type-safe dynamic language engine (Lua) into the kernel to execute patches
• Easy to update
• Naturally jailed in the language VM
• No need to worry about memory overflow etc. of the patches
[Figure: three panels of a target function with its arguments and external inputs. Unpatched, a malicious input pwns the normal control flow; with the input entries hooked, the malicious input is stopped and the normal control flow continues.]
By hooking the data input entries and validating the input, we can block most of the kernel exploits.
So we have the following restrictions
1) The patch can hook a target function's entry;
2) In combination with 1), within the target function, the patch can hook the invoking point or returning point of functions that return a status code (e.g., copy_from_user);
3) The patch can read anything that can be read (registers, stacks, heaps, code, etc., as long as it does not trigger faults), but cannot modify original kernel memory (no write, and no data can be sent out);
4) After judging whether the input is malicious or not, the patch can return specific error codes.
```c
#include <stdbool.h>

enum { E_INVALID = 0 };        /* status code foo() returns on bad input */
struct s { void (*fun)(void); };

bool foo(void);                /* returns a status code: its call/return point may be hooked */
struct s *bar(void);           /* returns a pointer, not a status code: it cannot be hooked */

void fun(void) {               /* entry of fun (function A) can be hooked */
    bool result;
    struct s *s;

    /* foo is allowed to be hooked */
    result = foo();
    if (result == E_INVALID)
        return;

    /* bar cannot be hooked */
    s = bar();
    if (s)
        s->fun();
}
```
A running example to illustrate which functions can be hooked and which cannot
Implementation of LuaKpatch
• Many practices followed from the lunatik-ng project.
• Line-of-Code (LoC) is ~11K. 600 LoC are the core patching logic.
• Compiled as an 800KB kernel module.
• Capability interfaces:
  o Symbol searching
  o Hooking
  o Typed reading
  o Thread info fetching
Sample Lua patch to fix one of the vulnerable conditions of CVE-2014-3153, known as “Towelroot”
[Figure: Lua patch source]
Efficacy Evaluation

CVE-2012-4220, CVE-2012-4221, CVE-2012-4222, CVE-2013-1763, CVE-2013-2094, CVE-2013-2596, CVE-2013-2597, CVE-2013-6123, CVE-2013-6282, CVE-2014-3153, CVE-2014-4321, CVE-2014-4322, CVE-2015-0569, CVE-2015-1805, CVE-2015-3636, CVE-2015-6619, CVE-2015-6640, CVE-2016-0728, CVE-2016-0774, CVE-2016-0802, CVE-2016-2468

CVEs verified to be protectable by LuaKpatch. Most are Type I vulnerabilities (those that can be patched by simply hooking the entry of the vulnerable functions), but the highlighted/colored ones (the highlighting is not preserved in this text) are Type II vulnerabilities (those that also need to hook the invocations that return a status code).
Efficacy Evaluation
All 21 CVEs can be patched by LuaKpatch. 16 are Type I, and 5 are Type II. So 76% of them can be easily fixed by hooking and checking input at the function entry.
[Figure: pie chart, Type I 16, Type II 5]
Example I (CVE-2013-1763)
LuaKpatch can patch it by hooking the entry of the __sock_diag_rcv_msg function, getting the nlh argument, obtaining req from nlh, and then checking whether the condition req->sdiag_family >= AF_MAX is satisfied. If this is true, it is an exploit condition and the patch should return an error.
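The Lua patch on the Towelroot slide is only an image, so as an added example (written for this transcript, not LuaKpatch's API or code) this C program models a Type I patch under the four restrictions: a read-only validator runs at the hooked entry and either lets the call through or returns an error code. It carries the two conditions the talk names, the Towelroot same-address check for futex_requeue and the req->sdiag_family >= AF_MAX check for __sock_diag_rcv_msg from Example I; the struct layouts, the AF_MAX value and the gating of the futex check on requeue_pi (taken from the upstream fix) are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>

#ifndef AF_MAX
#define AF_MAX 41   /* assumed value; the kernel defines it in <linux/socket.h> */
#endif

/* Mock netlink header and sock_diag request (layouts simplified; assumed). */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags; };
struct sock_diag_req { uint8_t sdiag_family; uint8_t sdiag_protocol; };

/* Argument bundles the patch receives. Rule 3: the patch may read anything
 * but write nothing, so every pointer it is handed is const. */
struct futex_args { const uint32_t *uaddr1; const uint32_t *uaddr2; int requeue_pi; };
struct sock_diag_args { const struct nlmsghdr *nlh; };

/* A validator runs at the hooked entry (rule 1) and returns 0 to let the
 * call proceed or a negative errno to abort it (rule 4). */
typedef int (*entry_validator)(const void *args);

/* CVE-2014-3153: futex_requeue did not reject two identical futex addresses;
 * the upstream fix applies the check on the requeue_pi path. */
int check_futex_requeue(const void *a)
{
    const struct futex_args *f = a;
    if (f->requeue_pi && f->uaddr1 == f->uaddr2)
        return -EINVAL;
    return 0;
}

/* CVE-2013-1763: obtain req from the data that follows nlh and reject an
 * sdiag_family outside the valid range, as Example I describes. */
int check_sock_diag_rcv_msg(const void *a)
{
    const struct sock_diag_args *s = a;
    const struct sock_diag_req *req = (const struct sock_diag_req *)(s->nlh + 1);
    if (req->sdiag_family >= AF_MAX)
        return -EINVAL;
    return 0;
}

/* Stand-ins for the original function bodies; they only report success. */
static int futex_requeue_orig(const struct futex_args *f) { (void)f; return 0; }
static int sock_diag_rcv_msg_orig(const struct sock_diag_args *s) { (void)s; return 0; }

/* The hooked entries: the validator runs first, and only a 0 result lets the
 * original body execute. A NULL validator models the unpatched kernel. */
int hooked_futex_requeue(const struct futex_args *f, entry_validator v)
{
    int rc = v ? v(f) : 0;
    return rc ? rc : futex_requeue_orig(f);
}

int hooked_sock_diag_rcv_msg(const struct sock_diag_args *s, entry_validator v)
{
    int rc = v ? v(s) : 0;
    return rc ? rc : sock_diag_rcv_msg_orig(s);
}
```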
Example II (CVE-2013-6123)
LuaKpatch can patch it by hooking the returning point of the copy_from_user invoked by msm_ioctl_server to check the exploit condition.
Demo
Before Patch: Vulnerable to Towelroot and PingPong Root
After Patch: Immune to Towelroot and PingPong Root
Performance Evaluation

CF-Bench Performance Score

| Configuration | Score |
|---|---|
| Normal | 17473.25 |
| Patched (Towelroot) | 17551.75 |
| Patched (PingPong Root) | 17521.4 |
| Patched (both vulnerabilities) | 17482 |
Execution Time of chmod (Microseconds)

| Configuration | Execution time |
|---|---|
| No patch | 100.7 µs |
| Patched with a direct return | +0.42 µs |
| Patched with a conditional comparison | +0.98 µs |
| Patched with a memory read | +0.82 µs |
| Patched with mixed operations | +3.74 µs |
LuaKpatch validation check adds an overhead under 4 microseconds, only 4% of a chmod system call.
Because system calls are not invoked all the time, the impact on the overall system performance should be even less.
• When a user normally browses the Internet using Chrome on Nexus 5 + Android 4.4, gettimeofday was the most-called system call, triggered ~110,000 times. The overall performance overhead can be estimated as 5 µs * 110,000 / 1 min ≈ 0.9%, which is quite small.
As an ongoing work, we are migrating LuaKpatch to LuaJIT, which should further improve the performance.
The Future: Establishing the Ecosystem

[Figure: the patching circle in the open collaborative patching ecosystem]
Let's fight the bad together!
• The number and the complexity of kernel vulnerabilities keep increasing, so more joint effort makes it easier to battle against them.
• In the AdaptKpatch scheme, patches can be vetted and cross-validated by qualified alliance members.
• Last but most importantly, all vendors can join together to develop a patching standard instead of implementing different variants. If different hot-patching mechanisms exist, it introduces another layer of fragmentation.
Thanks!
Yulong Zhang, Yue Chen, Chenfu Bao, Liangzhao Xia, Longri Zheng, Yongqiang Lu, Lenx Wei
Baidu X-Lab, August 2016