Attacking the Linux PRNG on Android
David Kaplan, Sagi Kedmi, Roee Hay & Avi Dayan
IBM Security Systems


Post on 14-Mar-2022


MOTIVATION

motivation_keystore_buffer_overflow

• We discovered CVE-2014-3100, a stack-based Buffer Overflow in keystore
  • Service responsible for securely storing crypto-related data

• We privately reported it to Google, and they provided a patch, available in KitKat.

• Exploit must overcome various defense mechanisms, including Stack Canaries.

/* KeyStore is a secured storage for key-value pairs. In this implementation,
 * each file stores one key-value pair. Keys are encoded in file names, and
 * values are encrypted with checksums. The encryption key is protected by a
 * user-defined password. To keep things simple, buffers are always larger than
 * the maximum space we needed, so boundary checks on buffers are omitted. */

[Diagram: Stack layout, with labels LR, Saved Registers, Canary (32 bits), Buffer]

[Diagram: Stack Guard initialization: Linux PRNG → AUXV(AT_RANDOM) → __stack_chk_guard; size labels: 32 bits, 128 bits]

Attacks on the Stack-Smashing Protection:

• Naive Online Bruteforce of the Canary Value
  • Impractical: 2^32 attempts on average.

• Online Learning of the Canary Value
  • By another info leak issue
  • Re-forking server:
    • Very efficient: 514 attempts until success on average

• Overwrite __stack_chk_guard
  • By overwriting some pointer

• Our attack: Offline reconstruction of the PRNG’s internal state

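LINUX PRNG

[Diagram: INPUT POOL and NON-BLOCKING POOL; entropy sources INTERRUPT, DISK, INPUT, TIMER; EXTRACTION (PULL) labelled "if KEC >= 192 bits"; other labels: ktime_t, time]

*KEC = Kernel Entropy Count

entropy_sources

[Diagram: ktime_t layout with bit positions 64, 32, 0; fields: seconds, nanoseconds]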

OUR WORK

Prior art on weakness in early boot *

Present practical run-time attack

Formalize attack

Demonstrate PoC against current mobile platforms

contribution

* Heninger et al. 2012, Becherer et al. 2009, Ding et al. 2014

Given a LEAK of a value extracted from the non-blocking pool and LOW ENTROPY AT BOOT, the STATE of the PRNG can be determined prior to the time of the leak, until external entropy is indeterminate

attack

attack_flow

[Diagram: attack flow. CANDIDATE POOL SEEDS (non-blocking, input) and CANDIDATE EXTERNAL ENTROPY → SIMULATE → COMPARE with ONLINE LEAK → SEEDS + ENTROPY PATH]

EXPERIMENT

H(s_nb) = 23.5 bits

s4_non-blocking_seed

ANDROID ZYGOTE (app_process)

Apps fork()ed from Zygote process

Same AUX VECTOR

AT_RANDOM – 16 bytes extracted from PRNG

LEAK: Malicious app extracts AT_RANDOM from mem space

prng_value_leak

[Diagram: Linux PRNG → AUXV(AT_RANDOM) → __stack_chk_guard in app_process; fork() into APP-1, APP-2 and MALWARE, each holding __stack_chk_guard]
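
The inheritance this slide describes can be checked on any Linux system. The C program below is an added example, not code from the presentation; its function names are illustrative and it assumes a libc that provides getauxval(). It confirms that a fork()ed child sees the same 16 AT_RANDOM bytes as its parent, without printing them.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define AT_RANDOM_LEN 16  /* the kernel supplies 16 bytes (128 bits) */

/* Copy this process's AT_RANDOM bytes into out; returns 0 on success. */
static int read_at_random(unsigned char out[AT_RANDOM_LEN]) {
    const void *p = (const void *)getauxval(AT_RANDOM);
    if (p == NULL) return -1;
    memcpy(out, p, AT_RANDOM_LEN);
    return 0;
}

/* Returns 1 if a fork()ed child sees the same AT_RANDOM bytes as its
 * parent, 0 if they differ, -1 on error. */
int child_shares_at_random(void) {
    unsigned char parent[AT_RANDOM_LEN], child[AT_RANDOM_LEN];
    int fds[2], status = 0;
    if (read_at_random(parent) != 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: report its own view */
        unsigned char mine[AT_RANDOM_LEN];
        close(fds[0]);
        int ok = read_at_random(mine) == 0 &&
                 write(fds[1], mine, sizeof mine) == (ssize_t)sizeof mine;
        _exit(ok ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], child, sizeof child);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (n != (ssize_t)sizeof child || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return memcmp(parent, child, AT_RANDOM_LEN) == 0;
}

int main(void) {
    int r = child_shares_at_random();
    printf("child shares parent's AT_RANDOM: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

The auxiliary vector is written once at execve() time, so a process created by fork() alone keeps its parent's copy.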

Issue 1: order of extraction non-deterministic due to concurrent execution

simulate_prng

[Diagram: POOL STATE with extractions 1, 2, 3, 4 by Process A, Process B, Process C, Process D]

Which process is Zygote?

Solution: linear search in set of extracted blocks

simulate_prng

[Diagram: POOL STATE with numbered extractions 1, 2, 3, 4, 3, 4]

Most likely path in 20% of cases

~uniform distribution otherwise

Yellow Path

- Process A: extract from pool

- Process A: mix into pool

- Process B: extract from pool

- Process B: mix into pool

Green Path

- Process A: extract from pool

- Process B: extract from pool

- Process A: mix into pool

- Process B: mix into pool

[Diagram: POOL with extract and mix operations]

Issue 2: pool state corruption due to concurrent execution

DEMO

s4_demo

Demonstrated practical attack against S4 – derandomization of the KeyStore canary

Another remote leak can be found in the paper

Affects majority of devices in the field

Mitigations in newer kernels + devices

wrap_up

Thank you