Source: ww2.cs.fsu.edu/~ychen/paper/KARMA_Slides.pdf
Adaptive Android Kernel Live Patching
Yue Chen1, Yulong Zhang2, Zhi Wang1, Liangzhao Xia2, Chenfu Bao2, Tao Wei2
Florida State University1
Baidu X-Lab2
USENIX Security Symposium 2017
Android Kernel Vulnerabilities
(Figure: the Android software stack, top to bottom: Apps; Java API Framework; Native C/C++ Libraries and Android Runtime; Hardware Abstraction Layer; Linux Kernel; TrustZone)
Number of Disclosed Android Kernel Vulnerabilities (chart)
Problem: Old Exploits Remain Effective
(Chart: number of devices vulnerable to two root exploits as of Nov. 2016)
• Android 5.0 released in November 2014
• 46.3% of devices run an older version in September 2016
Challenges
• Officially patching an Android device is a long process
– Needs: third-party
• Delayed/non-existing kernel source code
– Needs: binary-based
Challenges
• Severely fragmented Android ecosystem
– Needs: adaptive
(Figure: Android fragmentation, 2014; http://d.ibtimes.co.uk/en/full/1395443/android-fragmentation-2014.png)
Solution
Third-party, binary-based, adaptive kernel live patching
Key requirements:
• Adaptiveness
– It should adapt to the many different device kernels
• Safety
– Patches should be easy to audit
– Their behavior must be technically confined
• Timeliness
– Response time after a vulnerability or exploit is disclosed should be short
• Performance
– The solution should not incur non-trivial performance overhead
Feasibility Study: Dataset
• Studied 1139 Android kernels
Feasibility Study: Observations
• Most kernel functions are stable across devices and Android releases
• Most vulnerabilities are triggered by malicious inputs
– Filter them
• Many functions return error codes (or return a pointer via ERR_PTR)
– Gracefully return
Overall Approach: Input Validation
KARMA: Kernel Adaptive Repair for Many Androids
• Adaptive – Automatically adapts to various device kernels
• Memory-safe – Protects the kernel from malicious (misused) patches
• Multi-level – Flexible for different vulnerabilities
KARMA Design: Safety
• Patches are written in Lua, confined by the Lua VM at runtime
• A patch can only be placed at designated locations
• Patched functions must return error codes or void
– Use existing error handling to recover from attacks
• A patch can read but not write the kernel memory
– Confined by KARMA APIs
– Prevents malicious (misused) patches from changing the kernel
– Prevents information leakage
KARMA Design: Multi-level Patching
• A patch can only be placed at designated locations
– Level 1: Entry or return point of a (vulnerable) function
– Level 2: Before or after the call site to a callee (e.g., copy_from_user)
– Level 3: Binary-based patch
• 76 critical Android kernel vulnerabilities
– Level 1: 49/76 (64.5%)
– Level 2: 22/76 (28.9%)
– Level 3: 5/76 (6.6%)
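The safety and multi-level slides describe a patch as input validation that runs at a designated point (here the entry of a vulnerable function), may read but never write kernel memory, and recovers by returning an error code the callers already handle. The C model below is an added example, not code from KARMA or the paper: KARMA patches are Lua scripts confined by the in-kernel Lua VM, whereas here the patch is a C callback so the whole control flow fits in one file. The kernel function `vuln_append`, its buffer `g_buf`, the read-only `patch_api_t` accessor and the hook slot are all constructed stand-ins, not KARMA API names.

```c
/* Added example, not KARMA's code: a C model of a Level-1 (entry-point) patch.
 * Everything below (the "kernel" function, its buffer, the patch API) is
 * constructed for this illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy kernel object: a fixed-size buffer plus its fill level. */
struct msg_buf { uint8_t data[16]; uint32_t used; };
static struct msg_buf g_buf;

/* Hypothetical vulnerable kernel function (constructed): it trusts the
 * caller-supplied length, so a malicious length would overflow data[].
 * The demos below only reach it with an already-validated length. */
static int vuln_append(const uint8_t *src, uint32_t len) {
    memcpy(g_buf.data + g_buf.used, src, len);
    g_buf.used += len;
    return 0;
}

/* The confined view a patch gets: read-only access to kernel memory.
 * There is deliberately no write primitive ("a patch can read but not
 * write the kernel memory"). Stand-in for the real KARMA API. */
typedef struct {
    uint32_t (*read_u32)(const void *kaddr);
} patch_api_t;

static uint32_t api_read_u32(const void *kaddr) {
    uint32_t v;
    memcpy(&v, kaddr, sizeof v);
    return v;
}
static const patch_api_t g_api = { api_read_u32 };

/* A Level-1 patch runs at function entry and returns 0 to let the original
 * body run, or a negative errno to abort before it runs. */
typedef int (*entry_patch_t)(const patch_api_t *api,
                             const uint8_t *src, uint32_t len);

/* The patch itself: pure input validation against live kernel state,
 * reusing the function's existing error code (-EINVAL) for recovery. */
static int patch_append_len(const patch_api_t *api,
                            const uint8_t *src, uint32_t len) {
    uint32_t used = api->read_u32(&g_buf.used);
    (void)src;
    if (len > sizeof g_buf.data || used > sizeof g_buf.data - len)
        return -EINVAL;
    return 0;
}

/* Hook slot the live patcher fills in at the function's entry point. */
static entry_patch_t g_append_hook;

/* What the entry trampoline does once the hook is installed. */
int append_entry(const uint8_t *src, uint32_t len) {
    if (g_append_hook) {
        int rc = g_append_hook(&g_api, src, len);
        if (rc)
            return rc;   /* graceful return; callers already handle -EINVAL */
    }
    return vuln_append(src, len);
}

void install_patch(void) { g_append_hook = patch_append_len; }
void remove_patch(void)  { g_append_hook = NULL; }

/* Oversized input: the patch rejects it and the vulnerable body never runs. */
int demo_reject_oversized(void) {
    uint8_t junk[64];
    memset(junk, 0x41, sizeof junk);
    memset(&g_buf, 0, sizeof g_buf);
    install_patch();
    return append_entry(junk, sizeof junk);          /* -EINVAL */
}

/* Input that fits: the patch lets the original function run normally. */
int demo_accept_fits(void) {
    const uint8_t ok[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    memset(&g_buf, 0, sizeof g_buf);
    install_patch();
    return append_entry(ok, sizeof ok) == 0 && g_buf.used == 8;
}

/* Second call that would overflow the remaining space: rejected using the
 * fill level read through the API, not just the argument value. */
int demo_reject_cumulative(void) {
    const uint8_t more[10] = {0};
    demo_accept_fits();                  /* buffer now holds 8 bytes */
    return append_entry(more, sizeof more);   /* 8 + 10 > 16 -> -EINVAL */
}

int main(void) {
    printf("oversized  -> %d (expected %d)\n", demo_reject_oversized(), -EINVAL);
    printf("fits       -> %d\n", demo_accept_fits());
    printf("cumulative -> %d\n", demo_reject_cumulative());
    return 0;
}
```

The shape is what makes such a patch auditable: its only read of kernel state goes through the accessor, its only effect is the early `-EINVAL`, and the recovery path is the one the unpatched callers already had.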
KARMA Patch Example
Part of the official patch of CVE-2014-3153 (Towelroot)
KARMA Patch Example
(Patch listing shown on the slide; the rejecting path returns -EINVAL)
More complex examples in the paper
KARMA API
(Table of the API functions available to patches)
KARMA Architecture
(Figure: two phases)
• Offline Patch Generation and Verification
• Online Live Patching by KARMA Client
Offline Patch Adaptation
Three steps:
1. Identify the vulnerable functions in the target kernel
– Same function but different names
– Inlined
2. Check if the reference patch works for the target kernel
– Same function but different semantics
3. Adapt the reference patch for the target kernel
Vulnerable Function Identification Example: CVE-2015-3636 (PingPong Root)
Device A: ping_unhash; Device B: ping_v4_unhash
(Figure: call graphs around ping_unhash and ping_v4_unhash, both involving Func_A through Func_E)
Call graph based similarity comparison
Semantic Matching
• Check if two functions are semantically equivalent
• If so, adapt the reference patch to the target kernel
• Syntactic matching is too strict
– Different compilers can generate different code with the same semantics
– Instruction order, register allocation, instruction selection, code layout
(Figure: same semantics with different syntax)
• Use symbolic execution to abstract these differences and adapt patches
– Use approximation to improve scalability (details in the paper)
Online Patch Application
(Figure: function entry point hooking)
Prototype Implementation
• Lua engine in kernel (11K SLOC)
– Simple
– Memory-safe
– Easy to embed and extend
– 24 years of development
• Semantic matching: angr
Evaluation: Applicability
• Evaluated 76 critical vulnerabilities from the last three years
• Patch level:
– Level-1: 49
– Level-2: 22
– Level-3: 5
Evaluation: Adaptability
(Figures, one per approach:)
• Types and frequencies of instruction opcodes
• Number of function calls and conditional branches (to abstract CFG)
• KARMA's semantic matching
Evaluation: Performance
(Chart: CF-Bench results with different patches)
Evaluation: Performance
(Chart: execution time of chmod with different patches)
Future Work
• User-space vulnerability protection
– Project Treble only partially solves the problem
• Lua engine in the kernel (11K SLOC)
– Alternative execution engines, like BPF or sandboxed binary patches
• Error-handling code could be vulnerable
– Error injection to detect vulnerable error-handling code
• Improve semantic matching
Backup Slides
Attack TrustZone from Kernel
• Example:
– Downgrade Attack on TrustZone (see its references)
Observations
• Most kernel functions are stable across devices and Android releases.
(Chart: number of syntax clusters for each function; axes: Cluster Number, Kernel Function Number)
About 40% of the shared functions have only one cluster, and about 80% of them have 4 clusters or less.
Observations
• Most kernel functions are stable across devices and Android releases.
(Chart: percentage of kernels in the largest cluster for each function; axis: Kernel Function Number)
For about 60% of shared functions, the largest cluster contains more than 80% of all the kernels that have this function.
Symbolic Execution
• Challenges
– Avoid path explosion
– Impact to the environment
• Practical solution
– Non-local memory writes
– Function calls (and their arguments)
– Function return values
• Adaptation (e.g., mutate constants or offsets)
– foo(symbol_A + 4, 36) becomes foo(symbol_A + 8, 36)
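The Semantic Matching slides and the practical solution above say the matcher should abstract away instruction order, register allocation and code layout and compare only observable effects: non-local memory writes, calls with their arguments, and return values. The following C program is an added example, not code from KARMA, the paper or angr: a toy effects-based matcher over a small ARM-like instruction set, using a base-term-plus-constant symbolic value so that constants fold. The ISA, the register model and the three constructed listings `DEV_A`, `DEV_B` and `DEV_C` are all assumptions for this illustration. `DEV_B` differs from `DEV_A` only in register allocation, instruction order and how a constant is split, so it matches; `DEV_C` reads a different struct offset, which is the "same function but different semantics" case that step 2 of offline patch adaptation must flag, and where the constant-offset adaptation on this slide would apply.

```c
/* Added example, not KARMA's or angr's code: an effects-based semantic
 * matcher for a constructed toy ISA (mov/add/ldr/str/call/ret). */
#include <stdio.h>
#include <string.h>

#define NREG 8
#define SYM  96
#define SUM  1024
#define REG(i) s->reg[(unsigned)(i) % NREG]   /* toy: clamp register index */

/* Symbolic value = opaque base term + folded constant; empty base = constant. */
typedef struct { char base[SYM]; int off; } sym_t;
typedef struct { sym_t reg[NREG]; char summary[SUM]; } state_t;

static void fmt(const sym_t *v, char *out, size_t n) {
    if (!v->base[0])   snprintf(out, n, "%d", v->off);
    else if (!v->off)  snprintf(out, n, "%s", v->base);
    else               snprintf(out, n, "%s%+d", v->base, v->off);
}
static void emit(state_t *s, const char *line) {   /* append one effect */
    size_t used = strlen(s->summary);
    snprintf(s->summary + used, SUM - used, "%s\n", line);
}
/* r0..r3 hold the incoming arguments, r4..r7 unknown initial values. */
static void init(state_t *s) {
    memset(s, 0, sizeof *s);
    for (int i = 0; i < NREG; i++) {
        if (i < 4) snprintf(s->reg[i].base, SYM, "arg%d", i);
        else       snprintf(s->reg[i].base, SYM, "r%d_in", i);
    }
}
/* Execute one instruction symbolically; returns 0 on an unknown mnemonic. */
static int step(state_t *s, const char *ins) {
    int d, a, imm;
    char name[32], v[SYM], b[SYM], line[2 * SYM + 48];
    sym_t addr;
    if (sscanf(ins, "mov r%d, r%d", &d, &a) == 2) {
        REG(d) = REG(a);
    } else if (sscanf(ins, "mov r%d, #%d", &d, &imm) == 2) {
        REG(d).base[0] = '\0'; REG(d).off = imm;
    } else if (sscanf(ins, "add r%d, r%d, #%d", &d, &a, &imm) == 3) {
        REG(d) = REG(a); REG(d).off += imm;          /* constant folding */
    } else if (sscanf(ins, "ldr r%d, [r%d, #%d]", &d, &a, &imm) == 3) {
        addr = REG(a); addr.off += imm; fmt(&addr, b, SYM);
        snprintf(REG(d).base, SYM, "mem[%s]", b); REG(d).off = 0;
    } else if (sscanf(ins, "str r%d, [r%d, #%d]", &a, &d, &imm) == 3) {
        addr = REG(d); addr.off += imm;
        fmt(&addr, b, SYM); fmt(&REG(a), v, SYM);
        snprintf(line, sizeof line, "store mem[%s] = %s", b, v);
        emit(s, line);                               /* non-local memory write */
    } else if (sscanf(ins, "call %31s", name) == 1) {
        fmt(&REG(0), b, SYM); fmt(&REG(1), v, SYM);
        snprintf(line, sizeof line, "call %s(%s, %s)", name, b, v);
        emit(s, line);                               /* call + first two args */
        snprintf(REG(0).base, SYM, "ret_%s", name); REG(0).off = 0;
    } else if (strcmp(ins, "ret") == 0) {
        fmt(&REG(0), v, SYM);
        snprintf(line, sizeof line, "return %s", v);
        emit(s, line);                               /* return value */
    } else {
        return 0;
    }
    return 1;
}
/* Symbolic summary of a function body: only its observable effects. */
static const char *summarize(const char *const *prog, int n, state_t *s) {
    init(s);
    for (int i = 0; i < n; i++)
        if (!step(s, prog[i])) emit(s, "<unsupported instruction>");
    return s->summary;
}
/* 1 if the two bodies have identical observable effects, else 0. */
int same_semantics(const char *const *a, int na, const char *const *b, int nb) {
    state_t sa, sb;
    summarize(a, na, &sa);
    summarize(b, nb, &sb);
    return strcmp(sa.summary, sb.summary) == 0;
}
/* Constructed inputs: three builds of `return foo(p->len + 4, 36);`. */
static const char *const DEV_A[] = {
    "ldr r1, [r0, #8]", "add r0, r1, #4", "mov r1, #36", "call foo", "ret" };
static const char *const DEV_B[] = {   /* other register allocation and order */
    "mov r3, #36", "ldr r2, [r0, #8]", "add r2, r2, #2", "add r2, r2, #2",
    "mov r0, r2", "mov r1, r3", "call foo", "ret" };
static const char *const DEV_C[] = {   /* struct layout differs: len at +12 */
    "ldr r1, [r0, #12]", "add r0, r1, #4", "mov r1, #36", "call foo", "ret" };
#define LEN(x) ((int)(sizeof (x) / sizeof (x)[0]))

int match_a_b(void) { return same_semantics(DEV_A, LEN(DEV_A), DEV_B, LEN(DEV_B)); }
int match_a_c(void) { return same_semantics(DEV_A, LEN(DEV_A), DEV_C, LEN(DEV_C)); }
const char *summary_of_a(void) { static state_t s; return summarize(DEV_A, LEN(DEV_A), &s); }

int main(void) {
    printf("A:\n%sA~B=%d  A~C=%d\n", summary_of_a(), match_a_b(), match_a_c());
    return 0;
}
```

Here the whole normalisation is constant folding on a base-plus-offset term, which is enough for the two syntactic variants shown; the prototype's matcher runs angr's symbolic execution over real kernel code, where the slide's challenges (path explosion, effects on the environment) are what force the approximations the paper describes.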
Evaluation: Overall Performance
• Complex patch on the most frequent syscall during web browsing (gettimeofday)
• Overall system performance overhead in this extreme case: 0.9%
Example: CVE-2013-6123
(Figure slides stepping through the patch)
You May Also Like
• A time machine to locate vulnerabilities: Pinpointing Vulnerabilities
• Protect your computer by encrypting memory all the time: Secure In-Cache Execution
• Fine-grained dynamic ASLR at runtime: Remix: On-demand Live Randomization