Mitigations are attack surface, too, Hacker News

Posted by Jann Horn, Project Zero

Introduction

This blog post discusses a bug leading to memory corruption in Samsung's Android kernel (specifically the kernel of the Galaxy A50, SM-A505FN; I haven't looked at Samsung's kernels for other devices). I will describe the bug and how I wrote a (very unreliable) exploit for it. I will also describe how a second vulnerability, which had long been fixed in the upstream kernel, the upstream stable releases, and the Android common kernel, but not in Samsung's kernel, aided in its exploitation.

If you want to look at the corresponding source code yourself, you can download Samsung's kernel sources for the A505FN from here. The versions seem to be sorted such that the newer ones are at the top of the list; A505FNXXS3ASK9 is the newest one at the time of writing, corresponding to the November 2019 security patch level.

On Android, it is normal for vendors to add device-specific code to the kernel. This code is a frequent source of security vulnerabilities. Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific. Modern Android phones access hardware devices through dedicated helper processes, which form the Hardware Abstraction Layer (HAL).

(As an aside: Linux supports secure, direct hardware access from userspace to PCI devices via Virtual Function I/O (VFIO, since Linux 3.6), and to USB devices via /dev/bus/usb/. If more OEMs used these mechanisms instead of out-of-tree drivers, it would improve their device security. It would also help with the issue of maintaining those drivers, since these mechanisms use stable userspace APIs instead of kernel APIs, which have no such guarantees.)

Unfortunately, it is more difficult to generically lock down the attack surface that is created when vendors modify core kernel functionality.

For example, Samsung’s kernel adds extra “protection” to credential structures: struct cred is made read-only with the assistance of hypervisor code (CONFIG_RKP_KDP, “Protection for cred structure”), and transitions to UID 0 are subject to special checks based on the path of the current executable (CONFIG_SEC_RESTRICT_SETUID, “Restrict changing root privilege except allowed process”). But none of these modifications actually prevent an attacker who has sufficient control over the kernel to modify credential structures from reading or modifying user data directly. For example, an attacker could:
