Escaping The Sandbox By Not Breaking It - PUT.AS · 2016-08-06
Transcript of the slide deck.

Escaping The Sandbox By Not Breaking It
Marco Grassi (@marcograss)
Qidan He (@flanker_hqd)
About Us
• Marco Grassi
  • Senior Security Researcher @ Tencent KEEN Lab
  • Main Focus: Vulnerability Research, Android, OSX/iOS, Sandboxes
• Qidan He
  • Senior Security Researcher @ Tencent KEEN Lab
  • Main Focus: Bug hunting and exploiting on *nix platforms
Tencent KEEN Security Lab
• Previously known as Keen Team
• All the researchers moved to Tencent for business requirements
• New name: Tencent KEEN Security Lab
• In March of this year our union team with Tencent PC Manager (Tencent Security Team Sniper) won the title of "Master Of Pwn" at Pwn2Own 2016
Agenda
• Introduction to Sandboxes
• Safari Sandbox on OSX (WebContent Sandbox)
• Google Chrome Sandbox on Android (IsolatedProcess)
• Comparison of the Sandbox implementation of the 2 platforms
• Auditing Sandboxes and Case Studies
• Full Sandbox Escape demo from the browser renderer process
• Summary and Conclusions
Introduction to Sandboxes

Sandbox
• In modern operating systems, a "Sandbox" is a mechanism to run code in a constrained environment.
• A Sandbox specifies which resources this code has access to.
• It became a crucial component for security in the last years, after it became clear that it is currently impossible to get rid of a big part of the bugs, especially in very complex software like browsers.
• Shift of approach / complementary approach:
  • Let's confine software, so even if it is compromised it has restricted access to the system.
A couple of Sandbox implementation methods

First type (Discretionary access control): Android base Sandbox mechanism
• Android from its initial version had a sandbox mechanism implemented mainly on top of standard Linux process isolation, with unique UIDs, and GIDs specifying a capability (like access to external storage).
• Almost every application (usually, except shared UID) has a unique UID.
• Very well studied and understood by countless resources and talks; we will not talk about it a lot in this talk.
• Simpler to understand and implement, but not very flexible.
Second type (Mandatory Access Control): SELinux
• Mechanism to specify access to resources based on a decision policy.
• SELinux is an example of this: you can specify which policy the process is subject to.
• When a resource is accessed, the policy is evaluated and a decision is made.
• SELinux was introduced in Android 4.3 officially, and it became enforcing shortly after.
• Quite flexible, but the policies can become very complex and difficult to understand.
WebContent Sandbox on OSX

Structure of the Safari Sandbox
• Safari code is split to run in multiple processes, based on the purpose of the code, leveraging WebKit2.
• The 2 main processes that interest us more are the WebProcess and the UIProcess.
• The UIProcess is the parent and in charge of managing the other processes.
Image courtesy of: https://trac.webkit.org/attachment/wiki/WebKit2/webkit2-stack.png
WebContent process
• The WebContent process is the process responsible for handling JavaScript, web pages, and all the interesting stuff.
• Usually you get your initial code execution inside here, thanks to a browser bug.
• This process is heavily sandboxed, unlike its UIProcess parent.
• WebProcess can talk to UIProcess thanks to a "broker" interface, so it can request resources (such as when you have to open a file from your computer) under the supervision of the higher privileged UIProcess.
WebContent sandbox
• Regular OSX sandbox implemented on top of Sandbox.kext
• The sandbox profile definition is currently located at: "/System/Library/Frameworks/WebKit.framework/Versions/A/Resources/com.apple.WebProcess.sb"
• Sandbox.kext registers callbacks for a lot of the TrustedBSD MAC framework hooks, which are placed in the kernel where decisions have to be made, to authorize access to a resource or not (for example, on file access, the sandbox profile is used to decide if access should be granted or not).
Example profile snippets
[Three profile snippet screenshots, captioned:]
• Everything is denied by default
• Importing the "system.sb" sandbox definition file
• Those particular mach services are whitelisted; their mach port can be asked for
System Integrity Protection (SIP)
• In addition to those Sandboxes, on recent OSX versions you are also subject to System Integrity Protection.
• "SIP" is a security policy that applies to every process running on the system, even the root ones.
• User-mode root does not have unrestricted access anymore.
• Kernel bugs become more appealing because they allow an attacker to escape the sandbox and also disable SIP.
Google Chrome Sandbox on Android (IsolatedProcess)

Chromium Android Sandbox (1)
• On Android, Chromium leverages the isolatedProcess feature to implement its sandbox.
Chromium Android Sandbox (2)
• Isolated process was introduced around Android 4.3
• "If set to true, this service will run under a special process that is isolated from the rest of the system and has no permissions of its own."
• Chromium render process
Chromium Android Sandbox (3)
• So even if code execution in the render process is achieved, we don't have a lot of capabilities, and actually we have a lot of restrictions.
• In order to do something more meaningful, a sandbox escape must be chained after initial code execution.
• Usually it can be a kernel exploit, or a Chromium broker exploit, or targeting another available attack surface.
• But what about SELinux? We have to check its SELinux policy, "isolated_app.te", under external/sepolicy/ in AOSP.
Chromium Android Sandbox (4)
• Very restrictive Sandbox profile
• No data file access at all
• Only 2 IPC services
• Minimum interaction with sockets
• No graphics driver access
• ServiceManager also restricts implicit service export
Per interface constraint
• Isolated_app inherits from app_domain (app.te)
• Only interfaces without enforceNotIsolatedCaller can be invoked
Auditing and Case Studies

How to audit a sandbox profile?
• Just look at the definitions and see what attack surfaces are allowed!
• We will try with the WebContent sandbox on OSX.
system.sb is imported, so we need to check that as well
system-graphics is defined in system.sb, let's check it
How to audit a sandbox profile? (2)
Access to several IOKit UserClients and services related to graphics
Write access to several IOKit properties related to graphics
Graphics seems definitely a nice attack surface.
Now we can start finding vulnerabilities in those IOKit clients by fuzzing or manual auditing, since we can interact with them from the WebContent process, where we have initial code execution, to escape the sandbox, getting kernel code execution.
How to audit a sandbox profile? (3)
• "allow iokit-open" (iokit-connection "IOAccelerator") is definitely interesting
• iokit-connection allows the sandboxed process to open all the user clients under the target IOService (much less restrictive than iokit-user-client-class)
• In the table on the left we see the UserClients that we can obtain on the IntelAccelerator (default driver in most of the recent Apple machines)

| UserClient Name | Type |
|---|---|
| IGAccelSurface | 0 |
| IGAccelGLContext | 1 |
| IGAccel2DContext | 2 |
| IOAccelDisplayPipeUserClient2 | 4 |
| IGAccelSharedUserClient | 5 |
| IGAccelDevice | 6 |
| IOAccelMemoryInfoUserClient | 7 |
| IGAccelCLContext | 8 |
| IGAccelCommandQueue | 9 |
| IGAccelVideoContext | 0x100 |
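To make the audit method of the last few slides (and the "Example profile snippets" slide) concrete, here is an added Python example. It is not the authors' tooling and the profile texts are not Apple's real com.apple.WebProcess.sb or system.sb; they are constructed stand-ins in SBPL syntax, with made-up mach service names and IOKit property names. The script tokenizes the S-expressions, follows `(import ...)`, expands `(define (name) ...)` helpers such as a `system-graphics` stand-in, collects every `allow`/`deny` operation with its filters, and flags `iokit-connection` rules because, as the slide says, they reach every user client of the named IOService rather than one class.

```python
import re
from collections import defaultdict

# Constructed sample profiles (NOT the real com.apple.WebProcess.sb / system.sb).
PROFILES = {
    "com.apple.WebProcess.sb": r"""
(version 1)
(deny default)                 ; everything is denied unless allowed below
(import "system.sb")           ; pulls in shared definitions, must be audited too
(system-graphics)              ; helper defined in system.sb
(allow mach-lookup             ; whitelisted mach services (constructed names)
    (global-name "com.apple.example.fontd")
    (global-name "com.apple.example.windowserver"))
(allow file-read* (subpath "/System/Library/Fonts"))
""",
    "system.sb": r"""
(version 1)
(define (system-graphics)
    (allow iokit-open
        (iokit-connection "IOAccelerator")
        (iokit-user-client-class "IOSurfaceRootUserClient"))
    (allow iokit-set-properties
        (iokit-property "ExampleGraphicsProperty")))
""",
}

TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')


def tokenize(text):
    """Drop ';' comments (assumes no ';' inside strings), then split into tokens."""
    return TOKEN.findall(re.sub(r";[^\n]*", "", text))


def parse(tokens):
    """Turn the token stream into nested lists; quoted strings lose their quotes."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1])
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


def flatten(node):
    out = []
    for x in node:
        out.extend(flatten(x) if isinstance(x, list) else [x])
    return out


def collect_rules(forms, env, rules):
    """Walk top-level forms, resolving imports and parameterless defines."""
    for form in forms:
        if not isinstance(form, list) or not form:
            continue
        head = form[0]
        if head == "import":
            collect_rules(parse(tokenize(env["files"][form[1]])), env, rules)
        elif head == "define" and isinstance(form[1], list):
            env["defs"][form[1][0]] = form[2:]      # (define (name) body...)
        elif head in ("allow", "deny"):
            ops = [x for x in form[1:] if isinstance(x, str)]
            filters = [tuple(flatten(x)) for x in form[1:] if isinstance(x, list)]
            for op in ops:
                for f in filters or [("*",)]:       # no filter means "any"
                    rules[head][op].add(f)
        elif head in env["defs"]:                   # call of a defined helper
            collect_rules(env["defs"][head], env, rules)


def audit(profile_name, files):
    rules = {"allow": defaultdict(set), "deny": defaultdict(set)}
    collect_rules(parse(tokenize(files[profile_name])),
                  {"files": files, "defs": {}}, rules)
    return rules


def broad_iokit_rules(rules):
    """IOServices opened via iokit-connection: every user client under them is reachable."""
    return sorted(f[1] for f in rules["allow"].get("iokit-open", ())
                  if f[0] == "iokit-connection")


def report(rules):
    lines = []
    for verdict in ("deny", "allow"):
        for op in sorted(rules[verdict]):
            for f in sorted(rules[verdict][op]):
                lines.append(f"{verdict:5} {op:20} {' '.join(f)}")
    return lines


if __name__ == "__main__":
    r = audit("com.apple.WebProcess.sb", PROFILES)
    print("\n".join(report(r)))
    print("broad iokit-connection grants:", broad_iokit_rules(r))
```

Running it lists the effective rules after the import and the helper expansion, which is the point of the slide: the attack surface of the WebProcess profile is not visible from that one file alone, and an `iokit-connection` grant deserves a closer look than an `iokit-user-client-class` grant.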
IOKit vulnerability: CVE-2016-1744
• Race condition in an externalMethod in AppleIntelBDWGraphics.
• Affects every recent Mac with Intel Broadwell CPU/Graphics.
• Discovered by code auditing when looking for sandbox escapes into IOKit UserClients reachable from the Safari WebProcess sandbox.
• Unfortunately it got partially patched 1-2 weeks before Pwn2Own! A replacement was needed.
• Unpatched in OSX 10.11.3, only partial fix in 10.11.4 beta 6.
• Reliably exploitable.
• Finally it came out that we had a bug collision with Ian Beer of Google Project Zero, who reported the bug to Apple.
IOKit Vulnerability – CVE-2016-1744 (cont.)
• Wrong/partial fix mistake responsibly disclosed to Apple.
• Fixed in 10.11.5 beta 2
• CVE-2016-1860
IOKit vulnerability: CVE-2016-1744
• IGAccelCLContext and IGAccelGLContext are 2 UserClients that can be reached from the WebProcess Safari sandbox.
• The locking mechanisms in these UserClients are not too good; some methods expect only well-behaved single-threaded access.
• First we targeted unmap_user_memory
IOKit vulnerability: some unsafe code
[Code screenshot not reproduced in the transcript]

Race condition – How to trigger it?
1. Open your target UserClient (IGAccelCLContext)
2. Call map_user_memory to insert one element into the IGHashTable
3. Call with 2 racing threads unmap_user_memory.
4. Repeat 2 and 3 until you are able to exploit the race window.
5. Double free on first hand
6. PROFIT!
[Diagram: three IGElement nodes linked through next/prev pointers; each IGElement holds a mach_vm_addr_t and an IOAccelMemoryMap*]
The ideal situation is that both threads pass hash table::contains, and when one is retrieving the IOAccelMemoryMap* after get returns a valid pointer, the other frees it and we control the pointer.
However, in reality, more frequently they both pass contains, but thread 1 removes the element before thread 2 does get, and thread 2 hits a null pointer dereference.
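The two interleavings just described are easier to reason about with an explicit schedule in front of you. The following is an added Python model written for this transcript; it is not the authors' code and it does not touch IOKit. `HashTable`, `MemoryMap` and the two callers are constructed stand-ins for the IGHashTable, the IOAccelMemoryMap* and the two racing threads, and a hand-written schedule replaces the OS scheduler so each interleaving is deterministic. `unmap_unsafe` reproduces the contains / get / remove / free sequence from the slides; `unmap_safe` shows the design fix a maintainer would want: take the element out of the table in one step under the table lock, so a check and a removal can never be separated by another caller.

```python
import threading


class MemoryMap:
    """Stand-in for the IOAccelMemoryMap* stored in each hash table element."""
    def __init__(self, name):
        self.name = name
        self.freed = False


class HashTable:
    """Stand-in for IGHashTable: a dict with the operations the sequence uses."""
    def __init__(self):
        self._d = {}
        self.lock = threading.Lock()

    def insert(self, key, m):
        self._d[key] = m

    def contains(self, key):
        return key in self._d

    def get(self, key):
        return self._d.get(key)        # None once the element is gone

    def remove(self, key):
        self._d.pop(key, None)


def free(m):
    """Reports the outcome of freeing `m` instead of crashing the model."""
    if m is None:
        return "null-deref"
    if m.freed:
        return "double-free"
    m.freed = True
    return "ok"


def unmap_unsafe(table, key):
    """The pattern the talk describes: check, fetch, remove and free are
    separate unlocked steps. Each `yield` is a point where the other
    caller may run."""
    if not table.contains(key):
        return "not-found"
    yield
    m = table.get(key)
    yield
    table.remove(key)
    yield
    return free(m)


def unmap_safe(table, key):
    """Hardened version: ownership of the element is taken atomically under
    the table lock, so a second caller either gets the element or nothing."""
    with table.lock:
        m = table.get(key)
        table.remove(key)
    yield
    return "not-found" if m is None else free(m)


def simulate(unmap, schedule):
    """Run two callers of `unmap` on the same key, stepping them in the order
    `schedule` gives (a list of caller ids 0/1). Returns both outcomes."""
    table = HashTable()
    table.insert(0x1000, MemoryMap("map-A"))     # constructed single element
    callers = [unmap(table, 0x1000), unmap(table, 0x1000)]
    outcome = [None, None]

    def step(tid):
        try:
            next(callers[tid])
        except StopIteration as done:
            outcome[tid] = done.value

    for tid in schedule:
        if outcome[tid] is None:
            step(tid)
    for tid in (0, 1):                # finish whatever the schedule left over
        while outcome[tid] is None:
            step(tid)
    return tuple(outcome)


# Constructed schedules for the three cases discussed on the slides.
SEQUENTIAL = [0, 0, 0, 0, 1, 1, 1, 1]          # no overlap at all
LOST_ELEMENT = [0, 1, 0, 0, 1, 1, 1]           # both pass contains, 0 removes before 1 gets
DOUBLE_FREE = [0, 1, 0, 1, 0, 0, 1, 1]         # both get the same pointer, both free it

if __name__ == "__main__":
    for name, sched in (("sequential", SEQUENTIAL), ("lost element", LOST_ELEMENT),
                        ("double free", DOUBLE_FREE)):
        print(f"{name:13} unsafe={simulate(unmap_unsafe, sched)}  "
              f"safe={simulate(unmap_safe, sched)}")
```

With the unsafe sequence the "lost element" schedule ends in the null pointer dereference the slide calls the common case, and the "double free" schedule is the rarer window the exploit needs; with the atomic take-out every schedule ends with one caller succeeding and the other seeing "not-found", which is what the single-threaded assumption in those methods was silently relying on.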
[Diagram: the same IGElement list with four nodes, shown "After 2 is removed" and "After 3 is removed"]
[Diagram: the IGElement list after the removals, with the tail element highlighted; caption: "heap address leaked!"]
For further info, check our talk slides
"Don't Trust Your Eye: Apple Graphics Is Compromised!" http://bit.ly/23GR14N
"The Python bites your apple: fuzzing and exploiting OSX kernel bugs" https://goo.gl/Ccgni1
For Android Sandbox Escape
• Isolated_app inherits app.te, app.te (appdomain) inherits domain.te
For Android Sandbox Escape (cont.)
• Attacking the binder interface is still an option
• Exploiting vulnerable basic classes
  • SharedStorage integer overflow
  • CVE-2015-3875
• Parcel at Java level accepts deserialization on a class name specified by string when processing a bundle
• A hidden path to trigger de/serialization code in system_server context
For Android Sandbox Escape (cont.)
• Attacking the binder interface is still an option
• Unintended export?
For Android Sandbox Escape (cont.)
• Attacking the binder interface is still an option
• Exploiting vulnerable basic classes / reachable via bundle interfaces
  • SharedStorage integer overflow
• Attacking the Chrome IPC
• Attacking WebGL
  • GL process runs in host process in Android
• Attacking the Kernel
  • CVE-2015-1805?
1805 in action
• Good news
  • No pipe policy in isolated_app
• Bad news:
  • Cannot create socket and spray kernel memory using sendmmsg
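The same audit the authors apply to the OSX profile can be applied to the SELinux side, and the two facts on this slide plus the inheritance chain (isolated_app carries the appdomain and domain attributes) are exactly the kind of question a policy checker answers. The script below is an added Python example, not the authors' code and not the AOSP policy: `POLICY` is a constructed mini-policy in `.te` syntax whose types, rules and permissions are stand-ins that only imitate the three-layer structure. It parses `type`, `typeattribute` and `allow` statements, resolves which rules reach a domain through its attributes, and reports what the domain may do, so one can check whether any rule restricts fifo access and whether the domain may create a socket.

```python
import re

# Constructed mini-policy in SELinux .te syntax (NOT the real AOSP sepolicy).
POLICY = """
attribute domain;
attribute appdomain;

type system_server, domain;
type servicemanager, domain;
type isolated_app, domain;
typeattribute isolated_app appdomain;

# domain.te stand-in: what every domain may do
allow domain domain:fifo_file { read write getattr };
allow domain domain:process { fork sigchld };

# app.te stand-in: what every app domain may do
allow appdomain servicemanager:binder { call transfer };
allow appdomain system_server:binder { call transfer };
allow appdomain system_server:fd use;

# untrusted_app.te stand-in: ordinary apps get sockets, isolated ones do not
type untrusted_app, domain;
typeattribute untrusted_app appdomain;
allow untrusted_app self:tcp_socket { create connect read write };
allow untrusted_app self:unix_stream_socket { create connect read write };
"""

ALLOW = re.compile(r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(.*)")


def _set(token):
    """'{ a b }' -> {'a','b'}; 'a' -> {'a'}."""
    token = token.strip()
    return set(token.strip("{} ").split()) if token.startswith("{") else {token}


def parse_policy(text):
    """Return (types, rules): type -> attributes, and (src, tgt, class, perms) rules."""
    types, rules = {}, []
    body = re.sub(r"#[^\n]*", "", text)                 # strip comments
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())
        if not stmt:
            continue
        kw, rest = stmt.split(" ", 1)
        if kw == "type":                                 # type NAME, attr, attr;
            name, *attrs = [p.strip() for p in rest.split(",")]
            types.setdefault(name, set()).update(attrs)
        elif kw == "typeattribute":                      # typeattribute NAME attr...;
            name, *attrs = rest.split()
            types.setdefault(name, set()).update(attrs)
        elif kw == "allow":
            src, tgt, cls, perms = ALLOW.match(rest).groups()
            rules.append((_set(src), _set(tgt), cls, _set(perms)))
        # 'attribute' declarations carry no access decision; ignored
    return types, rules


def names_of(types, t):
    """The type itself plus every attribute it carries (the inheritance chain)."""
    return {t} | types.get(t, set())


def allowed(types, rules, src, tgt, cls, perm):
    """Would the policy grant `perm` on `tgt:cls` to a process in domain `src`?"""
    src_names, tgt_names = names_of(types, src), names_of(types, tgt)
    for sources, targets, rcls, perms in rules:
        if rcls != cls or perm not in perms or not (sources & src_names):
            continue
        if ("self" in targets and src == tgt) or (targets & tgt_names):
            return True
    return False


def capability_report(types, rules, domain):
    """Every (target, class) -> permissions the domain is granted: the audit view."""
    report = {}
    src_names = names_of(types, domain)
    for sources, targets, cls, perms in rules:
        if sources & src_names:
            for t in targets:
                report.setdefault((t, cls), set()).update(perms)
    return report


if __name__ == "__main__":
    types, rules = parse_policy(POLICY)
    for (t, cls), perms in sorted(capability_report(types, rules, "isolated_app").items()):
        print(f"isolated_app -> {t}:{cls} {sorted(perms)}")
    print("fifo read:", allowed(types, rules, "isolated_app", "isolated_app", "fifo_file", "read"))
    print("tcp create:", allowed(types, rules, "isolated_app", "isolated_app", "tcp_socket", "create"))
```

In this constructed policy the fifo rule is inherited from the `domain` layer and nothing in the isolated layer narrows it, while socket creation only appears on `untrusted_app`, so the report shows the two outcomes the slide lists; against the real `isolated_app.te`, `app.te` and `domain.te` the same walk shows which layer each grant actually comes from.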
Prevent vendor's binder mistake
• Integer overflow in Huawei hw_ext_service running in system_server
Comparison

Comparison
• Both platforms share a lot of traits. They both implement a sandbox policy in files that specify it and can be audited.
• In general, between the 2, the Chromium Android sandbox feels stronger because it exposes a smaller attack surface.
• On Android we have more layers of sandboxing:
  • Android sandbox: Chrome is an application, so it is restricted by its DAC sandbox
  • IsolatedProcess: the render processes run in their own unprivileged process
  • Restrictive SELinux policy isolated_app.te
Full Sandbox Escape DEMO!

Summary and Conclusions
Summary and Conclusions
• Sandboxes are a great security mitigation.
• They usually require at least another additional bug to escape them and compromise the system, especially from the browser context.
• They have the great advantage of a very concise (and smaller) attack surface, much more defined to audit.
• A determined and knowledgeable attacker can still compromise the system, but with more effort.
Acknowledgments
• Liang Chen
• Qoobee
• Wushi
• All our other colleagues of KEEN Lab

Questions? Twitter: @keen_lab