Man in the Binder
Transcript of Man in the Binder
![Page 1: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/1.jpg)
MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID
Everything Goes Through The Binder
![Page 2: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/2.jpg)
A Hack in Three Acts
Act I – Know Your Droid
Act II – Attack Your Droid
Act III – Prepare Your Droid
![Page 3: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/3.jpg)
Meet The Cast
![Page 4: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/4.jpg)
The Authors
Nitay Artenstein, Idan Revivo, Michael Shalyt
![Page 5: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/5.jpg)
Victim App
Name: Kitty Bank
Occupation: Bank Application
“U want KitCoins – we haz it”
![Page 6: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/6.jpg)
n00b Attacker
Name: Kitty-ninja
Occupation: Script kiddie
“Mommy, can I rob this bank?”
![Page 7: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/7.jpg)
Ninja Attacker
Name: Paw of Death
Occupation: Black belt ninja hacker
“To rob a bank, you must first become the bank”
![Page 8: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/8.jpg)
System Services
Name: System Service
Occupation: Sitting and waiting to serve your needs
These things run Android!
![Page 9: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/9.jpg)
The Linux Kernel
Name: $ echo `uname -r`
Occupation: Holding the world on its shoulders since 1.1.1970
Feeling neglected now that system services get all the attention on Android
![Page 10: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/10.jpg)
The Binder
Name: The Binder
Occupation: All Powerful Mystery Character ?
Everything Goes Through The Binder
![Page 11: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/11.jpg)
Act I – Know Your Droid
![Page 12: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/12.jpg)
An Application’s Life On Windows
Syscalls
![Page 13: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/13.jpg)
An Application’s Life On Android
[Diagram labels: Syscalls, Syscalls, Syscalls, ?]
![Page 14: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/14.jpg)
Android – The Real Picture
[Diagram labels: Syscalls, Syscalls, ?]
Everything Goes Through The Binder
![Page 15: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/15.jpg)
[Diagram: Bank Application Process and System Service Process side by side. In each process: application / System Service code, System services proxy, libandroid_runtime.so, DalvikVM, /system/lib*.so and libbinder.so; a parcel leaves libbinder.so via a syscall to /dev/binder in the kernel (/dev/tty0 shown alongside).]
• Binder has a userland component and a kernel one
• The driver receives the Parcel via an ioctl syscall and delivers it to the target process
![Page 16: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/16.jpg)
What’s a Parcel?
![Page 17: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/17.jpg)
A Short Recap
[Diagram labels: Kitty Bank Process – DalvikVM – libbinder.so – Parcels – Syscalls – Parcels – Audio Manager]
![Page 18: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/18.jpg)
Everything Goes Through The Binder
![Page 19: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/19.jpg)
Act II – Attack Your Droid
![Page 20: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/20.jpg)
Round I – Key Logging
![Page 21: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/21.jpg)
A n00b Attacker’s View of The System
?
![Page 22: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/22.jpg)
What Would The n00b Attacker Do?
!
![Page 23: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/23.jpg)
What Would The n00b Attacker Do?
!
![Page 24: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/24.jpg)
What Would The n00b Attacker Do?
!@#$
![Page 25: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/25.jpg)
A Ninja Attacker’s View of The System
?
Everything Goes Through The Binder
![Page 26: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/26.jpg)
What Would The Ninja Attacker Do?
!
![Page 27: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/27.jpg)
Key Logger Demo
![Page 28: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/28.jpg)
What Would The Ninja Attacker Do?
w00t
![Page 29: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/29.jpg)
Round II – Data Manipulation
![Page 30: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/30.jpg)
A n00b Attacker’s View of The System
[Diagram labels: ?, Activity, Activity, Activity]
![Page 31: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/31.jpg)
What Would The n00b Attacker Do?
Bye Kitty Bank, Hello Shi**y Bank!
![Page 32: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/32.jpg)
What Would The n00b Attacker Do?
Bye Kitty Bank, Hello Shi**y Bank!
!@#$
![Page 33: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/33.jpg)
A Ninja Attacker’s View of The System
?
Everything Goes Through The Binder
Activity Manager
![Page 34: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/34.jpg)
In-app data goes through Binder???
![Page 35: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/35.jpg)
A Ninja Attacker’s View of The System
? Activity Manager
![Page 36: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/36.jpg)
What Would The Ninja Attacker Do?
! Activity Manager
![Page 37: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/37.jpg)
A trillion dollars, anyone?
![Page 38: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/38.jpg)
Data Manipulation Demo
![Page 39: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/39.jpg)
What Would The Ninja Attacker Do?
w00t
![Page 40: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/40.jpg)
Round III – Intercepting SMS
![Page 41: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/41.jpg)
A n00b Attacker’s View of The System
? Telephony Manager
![Page 42: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/42.jpg)
What Would The n00b Attacker Do?
! Just Ask Politely
![Page 43: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/43.jpg)
What Would The n00b Attacker Do?
!@#$ Just Ask Politely
![Page 44: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/44.jpg)
A Ninja Attacker’s View of The System
?
Everything Goes Through The Binder
Telephony Manager
![Page 45: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/45.jpg)
What Would The Ninja Attacker Do?
!
![Page 46: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/46.jpg)
SMS internals
• The Telephony Manager notifies the SMS app whenever an SMS is received
• The app queries the TM’s database via Binder:
![Page 47: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/47.jpg)
SMS internals
• But what’s a Cursor object?
• It’s a messy abstraction of a response to a query
![Page 48: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/48.jpg)
SMS internals
• Surprise: under the hood, it’s just a Unix fd
• Now we’re in business!
![Page 49: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/49.jpg)
What Would The Ninja Attacker Do?
w00t
![Page 50: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/50.jpg)
Summary
What Just Happened?
![Page 51: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/51.jpg)
Attacking The Binder
• Hook libbinder.so at the point where it sends an ioctl to the kernel
• Stealth: dozens of places to hook
• But don’t you need root?
![Page 52: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/52.jpg)
Attacking The Binder
Vulnerable to known rooting exploits
![Page 53: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/53.jpg)
Consider The Possibilities
![Page 54: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/54.jpg)
Summary
Features:
• Versatility: one hook – multiple functionalities.
• App agnostic: no need to RE apps.
• Stealth: the Android security model limits 3rd party security apps just like any other app.
![Page 55: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/55.jpg)
Summary
• This is NOT a vulnerability. It’s like man-in-the-browser, but for literally everything on Android.
• Root is assumed. Rooting won’t go away any time soon.
![Page 56: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/56.jpg)
Rumors
(You didn’t hear it from me…)
![Page 57: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/57.jpg)
What are you trying to tell me? That I can get all permissions on a device?
No. I’m trying to tell you that when you’re ready, you won’t have to.
![Page 58: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/58.jpg)
Act III – Preparing Your Droid
![Page 59: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/59.jpg)
Solutions – for developers
• Take control of your own process memory space.
• Minimize the amount of data going to IPC, and encrypt what has to go.
![Page 60: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/60.jpg)
Solutions – for the security industry
• Scan files like it’s the 90’s.
• Be brave – get root yourself:
  • Runtime process scanning and monitoring.
  • Software firewall (like Avast).
  • Binder firewall/anomaly detection.
  • Etc.
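A concrete form of the runtime process scanning proposed here, and of the developer advice to take control of your own process memory space, as an added example that is not from the talk or its authors: it parses a /proc/<pid>/maps listing and flags executable code mapped from outside the platform directories or the app's own library directory, including a libbinder.so loaded from an unexpected path. The maps excerpt is constructed, and the trusted-prefix list and the app library directory are assumptions.

```python
import re

# Constructed /proc/<pid>/maps excerpt (not captured from a real device): a bank app with
# the normal Android libraries, one library injected from /data/local/tmp, one anon rwx page.
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:04 1234  /dev/ashmem/dalvik-main space (deleted)
7f8a100000-7f8a140000 r-xp 00000000 fd:00 2001  /system/lib64/libbinder.so
7f8a200000-7f8a260000 r-xp 00000000 fd:00 2002  /system/lib64/libandroid_runtime.so
7f8a300000-7f8a310000 r-xp 00000000 fd:02 3003  /data/app/com.kittybank-1/lib/arm64/libkitty.so
7f8a400000-7f8a410000 r-xp 00000000 fd:02 3004  /data/local/tmp/libhook.so
7f8a500000-7f8a501000 rwxp 00000000 00:00 0
7f8a600000-7f8a620000 r--p 00000000 fd:00 2005  /system/framework/framework.jar
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$")

# Assumed trust policy: platform code lives under these prefixes on the device.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/")

def parse_maps(text):
    """Turn maps text into a list of {start, end, perms, path} dicts."""
    rows = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            rows.append({"start": int(m["start"], 16), "end": int(m["end"], 16),
                         "perms": m["perms"], "path": m["path"].strip()})
    return rows

def audit_maps(text, app_lib_dir):
    """Report executable mappings that belong neither to the platform nor to the app.
    Kinds: foreign_libbinder (libbinder.so mapped from outside the platform dirs),
    untrusted_exec_mapping (code from any other unexpected path), anon_exec
    (anonymous rwx memory; JIT does this too, so correlate with the runtime first)."""
    findings = []
    for r in parse_maps(text):
        if "x" not in r["perms"]:
            continue
        path = r["path"]
        if not path:
            findings.append(("anon_exec", hex(r["start"])))
        elif path.endswith("/libbinder.so") and not path.startswith(TRUSTED_PREFIXES):
            findings.append(("foreign_libbinder", path))
        elif not (path.startswith(TRUSTED_PREFIXES) or path.startswith(app_lib_dir)):
            findings.append(("untrusted_exec_mapping", path))
    return findings
```

On a device the same check runs over the real /proc/<pid>/maps of every process, which is exactly what a security product that has taken root for itself can read.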
![Page 61: Man in the Binder](https://reader030.fdocuments.in/reader030/viewer/2022020123/55c412afbb61eb841c8b4790/html5/thumbnails/61.jpg)
Further Reading
[1] White paper: “Man in the Binder”, Artenstein and Revivo
[2] “On the Reconstruction of Android Malware Behaviors”, Fattori, Tam et al.
[3] “Binderwall: Monitoring and Filtering Android Interprocess Communication”, Hausner