Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint
MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID
Everything Goes Through The Binder
A Hack in Three Acts
Act I – Know Your Droid
Act II – Attack Your Droid
Act III – Prepare Your Droid
Meet The Cast
The Authors
Nitay Artenstein Idan Revivo Michael Shalyt
Victim App. Name: Kitty Bank. Occupation: Bank Application.
“U want KitCoins – we haz it”
n00b Attacker. Name: Kitty-ninja. Occupation: Script kiddy.
“Mommy, can I rob this bank?”
Ninja Attacker. Name: Paw of Death. Occupation: Black belt ninja hacker.
“To rob a bank, you must first become the bank”
System Services. Name: System Service. Occupation: Sitting and waiting to serve your needs. These things run Android!
The Linux Kernel. Name: $ echo `uname -r`. Occupation: Holding the world on its shoulders since 1.1.1970.
Feeling neglected now that system services get all the attention on Android.
The Binder. Name: The Binder. Occupation: All Powerful Mystery Character ?
Everything Goes Through The Binder
Act I – Know Your Droid
An Application’s Life On Windows
[slide diagram; label: Syscalls]
An Application’s Life On Android
[slide diagram; labels: Syscalls, Syscalls, Syscalls, ?]
Android – The Real Picture
[slide diagram; labels: Syscalls, Syscalls]
Everything Goes Through The Binder
[slide diagram; labels: ?, /dev/binder, /dev/tty0, libbinder.so, kernel/system/libbinder.so, /system/lib*.so, DalvikVM, DalvikVM, syscall, parcel, parcel, Bank Application Process, System Service Process, application, System services proxy, libandroid_runtime.so, libandroid_runtime.so, System Service]
• Binder has a userland component and a kernel one
• The driver receives the Parcel via an ioctl syscall and sends it to the target processes
What’s a Parcel?
A Short Recap
[slide diagram; labels: Kitty Bank Process, DalvikVM, libbinder.so, Parcels, Syscalls, Parcels, Audio Manager]
Everything Goes Through The Binder
Act II – Attack Your Droid
Round I – Key Logging
A n00b Attacker’s View of The System
[slide diagram: ?]
What Would The n00b Attacker Do?
[slide diagram: ! … !@#$]
A Ninja Attacker’s View of The System
[slide diagram: ?]
Everything Goes Through The Binder
What Would The Ninja Attacker Do?
[slide diagram: !]
Key Logger Demo
What Would The Ninja Attacker Do?
w00t
Round II – Data Manipulation
A n00b Attacker’s View of The System
[slide diagram: ?, Activity, Activity, Activity]
What Would The n00b Attacker Do?
Bye Kitty Bank, Hello Shi**y Bank! … !@#$
A Ninja Attacker’s View of The System
[slide diagram: ?]
Everything Goes Through The Binder
[slide diagram: Activity Manager]
In-app data goes through Binder???
A Ninja Attacker’s View of The System
[slide diagram: ?, Activity Manager]
What Would The Ninja Attacker Do?
[slide diagram: !, Activity Manager]
A trillion dollars, anyone?
Data Manipulation Demo
What Would The Ninja Attacker Do?
w00t
Round III – Intercepting SMS
A n00b Attacker’s View of The System
[slide diagram: ?, Telephony Manager]
What Would The n00b Attacker Do?
Just Ask Politely … !@#$
A Ninja Attacker’s View of The System
[slide diagram: ?]
Everything Goes Through The Binder
[slide diagram: Telephony Manager]
What Would The Ninja Attacker Do?
[slide diagram: !]
SMS internals
• The Telephony Manager notifies the SMS app whenever an SMS is received
• The app queries the TM’s database via Binder:
• But what’s a Cursor object?
• It’s a messy abstraction of a response to a query
• Surprise: Under the hood, it’s just a Unix fd
• Now we’re in business!
What Would The Ninja Attacker Do?
w00t
Summary – What Just Happened?
Attacking The Binder
• Hook libbinder.so at the point where it sends an ioctl to the kernel
• Stealth: dozens of places to hook
• But don’t you need root?
Vulnerable to known rooting exploits
Consider The Possibilities
Summary
Features:
• Versatility: one hook – multiple functionalities.
• App agnostic: no need to RE apps.
• Stealth: the Android security model limits 3rd party security apps just like any other app.
• This is NOT a vulnerability. It’s like man-in-the-browser, but for literally everything on Android.
• Root is assumed. Rooting won’t go away any time soon.
Rumors (You didn’t hear it from me…)
What are you trying to tell me? That I can get all permissions on a device?
No. I’m trying to tell you that when you’re ready, you won’t have to.
Act III – Preparing Your Droid
Solutions – for developers
• Take control of your own process memory space.
• Minimize the amount of data going to IPC, and encrypt what has to go.
Solutions – for security industry
• Scan files like it’s the 90’s.
• Be brave – get root yourself:
  • Runtime process scanning and monitoring.
  • Software firewall (like Avast).
  • Binder firewall/anomaly detection.
  • Etc.
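An added example, not from the talk or its white paper, of what “take control of your own process memory space” and “runtime process scanning” can look like against the libbinder.so hook described above: a self-check that parses /proc/self/maps text and reports the mappings such a hook needs in the victim process, namely executable code backed by a file outside the trusted partitions and pages that are both writable and executable. The partition allowlist, the sample maps text and the hook library name are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_FINDINGS 32
/* Partitions that legitimately back executable code on Android (assumed allowlist). */
static const char *TRUSTED[] = { "/system/", "/vendor/", "/apex/", NULL };
static int trusted_path(const char *path) {
    for (int i = 0; TRUSTED[i]; i++)
        if (strncmp(path, TRUSTED[i], strlen(TRUSTED[i])) == 0) return 1;
    return 0;
}
/* Parse /proc/<pid>/maps text and record the mappings a libbinder hook would need:
   executable code backed by a file outside the trusted partitions, or pages that are
   both writable and executable (in-memory trampolines). Returns the number of findings. */
int scan_maps(const char *maps, char findings[][256], int max) {
    int n = 0;
    const char *line = maps;
    while (*line && n < max) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char range[64], perms[8], dev[16], path[256] = "";
        unsigned long off, ino;
        int f = sscanf(buf, "%63s %7s %lx %15s %lu %255s", range, perms, &off, dev, &ino, path);
        if (f >= 5) {
            int exec = strchr(perms, 'x') != NULL, wr = strchr(perms, 'w') != NULL;
            int backed = path[0] == '/';  /* file-backed, as opposed to anonymous or [special] */
            if (exec && wr)
                snprintf(findings[n++], 256, "rwx %s %s", range, backed ? path : "[anon]");
            else if (exec && backed && !trusted_path(path))
                snprintf(findings[n++], 256, "untrusted code %s %s", range, path);
        }
        line = end ? end + 1 : line + len;
    }
    return n;
}
/* Constructed sample (not a real capture): a bank app process with an injected hook library. */
const char *SAMPLE_MAPS =
    "7a1000-7a9000 r-xp 00000000 b3:0c 101 /system/lib/libbinder.so\n"
    "7b0000-7b1000 rw-p 00000000 00:00 0\n"
    "7c0000-7c4000 r-xp 00000000 b3:21 777 /data/local/tmp/libhook.so\n"
    "7d0000-7d1000 rwxp 00000000 00:00 0 [anon:trampoline]\n";
int main(void) {
    char findings[MAX_FINDINGS][256];
    int n = scan_maps(SAMPLE_MAPS, findings, MAX_FINDINGS); /* use /proc/self/maps for a live check */
    for (int i = 0; i < n; i++) printf("%s\n", findings[i]);
    return n > 0; /* non-zero exit when the process looks tampered with */
}
```

On a non-Android host, every library under /usr/lib is reported because the allowlist is Android's; adjust TRUSTED to the host's system paths before pointing it at a live /proc/self/maps.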
Further Reading
[1] White paper: “Man in the Binder”, Artenstein and Revivo
[2] “On the Reconstruction of Android Malware Behaviors”, Fattori, Tam et al.
[3] “Binderwall: Monitoring and Filtering Android Interprocess Communication”, Hausner