Professional Documents
Culture Documents
Past work
– Some Bluetooth security work
– A lot on SMS and MMS security
– Mobile web usage and privacy
– Some early work on NFC phone security
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
3
Bug Hunting on Android
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
4
Debug, monitor, simple instrumentation
– GDB
• Debug, if you actually get it to work stable :-/
Simple instrumentation
– LD_LIBRARY_PRELOAD
• Intercept or replace library calls
– Replace library
• Overwrite functions to intercept
• Load original library
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
5
Dynamic Binary Instrumentation
Debugging
– exploit development
Extract “data”
– cryptographic keys
Create “instrument”
– e.g. I/O logger
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
7
Tasks
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
8
Inject Library (known technique!)
ptrace() process
– Save current state → the registers
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
10
Where is dlopen()?
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
11
Where is dlopen()?
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
12
Hooking com.android.nfc
instrument
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
13
My instrumentation toolkit
Compile helper
– Compiles ARM or Thumb depending on hook target
• Possible for each individual hook
– Deal with Android specific linking
– Assembles the final 'instrument' library (.so file)
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
14
The Instrumentation 'Framework'
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
15
Symbol Lookup
Read /proc/<PID>/maps
– Get (code, library) base addresses
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
16
Symbol Lookup: my modifications
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
17
Installing Hooks
Hook-function
– Writes “saved” instructions back to patched function
Issue
– Instruction cache vs. Data cache
– → flush instruction cache...
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
18
Hooking ARM Code
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
19
Hooking Thumb Code
Some problems
– Can't load PC with 32 bit value from relative address
• LDR pc, [pc, #0]
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
20
Hooking Thumb Code (new in v0.2)
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
21
Calling the original function
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
22
Hook code stub generator
Hook-Function body
– Log when hook it is called
– Call original function
Hooking macro
Auxiliary data structures
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
23
Developing an Instrument
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
24
Developing an Instrument cont.
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
25
My Demo Instruments for NFC
Log I2C
– Sniff com between NFC stack process and NFC chip
– Nexus S
– actually contributed by Charlie!
Log Uart
– Sniff com between NFC stack process and NFC chip
– Galaxy Nexus
Sniff
– Log NDEF read (dump NDEF payload)
EmuNFCcard
– Software emulate reading an NFC card (for fuzzing!)
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
26
Simple “i2c sniffing” hooking code
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
27
A hook in action: i2c_read
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
28
I2C sniff output
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
29
RFID/NFC Card Read Sniff Payload
hook: phLibNfc_Ndef_Read(...)
– Completely asynchronous
– Ndef_Read(..) takes pointer to callback
– Callback indicates data read
→ patch callback to get data
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
30
RFID/NFC Card Read Sniff Replace Payload
hook: phLibNfc_Ndef_Read(...)
– Completely asynchronous
– Ndef_Read(..) takes pointer to callback
– Callback indicates data read
→ patch callback to replace data
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
31
How do we fuzz tag reading?
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
32
How do we fuzz tag reading?
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
33
Finally: fully automated RFID/NFC tag fuzzing
Idea
– Simulate a card being read by the NFC chip
→ data pushed up the NFC stack for parsing
Fuzz com.android.nfc
– generate NDEF tag content and inject into process
Result
– NFC tag fuzzing without need to write data to tag
→ no need to hold tag to the phone
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
34
Fuzzing, Networking, and Android Permissions
Simple solution
– Use file system, put “fuzz data” in file and read it
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
35
Fuzzing, Networking, and Android Permissions
Simple solution
– Use file system, put “fuzz data” in file and read it
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
36
Network “Emulation” aka a file descriptor
A file descriptor to
– read(), write(), poll(), select()
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
37
Network “Emulation” finalized via proxy
for (;;)
bind(), listen(), accept()
open(pts)
read(net)
write(pts)
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
38
Fully automated RFID/NFC tag fuzzing
Idea
– Simulate a card being read by the NFC chip
→ data pushed up the NFC stack for parsing
Fuzz com.android.nfc
– generate NDEF tag content and inject into process
Result
– NFC tag fuzzing without need to write data to tag
→ no need to hold tag to the phone
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
39
Inside com.android.nfc
libnfc → libnfc-nxp
– Completely asynchronous operation
• Callback indicate end of operation
libnfc_jni
– Calls libnfc functions, provides callback functions
– runs extra thread for processing libnfc's message queue
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
40
Tag Detect-Read call stack: com.android.nfc
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
41
Full NFC/RFID (NDEF) tag read emulation
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
42
Full NFC/RFID (NDEF) tag read emulation
Some obstacles
– Cannot call callbacks from our thread
• Results in just a crash
– Need to call callbacks from libnfc_jni's libnfc-thread
• How???
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
43
Full NFC/RFID (NDEF) tag read emulation
Some obstacles
– Cannot call callbacks from our thread
• Results in just a crash
– Need to call callbacks from libnfc_jni's libnfc-thread
• How???
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
44
Full NFC/RFID (NDEF) tag read emulation
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
45
Full NFC/RFID (NDEF) tag read emulation
Demo Video
http://www.mulliner.org/android/nfcemuvideo.mp4
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
46
Release Android DBI Toolkit v0.2
BreakPoint special!!!
http://www.mulliner.org/android/feed/collin_android_dbi_v02.zip
– Not online yet, but soon!
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
47
Tools to be implemented (your task)
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
48
Improvements ToDo
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
49
Conclusions
Thanks
– Nico
• Good hints in the early state of this project
– Charlie
• For testing my framework! \o/
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
50
Related, Previous, and Similar Work
Android / ARM
– Georg Wicherski
• Thumb2 instrumentation stuff shown at HES2012
• No details and/or code published
– Sebastian Krahmer
• ported his injectso tool to Android
NEU SECLAB
Collin Mulliner – Breakpoint 2012 “Android DBI”
51
Northeastern University
Systems Security Labs
EOF
Thank you! Any Questions ?
twitter: @collinrm
crm[at]ccs.neu.edu
http://mulliner.org/android/
NEU SECLAB