LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules

Black Hat

Netlink is a socket family designed for inter-process communication (IPC) between the kernel and user-space processes; it has been part of Linux since 1999, with Linux 2.2. With the popularity of the Android operating system, it is widely used in Android kernel modules. Despite its capabilities, Netlink is often overlooked by security researchers because ioctl dominates userspace-kernelspace communication. Its programming complexity compared to ioctl also increases the chance that developers introduce security vulnerabilities. Netlink has therefore become a hidden attack surface buried deep in the Android ecosystem.
During our research, we found that Netlink can be divided into two categories according to its usage: Classic Netlink and Generic Netlink. Because Netlink is full-duplex, each category involves two message-processing flows in the kernel: top-down message parsing and bottom-up message building. Following this idea, we summarized four threat models and analyzed typical vulnerability scenarios for each. Based on these scenarios, we investigated Netlink-related kernel modules from 4 well-known vendors, discovered 30+ security vulnerabilities, and obtained 12 CVEs. Most of the vulnerabilities have been confirmed, and they can lead to serious consequences such as privilege escalation.
In this talk, we will first dive into the Netlink mechanism in the Linux kernel, then illustrate the security threats of Netlink usage scenarios according to the four threat models. Next, we will introduce the analysis, verification and exploitation of Netlink-related vulnerabilities. Finally, we will give vendors security suggestions for using Netlink, based on vulnerability statistics and root cause analysis.
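The top-down parsing flow mentioned above is where user-supplied nlmsg_len and nla_len fields first reach a kernel module, and a missing check on either is the typical root cause of a Netlink parsing bug. As an added example that is not part of the talk or its materials, the following C walks one message's attributes with the same bounds checks the kernel's NLMSG_OK/NLA_OK macros perform; the struct mirrors and constants are local definitions assumed to match the uapi layout on a little-endian host, and both messages are constructed samples.

```c
#include <stdint.h>
#include <string.h>

/* Local mirrors of the uapi structs (assumption: same field order and sizes
 * as <linux/netlink.h>), so the example builds without kernel headers. */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                  uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
struct nlattr   { uint16_t nla_len; uint16_t nla_type; };

#define NL_ALIGN(n)  (((n) + 3u) & ~3u)  /* NLMSG_ALIGNTO == NLA_ALIGNTO == 4 */
#define NLMSG_HDRLEN NL_ALIGN(sizeof(struct nlmsghdr))
#define NLA_HDRLEN   NL_ALIGN(sizeof(struct nlattr))

/* Top-down parse of one message: nlmsg_len is checked against the bytes
 * actually received, then each nla_len against the bytes left in the message.
 * Returns the attribute count, or -1 if any length field would read past the
 * buffer. Up to `max` attribute types are written to `types`. */
int parse_attrs(const unsigned char *buf, size_t len, uint16_t *types, size_t max)
{
    struct nlmsghdr nlh;
    if (len < NLMSG_HDRLEN) return -1;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.nlmsg_len < NLMSG_HDRLEN || nlh.nlmsg_len > len) return -1;
    size_t off = NLMSG_HDRLEN, end = nlh.nlmsg_len;
    int count = 0;
    while (off < end) {
        struct nlattr nla;
        if (end - off < NLA_HDRLEN) return -1;            /* truncated header */
        memcpy(&nla, buf + off, sizeof nla);
        if (nla.nla_len < NLA_HDRLEN || nla.nla_len > end - off) return -1; /* NLA_OK */
        if ((size_t)count < max) types[count] = nla.nla_type;
        count++;
        off += NL_ALIGN(nla.nla_len);                     /* NLA_NEXT: 4-byte padding */
    }
    return count;
}

/* Constructed 32-byte message (little-endian host assumed): header, attr type 1
 * with a 4-byte payload, attr type 2 with a 1-byte payload plus 3 pad bytes. */
const unsigned char good_msg[32] = {
    32,0,0,0, 16,0, 0,0, 0,0,0,0, 0,0,0,0,
    8,0, 1,0, 0xaa,0xbb,0xcc,0xdd,
    5,0, 2,0, 0x01, 0,0,0 };
/* Same bytes, but attr 2 claims nla_len = 64 when only 8 bytes remain. */
const unsigned char bad_msg[32] = {
    32,0,0,0, 16,0, 0,0, 0,0,0,0, 0,0,0,0,
    8,0, 1,0, 0xaa,0xbb,0xcc,0xdd,
    64,0, 2,0, 0x01, 0,0,0 };
```

The same walk with `nla.nla_len > end - off` omitted would accept bad_msg and read 60 bytes past the buffer, which is the shape of bug the four threat models in the talk classify.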
By:
Chao Ma | Security Researcher, Baidu Security
Han Yan | Security Researcher, Baidu Security
Tim Xia | Security Researcher, Baidu Security
Presentation Materials Available:
www.blackhat.c...
