Explore an innovative ex-vivo dynamic analysis framework for Android device drivers in this IEEE conference talk. Learn about a novel approach that enables off-device analysis without the need for porting or complex hardware emulation. Discover how the framework evades hardware and kernel dependencies to initialize drivers and enable analysis using userspace tools. Understand the advantages of this method over on-device analysis, including scalability with commodity CPUs. Examine the framework's effectiveness in loading drivers from various Android kernels and its ability to detect known vulnerabilities. Gain insights into the discovery of new bugs in system call handlers of platform device drivers, and the potential implications for security tasks such as exploit development, reverse engineering, and vulnerability detection in Android smartphones.
Ex-Vivo Dynamic Analysis Framework for Android Device Drivers
Overview
Syllabus
Intro
WHAT PREVENTS OFF-DEVICE DYNAMIC ANALYSIS (IN EMULATOR)?
SUPERFICIALLY DEPENDENT PATHS: EXAMPLE, MSM_ISP DRIVER FROM MSM KERNEL
SUPERFICIALLY DEPENDENT PATHS: EXAMPLE, MSM ISP DRIVER FROM MSM KERNEL
HOW KERNEL MANAGES DEVICES: DEVICE TREES
HARDWARE DEPENDENCIES: MISSING PERIPHERAL
SOFTWARE DEPENDENCIES 1: FUNCTION STUBS
STRUCTURE LAYOUTS
TESTING KNOWN CVE'S WITH EVASION KERNEL (HYPOTHESIS 1)
INITIALIZING ALIEN DRIVERS (HYPOTHESIS 2)
USER-SPACE FUZZING
IOCTL COMPLEX FORMAT
RECOVERING IOCTL'S
FUZZING RESULTS
CONCLUSION
Taught by
IEEE Symposium on Security and Privacy
