everything goes through the binder
play

Everything Goes Through The Binder A Hack in Three Acts Act I Know - PowerPoint PPT Presentation

Jul 18, 2023 •535 likes •1.16k views

MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID Everything Goes Through The Binder A Hack in Three Acts Act I Know Your Droid Act II Atuack Your Droid Act III Prepare Your Droid Meet The Cast The Authors Nitay

  1. MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID Everything Goes Through The Binder

  2. A Hack in Three Acts Act I – Know Your Droid Act II – Atuack Your Droid Act III – Prepare Your Droid

  3. Meet The Cast

  4. The Authors Nitay Artenstein Idan Revivo Michael Shalyt

  5. Victim App Name: Kituy Bank Occupatjon: Bank Applicatjon “U want KitCoins – we haz it”

  6. n00b attacker Name: Kituy-ninja Occupatjon: Script kiddy “Mommy, can I rob this bank?”

  7. Ninja Attacker Name: Paw of Death Occupatjon: Black belt ninja hacker “To rob a bank, you must fjrst become the bank”

  8. System Services Name: System Service Occupatjon: Sittjng and waitjng to serve your needs These things run Android!

  9. The Linux Kernel Name: $ echo `uname –r` Occupatjon: Holding the world on its shoulders since 1.1.1970 Feeling neglected now that system services get all the atuentjon on Android

  10. The Binder Name: The Binder Occupatjon: All Powerful ? Mystery Character Everything Goes Through The Binder

  11. Act I Know Your Droid

  12. An Applicatjon’s Life On Windows Syscalls

  13. An Applicatjon’s Life On Android ? Syscalls Syscalls Syscalls

  14. Android – The Real Picture ? Syscalls Syscalls Everything Goes Through The Binder

  15. Bank Applicatjon Process System Service Process • Binder has a userland DalvikVM DalvikVM component and a kernel applicatjon applicatjon System Service System Service one System services System services proxy proxy • The driver receives the libandroid_runtjme.so libandroid_runtjme.so Parcel via an ioctl syscall libandroid_runtjme.so /system/lib*.so libandroid_runtjme.so /system/lib*.so and sends it to the target libbinder.so /system/libbinder.so libbinder.so /system/libbinder.so kernel processes syscall parcel parcel /dev/tuy0 /dev/binder

  16. What’s a Parcel?

  17. A Short Recap Audio Manager Kituy Bank Process DalvikVM Parcels Syscalls Parcels libbinder.so libbinder.so

  18. Everything Goes Through The Binder

  19. Act II Attack Your Droid

  20. Round I Key Logging

  21. A n00b Atuacker’s View of The System ?

  22. What Would The n00b Atuacker Do? !

  23. What Would The n00b Atuacker Do? !

  24. What Would The n00b Atuacker Do? !@#$

  25. A Ninja Atuacker’s View of The System ? Everything Goes Through The Binder

  26. What Would The Ninja Atuacker Do? !

  27. Key Logger Demo

  28. What Would The Ninja Atuacker Do? w00t

  29. Round II Data Manipulatjon

  30. A n00b Atuacker’s View of The System ? Actjvity Actjvity Actjvity

  31. What Would The n00b Atuacker Do? Bye Kituy Bank , Hello Shi**y Bank !

  32. What Would The n00b Atuacker Do? Bye Kituy Bank , Hello Shi**y Bank !@#$

  33. A Ninja Atuacker’s View of The System Actjvity Manager ? Everything Goes Through The Binder

  34. In-app data goes through Binder???

  35. A Ninja Atuacker’s View of The System Actjvity Manager ?

  36. What Would The Ninja Atuacker Do? Actjvity Manager !

  37. A trillion dollars, anyone?

  38. Data Manipulatjon Demo

  39. What Would The Ninja Atuacker Do? w00t

  40. Round III Interceptjng SMS

  41. A n00b Atuacker’s View of The System ? Telephony Manager

  42. What Would The n00b Atuacker Do? ! Just Ask Politely

  43. What Would The n00b Atuacker Do? !@#$ Just Ask Politely

  44. A Ninja Atuacker’s View of The System ? Telephony Manager Everything Goes Through The Binder

  45. What Would The Ninja Atuacker Do? !

  46. SMS internals • The Telephony Manager notjfjes the SMS app whenever an SMS is received • The app queries the TM’s database via Binder:

  47. SMS internals • But what’s a Cursor object? • It’s a messy abstractjon of a response to a query

  48. SMS internals • Surprise: Under the hood, it’s just a Unix fd • Now we’re in business!

  49. What Would The Ninja Atuacker Do? w00t

  50. Summary What Just Happened?

  51. Atuacking The Binder • Hook libbinder.so at the point where it sends an ioctl to the kernel • Stealth: dozens of places to hook • But don’t you need root?

  52. Atuacking The Binder Vulnerable to known rootjng exploits

  53. Consider The Possibilitjes

  54. Summary Features: • Versatjlity: one hook – multjple functjonalitjes. • App agnostjc: no need to RE apps. • Stealth: the Android security model limits 3 rd party security apps just like any other app.

  55. Summary • This is NOT a vulnerability. It’s like man-in-the- browser, but for literally everything on Android. • Root is assumed. Rootjng won’t go away any tjme soon.

  56. Rumors (You didn’t hear it from me…)

  57. What are you trying to tell me? That I can get all permissions on a device? No. I’m trying to tell you that when you’re ready, you won’t have to

  58. Act III Preparing Your Droid

  59. Solutjons – for developers • Take control of your own process memory space. • Minimize the amount of data going to IPC, and encrypt what has to go.

  60. Solutjons – for security industry • Scan fjles like it’s the 90’s. • Be brave – get root yourself: • Runtjme process scanning and monitoring. • Sofuware fjrewall (like Avast). • Binder fjrewall/anomaly detectjon. • Etc.

  61. Further Reading [1] White paper: “Man in the Binder”, Artenstein and Revivo [2] “On the Reconstructjon of Android Malware Behaviors”, Fatori, Tam et al [3] “Binderwall: Monitoring and Filtering Android Interprocess Communicatjon”, Hausner

Recommend

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem Coleri Shashwath Sreedhar, Sogol Haddadi, Matthew Haynes, and Sunny Lewis Other contribut Other butor ors TAC members: Larry Ilg ODOT

712 views • 34 slides
Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D.

Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D.

transportationstudies.asu.edu Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D. Assistant Professor, School of Sustainable Engineering and the Built Environment Co-Director, The National Center of

311 views • 27 slides
Regulatory Binder By: Sam Payn Regulatory Binder Goals To learn about regulatory binders.

Regulatory Binder By: Sam Payn Regulatory Binder Goals To learn about regulatory binders.

Regulatory Binder By: Sam Payn Regulatory Binder Goals To learn about regulatory binders. To learn about Essential documents for the regulatory binder Put together a regulatory binder Purpose The purpose of the Regulatory Binder is

187 views • 14 slides
What is a Regulatory Binder? Paperwork required to keep updated on studies where patients are

What is a Regulatory Binder? Paperwork required to keep updated on studies where patients are

Regulatory Binder: 1.26.15 Sara L. Douglas, PhD, RN Amy R. Lipson, PhD Information in this Presentation Is Up-to-Date as of 8.18.17 What is a Regulatory Binder? Paperwork required to keep updated on studies where patients are being consented

343 views • 16 slides
I N N O V A T I O N W O R L D W I D E CARDBOARD ECO BINDER A NEW CONCEPT OF

I N N O V A T I O N W O R L D W I D E CARDBOARD ECO BINDER A NEW CONCEPT OF

I N N O V A T I O N W O R L D W I D E CARDBOARD ECO BINDER A NEW CONCEPT OF BINDING SHEETS ENVIRONMENTALLY FRIENDLY, COST EFFECTIVE AND INNOVATIVE USE AN ALTERNATIVE TO TRADITIONAL METAL OF PLASTIC COIL BINDERS. The patent

283 views • 7 slides
Field Validation Database for Binder Testing Procedures Recommended by NCHRP 9-10 Wilfung

Field Validation Database for Binder Testing Procedures Recommended by NCHRP 9-10 Wilfung

Field Validation Database for Binder Testing Procedures Recommended by NCHRP 9-10 Wilfung Martono H.U.Bahia University of Wisconsin-Madison ETG Meeting Fall 2003 Las Vegas, NV Background ! Need for Field Validation of ! Binder repeated

743 views • 23 slides
Binder tude du mcanisme de communication interprocessus d'Android et de ses vulnrabilits

Binder tude du mcanisme de communication interprocessus d'Android et de ses vulnrabilits

Binder tude du mcanisme de communication interprocessus d'Android et de ses vulnrabilits - Binder IPC and its vulnerabilities Prsent 06/03/2020 Pour THCON 2020 Par Jean-Baptiste Cayrou Who I am Jean-Baptiste Cayrou ( @jbcayrou )

1.63k views • 97 slides
Binder: A System to Aggregate Mul5ple Internet Gateways in

Binder: A System to Aggregate Mul5ple Internet Gateways in

Binder: A System to Aggregate Mul5ple Internet Gateways in Community Networks Marwan Fayed Luca Boccassi (Cisco) and Mahesh Marina How to solve

445 views • 13 slides
Guide to Rates of Application of Primer Primer Pavement Grade Rate (L/m ) Tightly bonded

Guide to Rates of Application of Primer Primer Pavement Grade Rate (L/m ) Tightly bonded

Design of Rates of Application Primes Primerseals Seals C170 binder Polymer modified binder Sprayed Seal Design Geotexle reinforced seals (GRS) AAPA training

222 views • 9 slides
p K a modulation of a bis(2-aminoimidazoline) DNA minor groove binder that targets the kinetoplast

p K a modulation of a bis(2-aminoimidazoline) DNA minor groove binder that targets the kinetoplast

p K a modulation of a bis(2-aminoimidazoline) DNA minor groove binder that targets the kinetoplast of Trypanosoma brucei Jorge Jonathan Nu Martinez 1 , Harry P. De Koning 2 , Godwin Ebiloma 2 , Cinthia Millan 3 , J. Lourdes Campos 3 , Christophe

724 views • 20 slides
THE USE OF XPS TO INVESTIGATE THE AGEING MECHANISM OF THE PHENOL-UREA-FORMALDEHYDE (PUF) BINDER

THE USE OF XPS TO INVESTIGATE THE AGEING MECHANISM OF THE PHENOL-UREA-FORMALDEHYDE (PUF) BINDER

THE USE OF XPS TO INVESTIGATE THE AGEING MECHANISM OF THE PHENOL-UREA-FORMALDEHYDE (PUF) BINDER COATED MINERAL FIBERS A. Zafar 1* , J. Schjdt-Thomsen 1 , R. Sodhi 2 , D. de Kubber 3 1 Department of Mechanical and Manufacturing Engineering,

66 views • 6 slides
at Palm Valley Academy - Email is the best way to communicate with us. - Please make sure your

at Palm Valley Academy - Email is the best way to communicate with us. - Please make sure your

at Palm Valley Academy - Email is the best way to communicate with us. - Please make sure your child brings their binder and planner to school every day. In your childs binder, you will find: - Homework - Graded Papers - Notes (when needed)

512 views • 24 slides
A proposal for a 100% use of bauxite residue: The process, results on the novel Fe-rich binder

A proposal for a 100% use of bauxite residue: The process, results on the novel Fe-rich binder

A proposal for a 100% use of bauxite residue: The process, results on the novel Fe-rich binder and how this can take place within the alumina refinery T. Hertel, L. Arnout, A. Peys, L. Pandelaers, B. Blanpain, Y. Pontikes 06/10/2015 The dirty

318 views • 31 slides
Polarized We Govern? Sarah Binder GWU and Brookings Negotiating with Republicans is like

Polarized We Govern? Sarah Binder GWU and Brookings Negotiating with Republicans is like

Polarized We Govern? Sarah Binder GWU and Brookings Negotiating with Republicans is like Chasing a greasy pig It is kind of a painless ordeal for the pig For those who dont know what a greased pig contest is, heres what it

108 views • 9 slides
Convergence to SLE 6 for Percolation Models (joint with I. Binder & L. Chayes) Helen K. Lei

Convergence to SLE 6 for Percolation Models (joint with I. Binder & L. Chayes) Helen K. Lei

Convergence to SLE 6 for Percolation Models (joint with I. Binder & L. Chayes) Helen K. Lei August 14, 2009 Introduction Setup & Scaling Limit Conformal Invariance & Cardys Formula Statement of Result Percolation

281 views • 27 slides
Welcome Grab your binder and something to write with Open to your SEL Section Opening Activity

Welcome Grab your binder and something to write with Open to your SEL Section Opening Activity

Welcome Grab your binder and something to write with Open to your SEL Section Opening Activity Turn to your SEL section How will we respond to the immigrant caravan? Students will be able to Analyze texts to identify the push and

162 views • 14 slides
THE ROLE OF PRIVATE PURCHASERS IN PAYMENT REFORM Leah Binder, MA, MGA, President & CEO, The

THE ROLE OF PRIVATE PURCHASERS IN PAYMENT REFORM Leah Binder, MA, MGA, President & CEO, The

1 THE ROLE OF PRIVATE PURCHASERS IN PAYMENT REFORM Leah Binder, MA, MGA, President & CEO, The Leapfrog Group 2 Why the surprising news? 3 4 Surprise Percentage of Covered Workers Enrolled in Either a HDHP/HRA or HSA Qualified

646 views • 21 slides
Leah Binder, President & CEO May 17, 2018 2 Yet! Surprisingly few data sources on quality of

Leah Binder, President & CEO May 17, 2018 2 Yet! Surprisingly few data sources on quality of

Leah Binder, President & CEO May 17, 2018 2 Yet! Surprisingly few data sources on quality of care public by provider 3 Source LImitations Sometimes Medicare-only, Hospital Compare by system,older, political

400 views • 14 slides
Effects of Binder, Curing Time, Temperature and Trafficking on Moduli of Stabilized and Un-

Effects of Binder, Curing Time, Temperature and Trafficking on Moduli of Stabilized and Un-

Effects of Binder, Curing Time, Temperature and Trafficking on Moduli of Stabilized and Un- stabilized Full Depth Reclamation Materials Rongzong Wu, Stefan Louw, David Jones University of California Pavement Research Center 94 th Annual

271 views • 25 slides
Mucormycosis from the pathogens to the disease U. Binder, E. Maurer and C. Lass-Fl orl

Mucormycosis from the pathogens to the disease U. Binder, E. Maurer and C. Lass-Fl orl

REVIEW 10.1111/1469-0691.12566 Mucormycosis from the pathogens to the disease U. Binder, E. Maurer and C. Lass-Fl orl Division of Hygiene and Medical Microbiology, Medical University Innsbruck, Innsbruck, Austria Abstract Mucormycosis

88 views • 7 slides
A Forecasting Competition: First Results Michael Binder 1 , Mtys Farkas 2 , Zexi Sun 1 , John

A Forecasting Competition: First Results Michael Binder 1 , Mtys Farkas 2 , Zexi Sun 1 , John

3rd Conference of the Macroeconomic Modelling and Model Comparison Network June 13, 2019 A Forecasting Competition: First Results Michael Binder 1 , Mtys Farkas 2 , Zexi Sun 1 , John Taylor 3 , Volker Wieland 1 , Maik Wolters 4 1 Goethe

343 views • 19 slides
19mm High RAP WMA Binder Leveling Course Gary Hoffman, P.E Director of Technical Services PA

19mm High RAP WMA Binder Leveling Course Gary Hoffman, P.E Director of Technical Services PA

19mm High RAP WMA Binder Leveling Course Gary Hoffman, P.E Director of Technical Services PA Asphalt Pavement Association Garth Bridenbaugh, P.E. Pennsylvania Department of Transportation BOCM, Quality Assurance Division www.dot.state.pa.us

452 views • 22 slides
Alkaline activation-induced conversion of fly ash into an effective binder Part III. Reducing the

Alkaline activation-induced conversion of fly ash into an effective binder Part III. Reducing the

Proceedings of the EUROCOALASH 2012 Conference, Thessaloniki Greece, September 25-27 2012 http:// www.evipar.org/ Alkaline activation-induced conversion of fly ash into an effective binder Part III. Reducing the clinker content A. Fernndez -

314 views • 10 slides
19mm High RAP WMA Binder Leveling Course Garth Bridenbaugh, P.E. Pennsylvania Department of

19mm High RAP WMA Binder Leveling Course Garth Bridenbaugh, P.E. Pennsylvania Department of

19mm High RAP WMA Binder Leveling Course Garth Bridenbaugh, P.E. Pennsylvania Department of Transportation Construction Services Engineer, District 9-0 Gary Hoffman, P.E Director of Technical Services PA Asphalt Pavement Association

346 views • 19 slides

More recommend