file format fuzzing in android giving stagefright to the
play

File format fuzzing in Android: Giving Stagefright to the Android - PowerPoint PPT Presentation

Jul 28, 2023 •195 likes •614 views

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda Intel OTC Security SQE Agenda File format fuzzing in Android Fuzzing the Stagefright media framework Fuzzing the Android application

  1. File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda Intel OTC Security SQE

  2. Agenda • File format fuzzing in Android • Fuzzing the Stagefright media framework • Fuzzing the Android application installer • Fuzzing with AFL in Android 2

  3. File format fuzzing in Android Open Source Technology Center 3

  4. Steps Execute/run test Data Log Triage Analyze & generation process mechanism debug crashes 4

  5. Data generation • Mutational vs. generational fuzzing • Evolutionary fuzzing • Tools • Basic Fuzzing Framework (BFF) / zzuf • FuzzBox • Radamsa • American Fuzzy Lop (AFL)* 5

  6. Log process • Log every test case with fatal priority $ adb shell log -p F – t <Component> <test_case_index> *** <reproducibility_info> • Log template $ adb shell logcat – v time *:F 01-16 17:46:12.240 F/<Component> (PID): <test_case_index> *** <reproducibility_info> 01-16 17:46:19.676 F/<Component> (PID): <test_case_index> *** <reproducibility_info> 17:46:24.405 F/libc (8321): Fatal signal 11 (SIGSEGV) at 0x18 (code=1), thread 831 (process_name) 01-16 17:46:25.128 F/<Component> (PID): <test_case_index> *** <reproducibility_info> 6

  7. Triage mechanism • Input that produces a crash generates an entry in /data/tombstones and /data/system/dropbox pid: 3438, tid: 3438, name: stagefright >>> stagefright <<< signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad eax b3ee0ff8 ebx b7b18f38 ecx b7b1d900 edx b3ee0ff8 esi 8004d748 edi af6d4dee xcs 00000073 xds 0000007b xes 0000007b xfs 00000000 xss 0000007b eip b7a7202c ebp bffff418 esp bffff3d0 flags 00010286 backtrace: #00 pc 0001402c /system/lib/libc.so (dlfree+1948) #01 pc 000dcf1c /system/lib/libstagefright.so (android::MediaBuffer::~MediaBuffer()+108) #02 pc 000dd6eb /system/lib/libstagefright.so (android::MediaBuffer::release()+267) 7

  8. Triage mechanism 1. Parse generated logs • Identify input that causes crashes 2. Execute input to confirm crash 3. For each identified input • Grab generated tombstone • Parse tombstone – get the PC value • Check if PC value has been previously encountered • Save tombstone and input if issue is unique 8

  9. Analyze and debug crashes • /data/tombstones pid: 3438, tid: 3438, name: stagefright >>> stagefright <<< signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad eax b3ee0ff8 ebx b7b18f38 ecx b7b1d900 edx b3ee0ff8 esi 8004d748 edi af6d4dee xcs 00000073 xds 0000007b xes 0000007b xfs 00000000 xss 0000007b eip b7a7202c ebp bffff418 esp bffff3d0 flags 00010286 backtrace: #00 pc 0001402c /system/lib/libc.so (dlfree+1948) #01 pc 000dcf1c /system/lib/libstagefright.so (android::MediaBuffer::~MediaBuffer()+108) #02 pc 000dd6eb /system/lib/libstagefright.so (android::MediaBuffer::release()+267) 9

  10. Analyze and debug crashes • Dmesg <6>[73801.130320] stagefright[12469]: segfault at 14 ip 00000000f72a5fff sp 00000000fff98710 error 4 in libstagefright.so[f71c6000+1b5000] <6>[73794.579462] stagefright[12455]: segfault at c ip 00000000f728bcfe sp 00000000ff9d6f90 error 6 in libstagefright.so[f71e8000+1b5000] * Page fault error code bits: * bit 0 == 0: no page found 1: protection fault * bit 1 == 0: read access 1: write access * bit 2 == 0: kernel-mode access 1: user-mode access * bit 3 == 1: use of reserved bit * bit 4 == 1: instruction fetch fault 10

  11. Analyze and debug crashes • gdbserver (on device) / gdb (on local machine) $ gdbserver :5039 --attach <process_pid> OR $ gdbserver :5039 /path/to/executable <options> (ex: gdbserver :5039 /system/bin/stagefright -a file.mp3) --------------------------------------------------------------- $ adb forward tcp:5039 tcp:5039 $ gdb (gdb) target remote :5039 (from the gdb shell) (gdb) continue (to resume process execution) --------------------------------------------------------------- (gdb) set solib-absolute-prefixdb </path/to/tree/symbols> (gdb) set solib-search-path </path/to/tree/symbols/system/lib> 11

  12. Analyze and debug crashes • addr2line backtrace: #00 pc 0001402c /system/lib/libc.so (dlfree+1948) #01 pc 0000d630 /system/lib/libc.so (free+32) #02 pc 000dcf1c /system/lib/libstagefright.so (android::MediaBuffer::~MediaBuffer()+108) $ addr2line -f -e /path/to/tree/out/target/product/<product_id>/symbols/system/li b/libstagefright.so 000dcf1c 12

  13. Fuzzing the Stagefright media framework Open Source Technology Center 13

  14. Media files as attack vectors Binary streams containing complex data Large variety of audio and video players and associated media codecs User perception that media files are harmless Media playback doesn’t require special permissions 14

  15. Overview of testing process • Create corrupt but structurally valid media files • Direct test cases to the appropriate decoders • Monitor the system for potential issues • Pass the issues through a triage mechanism 15

  16. The Stagefright CLI • frameworks/av/cmds/stagefright root@android:/ # stagefright -h usage: stagefright -h(elp) -a(udio) -m max-number-of-frames-to-decode in each pass -p(rofiles) dump decoder profiles supported -t(humbnail) extract video thumbnail or album art -s(oftware) prefer software codec -r(hardware) force to use hardware codec -o playback audio -w(rite) filename (write to .mp4 file) -S allocate buffers from a surface -T allocate buffers from a surface texture -d(ump) filename (raw stream data to a file) -D(ump) filename (decoded PCM data to a file) 16

  17. Stagefright log • Media files corrupted using BFF 04-14 05:02:07.698 F/Stagefright(20222): - sp_stagefright *** 958 - Filename:zzuf.32732.c8jZzT.mp4 04-14 05:02:13.382 F/Stagefright(20255): - sp_stagefright *** 959 - Filename:zzuf.26772.zh7c8g.mkv 04-14 05:02:13.527 F/libc (20256): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 20256 (stagefright) 04-14 05:02:20.820 F/Stagefright(20270): - sp_stagefright *** 960 - Filename:zzuf.12260.ayDuIA.mpg 04-14 05:02:21.259 F/Stagefright(20281): - sp_stagefright *** 961 - Filename:zzuf.6488.F8drye.mp4 17

  18. Results • Initial fuzzing campaigns started in March 2014 • Results were extremely surprising: thousands of crashes per week (triage mechanism) • First severe issues in the September 2014 Android security bulletin: • Integer overflows in libstagefright (CVE-2014-7915, CVE-2014- 7916, CVE-2014-7917) • The tool was open-sourced in February 2015: • https://github.com/fuzzing/MFFA • Currently used as a complementary solution alongside AFL 18

  19. Fuzzing the Android application installer Open Source Technology Center 19

  20. Application installer – attractive target Process runs with high system privileges Method for unprivileged users to send input to system components Check for issues that are not discovered during regular validation 20

  21. Install process overview KitKat Lollipop Dalvik dexopt ART dex2oat 21

  22. Testing process overview 22

  23. APK structure 23

  24. Approach on Dalvik (dexopt) • Simulate the regular APK install process  Extract classes.dex file from seed APK o unzip – d </local/path/> </apk/path/>  Fuzz extracted dex file* o <fuzz> – s <seed> classes.dex > fuzzed.dex  Remove original .dex file from initial APK o aapt r <original_apk> classes.dex  Repackage APK with fuzzed dex file o aapt a <original_apk> classes.dex 24

  25. Approach on Dalvik (dexopt) • Simulate the regular APK install process  Create local keystore o keytool -genkey -v -keystore keystore.keystore -alias keystore - keyalg RSA -keysize 2048 -validity 10000  Remove META-INF directory from APK o zip --delete </apk/path/> META-INF/*  Resign the APK using local keystore o jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 - keystore </keystore/path> </apk/path> <keystore_alias> 25

  26. Approach on Dalvik (dexopt) • Log example 06-26 17:43:29.732 F/dexopt (14881): - sp_lib.py - APK_id = imangi.templerun.apk combination = radamsa -s 2086 06-26 17:43:54.620 F/dexopt (14988): - sp_lib.py - APK_id = imangi.templerun.apk seed = radamsa -s 5011 06-26 17:44:44.079 F/libc (15227): Fatal signal 11 (SIGSEGV) at 0xaa4c04f8 (code=1), thread 15227 (mangi.templerun) 06-26 17:45:09.950 F/dexopt (15338): - sp_lib.py - APK_id = imangi.templerun.apk seed = radamsa -s 8098 26

  27. Approach on ART (dex2oat) • Dex files can be passed directly to dex2oat binary Usage: dex2oat [options]... --dex-file=<dex-file>: specifies a .dex file to compile. --zip-fd=<file-descriptor>: specifies a file descriptor of a zip file containing a classes.dex file to compile. --zip-location=<zip-location>: specifies a symbolic name for the file --oat-file=<file.oat>: specifies the oat output destination via a filename. --oat-fd=<number>: specifies the oat output destination via a file descriptor. --oat-location=<oat-name>: specifies a symbolic name for the file corresponding to the file descriptor specified by --oat- fd. ... 27

Recommend

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging &amp; Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk WarCon 2016, Warsaw PS&gt; whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon Sector CTF

2.26k views • 184 slides
Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black

Effective file format fuzzing Thoughts, techniques and results Mateusz j00ru Jurczyk Black Hat Europe 2016, London PS&gt; whoami Project Zero @ Google Part time developer and frequent user of the fuzzing infrastructure. Dragon

1.57k views • 133 slides
Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition binary format: array format of config. U(3,3,X,,,) numerical format (precision,IEEE,byte-order) file format: format of a file

88 views • 8 slides
Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format layout Buffer Overflow theory Example code Initial Investigation / Assembly Registers Tooling Fuzzing Shellcode /

700 views • 16 slides
CS4405 JPEG File Format JPEG Lifecycle Container format required JFIF JPEG File

CS4405 JPEG File Format JPEG Lifecycle Container format required JFIF JPEG File

CS4405 JPEG File Format JPEG Lifecycle Container format required JFIF JPEG File Interchange Format is a minimal file format which enables JPEG bitstreams to be exchanged

344 views • 6 slides
Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

943 views • 75 slides
HELLO WORLD ON ANDROID Create a new Android Project Open File-&gt;New-&gt;Android

HELLO WORLD ON ANDROID Create a new Android Project Open File-&gt;New-&gt;Android

HELLO WORLD ON ANDROID Create a new Android Project Open File-&gt;New-&gt;Android project Application name Company domain Project location Hello World Project Target Android Devices Hello World Project Add an

213 views • 18 slides
Computing Lecture 3: Android UI Design in XML + Examples Emmanuel Agu Android UI Design in XML

Computing Lecture 3: Android UI Design in XML + Examples Emmanuel Agu Android UI Design in XML

CS 4518 Mobile and Ubiquitous Computing Lecture 3: Android UI Design in XML + Examples Emmanuel Agu Android UI Design in XML Recall: Files Hello World Android Project XML file used to design Android UI 3 Files: Activity_main.xml: XML file

701 views • 58 slides
Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security

Fuzzing remote interfaces for system services in Android Alexandru Blanda Information Security Engineer 1 Agenda Context Fuzzing tool implementation Results and vulnerabilities 2 Context Intro to System Services System services

446 views • 31 slides
WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono

WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Andrea Fioraldi , Daniele Cono DElia and Emilio Coppa @andreafioraldi andreafioraldi@gmail.com Format-aware Fuzzing Input Input Program Crashes Format Generation Under

666 views • 63 slides
Understanding Gradle for Android Kevin Pelgrims Schedule The build file Groovy basics

Understanding Gradle for Android Kevin Pelgrims Schedule The build file Groovy basics

Understanding Gradle for Android Kevin Pelgrims Schedule The build file Groovy basics Back to the build file Custom tasks Tasks for Android Tips and tricks The build file The build file apply plugin:

616 views • 47 slides
Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

963 views • 73 slides
Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

1.07k views • 52 slides
THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format

THE ELF OBJECT FILE FORMAT PROGRAM EXECUTION gcc/cc output an executable in the ELF format (Linux) Executable and Linkable Format Standard unified binary format for: Relocatable object files (.o), Shared object files (.so)

421 views • 16 slides
An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01 http://www.ietf.org/internet-drafts/draft-trammell-ipfix-file-01.txt Brian Trammell, Elisa Boschi, Lutz Mark, Tanja Zseby Tuesday, July 11, 2006 IETF 66 - Montral, Qubec, Canada The

318 views • 6 slides
Fuzzing File Systems via Two-Dimensional Input Space Exploration Wen Xu, Hyungon Moon, Sanidhya

Fuzzing File Systems via Two-Dimensional Input Space Exploration Wen Xu, Hyungon Moon, Sanidhya

Fuzzing File Systems via Two-Dimensional Input Space Exploration Wen Xu, Hyungon Moon, Sanidhya Kashyap, Po-Ning Tseng and Taesoo Kim INTRODUCTION 3 INTRODUCTION FILE SYSTEMS 101 $ ls -l /mnt drwxrwxr-x bar -rw-rw-r- foo Disk image

759 views • 40 slides
Flash 1 Chandler McWilliams | 161A What is Flash Multimedia file format for animation and

Flash 1 Chandler McWilliams | 161A What is Flash Multimedia file format for animation and

Flash 1 Chandler McWilliams | 161A What is Flash Multimedia file format for animation and interactivity. Vector based format allows for smaller file sizes and scalability. Designed for web delivery. Interactive when used with ActionScript.

650 views • 6 slides
A deep dive into DEX file format Rodrigo Chiossi Rodrigo Chiossi ABS 2014 Bio Rodrigo

A deep dive into DEX file format Rodrigo Chiossi Rodrigo Chiossi ABS 2014 Bio Rodrigo

A deep dive into DEX file format Rodrigo Chiossi Rodrigo Chiossi ABS 2014 Bio Rodrigo Chiossi Android Engineer @ Intel OTC AndroidXRef www.androidxref.com Dexterity https://github.com/rchiossi/dexterity Rodrigo Chiossi

821 views • 22 slides
Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

493 views • 35 slides
CS 403X Mobile and Ubiquitous Computing Lecture 2: Android UI Design, First Android Program

CS 403X Mobile and Ubiquitous Computing Lecture 2: Android UI Design, First Android Program

CS 403X Mobile and Ubiquitous Computing Lecture 2: Android UI Design, First Android Program Emmanuel Agu Android UI Design in XML Recall: Files Hello World Android Project XML file used to design Android UI 3 Files: Activity_main.xml: XML

1.18k views • 92 slides
Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao,

Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao,

Introduction Title Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao, Taesoo Kim May 1, 2020 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems 1 May 1, 2020 Introduction Data

847 views • 64 slides
3D PDF Technical Data Package Overview Why PDF Neutral File Format In Accordance with

3D PDF Technical Data Package Overview Why PDF Neutral File Format In Accordance with

3D PDF Technical Data Package Overview Why PDF Neutral File Format In Accordance with ASME Y14.41 Need to Publish/Approve Readily Readable Format Compatible with JEDMICS Long Term Archiving and CAM compatibility

106 views • 7 slides
Fuzzing Tools Jenny Kang High-level overview A pretty slide deck that does a good job of

Fuzzing Tools Jenny Kang High-level overview A pretty slide deck that does a good job of

Fuzzing Tools Jenny Kang High-level overview A pretty slide deck that does a good job of explaining browser fuzzing approaches on a high level Another slide deck on DOM fuzzing Peach (Windows version) PeachPit is an XML file

741 views • 36 slides

More recommend