Android Internals: The Hacker's View -- Duration: 3 days
----------------------------------------------
Synopsis
This course takes a different approach to Android Internals - that of the adversary. The 3-day intensive discussion covers the attack surface of Android: IPC using Binder and sockets, framework services, vendor daemons (in particular, Qualcomm & Samsung Exynos), the kernel, and beyond. Through specially designed tools, we tear apart these aspects of Android in detail, looking through open sources - where possible - and reversing - where not.
Target Audience
Experienced Android Researchers. Knowledge of Android Internals, such as from having read Jonathan Levin's books (https://NewAndroidBook.com) is highly recommended.
This course is NOT intended for user mode developers who wish to develop GUI applications or use the Android Java SDKs.
Prerequisites
Solid background in security. Knowledge of C/C++ vulnerabilities (buffer overflows, UaF, and other memory corruptions).
Objectives
- Describe the architecture of the Android operating system and the derived attack surface
- Explain the Security Model of Android, and its components
- Harden Android
- Understand Android Security, its evolution over history, and its weaknesses
- Describe the functions and architecture of the Android Kernel
- Monitor, trace and intercept inter process communication on Android
- Understand the frameworks of Android, and interception points
- Learn to use innovative free tools, such as Dextra, bdsm, and jtrace
Exercises
This course allocates time for hands-on practice, and plenty of instructor-led demos. The hands-on exercises include:
- Tracing processes with jtrace
- Attacking Binder services directly with bdsm
- System call and kernel level tracing
MODULES
Day 1
1. The Android Architecture & its security - 1-2 hours
Evaluating the Android Architecture, from an attacker's perspective
- Code bases on an Android device: /system (AOSP), /vendor (BSP), /product & /odm, and /system_ext
- Threat Modeling Android
2. Android Security Architecture, Detailed - 3-4 hours
Android's security consists of several interrelated layers. These include:
- Linux: permissions and ACLs, and the Android AIDs
- SELinux/SEAndroid
- "Code Signatures" in Android
- Isolated Apps
- The Android "Sandbox" - SECCOMP-BPF
- Linux Capabilities
- Dalvik Permissions
Day 2
3. The Boot Process - 3 hours
System startup and initialization - Walk through the various stages, from boot loader through kernel startup to basic setup of user mode processes. We also describe the modification of the boot loaders, and discuss both rooting ("boot to root") and other compromise vectors of the Boot Process.
- The Boot loader, and FastBoot
- Samsung Odin
- ARM TrustZone (32-bit) and ELx (64-bit)
- Kernel Startup
- User mode init - /init and /init.rc
- Boot-to-root: Rooting techniques by unlocking the bootloader
4. Android IPC - 5 hours
Android's IPC mechanism is based on Binder, with some UNIX domain sockets on the side. We detail the inner workings of Binder, including:
- Java: AIDL
- Frameworks: android.os.Binder
- Native level: libBinder, BBinder, BpBinder
- Kernel interface: ProcessState and IPCThreadState
- Kernel implementation: ioctl(2) codes and protocol
- hwbinder and scatter/gather (deprecated)
- Binder in Android 13 and 14
Exercises include: Debugging and Tracing Binder IPC
Day 3
5. Input as an attack vector - 1 hour
Android has a complex stack to manage various input sources, such as the touch screen, sensors, and external devices. This module traverses that stack, covering each layer in turn:
- The Linux Kernel Input Model
- The EventHub
- The InputReader
- The InputDispatcher
- The Activity Views
Exercises include: Injecting events; monitoring and capturing input events
6. Reversing ART - 1 hour
Since its inception as a "preview" in KitKat (4.4), ART has become the de facto standard for Android's application runtime. It has, however, changed with every version, up to and including 14:
- The concepts behind ART
- Advantages over Dalvik
- The evolution - from 5.0 to the present day
- Reversing ART
- ART Memory Management
- Return of the (profiled) JIT
- The JNI implementation
7. Case Studies - various CVEs (remaining time)
- "Classic" bugs induced by Binder (so many to choose from...)
- Vendor bug - TBD
- Kernel bug - TBD
- Bugs proposed by participants and already published as CVEs (sorry, we cannot discuss 0-days)
Frequently Asked Questions
- When is this happening?
Either at your convenience, if you have a large enough group, or in our next public offering - April 2nd
- Who is your instructor for this course?
None other than our CTO, Jonathan Levin, himself - author of Android Internals - Volume I and Volume II - with material from Vols III and IV, slated for release (finally) later this year.
- What are the course materials?
Participants will receive a PDF version of the slide deck used, and all the tools (which, we might add, are free anyway)
- What Android device(s) do I need?
Though you can get by with an emulator, we strongly recommend bringing a rooted device running Android 12.0 or higher (14 recommended). You will also need a Linux host - though we will gladly supply a VM
- What software do I need on my host?
The Android SDK, NDK, and full sources of Android - all of which are freely obtainable, from developer.android.com and android.googlesource.com, respectively
- What about COVID-19?
Thankfully, it's a thing of the past.
- How do I register?
Shoot an email to i/n/f/o@technologeeks.com (without the slashes) for registration or more detail, or go through Zer0con
------------------------------------------------