eu-15-Benameur-All-Your-Root-Checks-Are-Belong-To

Agenda
•  Bio
•  Context
•  What is root?
•  Reversing toolbox
•  Examination of common root detection methods
•  Security and BYOD apps
•  AndroPoser
•  Conclusion
Copyright © 2015 Symantec Corporation
All your Root Checks are Belong to Us: Bio
•  Azzedine Benameur:
–  Joined Symantec in 2011
–  Past research projects: Minestrone (IARPA) and MEERKATS (DARPA)
–  SAP Security & Trust Lab, HP Cloud Security Lab
–  Ph.D., Computer Science from Lyon University, 2009
•  Nathan Evans:
–  Joined Symantec in 2011
–  Past research projects: Minestrone (IARPA) and MEERKATS (DARPA)
–  AFRL-funded research in network security/mapping (NICE)
–  Ph.D., Computer Science from T.U. Munich, 2011
•  Yun Shen:
–  Joined Symantec in 2012
–  Past research project: Bigfoot (FP7)
–  HP Cloud Security Lab
–  Ph.D., Computer Science from University of Hull, 2005
All your Root Checks are Belong to Us: Context
•  The rise of BYOD:
–  Personal and corporate data on the same device
–  Android is on 70% of the devices (phone and tablet)
–  Root has a bad reputation
•  Questions
–  How many/which applications check for root as a security concern?
–  How are these checks implemented / are they effective at detecting root?
–  How easily can these checks be subverted to hide the presence of root?
–  What are the implications?
•  Methodology
–  Look at the top security/MDM solutions available
–  Compare root detection methods based on a standard set of checks
All your Root Checks are Belong to Us: What is root?
How Root works:
All your Root Checks are Belong to Us: ToolBox
All your Root Checks are Belong to Us: ToolBox
•  Android applications are distributed as APK:
All your Root Checks are Belong to Us: ToolBox
•  Dex2Jar: converts Android bytecode to a Java Archive (JAR)
•  JD-core: converts JAR to Java source code.
•  Apktool: decompiles Android bytecode to an intermediate language (in case the Java source code was not fully recovered or the analysis was inconclusive)
•  Custom scripts: automate the process and search for obvious Java calls and broad references to rooted phone features
All your Root Checks are Belong to Us: Common Root Discovery
•  Presence of files:
–  Static PATH: Hardcode paths (/system/bin/su, /bin/su, etc.) and issue an open/stat
–  Dynamic PATH: Parse the PATH variable, appending "/su" to each entry; open each in a loop
–  System PATH: Execute the which command with parameter "su" and check if the result is 0
–  Execution: Just attempt to execute "su" as a subprocess and check the return code
–  Root ACL Program: Check for the superuser apk under the path "/system/app/Superuser.apk".
–  Setuid: We found one app with an interesting check; the presence of binaries on the system that were setuid root, or able to be executed as root (uid 0) by normal users. While standard su binaries are setuid root, we are not sure if this is a legitimate check for root as programs could be setuid root for other reasons.
–  Installed Packages: Check for the presence of common root packages being installed on the system (e.g., "com.chainfire.supersu", "com.noshufou.android.su"). We saw both checks using Android APIs as well as by exec'ing "pm list packages"
All your Root Checks are Belong to Us: Common Root Discovery
•  General Device Settings:
–  Test keys: If a custom kernel is used on a device the build version shows that "test-keys" are used instead of "release-keys". Some apps assume "test-keys" means the device is rooted, which is not always the case. Also, the presence of "release-keys" does not indicate the device is not rooted.
–  Build version: We encountered specific checks of the setting "ro.modversion" as well, which can be used to identify certain custom Android ROMs (such as Cyanogenmod).
All your Root Checks are Belong to Us: Common Root Discovery
•  Runtime Capabilities and Characteristics:
–  System mounted: Some rooting methods require this partition to be remounted "rw" (read/write). We saw two variants of this check; the first simply runs the mount command and looks for a "rw" flag, the second actually attempts to create a file under "/system/" or "/data/".
–  Ability to mount: A related method attempts to mount the "/system" partition with the command "mount -o remount,rw /system", and then checks the return code.
–  User ID: A curious check we found in one case was the app getting the current user id (UID) of the app as it was running and checking if it was running as root (UID 0). This is curious because as far as we know, even on a rooted phone any app started by Zygote gets its own unique (non-0) UID. However, it is possible that an app would request root access via intent and then issue the UID check.
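As an added example (not the authors' AndroPoser code and not any vendor's check), the file, PATH, setuid, build-tag and mount variants from the three Common Root Discovery slides above, written as plain POSIX C so they run off-device; the /proc/mounts-style line and property values used for testing are constructed. Every one of these probes goes through libc (stat, access, strstr over text the system handed back), which is exactly where an LD_PRELOAD interposer can sit and answer them falsely.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Static PATH": stat each hard-coded candidate location (e.g. /system/bin/su). */
int any_path_exists(const char *const *paths, size_t n) {
    struct stat st;
    for (size_t i = 0; i < n; i++)
        if (stat(paths[i], &st) == 0) return 1;
    return 0;
}

/* "Dynamic PATH": split PATH on ':' and probe "<dir>/<name>" in each entry. */
int find_in_path(const char *path_env, const char *name) {
    char buf[4096], full[4352];
    if (!path_env || strlen(path_env) >= sizeof buf) return 0;
    strcpy(buf, path_env);
    for (char *dir = strtok(buf, ":"); dir; dir = strtok(NULL, ":")) {
        snprintf(full, sizeof full, "%s/%s", dir, name);
        if (access(full, X_OK) == 0) return 1;
    }
    return 0;
}

/* "Setuid": the file exists, is owned by uid 0 and carries the setuid bit. */
int is_setuid_root(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && st.st_uid == 0 && (st.st_mode & S_ISUID);
}

/* "Test keys": value of ro.build.tags; as the slide notes, a hint, not proof. */
int build_tags_are_test_keys(const char *tags) {
    return tags != NULL && strstr(tags, "test-keys") != NULL;
}

/* "System mounted": parse one /proc/mounts-style line ("dev mountpoint fstype opts ...")
 * and report whether that mount point carries the "rw" option. */
int mount_line_is_rw(const char *line, const char *mountpoint) {
    char dev[256], mnt[256], fs[64], opts[512], *save, *tok;
    if (sscanf(line, "%255s %255s %63s %511s", dev, mnt, fs, opts) != 4) return 0;
    if (strcmp(mnt, mountpoint) != 0) return 0;
    for (tok = strtok_r(opts, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (strcmp(tok, "rw") == 0) return 1;
    return 0;
}
```

On a desktop Linux host find_in_path(getenv("PATH"), "su") and is_setuid_root("/bin/su") will normally both report 1, which is the slide's own caveat about setuid binaries existing for reasons other than rooting.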
All your Root Checks are Belong to Us: Security Applications
All your Root Checks are Belong to Us: Security Applications
•  No native code used for root detection?!
•  RootCloak/Xposed "friendly"
•  AVAST leverages root: iptables/firewall
•  Kaspersky root checks: packed/reflection (required runtime help)
All your Root Checks are Belong to Us: BYOD Solutions
All your Root Checks are Belong to Us: BYOD Solutions
•  Native code:
–  VMware's Airwatch MDM agent: libcoredevice.so is not particularly difficult to reverse. The bulk of the checks are in the method getDeviceState(JNIEnv*, jobject*)
–  Excitor: The library is not difficult to reverse: static path along with privilege escalation attempt.
•  Four vendors have no root check:
–  MobileIron: com.cisco.anyconnect.vpn.android.rooted, policy might be pushed from server later?
•  Breadth: We were impressed by the apparent effort that went into making IBM's MDM solution as rigorous and in-depth as possible. But no obfuscation and no native code
All your Root Checks are Belong to Us: AndroPoser
•  Needed a tool to verify our static analysis
•  Created a library that gives us runtime visibility into what the process is really doing
•  Leveraged dynamic linker feature: LD_PRELOAD
•  Selected a set of functions to inspect
All your Root Checks are Belong to Us: AndroPoser
•  Easy to set on Android:
–  setprop wrap.com.package.id "LD_PRELOAD=/data/androposer.so"
•  Example on open():
All your Root Checks are Belong to Us: AndroPoser
•  Other use: defeat Anti-Debug protection
•  Identify FD for open /proc/self/status
•  Replace read for "TracerPid: XXX" (where XXX is the debugger)
All your Root Checks are Belong to Us: Conclusion
•  Security/MDM comparison:
–  McAfee: No check on their AV but checks on the MDM agent
–  Kaspersky/Symantec: Same code for both security and MDM app, Kaspersky has a different build probably
–  Panda: no apparent root check for either
•  BYOD/MDM solutions do care about Root
•  Most are vulnerable to RootCloak/Xposed/AndroPoser
All your Root Checks are Belong to Us: Conclusion
•  Level up:
–  We revisited how we check for root
–  Native code is making it a little bit harder
–  Binary "hardening": packing, check-summing, string encryption
•  Exploring other ways:
–  Machine learning based approach to detect root: WIP
–  ARM TrustZone?
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.