CN107273750B - Patching system and method for Android device kernel vulnerability - Google Patents

Patching system and method for Android device kernel vulnerability

Info

Publication number
CN107273750B
Authority
CN
China
Prior art keywords
kernel
code
vulnerability
module
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710405313.9A
Other languages
Chinese (zh)
Other versions
CN107273750A (en)
Inventor
张媛媛
张雪雯
束骏亮
李卷孺
谷大武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Jiao Tong University
Original Assignee
Shanghai Jiao Tong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Jiao Tong University
Priority to CN201710405313.9A
Publication of CN107273750A
Application granted
Publication of CN107273750B
Legal status: Active (current)
Anticipated expiration: not listed

Abstract

Translated from Chinese

A system and method for patching kernel vulnerabilities of Android devices, comprising: a repair information collection module, a heuristic matching module, a kernel page table processing module and a repair module, wherein: the repair information collection module is connected to the heuristic matching module and transmits CVE information; the heuristic matching module is connected to the repair module and transmits the location of the vulnerability point, that is, the insertion point of the patch code; the kernel page table processing module is connected to the repair module and transmits the allocated executable memory information; and the repair module repairs the vulnerability according to the allocated executable memory information and the location of the vulnerability point. The invention locates the vulnerability point through a heuristic matching strategy and, based on in-depth analysis of the kernel page table, modifies page table permissions in order to insert the patch code.

Description

Android device kernel vulnerability repairing system and method
Technical Field
The invention relates to a technology in the field of computers, in particular to a system and a method for repairing kernel vulnerabilities on older Android devices.
Background
Most kernel vulnerabilities found on Android today are logic flaws that are easy to fix and recompile when the source code is available. In practice, Google pushes patch updates only for its own Nexus devices. When Google releases a new security update, other vendors often take a significant amount of time to update their compatible devices; in some cases a vendor may ignore certain updates altogether, or update only its newest devices. A large number of Android devices therefore remain unpatched for a long time.
One of the biggest obstacles to security updates for Android is fragmentation. Compared with iOS devices, Android ships from a large number of vendors, which produces a wide variety of kernel binaries. Most vendors keep their device-specific code closed; each vendor derives a fixed build from the upstream source after extensively modifying or removing functions, and some vendors optimise the binary with different compilers or compiler options. In addition, the repair requires binary rewriting, and different vendors protect kernel code with different mechanisms (read-only kernel code, kernel module verification, kernel module whitelisting, PXN and so on), which makes the rewriting work considerably harder.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides a system and a method for repairing kernel vulnerabilities on Android devices.
The invention is realised by the following technical solution:
The invention relates to a system for repairing kernel vulnerabilities on Android devices, comprising a repair information collection module, a heuristic matching module, a kernel page table processing module and a repair module, wherein: the repair information collection module is connected to the heuristic matching module and transmits CVE (Common Vulnerabilities and Exposures) information; the heuristic matching module is connected to the repair module and transmits the location of the vulnerability point, that is, the insertion point of the patch code; the kernel page table processing module is connected to the repair module and transmits the allocated executable memory information; and the repair module repairs the vulnerability according to the allocated executable memory information and the location of the vulnerability point.
The Android device is a device running an Android system version below 6.0.
The kernel vulnerability is a CVE vulnerability relating to the Android system kernel.
The invention relates to a method for repairing kernel vulnerabilities with the above system, comprising the following steps:
Step 1) obtaining the relevant repair information from the latest Android CVE information published monthly in Google's Android Security Bulletin, and obtaining kernel symbol information from the Android device to be repaired.
The repair information includes: the vulnerable function named in the CVE and the fix code.
Obtaining the kernel symbol information means: reading from /proc/kallsyms on the Android device all kernel function addresses and names stored by kallsyms, i.e. the kernel symbol information.
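Reading the symbol table in step 1, as an added example in C; this is not the patent's code or the authors' tool. It parses text in the /proc/kallsyms format (the sample lines are constructed, not captured from a device), accepts only text symbols since the patcher needs function addresses, and first checks a failure mode the description does not mention: Android sets the kernel's kptr_restrict sysctl, under which an unprivileged reader (or, at level 2, any reader) sees every address as 00000000, so the patcher must run as root and lower kptr_restrict before the listing is of any use.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /proc/kallsyms format ("<address> <type> <name>").
 * These are not addresses from any real device. */
static const char *kallsyms_sample =
    "c0008000 T _text\n"
    "c0008180 t __create_page_tables\n"
    "c0045e3c T sys_sched_yield\n"
    "c00463a0 t __schedule\n"
    "c0727eac D ptmx_fops\n";

/* The same listing as seen when kptr_restrict hides addresses:
 * the kernel prints every address as zero. */
static const char *kallsyms_restricted =
    "00000000 T _text\n"
    "00000000 T sys_sched_yield\n"
    "00000000 t __schedule\n";

/* Return 1 if the listing carries real addresses, 0 if they are all zero
 * (kptr_restrict in force, or an empty file). Check this before trusting
 * any lookup. */
int kallsyms_usable(const char *listing)
{
    for (const char *p = listing; *p; ) {
        if (strtoul(p, NULL, 16) != 0)
            return 1;
        const char *eol = strchr(p, '\n');
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Look up a kernel function by exact symbol name. Only text symbols
 * (type T or t) are accepted, since the patcher needs code addresses.
 * Returns 1 and stores the address in *addr_out, or 0 if not found. */
int kallsyms_lookup(const char *listing, const char *name, uint32_t *addr_out)
{
    char line[256], addr_s[32], sym[200], type;

    for (const char *p = listing; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (sscanf(line, "%31s %c %199s", addr_s, &type, sym) == 3 &&
            (type == 'T' || type == 't') && strcmp(sym, name) == 0) {
            *addr_out = (uint32_t)strtoul(addr_s, NULL, 16);
            return 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

int main(void)
{
    uint32_t addr;
    if (!kallsyms_usable(kallsyms_sample))
        return 1;
    if (kallsyms_lookup(kallsyms_sample, "sys_sched_yield", &addr))
        printf("sys_sched_yield @ 0x%08x\n", addr);
    printf("restricted listing usable: %d\n", kallsyms_usable(kallsyms_restricted));
    return 0;
}
```

On a device the listing is read from /proc/kallsyms itself; the parser is the same, only the source of the text changes. Data symbols (type D) are rejected on purpose, since a branch into a data object is never what step 4 wants.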
Step 2) selecting the kernel page table entries covering a rarely used syscall, rewriting their write permission and the syscall's code, triggering the system call so that it allocates executable memory, and finally restoring the kernel page table.
Rarely used syscalls include: sys_sched_yield and the like.
Rewriting the write permission means: modifying the kernel page table permissions according to the different protection mechanisms adopted by different vendors, so that the kernel code region holding the syscall becomes writable.
Rewriting the code means: overwriting the syscall's code, at the location obtained from the kernel symbol information, with shellcode that allocates executable memory, so that invoking the syscall yields a region of executable kernel memory into which the patch code is later placed. The syscall's return value is the address of that executable region.
Step 3) locating the vulnerable function according to the repair information and the kernel symbol information, then searching for and locating the vulnerability point and the related patch information through a heuristic matching strategy.
Locating means: locating the vulnerable function by accessing kernel virtual memory through the path /dev/kmem.
The vulnerability patch information is: the registers or memory addresses that hold the variables the patch code needs.
The heuristic matching strategy lets the repair system locate vulnerability points and patch information adaptively across vendor builds. It matches on the following features: mnemonics and operators, constants, calling conventions, relative offsets of structure members, and ARM assembly features such as return and jump-related instructions.
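The matching of step 3, as an added example in C that is not from the patent or its authors: a signature built from the fix (fixed mnemonics and a fixed structure-member offset, wildcard registers and branch targets) is scanned over constructed disassembly listings standing in for two vendors' builds of the same vulnerable function. The listings, the addresses and the offset 28 are invented for the example; the point is that register allocation and prologues differ between builds while the mnemonic sequence and the structure offset survive, which is the feature set the strategy above matches on.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One disassembled instruction: mnemonic and operand string. */
typedef struct {
    const char *mn;
    const char *ops;
} insn_t;

/* Operand pattern matcher. A '?' in the pattern stands for exactly one
 * token (a register name or a number), so "?,[?,#28]" matches both
 * "r3,[r4,#28]" and "r2,[r5,#28]" but not "r3,[r4,#32]": register
 * allocation may differ between vendor builds, a structure offset may not.
 * Spaces on either side are ignored. */
static int ops_match(const char *pat, const char *s)
{
    for (;;) {
        while (*pat == ' ') pat++;
        while (*s == ' ') s++;
        if (!*pat)
            return *s == '\0';
        if (*pat == '?') {
            if (!isalnum((unsigned char)*s))
                return 0;
            while (isalnum((unsigned char)*s))
                s++;
            pat++;
        } else {
            if (*pat != *s)
                return 0;
            pat++;
            s++;
        }
    }
}

/* Scan a function's disassembly for a contiguous run of instructions
 * matching the signature. Returns the index of the first matching
 * instruction (the candidate vulnerability point), or -1. */
int find_signature(const insn_t *code, int n, const insn_t *sig, int m)
{
    for (int i = 0; i + m <= n; i++) {
        int j = 0;
        while (j < m && strcmp(code[i + j].mn, sig[j].mn) == 0 &&
               ops_match(sig[j].ops, code[i + j].ops))
            j++;
        if (j == m)
            return i;
    }
    return -1;
}

/* Constructed disassembly of the same vulnerable check as two vendors'
 * compilers might emit it (not taken from any real kernel). Both load a
 * pointer at structure offset 28 and test it for NULL; only the register
 * allocation and the prologue differ. */
static const insn_t vendor_a[] = {
    {"push", "{r4,lr}"},
    {"mov",  "r4,r0"},
    {"ldr",  "r3,[r4,#28]"},
    {"cmp",  "r3,#0"},
    {"beq",  "0xc0046010"},
    {"bl",   "0xc0041e80"},
    {"pop",  "{r4,pc}"},
};
static const insn_t vendor_b[] = {
    {"push", "{r4,r5,lr}"},
    {"mov",  "r5,r0"},
    {"mov",  "r4,r1"},
    {"ldr",  "r2,[r5,#28]"},
    {"cmp",  "r2,#0"},
    {"beq",  "0xc0052b44"},
    {"bl",   "0xc004c3c0"},
    {"pop",  "{r4,r5,pc}"},
};
/* A different function that tests a field at offset 32: must not match. */
static const insn_t unrelated[] = {
    {"push", "{r4,lr}"},
    {"ldr",  "r3,[r0,#32]"},
    {"cmp",  "r3,#0"},
    {"beq",  "0xc0060000"},
    {"pop",  "{r4,pc}"},
};

/* Signature derived from the fix: the ldr/cmp/beq triple around the check.
 * Mnemonics and the constant are fixed; registers and targets are wildcards. */
static const insn_t signature[] = {
    {"ldr", "?,[?,#28]"},
    {"cmp", "?,#0"},
    {"beq", "?"},
};
#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

int locate_vendor_a(void) { return find_signature(vendor_a, N(vendor_a), signature, N(signature)); }
int locate_vendor_b(void) { return find_signature(vendor_b, N(vendor_b), signature, N(signature)); }
int locate_unrelated(void) { return find_signature(unrelated, N(unrelated), signature, N(signature)); }

int main(void)
{
    printf("vendor A: %d, vendor B: %d, unrelated: %d\n",
           locate_vendor_a(), locate_vendor_b(), locate_unrelated());
    return 0;
}
```

A real signature would also carry the calling-convention and return/jump features the patent lists (for instance, that the matched block is followed by a bl and ends in a pop into pc), and a false positive here means the jump of step 4 lands in the wrong function, so a signature should be checked for a unique hit across the whole vulnerable function before it is used.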
Step 4) generating the patch code according to the vulnerability point located by the heuristic matching strategy and the related patch information, rewriting the vulnerability point, and placing the patch code in the executable region obtained in step 2.
The rewriting of the vulnerability point specifically comprises the following steps:
A) modifying the page table permissions of the code segment containing the vulnerability point to add write permission;
B) overwriting the instruction at the vulnerability point with a jump that points to the address of the executable region;
C) writing the patch code into the executable region;
D) restoring the page table permissions of the code segment to their state before modification.
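Steps 4B and 4D in code, as an added example in C that is not the patent's implementation: A32 branch encoding with its reach check, and installing and reverting the jump in a byte buffer that stands in for the writable code segment (the real patcher writes through /dev/kmem after the page table change of step 4A). All addresses and the sample code bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* A32 unconditional branch: cond=AL (0xE), bits 27..25 = 101, L=0, imm24.
 * The target is PC + 8 + (sign_extend(imm24) << 2), PC being the branch's
 * own address, so the reach is -32 MiB .. +32 MiB - 4. */
#define ARM_B_AL 0xEA000000u

/* Encode "B target" for a branch stored at address 'at'. Returns 0 on
 * success, -1 if the target is misaligned or out of reach. An out-of-reach
 * executable region needs a longer sequence (e.g. ldr pc, [pc, #-4]
 * followed by the literal), which this example does not attempt. */
int arm_encode_b(uint32_t at, uint32_t target, uint32_t *insn_out)
{
    int64_t off = (int64_t)target - ((int64_t)at + 8);
    if (off & 3)
        return -1;
    if (off < -(int64_t)0x2000000 || off > (int64_t)0x1FFFFFC)
        return -1;
    *insn_out = ARM_B_AL | (((uint32_t)off >> 2) & 0x00FFFFFFu);
    return 0;
}

/* Decode the target of an A32 B or BL at 'at'. Returns 1 on success,
 * 0 if the word is not a B/BL. */
int arm_decode_b(uint32_t at, uint32_t insn, uint32_t *target_out)
{
    if ((insn & 0x0E000000u) != 0x0A000000u)
        return 0;
    int32_t imm = (int32_t)(insn << 8) >> 8;   /* sign-extend imm24 */
    *target_out = at + 8 + ((uint32_t)imm << 2);
    return 1;
}

/* ARM Android kernels are little-endian; keep the byte order explicit so the
 * example gives the same answer on any host. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Step 4B over a byte buffer standing in for the writable code segment.
 * 'code' holds the segment mapped at 'seg_base'; the displaced instruction
 * is returned in *saved so the patch can be reverted and so the patch code
 * can re-execute it. Returns 0 on success, -1 if the jump cannot reach. */
int install_trampoline(uint8_t *code, uint32_t seg_base, uint32_t vuln_pc,
                       uint32_t exec_area, uint32_t *saved)
{
    uint32_t insn;
    if (arm_encode_b(vuln_pc, exec_area, &insn) != 0)
        return -1;
    uint8_t *at = code + (vuln_pc - seg_base);
    *saved = load_le32(at);
    store_le32(at, insn);
    return 0;
}

/* Undo install_trampoline: put the displaced instruction back. */
void remove_trampoline(uint8_t *code, uint32_t seg_base, uint32_t vuln_pc, uint32_t saved)
{
    store_le32(code + (vuln_pc - seg_base), saved);
}

int main(void)
{
    /* Constructed 8-byte code segment at 0xc0010000: "push {lr}; nop". */
    uint8_t seg[8] = {0x04, 0xe0, 0x2d, 0xe5, 0x00, 0x00, 0xa0, 0xe1};
    uint32_t saved, target;
    if (install_trampoline(seg, 0xc0010000u, 0xc0010004u, 0xc0020000u, &saved) == 0 &&
        arm_decode_b(0xc0010004u, load_le32(seg + 4), &target))
        printf("displaced 0x%08x, branch now goes to 0x%08x\n", saved, target);
    return 0;
}
```

Three cautions the patent does not spell out. The branch reaches only 32 MiB, so the executable region obtained in step 2 must lie close to the kernel text or a longer sequence must be used, displacing two words instead of one. On a live kernel the patch code should already be in place (step 4C) and the instruction cache flushed before the branch becomes visible (step 4B), since another CPU may be executing the vulnerable function at that moment; the displaced instruction returned in saved has to be re-executed by the patch code and must not be PC-relative. Finally, the encoding assumes the kernel is built as A32; a CONFIG_THUMB2_KERNEL build uses Thumb-2 branch encodings instead.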
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a schematic diagram of the system of the present invention.
Detailed Description
As shown in Fig. 2, this embodiment comprises: a repair information collection module, a heuristic matching module, a kernel page table processing module and a repair module, wherein: the repair information collection module is connected to the heuristic matching module and transmits CVE information; the heuristic matching module is connected to the repair module and transmits the location of the vulnerability point, that is, the insertion point of the patch code; the kernel page table processing module is connected to the repair module and transmits the allocated executable memory information; and the repair module repairs the vulnerability according to the allocated executable memory information and the location of the vulnerability point.
As shown in Fig. 1, this embodiment relates to a repair method using the above system, comprising the following steps:
Step 1) obtaining CVE-related repair information from the security bulletins Google publishes monthly;
Step 2) selecting the kernel page table entries covering a rarely used syscall, rewriting their write permission and the syscall's code, triggering the system call to allocate executable memory, and finally restoring the kernel page table;
Step 3) locating the vulnerable function according to the patch information and the kernel symbol information, then searching for and locating the vulnerability point and the related patch information through a heuristic matching strategy;
Step 4) generating the patch code according to the vulnerability point located by the heuristic matching strategy and the related patch information, rewriting the vulnerability point, and placing the patch code in the executable region obtained in step 2.
In the heuristic matching strategy, the matched features comprise: mnemonics and operators, constants, calling conventions, relative offsets of structure members, and ARM assembly features such as return and jump-related instructions.
The rewriting involves the following points:
1) There are two ways a kernel makes its code read-only. One is the CONFIG_DEBUG_RODATA option, which uses a single-level mapping in the page table. The other is Qualcomm's CONFIG_STRICT_MEMORY_RWX option, which uses page-granular mapping.
2) After the page table has been rewritten, modifying the kernel code directly crashes the kernel. Analysis showed that each process copies the kernel region of the page table when it is created, so the code modification is carried out from a newly started process.
3) The short-term modification of the selected syscall does not affect normal use of the system.
Through the above strategy, the invention repairs kernel code dynamically without the source code. Compared with previous research, and judging from the state of actual mobile devices, most devices below Android 6.0 can be repaired.
The foregoing embodiments may be modified in many different ways by those skilled in the art without departing from the spirit and principle of the invention; the scope of the invention is not limited by the above embodiments but by the appended claims.

Claims (1)

Translated from Chinese

1. A method for patching a kernel vulnerability, based on a patching system for Android device kernel vulnerabilities, characterised in that the patching system comprises: a repair information collection module, a heuristic matching module, a kernel page table processing module and a repair module, wherein: the repair information collection module is connected to the heuristic matching module and transmits CVE information; the heuristic matching module is connected to the repair module and transmits the location of the vulnerability point, that is, the insertion point of the patch code; the kernel page table processing module is connected to the repair module and transmits the allocated executable memory information; and the repair module repairs the vulnerability according to the allocated executable memory information and the location of the vulnerability point;
the patching method comprises the following steps:
Step 1) obtaining CVE-related repair information from the security bulletins published monthly by Google;
Step 2) selecting the kernel page table entries of a rarely used syscall, rewriting their write permission and the syscall's code, triggering the system call to allocate executable memory, and finally restoring the kernel page table;
the write-permission rewriting means: modifying the kernel page table permissions according to the different protection measures adopted by different vendors, so that the kernel code region holding the syscall becomes writable;
the code rewriting means: overwriting the syscall's code, at the kernel code location obtained from the kernel symbol information, with a piece of shellcode that allocates executable memory, so that invoking the syscall yields a region of executable kernel memory into which the patch code will later be placed; the return value of the syscall is the address of that executable region;
the kernel symbol information is obtained by reading, from /proc/kallsyms on the Android device, all kernel function addresses and names stored by kallsyms;
Step 3) locating the vulnerable function according to the patch information and the kernel symbol information, then searching for and locating the vulnerability point and the related patch information through a heuristic matching strategy;
the locating means: locating the vulnerable function by accessing kernel virtual memory through the path /dev/kmem;
the vulnerability patch information means: the registers or memory addresses holding the variables that the patch code needs;
Step 4) generating patch code according to the vulnerability point located by the heuristic matching strategy and the related patch information, rewriting and patching the vulnerability point, and placing the patch code in the executable region obtained in step 2;
the heuristic matching strategy matches on the following features: mnemonics and operators, constants, calling-convention relationships, relative offsets of structure members, and assembly code features of the ARM architecture;
the patch information comprises: the vulnerable function in the CVE and the fix code;
the rewriting and patching: 1) for the kernel, there are two ways to make kernel code read-only; one is the CONFIG_DEBUG_RODATA option, which uses a single-level mapping in the page table; the other is Qualcomm's CONFIG_STRICT_MEMORY_RWX option, which uses page-granular mapping; 2) after the page table has been rewritten, modifying the kernel code directly crashes; analysis showed that each process copies the kernel region of the page table when it is created, so the code modification is carried out from a newly started process; 3) the short-term modification of the selected syscall does not affect normal use of the system;
the rewriting and patching of the vulnerability point specifically comprises the following steps:
A) modifying the page table permissions of the code segment containing the vulnerability point to add write permission;
B) overwriting the instruction at the vulnerability point with a jump that points to the address of the executable region;
C) writing the patch code into the executable region;
D) restoring the page table permissions of the code segment to their state before modification.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201710405313.9A | 2017-05-31 | 2017-05-31 | Patching system and method for Android device kernel vulnerability (Active, CN107273750B, en)

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201710405313.9A | 2017-05-31 | 2017-05-31 | Patching system and method for Android device kernel vulnerability (CN107273750B, en)

Publications (2)

Publication Number | Publication Date
CN107273750A (en) | 2017-10-20
CN107273750B (en, granted) | 2021-03-16

Family

ID=60065016

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201710405313.9A | Patching system and method for Android device kernel vulnerability (Active, CN107273750B, en) | 2017-05-31 | 2017-05-31

Country Status (1)

Country | Link
CN (1) | CN107273750B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108446134A (en)* | 2018-03-30 | 2018-08-24 | 努比亚技术有限公司 | Application vulnerability repair method, mobile terminal and readable storage medium
CN110147673B (en)* | 2019-03-29 | 2021-08-31 | 中国科学院信息工程研究所 | Method and device for labelling vulnerability locations based on text and source code symbol extraction
CN110489291B (en)* | 2019-08-13 | 2021-09-07 | 晶晨半导体(上海)股份有限公司 | Method for implementing a memory detection tool

Citations (1)

Publication number | Priority date | Publication date | Assignee | Title
WO2015052829A1 (en)* | 2013-10-11 | 2015-04-16 | 順子 杉中 | Information management device, method, and program

Family Cites Families (7)

Publication number | Priority date | Publication date | Assignee | Title
CN101154257A (en)* | 2007-08-14 | 2008-04-02 | 电子科技大学 | Method of dynamically executing patches based on vulnerability characteristics
CN101604283B (en)* | 2009-06-11 | 2011-01-05 | 北京航空航天大学 | Linux kernel page table replacement-based method for tracking memory access models
US8832666B2 (en)* | 2009-12-21 | 2014-09-09 | International Business Machines Corporation | Dynamic instrumentation
US10255104B2 (en)* | 2012-03-29 | 2019-04-09 | Advanced Micro Devices, Inc. | System call queue between visible and invisible computing devices
CN105868639A (en)* | 2016-03-30 | 2016-08-17 | 百度在线网络技术(北京)有限公司 | Kernel vulnerability repair method and device
CN105893850B (en)* | 2016-03-30 | 2017-12-15 | 百度在线网络技术(北京)有限公司 | Vulnerability repair method and device
CN106598667B (en)* | 2016-12-12 | 2018-07-27 | 百度在线网络技术(北京)有限公司 | Method and device for repairing kernel vulnerabilities


Non-Patent Citations (2)

Title
Detection and Identification of Android Malware Based on Information Flow Monitoring; Radoniaina Andriatsimandefitra et al.; IEEE; 2016-01-07; pp. 200-203 *
基于自适应热补丁的Android内核漏洞生态修复方案 (An ecosystem-wide repair scheme for Android kernel vulnerabilities based on adaptive hot patching); 张煜龙 et al.; 《中国教育网络》 (China Education Network); 2016-10-31, No. 10; pp. 40-44 *

Also Published As

Publication number | Publication date
CN107273750A (en) | 2017-10-20


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
