Android Kernel Security

4000€ | 10th to 13th of October 2022 | Espace Vinci, Rue des Jeuneurs, Paris, France

Kernel exploitation on Android devices still presents a relatively new unexplored research area due to its diverse range of hardware options and hardware/software exploitation mitigations implemented by vendors or the Linux kernel itself. Similar to other operating systems, Android provides several common user-space exploitation mitigations and attacking the kernel is an appealing option to obtain full access on the device bypassing any user-space exploitation mitigations.


Objectives of the training

Explore the Android kernel attack surface

Learn Local Privilege Escalation techniques

Exploit common Android kernel vulnerability classes

Study Android kernel exploitation mitigation bypasses

Discover Android kernel fuzzing

The trainer

Who will run this training?

Vitaly
Nikolenko


@vnik5287

Vitaly is a security researcher at DUASYNT specializing in reverse engineering and exploit development. He has a solid academic background in programming languages, code analysis and algorithms. His current area of research is mobile security/operating systems (kernel space exploitation techniques and countermeasures).

Syllabus

What will we do?

Introduction

This course starts by enumerating the Android kernel attack surface (from an LPE perspective) describing any sandboxing options that may limit this attack surface. Though the course is mostly self-contained and there’s a brief refresher on arm64 architecture, attendees should be already familiar with this architecture / instruction set.

The main focus is on common kernel vulnerability classes and exploitation techniques on Android. The training is hands-on and assumes some familiarity with Linux kernel exploit development. All practical labs / exercises will be performed on Pixel 4a devices. Common hardware/software kernel exploitation mitigations on Google and Samsung devices will be discussed and several bypass techniques will be presented. The course will also provide some introduction to fuzzing and crash analysis on Android devices.

This course is largely self-contained but please ensure you meet the entry requirements detailed below.

Key Learning Objectives:

  • Android kernel attack surface
  • Privilege escalation techniques
  • Exploitation of common Android kernel vulnerability classes
  • Android kernel exploitation mitigation bypasses
  • Introduction to Android kernel fuzzing

Course agenda

  • ARM64 architecture refresher
  • Bootloaders and boot process
  • Rooting / test environment setup
  • Kernel debugging options
  • Introduction to root cause analysis
  • Android kernel attack surface / Sandboxing / SELinux
  • Baseband hardware driver
  • Privilege separation model and common privilege escalation techniques
  • Fixating the system and recovering the kernel state
  • Common classes of kernel vulnerabilities
  • Kernel race conditions
  • Double fetch vulnerabilities
  • Dynamic memory management and heap related vulnerabilities (heap overflows, UAF, off-by-X)
  • Current UAF exploitation countermeasures and bypasses
  • Kernel security on Google Pixel and Samsung devices
  • Latest kernel exploitation mitigations
  • Bypassing kernel protections
  • Kernel fuzzing on Android devices

Who should attend?

  • Reverse engineers, bug hunters and exploit developers
  • Information security professionals experienced in user-land exploitation

Pre-requisites:

  • Familiarity with arm64 architecture
  • Fundamental knowledge of common classes of vulnerabilities (e.g., stack and heap overflows, integer type conversion vulnerabilities and overflows, etc.) and user-space exploitation techniques
  • Some experience in Linux kernel exploitation / knowledge of common Linux kernel vulnerability classes (consider taking Linux kernel exploitation techniques (x86_64) first)
  • C and assembly programming knowledge
  • Familiarity with GDB (GNU Debugger)

Hardware/Software requirements

  • Base OS - Windows, macOS, Linux
  • Virtualisation software that allows you to import VMs in a standard OVA/OVF format and passthrough USB devices
  • BYO Pixel 4a (non-5G) with an unlocked bootloader (running any firmware you like)
  • Standard USB-C data cable
  • At least 40GB of free disk space
  • At least 8 GB of RAM

Other trainings

What else might interest you?

Hunting and Reversing UEFI Firmware Implants

Alex Matrosov

Hypervisor development for security analysis

Satoshi Tanda

Practical Baseband Exploitation

Nitay Artenstein & Pedro Ribeiro

Windows Internals for Security Engineers

Yarden Shafir