#BHASIA BlackHatEvents

LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules
Chao Ma, Han Yan, Tim Xia
Baidu AIoT Security Team

About us
Baidu AIoT Security Team
- Focus on Android/Linux platform
- Aim to discover 0day vulnerability and explore possible defenses
Members
- Chao Ma
- Han Yan
- Tim Xia

Agenda
- Introduction
- Attack Surface Analysis
- Case Study
- PoC and Exploitation
- Conclusion

Introduction
- Background of Netlink
- Programming model of Classic Netlink
- Flaws of Classic Netlink
- Programming model of Generic Netlink

Introduction: Background of Netlink
- Mainly used for bidirectional communication between the kernel and user-space processes
- Support full-duplex, asynchronous and multicast communication
- Two categories in usage: Classic Netlink and Generic Netlink

Introduction: Programming model of Classic Netlink
- (Classic) Netlink socket is supported since 1999 with Linux 2.2
- The programming model

Introduction: Flaws of Classic Netlink
- Limited number of Netlink protocols
- Complex usage
- Generic Netlink

Introduction: Programming model of Generic Netlink
- Generic Netlink socket is supported since 2006 with Linux 2.6.15
- The programming model

Attack Surface Analysis
- Netlink architecture
- Kernel mechanism of Classic Netlink
- Threat model of Classic Netlink
- Kernel mechanism of Generic Netlink
- Threat model of Generic Netlink

Attack Surface Analysis: Netlink architecture

Attack Surface Analysis: Kernel mechanism of Classic Netlink
Transfer Message Format
- nlmsg_len: sizeof(nlmsghdr + pad + payload + pad)
- nlmsg_type: message content type
- nlmsg_flags: additional flag
- nlmsg_seq: sequence number
- nlmsg_pid: sending pro
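As an added example (not from the slides or the LinkDoor authors), a user-space C sketch of the classic Netlink message layout listed above: a builder that applies the 4-byte alignment padding, and a receive-side walker that mirrors the length checks the kernel's NLMSG_OK macro applies, which is where a malformed nlmsg_len from an untrusted sender has to be rejected. The header struct is redeclared locally instead of included from <linux/netlink.h> so it builds anywhere, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Same layout as struct nlmsghdr in <linux/netlink.h>, redeclared so it builds anywhere. */
struct nlhdr {
    uint32_t nlmsg_len;   /* sizeof(nlmsghdr + pad + payload + pad) */
    uint16_t nlmsg_type;  /* message content type */
    uint16_t nlmsg_flags; /* additional flags */
    uint32_t nlmsg_seq;   /* sequence number */
    uint32_t nlmsg_pid;   /* sender port id */
};
#define NL_ALIGN(n) (((n) + 3u) & ~3u)                          /* pad to 4 bytes */
#define NL_HDRLEN   ((uint32_t)NL_ALIGN(sizeof(struct nlhdr)))  /* 16 */
/* Append one message at buf+off; returns bytes consumed, 0 if it does not fit. */
size_t nl_put(uint8_t *buf, size_t cap, size_t off, uint16_t type, const void *payload, uint32_t plen)
{
    size_t total = NL_HDRLEN + NL_ALIGN(plen);
    if (off > cap || total > cap - off) return 0;
    struct nlhdr h = { NL_HDRLEN + plen, type, 0, 1, 0 };
    memset(buf + off, 0, total);                   /* pad bytes are zero-filled */
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NL_HDRLEN, payload, plen);
    return total;
}
/* Walk a receive buffer with the checks NLMSG_OK applies: a whole header must remain, and
 * nlmsg_len must cover the header without exceeding the bytes left. Returns the number of
 * well-formed messages and stops at the first malformed one. */
int nl_walk(const uint8_t *buf, size_t len)
{
    int count = 0;
    size_t off = 0, step;
    while (len - off >= NL_HDRLEN) {
        struct nlhdr h; memcpy(&h, buf + off, sizeof h);
        if (h.nlmsg_len < NL_HDRLEN || h.nlmsg_len > len - off) break;
        count++;
        step = NL_ALIGN(h.nlmsg_len);              /* the last message may lack padding */
        off += step > len - off ? len - off : step;
    }
    return count;
}
/* Constructed sample: two messages; a nonzero forged_len overwrites the second header's
 * nlmsg_len to model a sender lying about its size. */
int nl_demo(uint32_t forged_len)
{
    uint8_t buf[64];
    size_t n1 = nl_put(buf, sizeof buf, 0, 16, "hello", 5);
    size_t n2 = nl_put(buf, sizeof buf, n1, 17, "netlink", 7);
    if (forged_len) memcpy(buf + n1, &forged_len, sizeof forged_len);
    return nl_walk(buf, n1 + n2);
}
```

nl_demo(0) walks both messages; an nlmsg_len smaller than the header or larger than the remaining buffer stops the walk after the first message instead of reading past the buffer.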