The Android Binder driver is a keystone of Android’s inter-process communication (IPC) mechanism. The Binder driver is an open-source Linux kernel module accessible by untrusted applications and consists of less than 10,000 lines of C code. Despite its relatively small size, Binder is complex and has had several security vulnerabilities reported and successfully exploited in the past - leading to privilege escalation in Android, including in-the-wild attacks. The complexity of Binder combined with its wide accessibility from unprivileged context makes it a high-risk component for Android platform.
This talk will feature two use-after-free vulnerabilities identified during internal red-teaming of the Binder driver: CVE-2023-20938 (fixed in February 2023) and CVE-2023-21255 (fixed in July 2023) which at the moment of discovery affected multiple versions of Android kernel. In this presentation the authors will focus on technical details of vulnerability discovery and its exploitation to achieve local privilege escalation on Android devices.
After a quick overview of Binder complex object lifetime management and reference counting, we will focus on a novel approach for deterministically detecting concurrency issues in the Linux kernel by fuzzing it in user-space using the Linux Kernel Library (LKL) combined with a custom scheduler implementation. This approach enables the fuzzer to deterministically reproduce concurrency-related bugs in a multi-threaded environment. We will demonstrate the application of this fuzzing approach to the Binder driver which led to identification of CVE-2023-20938 and CVE-2023-21255.
Then, the authors will cover how to exploit CVE-2023-20938 to achieve root privileges from an unprivileged Android application on a device running a fully up-to-date and patched version of Android at the time of the issue discovery. These steps will highlight the cross-cache attack technique used in the exploit and current state of Android kernel mitigations against the exploitation of memory corruption bugs. The authors will conclude the presentation by discussing remediation and future hardening efforts on Android Binder.
Eugene Rodionov, PhD, is a Security Researcher at Google on the Android Red Team. In his current position, Eugene focuses on finding and exploiting vulnerabilities in the low-level components of Android platform and Pixel devices. Prior to that, Rodionov performed offensive security research on UEFI firmware for Client Platforms at Intel, and ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include reverse engineering, vulnerability analysis, firmware security and anti-rootkit technologies. Rodionov is a co-author of the "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" book and has spoken at security conferences such as Black Hat, REcon, ZeroNights, and CARO.
Zi Fan Tan is a Security Researcher at Google on the Android Red Team. He is currently focused on vulnerability research and exploitation on Android platform, kernel and Pixel devices.
Gulshan Singh is a Security Researcher at Google on the Android Red Team. He is currently focused on vulnerability research and exploitation of the Android platform, kernel, and firmware. He is also an avid CTF player.