Basebads: Automated security analysis of baseband firmware

Hernandez, Grant; Butler, Kevin

doi:10.1145/3317549.3326310

Cited by 7 publications

(11 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, POLYSCOPE scripts are not authorized to access all files, particularly those owned by root, so we run these scripts on rooted phones. Recent work by Hernandez et al [19] is able to extract MAC policy and part of DAC configuration from Android firmware images without rooting devices. However, this approach cannot extract all files located in some directories like /data.…”

Section: Methodsmentioning

confidence: 99%

“…Traditionally, research only considered one access control policy at a time. Researchers have recently proposed techniques to reason about MAC and DAC policies in combination [7,19], but they have not considered how to compose subjects and objects from multiple policies systematically. As Android includes new access control mechanisms, such as Scoped Storage, how to characterize subjects and objects accurately across multiple policies becomes challenging.…”

Section: Limitations Of Current Techniquesmentioning

confidence: 99%

“…Access control policy analyses transform individual policy rules into the information flows that they authorize to enable detection of secrecy (e.g., data leakage) and integrity (e.g., use of untrusted executables) problems. Recent work computes the information flows of combined MAC and DAC policies [7], as well as including Linux capabilities [19]. However, detecting authorized information flows on current access control policies is insufficient to detect attacks in two ways.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage

Lee¹,

Chen²,

Enck³

et al. 2023

Preprint

View full text Add to dashboard Cite

Android's filesystem access control is its foundation for system integrity. It combines mandatory (e.g., SELinux) and discretionary (e.g., Unix permissions) access control with other specialized access controls (e.g., Android permissions), aiming to protect Android/OEM services from third-party applications. However, OEMs often introduce vulnerabilities when they add market-differentiating features because they fail to correctly reconfigure this complex combination of policies. In this paper, we propose the POLYSCOPE tool to triage Android filesystem access control policies to find the authorized operations that may be exploited by adversaries to escalate their privileges, called attack operations. In this paper, we demonstrate the effectiveness of POLYSCOPE by assessing the impact of the recently introduced Scoped Storage defense for Android. POLYSCOPE introduces three major advantages over prior access control policy analyses for this analysis: (1) independent extension and analysis of individual policy models, to ease the addition of Scoped Storage; (2) knowledge of the flexibility that untrusted parties have to modify access control policies; and (3) the ability to identify attack operations that system configurations allow. We apply POLYSCOPE to three Google and five OEM Android releases, finding that Scoped Storage reduces the number of attack operations possible on external storage resources by over 50%. However, we also find two previously unknown vulnerabilities because OEMs only adopt Scoped Storage partially, limiting its benefit. Thus, we show how to use POLYSCOPE to assess an ideal scenario where all apps are compliant to Scoped Storage, which can the number of untrusted parties that can access attack operations by over 65% on OEM systems. As a result, we find that POLYSCOPE can help Android OEMs triage complex access control policies to identify the specific attack operations worthy of further examination.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Limitations Of Current Techniquesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage

Lee¹,

Chen²,

Enck³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…In contrast to static program analysis and emulation-based fuzzing, LTEFuzz performs over-the-air analysis on LTE and found vulnerabilities in various mobile devices and core network components [32]. Moreover, SpikerXG wirelessly fuzzes 2G on multiple smartphones in parallel, including a packet mutator using YateBTS [28,45]. Such approaches are feasible for 2G and LTE, because open source projects like OpenAir-Interface and srsLTE already implement a lot of common protocol features on SDRs [38,44].…”

Section: Related Workmentioning

confidence: 99%

Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

Ruge¹,

Classen²,

Gringoli³

et al. 2020

Preprint

View full text Add to dashboard Cite

Wireless communication standards and implementations have a troubled history regarding security. Since most implementations and firmwares are closed-source, fuzzing remains one of the main methods to uncover Remote Code Execution (RCE) vulnerabilities in deployed systems. Generic overthe-air fuzzing suffers from several shortcomings, such as constrained speed, limited repeatability, and restricted ability to debug. In this paper, we present Frankenstein, a fuzzing framework based on advanced firmware emulation, which addresses these shortcomings. Frankenstein brings firmware dumps "back to life", and provides fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing method is sufficient to maintain interoperability with the attached operating system, hence triggering realistic full-stack behavior. We demonstrate the potential of Frankenstein by finding three zero-click vulnerabilities in the Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many Samsung smartphones, the Raspberry Pis, and many others.Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that crashes multiple operating system kernels and a design flaw in the Bluetooth 5.2 specification that allows link key extraction from the host. Turning off Bluetooth will not fully disable the chip, making it hard to defend against RCE attacks. Moreover, when testing our chip-based vulnerabilities on those devices, we find BlueFrag, a chip-independent Android RCE.

show abstract

“…LTEFuzz by Kim et al [32] uses predefined test cases to identify implementation problems of a baseband. SpikerXG by Hernandez et al [24] fuzz firmware of Android devices and propose an analysis platform for further rehosting and analysis will be possible, taking a big step towards automated baseband analysis. Prior publicly known baseband fuzzing setups fuzzed leaked binaries compiled for host system [35].…”

Section: Baseband Researchmentioning

confidence: 99%

BaseSAFE: Baseband SAnitized Fuzzing through Emulation

Maier,

Seidel,

Park

2020

Preprint

View full text Add to dashboard Cite

Rogue base stations are an effective attack vector. Cellular basebands represent a critical part of the smartphone's security: they parse large amounts of data even before authentication. They can, therefore, grant an attacker a very stealthy way to gather information about calls placed and even to escalate to the main operating system, over-the-air. In this paper, we discuss a novel cellular fuzzing framework that aims to help security researchers find critical bugs in cellular basebands and similar embedded systems. BaseSAFE allows partial rehosting of cellular basebands for fast instrumented fuzzing off-device, even for closed-source firmware blobs. BaseSAFE's sanitizing drop-in allocator, enables spotting heap-based buffer-overflows quickly. Using our proof-of-concept harness, we fuzzed various parsers of the Nucleus RTOS-based MediaTek cellular baseband that are accessible from rogue base stations. The emulator instrumentation is highly optimized, reaching hundreds of executions per second on each core for our complex test case, around 15k test-cases per second in total. Furthermore, we discuss attack vectors for baseband modems. To the best of our knowledge, this is the first use of emulation-based fuzzing for security testing of commercial cellular basebands. Most of the tooling and approaches of BaseSAFE are also applicable for other low-level kernels and firmware. Using BaseSAFE, we were able to find memory corruptions including heap out-of-bounds writes using our proof-of-concept fuzzing harness in the MediaTek cellular baseband. BaseSAFE, the harness, and a large collection of LTE signaling message test cases will be released open-source upon publication of this paper. CCS CONCEPTS• Security and privacy → Software reverse engineering; Embedded systems security.

show abstract

Basebads: Automated security analysis of baseband firmware

Cited by 7 publications

References 7 publications

PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage

PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage

Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

BaseSAFE: Baseband SAnitized Fuzzing through Emulation

Contact Info

Product

Resources

About