droidsec.org

A Simple Æ»¶ñ for Linux Kernel Audits

In Android, the Linux kernel is the crux of °ÂÁ´. It is ÀÕǤ¤¬¤¢¤ë »Ü¹Ô¤¹¤ëing ÀÜ¶á »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë to just about everything in the system. If an ¹¶·â¼Ô can ¿­¤Ó¡Ê¤ë¡Ë ÆÈÃÇŪ¤Ê code »à·º¼¹¹Ô in kernel Êý¼°, they can bypass »ÈÍÑ¡¿Å¬ÍÑ sandboxing, ÀÜ¶á ¶âʪÎà¡¿Éð´ïÎà ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë, and more.

Æ°µ¡¤Å¤±

Over the years, the Linux kernel source code has grown °ÕÌ£¤¢¤ê¤²¤Ë. It ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës code for all supported functionality ´Þ¤àing drivers for a wide variety of ¶âʪÎà¡¿Éð´ïÎà across several supported architectures. A modern Linux kernel source tree is ¤ä¤á¤ë large. The tree we will use in our demonstration within this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë is 729 megabytes.

dev:0:/android/source/kernel/msm$ du -hs . --½ü³°¤¹¤ë .git
729M    .

Now, you may be wondering why size »öÊÁs. To better understand, let us put ourselves in the shoes of ¡ÊƬ¤¬¡Ë¤Ò¤ç¤¤¤ÈÆ°¤¯. He ºîÉÊ professionally as a source code auditor. Companies ¸Û¤¦ him to read through ¹­Âç¤Ê ÎÌs of source code to discover and ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë bugs and/or vulnerabilities in the code. ¡ÊƬ¤¬¡Ë¤Ò¤ç¤¤¤ÈÆ°¤¯¡Çs success depends on ¹©Éפ¹¤ëing and ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ëing a Àïά to use his time most ¸ú²ÌŪ¤Ë. Some auditors may Áª¤Ö to use ¼«Æ°²½¤¹¤ëd Æ»¶ñs while others may choose to manually read through the code.

¡ÊƬ¤¬¡Ë¤Ò¤ç¤¤¤ÈÆ°¤¯ prefers to work smarter instead of harder so he has developed a ¹µÁÊ of Àµµ¬¤Î¡¿ÀµÁª¼ê ɽ¸½s that he runs over the kernel code to identify ²ÄǽÀ­¤Î¤¢¤ë problem areas. After Àººº¤¹¤ëing through the results and ʬÀϤ¹¤ëing the surrounding code, he discovers a rather serious looking problem in a driver. He pulls out the ¼Â¸³¡Ê¤¹¤ë¡Ë ÁõÃÖ for the »ö¶È¡¿·×²è¡Ê¤¹¤ë¡Ë and quickly finds that the driver is not Ééôd. Oh no! Now ¡ÊƬ¤¬¡Ë¤Ò¤ç¤¤¤ÈÆ°¤¯ becomes curious. He reaches out and asks which Android ÁõÃÖs in the ¡ÈDroid Army¡É are using the driver. Unfortunately, it turns out no ÁõÃÖs use that driver. In my opinion, this Âåɽ¤¹¤ës an error in ¡ÊƬ¤¬¡Ë¤Ò¤ç¤¤¤ÈÆ°¤¯¡Çs Àïά that led him to wasting his time. Is there anything ¡ÊƬ¤¬¡Ë¤Ò¤ç¤¤¤ÈÆ°¤¯ can do °Û¤Ê¤Ã¤Æ to Èò¤±¤ë this ±¿Ì¿¡¿½ÉÌ¿ in the ̤Íè? The answer is ¡ÈYes.¡É

The Æ»¶ñ

Enter the Linux Kernel reducer, or lk-reducer for short. This Æ»¶ñ helps Èò¤±¤ë some of the problems we have discussed thus far. It ºîÉÊ by ´Æ»ë¤¹¤ëing ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë system Àܶá while building the Linux kernel. (By no means is its ¸ø¶¦»ö¶È¡ÊÎÁ¶â¡Ë¡¿Í­ÍÑÀ­ ¸Â¤é¤ì¤¿¡¿Î©·ûŪ¤Ê to the Linux Kernel, but it is ´Êñ¤Ë where we ÀßΩ¤¹¤ë a need.) This is possible because ¶¡µë¤¹¤ëing the Linux Kernel source code is a ¹çˡŪ¤Ê ɬÍ×ʪ¡¿É¬Í×¾ò·ï under the GNU Public License (GPL). By ´Æ»ë¤¹¤ëing the build ²áÄø, we are able to ·èÄꤹ¤ë which ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës from within the source tree have been used to build the final kernel image. Some ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës will ɬÁ³Åª¤Ë not get used and thus we can ·èÄꤹ¤ë that they are not needed. Therefore, they can be ½üµî¤¹¤ëd from review during a source code audit. This saves time during both ¼êÆ°¼°¤Î and ¼«Æ°²½¤¹¤ëd source code reviews.

The ¸½ºß¤Î incarnation of the Æ»¶ñ is a slight modification of an ¼Â»Ü by Jann Horn. The first incarnation consisted of using strace(1) and a bunch of Çú·â¤¹¤ë scripts to ´Æ»ë¤¹¤ë calls to the open(2) system call. Jann developed his ¸«²ò¡¿ËÝÌõ¡¿ÈÇ around the Linux inotify subsystem. His ¼Â»Ü is much more clean and performant. My only modifications were to let the »ÈÍÑ¼Ô decide how to ²áÄø the ´Æ»ë¤¹¤ëing results based on a data ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë. The Æ»¶ñ À¸À®¤¹¤ës a ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë called ¡Èlk-reducer.out¡É that shows whether each ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë was Accessed, Untouched, or Generated. Let us see it in ³èÆ°¡¿ÀïÆ®!

A Demonstration

Once the Æ»¶ñ is downloaded and ¼ý½¸¤¹¤ëd, give it the path to your Linux kernel source tree:

dev:0:lk-reducer$ ./lk-reducer /android/source/kernel/msm
dev:0:msm$

Now, build the Linux kernel to Àפò¤Ä¤±¤ë which ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës are Àܶád. Remember to not only configure and build the kernel, but also clean the build too. ¤µ¤â¤Ê¤±¤ì¤Ð, we might ¹ÔÊýÉÔÌÀ¤Ë¤Ê¤ë ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës used during the ¤­¤ì¤¤¤Ë¤¹¤ë ²áÄø and ·ë¶ÉºÇ¸å¤Ë¤Ï¡¼¤Ê¤ë with a tree we can build but not clean.

dev:0:msm$ Í¢½Ð¡Ê¤¹¤ë¡Ë ARCH=arm64 SUBARCH=arm64 CROSS_COMPILE=aarch64-linux-androidkernel-
dev:0:msm$ make marlin_defconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  SHIPPED scripts/kconfig/zconf.tab.c
  SHIPPED scripts/kconfig/zconf.lex.c
  SHIPPED scripts/kconfig/zconf.hash.c
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
drivers/soc/qcom/Kconfig:381:·Ù¹ð: choice value used outside its choice group
drivers/soc/qcom/Kconfig:386:·Ù¹ð: choice value used outside its choice group
#
# configuration written to .config
#
dev:0:msm$ make
scripts/kconfig/conf --silentoldconfig Kconfig
drivers/soc/qcom/Kconfig:381:·Ù¹ð: choice value used outside its choice group
drivers/soc/qcom/Kconfig:386:·Ù¹ð: choice value used outside its choice group
  CHK     ´Þ¤à/config/kernel.²òÊü¡Ê¤¹¤ë¡Ë
[... ¤½¤Î¾å¤Î build À¸»º¡Ê¹â¡Ë omitted for brevity ...]
  DTC     arch/arm64/boot/dts/htc/msm8996-v3-htc_sailfish-xb.dtb
  GZIP    arch/arm64/boot/Image.gz
  CAT     arch/arm64/boot/Image.gz-dtb
dev:0:msm$ make mrproper
  CLEAN   .
  CLEAN   arch/arm64/kernel/vdso
  CLEAN   arch/arm64/kernel
  CLEAN   crypto/asymmetric_keys
  CLEAN   kernel/time
  CLEAN   kernel
  CLEAN   lib
  CLEAN   ÂáÊ᤹¤ë/wireless
  CLEAN   °ÂÁ´/selinux
  CLEAN   usr
  CLEAN   arch/arm64/boot/dts/htc
  CLEAN   arch/arm64/boot
  CLEAN   .tmp_versions
  CLEAN   scripts/basic
  CLEAN   scripts/dtc
  CLEAN   scripts/kconfig
  CLEAN   scripts/mod
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   ´Þ¤à/config ´Þ¤à/À¸À®¤¹¤ëd arch/arm64/´Þ¤à/À¸À®¤¹¤ëd
  CLEAN   .config .¸«²ò¡¿ËÝÌõ¡¿ÈÇ ´Þ¤à/À¸À®¤¹¤ëd/uapi/linux/¸«²ò¡¿ËÝÌõ¡¿ÈÇ.h Module.symvers
dev:0:msm$

With the build and clean ²áÄø ´°Á´¤Ë¤¹¤ëd, ´Êñ¤Ë ½Ð¸ý the sub-Çú·â¤¹¤ë to À¸À®¤¹¤ë the data ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë:

dev:0:msm$ ½Ð¸ý
½Ð¸ý
²áÄøing remaining events...
inotify event collection Ãʳ¬ is over, ¥À¥ó¥Ô¥ó¥° results to "lk-reducer.out"...
cleanup ´°Á´¤Ë¤¹¤ë

From here, you can ʬÀϤ¹¤ë the data ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë and choose whether to ºï½ü¤¹¤ë the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës from the ¸½ºß¤Î source tree or copy them to another place. I tend to copy the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës to another directory and audit from there.

NOTE: If you¡Çre working with a tree from Git, you might want to filter out the .git subdirectory as I¡Çve done here. You can always ¶¨µÄ¤¹¤ë the history in the ½é¤á¤Î repository.

dev:0:msm$ grep ^A lk-reducer.out | ºï¸º¡Ê¤¹¤ë¡Ë -c 3- | grep -v '\./\.git/' > lk-reducer-keep.out
dev:0:msm$ mkdir ../msm-¥Þ¥«¥¸¥­-¸º¤º¤ëd
dev:0:msm$ tar cf - -T lk-reducer-keep.out | tar xf - -C ../msm-¥Þ¥«¥¸¥­-¸º¤º¤ëd/
dev:0:msm$ du -hs ../msm-¥Þ¥«¥¸¥­-¸º¤º¤ëd/
132M    ../msm-¥Þ¥«¥¸¥­-¸º¤º¤ëd/

As you can see, we¡Çve ¸º¤º¤ëd the source code from 729 megabytes É餫¤¹¡¿·âÄƤ¹¤ë to only 132 megabytes. More importantly, we know that there¡Çs no code left that is not built into the final kernel image.

À©¸Âs

Of course, this is not the only problem ľÌ̤¹¤ëd when auditing the Linux kernel. Even though we have ½üµî¤¹¤ëd code that isn¡Çt Àܶád at build time, some remaining code may not get used ͽÄê to Ä´ºº¡Ê¤¹¤ë¡Ëing, system configuration, or other ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ës that may be out of our »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë. Also, code within a ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë might still be thrown out by the pre-²Ã¹©¶È¼Ô or optimized out during ÊÔ½¸. ¤½¤Î¾å¤Î, this Æ»¶ñ does nothing to help understand the ¶¼¤· model or ·èÄꤹ¤ë attack surfaces that might be Íø±×¡¿¶½Ì£ing for an audit.

·ëÏÀ

This ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë defines one problem Linux kernel auditors ľÌ̤¹¤ë and ¸½ºß¤Îs a Æ»¶ñ designed to help solve it. Jann and I are pleased to publish this Æ»¶ñ to Êä½õÁõÃÖ the community in their source code audits of the Linux kernel. It is our hope that the Æ»¶ñ will save you time and make you more ¸ú²ÌŪ¤Ê. You can find the Æ»¶ñ on GitHub here. Thank you for your time and best of luck and your kernel auditing ÅØÎϤ¹¤ës!