  • CVE-2018-9568 WrongZone Exploitation

    12 Jul 2019
    CVE-2018-9568 (WrongZone) is a recently disclosed, publicly known exploitable kernel vulnerability. This article analyzes the vulnerability and proposes an exploitation approach based on the kernel mirroring attack.

  • Mitigations for the Kernel Mirroring Attack

    02 Jan 2019
    In March 2018, Alibaba's Pandora Lab presented the Kernel Space Mirroring Attack (KSMA, also known as the kernel mirroring attack) against ARM64 at Black Hat Asia 2018. The method abuses a feature of the ARMv8 MMU so that an attacking program can directly modify the Android kernel code segment, opening a new avenue for vulnerability exploitation.

    To mitigate this class of attack, the author submitted patches to the ARM kernel community. The patches work by making swapper_pg_dir read-only and performing updates to it through the fixmap, so that an attacker can no longer modify that page table directly.

  • Analysis of Android Kernel Control Flow Integrity

    17 Sep 2018
    Kernel Control Flow Integrity (KCFI) is a mitigation newly introduced in Android 9. It is mainly intended to mitigate kernel function-pointer hijacking attacks.

    Google has now published the relevant patches; this article analyzes how those patches are implemented.

  • CVE-2015-3865: Elevation of Privilege Vulnerability in Android Runtime

    06 Jan 2016
    This vulnerability unsafely exposes the JDWP interface through the built-in app_process command. As a result, whenever this command is executed, the corresponding processes also expose the JDWP interface, which could be exploited for privilege leakage or escalation.

  • CVE-2015-0568: Use-After-Free Vulnerability in the Camera Driver of Qualcomm MSM 7x30

    18 Nov 2015
    The vulnerable driver implements a standard ioctl interface for user-space programs to communicate with it. However, the ioctl handler does not properly validate user-provided data and can reference a previously freed memory block, leading to possible code execution at the kernel level.
