Android Kernel Security
Skill level: Intermediate to Advanced
Duration: 4 days
Instructor: Vitaly Nikolenko

Note:

We've experienced some issues with border security when bringing in HiKey boards and a large number of test mobile devices. Depending on the country, we might not be able to deliver this training or will need to organise alternative methods for delivering hardware required for this training.

Course description:

Kernel exploitation on Android devices is still a relatively new and unexplored research area, owing to the diverse range of hardware and the hardware/software exploitation mitigations implemented by vendors or by the Linux kernel itself. As on other operating systems, Android provides several common user-space exploitation mitigations, so attacking the kernel is an appealing way to obtain full access to the device while bypassing those user-space mitigations.

This course starts by enumerating the Android kernel attack surface (from an LPE perspective) and describing the sandboxing options that may limit this attack surface. Though the course is mostly self-contained and includes a brief refresher on the arm64 architecture, attendees should already be familiar with this architecture / instruction set.

The main focus is on common kernel vulnerability classes and exploitation techniques on Android. The training is hands-on and assumes some familiarity with Linux kernel exploit development. All practical labs / exercises will be performed on Pixel 4a devices. Common hardware/software kernel exploitation mitigations on Google and Samsung devices will be discussed and several bypass techniques will be presented. The course will also provide some introduction to fuzzing and crash analysis on Android devices.

This course is largely self-contained but please ensure you meet the entry requirements detailed below.

Android kernel exploitation
Prerequisites:
  • Familiarity with arm64 architecture
  • Fundamental knowledge of common classes of vulnerabilities (e.g., stack and heap overflows, integer type conversion vulnerabilities and overflows, etc.) and user-space exploitation techniques
  • Some experience in Linux kernel exploitation / knowledge of common Linux kernel vulnerability classes (consider taking Linux kernel exploitation techniques (x86_64) first)
  • C and assembly programming knowledge
  • Familiarity with GDB (GNU Debugger)
Who should attend:
  • Reverse engineers, bug hunters and exploit developers
  • Information security professionals experienced in user-land exploitation
Hardware and software:
  • Base OS - Windows, macOS, Linux
  • Virtualisation software that allows you to import VMs in a standard OVA/OVF format and passthrough USB devices
  • BYO Pixel 4a (non-5G) with an unlocked bootloader (running any firmware you like)
  • Standard USB-C data cable
  • At least 40GB of free disk space
  • At least 8 GB of RAM
  • Other hardware for kernel debugging will be provided
Key learning objectives:
  • Android kernel attack surface
  • Privilege escalation techniques
  • Exploitation of common Android kernel vulnerability classes
  • Android kernel exploitation mitigation bypasses
  • Introduction to Android kernel fuzzing
Course agenda:
  • ARM64 architecture refresher
  • Bootloaders and boot process
  • Rooting / test environment setup
  • Kernel debugging options
  • Introduction to root cause analysis
  • Android kernel attack surface / Sandboxing / SELinux
  • Baseband hardware driver
  • Privilege separation model and common privilege escalation techniques
  • Fixating the system and recovering the kernel state
  • Common classes of kernel vulnerabilities
  • Dynamic memory management and heap related vulnerabilities (heap overflows, UAF, off-by-X)
  • Current UAF exploitation countermeasures and bypasses
  • Kernel security on Google Pixel and Samsung devices
  • Latest kernel exploitation mitigations
  • Bypassing kernel protections
  • Kernel fuzzing on Android devices

FAQ
  • I haven't done any Linux / Android kernel exploit development. Is this training suitable for me?
  • If you are not familiar with basic Linux kernel ret2usr techniques, kernel privilege escalation payloads, physmap, kernel UAF / heap overflow exploitation techniques, this training is not the best option for you. Even though this training aims to be self-contained, there is some required background knowledge. You will certainly learn something new but if you are relatively new to the kernel exploitation area, consider taking the Linux kernel exploitation training first. The Linux kernel exploitation training is not "easier" but simply has more background material to get you started.
  • Is C and assembly knowledge essential?
  • Yes. There is a brief ARM64 assembly refresher (mostly specific to the kernel) but it is assumed you are already familiar with ARM64 assembly. C knowledge goes without saying.
  • No longer using Hikey 960/970 reference boards?
  • They are no longer available on the market. Hence, we switched to Pixel devices for this training.
  • Why Pixel 4a specifically?
  • Pixels are Google reference devices. Pixel 4a is still relatively recent and more affordable compared to newer high-end devices.
  • Do I need to flash any specific firmware version?
  • No, you can have any firmware you like. We will be reflashing it during the training. However, make sure your bootloader is unlocked!
  • Where can I find instructions to unlock the bootloader on my device?
  • The instructions will be emailed to you before the training but you can also find them here.
  • I can't seem to unlock my bootloader.
  • Certain refurbished / telco-locked devices may come with a bootloader that cannot be unlocked (for example, some Verizon refurbished devices in the US). If you are buying a refurbished device, make sure the bootloader can be unlocked!
  • Can I use QEMU or VirtualBox?
  • As long as you can import standard OVF files, you can use any hypervisor software with USB passthrough support you like. If you run Linux natively, you can install Android platform tools / NDK and copy firmware and kernel images, lab exercises, etc. from the provided VM.
  • Are there any special hardware requirements?
  • There are no special hardware requirements as long as your machine has at least 2 type-A USB ports (for the simultaneous use of the kernel debugger and the ADB session).
Training Announcements

There are generally two public training sessions per year (in the first half of the year) in Europe or Asia. You can sign up below to receive public training schedule notifications.

For a private training contact us directly.