1、Android系統(tǒng)安全審計概述議程背景介紹排查已知漏洞挖掘未知漏洞修補漏洞展望什么是安全審計?主流的SDL產(chǎn)品(APP SCAN)百度MTC-移動云測試中心阿里聚安全 安全審計騰訊 金剛安全審計360 App Scan(顯危鏡)(顯危鏡)Security Development LifecycleAPP SDLSYSTEM SDL如何做系統(tǒng)級別的安全審計?OEM廠商迭代開發(fā)Google PATCHQASDL本地PATCHOTA檢測已知漏洞手動檢測自動檢測挖掘未知漏洞有源碼無源碼議程背景介紹排查已知漏洞挖掘未知漏洞修補漏洞展望手動檢測已知漏洞逆向工程CVE-2016-3822(libjhead.

2、so)未修復已修復本地Index本地index I I 遠程indexClick me to test uxss! 494640Click me to test uxss! 519558 Click me to test uxss! 524074Click me to test uxss! 530301 Click me to test uxss! 531891 Click me to test uxss! 541206 Click me to test uxss! 556724 Click me to test uxss! 577105 Click me to test CVE-2016-1

3、646 Click me to test CVE-2016-1677127.0.0.1:8765 顯示：CVE-2016-16 77 無漏洞CVE-2016-0844Not TestedElevation of Privilege in Qualcomm RF component (Devicespec幣c)測試I SHOW DETAILSCVE-2016-2412Not TestedElevation of Privilege Vulnerability in System_server測試SHOW DETAILSCVE-2016-3915Not VulnerableElevation of

4、 privilege vulnerability in Camera serviceSHOW DETAILSCVE-2016-3916Not VulnerableElevation of privilege vulnerability in Camera seviceSHOW DETAILSCVE-2016-3909Not VulnerableElevation of privilege vulnerability in MediaserverSHOW DETAILSCVE-2016-0820Not TestedElevation of Privilege Vulnerability in M

5、ediaTek Wi-Fi Kernel Driver測試SHOW DrCVE-2016-3910Not VulneraElevation of privilege vulnerability in Mediaserver自動化檢查已知漏洞(VPS)CVE-2015-3636自動化檢查已知漏洞(VTS)CVE-2016-3871相似度比較(Similarity & Containment)QP,相似度Q= 80%Q,相似度R= 20%PQ ,相似度= 10%R議程背景介紹排查已知漏洞挖掘未知漏洞修補漏洞展望漏洞類型Linux內(nèi)核漏洞(Ping/Pipe/dirtyCow)第三方驅(qū)動漏洞(MSM

6、/MTK/HISI/NVIDIA)Native漏洞(LibStagefright/LibMediaServer)Framework漏洞(Runtime)為什么會造成這樣的漏洞?核心原因是開發(fā)人員和安全人員的理解不一致CVE-2016-8768Security Advisory - PXN Defense Mechanism Failure Vuln erabilit y in Huawei Mobile PhonesS.A Nlo:huawei-sa-20161026 -01-pxn Init ial Release Date: 20116-10-26匕 1st Release Dat e:

7、20 16-11 0 -26-1m paclTlhe PXN defen se meclhan is1r11 is d sab led ab no rmally_:t. org/兇 ss/)- Vulnerabiliiit y Sc or in g , 10 etailsTlhe vulnerab ilit y class ficat.ion has b eern p erfo11111ed by usin g th e CVS5v2 sc oring sy st em (ht t p J/ww w阮 Base Sco re: 11.2 (AV:1/AC: H/Au:IN/ C:N/t N/

8、A:PTempora!l Score:.0 (E:F/RL O/RC:O未知攻,焉知防如何通過漏洞來完成攻擊提權(quán)(Root)commit_creds(prepare_kernel_cred(0);如何發(fā)現(xiàn)未知的漏洞?源碼審計Fuzz Testing符號執(zhí)行逆向工程源碼審計(Read The Fuck*ing Source Code)remap_pfn_range(vma,addr,ptn,size,prot)copy_from_user(dst,src,len)/copy_to_user(, , )ioctl(fd,cmd,arg)CVE-2015-8088Fuzz Testing(模糊測試)DronityAFLPEACH符號執(zhí)行(symbolic execution )以符號代替具體值靜態(tài)執(zhí)行 (約束求解,路徑爆炸)代表KLEESAGE混合執(zhí)行 concolic execution 部分以具體值執(zhí)行,提升效率代表S2E輔助fuzzing 達到高路徑覆蓋率和精確度逆向工程議程背景介紹排查已知漏洞挖掘未知漏洞修補漏洞展望發(fā)現(xiàn)并提交漏洞提供