Detection of TowelRoot & Exploits of CVE-2014-3153
Today we had the opportunity to see the engine of zIPS our Mobile IPS in action on a newly published vulnerability. As a reminder, we prefer complex problems, hence security on mobile devices is where we can think of out of the box ideas to solve security problems while still complying with smartphone rules and sandboxing limitations.
According to a Debian mailing list: “Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.”
NVD description of CVE-2014-3153 – “The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.”
The sophistication and continuous evolution of computer malware is becoming a serious problem for our information technology infrastructure. Advanced techniques, such as polymorphic engines (a technique used to automatically generate unique instances of single strain of malware) or runtime binary encryption, can easily evade traditional signature based methods to detect malware. Even more, the high growth rate of malware makes infeasible the use of signature databases, which require daily maintenance to keep pace with the latest threats in the wild.
At Zimperium we have developed an accurate and efficient malware classification technique which detects malicious programs on the first day of its launch – commonly known as zero-day malware detection. Today we demonstrated that by detecting a new threat in the wild that attempts to gain root on an android device using a kernel exploit. You can understand that many Mobile Advanced Persistent Threats (m-APT) are using this or similar techniques to gain ring 0 permissions.
Our challenge was to design an engine that will efficiently run on low-end devices, such as smartphones or tablets, without administrator (root) privileges. Since the detection engine uses the same privileges as the malware, we can’t use any signature based methods or static executable analysis to classify a malicious application.
We use machine learning techniques to analyze the impact on the operating system to raise an alarm when a malicious activity is running. This approach is immune to evasion techniques such as polymorphic engines or runtime binary encryption. Since we need to minimize the use of the device resources, we use various optimization techniques for the most efficient way to train and test our machine learning engine and thus eventually also reduces processing or memory overhead related issues. We run on smartphones after all.
Zimperium Mobile Security System customers are immune to this threat without an engine update.
The Z team