Category Archives: Cell Phone (iPhone, Android, windows mobile)

Integrated GPU may allow side-channel and rowhammer attacks – 03 May 2018 | Last revised: 03 May 2018

Side-channel attacks look never-ending in the CPU world.
The so-called rowhammer attack jeopardizes cyber security today, especially on smartphones. Worst of all, a successful attack can alter the information saved in a computer’s memory.

An academic paper describes an attack called “GLitch,” which leverages two different techniques to achieve a compromise of a web browser using WebGL (see the URL below for reference).

https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf

Impact

The attacker may be able to bypass security features provided by the web browser.

Observation:

Last month Microsoft and Cisco announced that they intend to integrate the new Intel Threat Detection Technology to help defend against advanced security threats.
I think they have to consider this technical problem before they kick off their project.

https://newsroom.intel.com/editorials/securing-digital-world-intel-announces-silicon-level-security-technologies-industry-adoption-rsa-2018/

Status:

 

Vendor Status Date Notified Date Updated
Google Affected 16 Mar 2018 03 May 2018
Mozilla Affected 16 Mar 2018 03 May 2018
Microsoft Not Affected 16 Mar 2018 25 Apr 2018
AMD Unknown 16 Mar 2018 16 Mar 2018
Apple Unknown 16 Mar 2018 16 Mar 2018
Arm Unknown 26 Apr 2018
BlackBerry Unknown 16 Mar 2018 16 Mar 2018
Brave Software Unknown 16 Mar 2018 16 Mar 2018
Broadcom Unknown 16 Mar 2018 16 Mar 2018
IBM, INC. Unknown 26 Apr 2018 26 Apr 2018
Imagination Technologies Unknown 16 Mar 2018 16 Mar 2018
Intel Unknown 16 Mar 2018 16 Mar 2018
NVIDIA Unknown 16 Mar 2018 16 Mar 2018
Opera Unknown 16 Mar 2018 16 Mar 2018
QUALCOMM Incorporated Unknown 16 Mar 2018 16 Mar 2018

Realistic threats exist in NFC. Are they all secure?

Mobile payment is growing aggressively in some regions. As seen, it is fully utilized in the China market. From an economic point of view, this new payment design drives the retail business in parallel. The traditional banknote concept is silently being converted to digital form. Is this a prelude to digital currency? People doubted the NFC (near field communication) technology embedded in Visa payment earlier. As time goes by, it has become popular. The new smartphone market is similarly pushing NFC technology into its next phase. The new form of payment integrates both the smartphone (iPhone and Android) and the payment card with near field communication. How secure are NFC payments? NFC technology comes with a range of security features that help protect financial data from being stolen. But are they capable of withstanding modern cyber attacks? If the product contains a Java programming element, it is perhaps hard to avoid vulnerabilities. As a matter of fact, Java bytecode verification is a key element in the Java world. If this feature is applied in the overall design, it will significantly reduce malware infection because it is not easy to execute the malicious code. Do you have doubts after this discussion?

Firebase Analytics – To be compliant or not to be compliant on personal privacy

Perhaps the Facebook scandal has awakened people around the world to concerns about their personal privacy. Meanwhile, web surfing behaviour is a major element of behaviour analytics. Now we fully understand the influence of social media platforms. However, analytic functions are not something that exists only today. Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. Google Analytics for Firebase is a free app measurement solution that provides insight on app usage and user engagement. I did a survey on a popular mobile application tonight. The reason I chose this mobile app for evaluation is that it contains a series of new claims services, including insurance claims. It allows insurance claim pay-outs at 7-Eleven (Hong Kong). The result is that the mobile app passes the compliance requirement. The Firebase Analytics service is disabled for legal reasons. For more details, please refer to the diagram above.

CVE-2018-3561 – Is this a hiccup or will it last longer?

Looking back at the annual revenue growth of smartphone chip vendors in 2017 Q3, Samsung is the winner. Qualcomm grew only 23% and Apple only 12%. From my personal point of view, the operating system and vulnerabilities of the iPhone look mysterious. Perhaps it is a business strategy to keep competitors from knowing the details. By the way, Qualcomm's technical design limitations draw my interest. CVE-2017-15834 proves that there is a vulnerability in the kernel that exposes it to a potential heap overflow. This bug was found last year; however, I believe it will continue to expose something bad until the MDM9615 and MDM9x07 reach end of life. The MDM9615 appears to be a Qualcomm chip, but the Apple iPad deployed it. Android phones are the biggest consumer of the MDM9615 and MDM9x07 so far. A new vulnerability was identified by US-CERT in Mar 2018 under the vulnerability record reference number CVE-2018-3561. The issue is that in Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in diag_ioctl_lsm_deinit() leads to a Use After Free condition. Stay alert and update your Android phone once the security patch is available.

Are you concerned about your e-wallet?

Electronic wallets play an important role in our daily lives. Perhaps demand in the Hong Kong e-wallet market cannot compare with the Greater China market. However, a mobile phone, like any computing device, will encounter zero-days. This week, out of personal interest, I reviewed the TNG wallet design. I am concerned about the past vulnerability (CVE-2016-5195) in the Android OS. TNG wallet is able to work with armeabi-v7a and armeabi.

From a cyber security perspective, it is highly recommended that TNG e-wallet users follow the security advice of their mobile phone vendor. It is better to update the OS once an update is available. For more details, please refer to the diagram below.

Undetected malware on android

Preface:

As of 2018-02-01, the official announcement provides the following details.

Security patch level—Vulnerability details

Start discussion:

ART (Android RunTime) is the next version of Dalvik. Unlike Dalvik, ART introduces the use of ahead-of-time (AOT) compilation by compiling entire applications into native machine code upon their installation. According to the Android security bulletin of February 2018, the official announcement had no reports of active customer exploitation or abuse of the reported issues. But why do security experts say the Android smartphone system is under cyber attack?

Basic understanding of the ART boot sequence (see the diagram below for reference)

Zygote runs as UID=0 (root). After a child process is forked, its UID is changed by the setuid system call.

A closer look at the operation flow of steps 4 to 6 in the diagram above (see below)

Software/application installation workflow

We have heard that the Google app store sometimes contains APKs with malicious code, which in this way compromise the Android OS. The diagram below gives an explicit idea of how Android downloads and installs an application in the normal way.

Lock down

Referring to the information above (3 diagrams), we lock down 2 components for our investigation.

Zygote – When an application starts, Zygote is forked, resulting in 2 VM units. Since all the core libraries are interconnected with Zygote, Zygote and the application share the libraries. The memory will only be copied if the new process tries to modify it.

Even though the core library is read-only, the memory copy procedure lures threat actors to modify the Zygote system process in memory to achieve their goal.

How does it work? – The injected code works in such a way that the payload is part of any new process spawned, whereas if you use Frida to inject into Zygote it will stay behind when Zygote calls fork() to become the app to be spawned. (Though technically Frida’s code (Frida 9.x) will be part of the newly forked child, no threads survive the fork except the thread that called fork(), so any hooked functions will call into Frida code (Frida 9.x) in an undefined state.)

Summary of the concept

  1. spawn(["com.android.xxx"]) with the package name.
  2. enable_spawn_gating() and listen to the spawned signal in order to compromise the memory address early. For more details, please see the information below.

Reference: Frida (Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers).

APK – We notice that Google scans the apps on its Play Store to keep malicious APKs out of the store. However, security experts are aware that it is hard to scan an APK that contains a malicious script embedded in the APK file. The example below may be an old-style technique; however, we only aim to raise awareness, and therefore I quote this example for reference.

The Android ZIP APIs do not prevent directory traversals by default, allowing for a file with a directory traversal in the name to be injected into the ZIP. This allows us to gain an arbitrary write in the context of the app. The zip was injected with a directory traversal that writes inside of the app directory. As a result, the malicious zip files were written in the application’s data directory. You can gain an arbitrary file write primitive. An arbitrary file write carries the risk of remote code execution. For instance, Mercury Browser for Android is prone to a directory traversal vulnerability and a security bypass vulnerability. Exploiting these issues will allow an attacker to bypass security restrictions, perform unauthorized actions and access, read and execute files. Information harvested may aid in launching further attacks.
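The check that default ZIP handling leaves out, as an added example (not code from the original post): it audits an archive before extraction and rejects every entry whose resolved path leaves the destination directory. It is written in Python rather than against the Android ZIP APIs; the destination path, package name and sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile

# Hypothetical extraction directory inside an app's private data directory.
DEST = "/data/data/com.example.app/files/unzipped"


def resolve_entry(dest_dir, entry_name):
    """Return the normalised path an entry would be written to under dest_dir."""
    # Treat backslashes as separators too, so "..\\..\\x" cannot slip through.
    name = entry_name.replace("\\", "/")
    # join() discards dest_dir when name is absolute; normpath() folds "..".
    return posixpath.normpath(posixpath.join(dest_dir, name))


def audit_zip(zip_bytes, dest_dir=DEST):
    """List (entry name, reason) for every entry that must not be extracted."""
    dest = posixpath.normpath(dest_dir)
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest, info.filename)
            # Compare against dest + "/" so a sibling such as
            # ".../unzipped_evil" is not mistaken for a child of dest.
            if target != dest and not target.startswith(dest + "/"):
                findings.append((info.filename, "escapes to " + target))
            # Upper 16 bits of external_attr hold the Unix mode; 0o120000 is
            # a symbolic link, which could redirect a later write.
            elif ((info.external_attr >> 16) & 0o170000) == 0o120000:
                findings.append((info.filename, "symbolic link entry"))
    return findings


def build_sample_zip():
    """Constructed sample archive: one benign entry and three hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.json", "{}")
        # Lands in the app directory but outside the extraction directory.
        zf.writestr("../../shared_prefs/settings.xml", "<map/>")
        # Absolute path: ignores the destination entirely.
        zf.writestr("/sdcard/Download/dropped.bin", "x")
        link = zipfile.ZipInfo("assets/link")
        link.external_attr = 0o120777 << 16
        zf.writestr(link, "/data/data/com.example.app/databases")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample_zip()):
        print(f"REJECT {name!r}: {reason}")
```

An extractor should apply the same comparison to each entry immediately before writing it and abort on the first rejected entry.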

Recommendation

To avoid unforeseen cyber incidents, the recommendations below are provided by the federal government.

Federal Mobile Device Security Recommendations

  1. Create a mobile device security framework based on existing standards and best practices.
  2. Bolster Federal Information Security Modernization Act (FISMA) metrics to focus on protecting mobile devices, applications and network infrastructure.
  3. Incorporate mobility into the Continuous Diagnostics and Mitigation program to address the security of mobile devices and applications with capabilities that are similar to those of workstations, servers and other network devices.
  4. Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities.
  5. Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include security and defense against mobile threats.
  6. Develop cooperative arrangements and capabilities with mobile network operators to detect and respond to threats.
  7. Create a new defensive security research program to address vulnerabilities in mobile network infrastructure.
  8. Increase active participation by the federal government in mobile-related standards bodies and industry associations.
  9. Develop policies and procedures regarding U.S. government use of mobile devices overseas.

— End of discussion —

 

Special Edition – HIDDEN COBRA – Malicious Cyber Activity

Special Edition: Information security focus

The US Department of Homeland Security (DHS) urges the world to stay alert to HIDDEN COBRA malicious cyber activity. It looks as though the cyber attacks are wreaking havoc around the world. DHS therefore suggests adding the YARA rule below to your IDS or malware detector (for instance, RSA ECAT).

The following YARA rule may be used to detect the proxy tools:

rule NK_SSL_PROXY {
    meta:
        Author = "US-CERT Code Analysis Team"
        Date = "2018/01/09"
        MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
        MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
        Info = "Detects NK SSL PROXY"
    strings:
        $s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
        $s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
        $s2 = {4775401F713435747975366867766869375E2524736466}
        $s3 = {67686667686A75797566676467667472}
        $s4 = {6D2A5E265E676866676534776572}
        $s5 = {3171617A5853444332337765}
        $s6 = "ghfghjuyufgdgftr"
        $s7 = "q45tyu6hgvhi7^%$sdf"
        $s8 = "m*^&^ghfge4wer"
    condition:
        ($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

There are two pieces of malware to which we would like to draw your attention.

  • Trojan: HARDRAIN (Backdoor – Remote Access Tool)
  • Trojan: BADCALL (data thief and surveillance)

To avoid unforeseen data breaches affecting enterprises and to protect personal data privacy, we had better consider the suggestions made by DHS.

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to run unwanted software applications.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date.
  • Enable a personal firewall on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.

Threat actors transform vehicle GSM GPRS GPS tracker (car vehicle tracking locator) technology

Mobile phone usage is now bigger than personal computer usage. The digital e-wallet function and the BYOD concept lead people to keep their confidential data on mobile phones, and this lures hackers to focus on mobile phone devices, especially Android. This round, the hackers rely on GPRS TCP/UDP connections (see the diagram below for reference) and created a Trojan (BADCALL) that listens for incoming connections to a compromised Android device on port 60000. Meanwhile, it raises security concerns about the GPRS gateway.
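One way to check a device for the listener described above, as an added example (not from the original post or the DHS report): it parses the text of /proc/net/tcp and reports sockets in the LISTEN state on port 60000 together with the owning Android UID. The sample table, addresses, UIDs and inode numbers are constructed, and IPv4 addresses are assumed to be printed in little-endian order, as on ARM and x86 devices.

```python
import socket

TCP_LISTEN = 0x0A      # value of the "st" column for a listening socket
BADCALL_PORT = 60000   # listening port given on this page

# Constructed sample of /proc/net/tcp as read from an Android device.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11201 1 0000000000000000 100 0 0 10 0
   1: 00000000:EA60 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 45678 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:EA60 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 45990 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (address, port)."""
    addr_hex, port_hex = field.split(":")
    port = int(port_hex, 16)
    if len(addr_hex) == 8:
        # IPv4: the kernel prints the 32-bit address in host byte order.
        addr = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
    else:
        addr = addr_hex  # /proc/net/tcp6 row, left undecoded here
    return addr, port


def android_uid_name(uid):
    """Map a kernel UID to the Android 'uN_aM' app label, if it is an app."""
    user, app_id = divmod(uid, 100000)
    if app_id >= 10000:           # application UIDs start at 10000
        return f"u{user}_a{app_id - 10000}"
    return f"platform uid {uid}"


def find_listeners(proc_net_tcp, port=BADCALL_PORT):
    """Return one dict per socket that is LISTENing on the given port."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr, local_port = decode_endpoint(fields[1])
        state = int(fields[3], 16)
        # Port 60000 lies inside the default Linux ephemeral range, so an
        # outbound connection can use it as a source port. Only the LISTEN
        # state indicates a service waiting for incoming connections.
        if state == TCP_LISTEN and local_port == port:
            uid = int(fields[7])
            hits.append({
                "address": addr,
                "port": local_port,
                "uid": uid,
                "owner": android_uid_name(uid),
                "inode": int(fields[9]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_listeners(SAMPLE_PROC_NET_TCP):
        print("listener on {address}:{port} owned by {owner} (inode {inode})".format(**hit))
```

The reported UID identifies the installed package to examine; a listener on 0.0.0.0 accepts connections on every interface, including the mobile data interface.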

Since this is a special edition article, we summarize the technical details below:

Trojan: HARDRAIN

  • 32-bit Windows executables that function as proxy servers and implement a “Fake TLS” infiltration function. The hashes are shown below:

3dae0dc356c2b217a452b477c4b1db06 (3DAE0DC356C2B217A452B477C4B1DB06)

746cfecfd348b0751ce36c8f504d2c76 (746CFECFD348B0751CE36C8F504D2C76)

  • Executable Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash is shown below:

9ce9a0b3876aacbf0e8023c97fd0a21d (9CE9A0B3876AACBF0E8023C97FD0A21D)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Trojan: BADCALL (data thief and surveillance)

  • 32-bit Windows executables that function as proxy servers and implement a “Fake TLS” infiltration function. The hashes are shown below:

c01dc42f65acaf1c917c0cc29ba63adc (C01DC42F65ACAF1C917C0CC29BA63ADC)

c6f78ad187c365d117cacbee140f6230 (C6F78AD187C365D117CACBEE140F6230)

  • Runs on Android platforms as a fully functioning Remote Access Tool (RAT). The hash is shown below:

d93b6a5c04d392fc8ed30375be17beb4 (D93B6A5C04D392FC8ED30375BE17BEB4)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

End of discussion, thank you for your attention.

Happy valentines day.

Renaissance – Cyber attack transformation

Preface:

Renaissance – The period of this revival, roughly the 14th through the 16th century, marking the transition from medieval to modern times.

Background:

Viruses and malware have wreaked havoc in information technology environments over the past decade, especially on the Microsoft Windows operating system platform. It looks as though a transformation has happened now that the smartphone leads the IT technology trend. The usage share of smartphones is bigger than that of traditional computing devices (desktop, notebook and server).

Transformation of cyber attack scenario

Since the early 90s, the majority of cyber attacks in information technology environments have come from traditional viruses. The quick, simplified diagram below may refresh your memory in this regard.

The Evolution diagram of virus, worm, malware and ransomware

Remark: We have shown the generations of viruses and malware over the past three decades. The diagram looks simple; however, it represents the viruses and malware of each specific period of time.

The attack surface targeted Microsoft products until the smartphone appeared.

We all know that viruses and malware were fundamentally designed to target Microsoft products. We feel that a Linux-based operating system will provide a secure environment. But the question is: which element silently changed the atmosphere?

We understand that a malware infection is divided into four phases (see the diagram below). The malicious file (the so-called dropper file) relies on the PE (portable executable) format to carry out the infiltration: the malicious code tries to infiltrate executables, object code, DLLs, FON font files, and other files used in 32-bit and 64-bit versions of Windows operating systems.

However, this specific mechanism did not work in the Linux environment until ELF malware was invented.

Stages of a Malware Infection and technology evolution overview

Where did it begin? Code injection into the Linux world.

The Linux operating system looks like a well-protected castle, but a beast lives inside. Are you familiar with the ptrace() system call on Linux? According to the manual page (run man ptrace on Linux), the ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

Docker is an open-source technology. Docker is also the company driving the container movement and the only container platform provider to address every application across the hybrid cloud. The Microsoft cloud product family has also embraced Docker. The diagram below gives an idea of how Docker works.

Whether on a Fedora workstation or a cloud computing platform (Docker), ptrace() can do the magic. It can even attach to a system process!

Reference: the Yama restriction on ptrace() attach can be switched off as follows. With the value 0 (classic ptrace permissions), a process may attach to any other process running under the same user.

If you are using Fedora (see below for reference)

echo 0 > /proc/sys/kernel/yama/ptrace_scope

or modify (with root privileges)

/etc/sysctl.d/10-ptrace.conf

If you are using Docker, you will probably need the options below:

docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined

The details above are intended to support the comment made earlier: the Linux operating system looks like a well-protected castle, but a beast lives inside. Why? If a zero-day vulnerability occurs in Linux, an ELF file with embedded malicious code can rely on that zero-day to execute the attack. That awakens the beast through privilege escalation. This scenario is not rare. Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel found last year. Such an incident harms not only workstations but also cloud infrastructure. From a technical point of view, there is no difference between Microsoft products and Linux products.
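A defender-side audit of the two relaxations listed above, as an added example (not part of the original post): given the host's Yama ptrace_scope value and the JSON printed by docker inspect, it reports where ptrace attach has been opened up. The container names and the JSON sample are constructed; the privileged-container check goes beyond the two options on this page.

```python
import json

YAMA_PATH = "/proc/sys/kernel/yama/ptrace_scope"

# Constructed sample of `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/debugbox",
     "HostConfig": {"Privileged": False,
                    "CapAdd": ["SYS_PTRACE"],
                    "SecurityOpt": ["seccomp=unconfined"]}},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None}},
])


def read_ptrace_scope(path=YAMA_PATH):
    """Read the live Yama value: 0 classic, 1 restricted, 2 admin-only, 3 no attach."""
    with open(path) as fh:
        return int(fh.read().strip())


def normalise_cap(cap):
    """Accept both 'SYS_PTRACE' and 'CAP_SYS_PTRACE' spellings."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit(ptrace_scope, inspect_json):
    """Return human-readable findings for the host and each container."""
    findings = []
    if ptrace_scope == 0:
        findings.append(
            "host: ptrace_scope=0, any process may attach to others of the same UID")
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        host_cfg = container.get("HostConfig") or {}
        # CapAdd and SecurityOpt are null when the options were not given.
        caps = {normalise_cap(c) for c in host_cfg.get("CapAdd") or []}
        # Older engines print "seccomp:unconfined"; treat both forms alike.
        opts = {o.replace(":", "=", 1) for o in host_cfg.get("SecurityOpt") or []}
        if host_cfg.get("Privileged"):
            findings.append(f"{name}: privileged container, all capabilities granted")
        if "SYS_PTRACE" in caps or "ALL" in caps:
            findings.append(f"{name}: SYS_PTRACE capability added")
        if "seccomp=unconfined" in opts:
            findings.append(f"{name}: seccomp profile disabled")
    return findings


if __name__ == "__main__":
    # Scope value 0 is used here so the example runs on hosts without Yama;
    # call read_ptrace_scope() to audit the live setting instead.
    for finding in audit(0, SAMPLE_INSPECT):
        print(finding)
```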

ELF malware space

The example above highlights the ELF file format. ELF is flexible, extensible, and cross-platform, not bound to any given central processing unit (CPU) or instruction set architecture. This has allowed it to be adopted by many different operating systems on many different hardware platforms. Smartphones, especially Android phones, fully utilize the Linux OS platform. Vendor announcements may say that this is not a standard Linux OS, but the truth is that they use a Linux-based kernel.

According to the IDC Quarterly Mobile Phone Tracker, phone companies shipped a total of 344.3 million smartphones worldwide in the first quarter of 2017 (1Q17). In this way, cyber attacks including BYOD botnets and IoT botnets wreak havoc.

To keep pace with the IT technology and smartphone trend, attackers build ELF malware using a customized builder. As a result, malware targeting Linux systems, including smartphones, is growing rapidly. One instance is the Gyrfalcon implant, which targets OpenSSH clients on a wider variety of Linux platforms. Should you be interested, please refer to the URL below.

https://wikileaks.org/vault7/#OutlawCountry

Summary:

Information security experts found in early 2016 that the Stagefright exploit puts millions of Android devices at risk. The attack is effective against devices running Android versions 2.2 through 4.0 and 5.0 and 5.1. Another round of malware attacks on Android devices is CopyCat. CopyCat malware infected 14M Android devices, and rooted 8M, in 2016. This is history, but malware attacks on the Linux world are on the way!

SS7 flaw makes two factor authentication insecure – Reveal the veil

Preface:

Two-factor authentication is claimed to be a perfect security solution. Online banking transactions, Bitcoin wallets, e-trading business systems and application systems concerned with data privacy are all willing to apply two-factor authentication.

The overall comments for two factor authentication on the market

Let’s review the cyber security incident records below

  1. Cyber criminals stole Bitcoin from electronic wallets by counterfeiting two-factor authentication SMS messages. An investment trader, the so-called night owl, was notified that the passwords had been reset on two of his email addresses on 11th Aug 2016. His losses were among the largest in his bitcoin investment. The venture capitalist (Bo Shen) had US$300,000 worth of electronic money (Augur REP tokens) stolen by a hacker, plus an undisclosed amount of bitcoin and other cryptocurrencies lost. Coinbase (the US-based, world's biggest bitcoin exchange) observed a doubling of cyber heists among its customers during November to December 2016.
  2. Criminals carried out an attack from the network of a foreign mobile network operator in the middle of January 2017. The attackers used the SS7 vulnerability to intercept and redirect mTANs (mobile transaction authentication numbers) sent by banks in Germany to authorize payment transfers out of victim accounts.

The clarification of two factor authentication criteria

The definition of two-factor authentication (2FA) is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a pin, (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe, and in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity with two or more of these unique ways, 2FA is effectively extending security beyond the password. The final step of the authentication process is to send a one-time authorization code to a device via an SMS, which you then enter to prove your identity.

My doubt on the above matter

What if, in my situation, the function of the key term “something you are” is replaced by a hardware token? In this scenario, my hardware authentication token is synchronized in the 1st round of registration with the RSA ACE server. Thereafter the hardware token depends on one element (timing). This setup complies with the 2FA definition, in the sense that it does not involve SMS messages. So 2FA is still trustworthy, right?

SS7 Vulnerability

A proof of concept showed that an attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. A hacker is able to manipulate USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network into believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack WhatsApp and Telegram via SS7. The vulnerability was found in 2008.

The SS7 design is fundamentally built to trust any request. We know that JSS7 is an implementation of the SS7 telephony protocol in Java that aims to create an open source, multiplatform SS7 protocol stack. Counterfeiting SMS messages therefore becomes easier (see information supplement 1 at the bottom of this page for reference). Carriers often “ask” one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time. Nokia introduced new security features to safeguard network operations in Sep 2015. The features, consisting of Signaling Guard and a Security Assessment service, detect and prevent attacks that exploit vulnerabilities in the SS7 protocol. It looks as though such a remediation step is not effective against insider threats.

Nokia safeguard network operation effectiveness

The SS7 signalling system fundamentally operates in a private network, meaning that cyber criminals have to hack it to gain entry, or find a telecom insider willing to offer illicit access. However, there is another vulnerability, in ASN.1: an ASN.1 compiler flaw leads to a network vulnerability. As such, hackers exploring a back door into SS7 are not limited to targeting internal staff. The flaw might allow attackers to remotely execute unknown and unauthorized code inside the firmware of devices that use the compiled ASN1C code from within C and C++. Meanwhile, the Java language is fully compatible with the SS7 protocol stack and platform. Oops! Do you think a design weakness will appear in this place?

A hacker might read shared memory data using Java. The program source is written in C++.

A hacker can create a method in Java to read or write shared memory. A hacker might find a way to rely on the benefits of Java SS7 to hook into the shared memory process. As a result, the machine is compromised. It can send SMS to anyone or anywhere, including communicating with other Telco vendors. This is the most concerning and dangerous way.

Conclusion:

From a technical point of view, 2FA (two-factor authentication) is still a secure method of authentication. It looks as though the flaw comes from the SS7 signaling system rather than from 2FA itself. 2FA is not limited to SS7 for conducting authentication; you are allowed to use other alternatives. Guys, do not worry too much.

Information supplement 1: The open-source Java SS7 stack allows Java apps to communicate with legacy SS7 communications equipment. JSS7 is an implementation of the SS7 telephony protocol in Java that aims to create an open source, multiplatform SS7 protocol stack. The Java sample below is the pass-along message implementation, for reference.

package org.mobicents.protocols.ss7.isup.impl.message;

import java.io.ByteArrayOutputStream;

import org.mobicents.protocols.ss7.isup.ISUPMessageFactory;
import org.mobicents.protocols.ss7.isup.ISUPParameterFactory;
import org.mobicents.protocols.ss7.isup.ParameterException;
import org.mobicents.protocols.ss7.isup.impl.message.parameter.MessageTypeImpl;
import org.mobicents.protocols.ss7.isup.message.ISUPMessage;
import org.mobicents.protocols.ss7.isup.message.PassAlongMessage;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageName;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageType;

/**
 * Start time:xx<br>
 * Project: xx<br>
 *
 * @author <a href="mailto:xx@xx.com">xx </a>
 */
public class PassAlongMessageImpl extends ISUPMessageImpl implements PassAlongMessage {
    public static final MessageType _MESSAGE_TYPE = new MessageTypeImpl(MessageName.PassAlong);

    static final int _INDEX_F_MessageType = 0;

    // The ISUP message carried inside this pass-along message (PAM).
    private ISUPMessage embedded;

    /**
     * Stores the PAM message type at index 0 of f_Parameters.
     */
    public PassAlongMessageImpl() {
        super.f_Parameters.put(_INDEX_F_MessageType, this.getMessageType());
    }

    public MessageType getMessageType() {
        return _MESSAGE_TYPE;
    }

    @Override
    public void setEmbeddedMessage(ISUPMessage msg) {
        this.embedded = msg;
    }

    @Override
    public ISUPMessage getEmbeddedMessage() {
        return embedded;
    }

    public boolean hasAllMandatoryParameters() {
        return this.embedded == null ? false : this.embedded.hasAllMandatoryParameters();
    }

    @Override
    public int encode(ByteArrayOutputStream bos) throws ParameterException {
        // Nothing to pass along without an embedded message. The listing
        // originally tested "!= null", which rejected every valid message
        // and dereferenced null below when no message was set.
        if (this.embedded == null) {
            throw new ParameterException("No embedded message");
        }

        // encode CIC and message type
        this.encodeMandatoryParameters(f_Parameters, bos);
        final byte[] embeddedBody = ((AbstractISUPMessage) this.embedded).encode();
        // skip the first 2 bytes of the embedded message: its CIC
        bos.write(embeddedBody, 2, embeddedBody.length - 2);
        return bos.size();
    }

    @Override
    public int decode(byte[] b, ISUPMessageFactory messageFactory, ISUPParameterFactory parameterFactory)
            throws ParameterException {
        int index = 0;
        // decode CIC and PAM message type.
        index += this.decodeMandatoryParameters(parameterFactory, b, index);
        // the next byte is the message type of the embedded message
        byte targetMessageType = b[index];
        this.embedded = messageFactory.createCommand(targetMessageType, this.getCircuitIdentificationCode().getCIC());
        // create fake msg body: the input without its first byte
        byte[] fakeBody = new byte[b.length - 1];
        System.arraycopy(b, 1, fakeBody, 0, fakeBody.length);
        index += ((AbstractISUPMessage) this.embedded).decode(fakeBody, messageFactory, parameterFactory) - 2;
        return index;
    }

    // Not used, PAM contains body of another message. Since it overrides decode, those methods are not called.
    protected void decodeMandatoryVariableBody(ISUPParameterFactory parameterFactory, byte[] parameterBody,
            int parameterIndex) throws ParameterException {
        // TODO Auto-generated method stub
    }

    protected void decodeOptionalBody(ISUPParameterFactory parameterFactory, byte[] parameterBody,
            byte parameterCode) throws ParameterException {
        // TODO Auto-generated method stub
    }

    protected int getNumberOfMandatoryVariableLengthParameters() {
        // TODO Auto-generated method stub
        return 0;
    }

    protected boolean optionalPartIsPossible() {
        throw new UnsupportedOperationException();
    }
}

Information supplement 2: How to protect your IT premises? Found vulnerability sometimes isn’t a flaw. This is the original design! For more detail, please refer below:

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw. This is the original design!

 

The enemy of ASLR (Address space layout randomization) – memory leak

Preface

Address space layout randomization (ASLR) is a computer security technique that is popular in the cyber world today, since it reduces the hit rate of malware infection incidents. Do you agree that there is no need to worry about malware infection once ASLR is implemented?

Start discussion

We discussed ASLR topics in our earlier discussion (see below). Our discussion last time focused on virtual machines (VM), especially VMware.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

This time we move our focus to mobile phones, especially the Android system. As far as we know, chip-set vendors (Qualcomm and Intel) are going to reduce the attack surface with a division of duty in the design.

Highlight of division of duty of design on mobile chip set

Baseband processor: Manages all the radio functions except Wi-Fi and Bluetooth radios. A baseband processor typically uses its own RAM and firmware.

WiFi chip-sets:  responsible for handling the PHY, MAC and MLME on its own, and hands the kernel driver data packets that are ready to be sent up.

Reference point: Research has found that a hacker can implant malicious code by relying on a WiFi chip-set design weakness to compromise the baseband processor, since the WiFi chip-set is not protected by ASLR. But this time we are not going to focus on chip-set design weaknesses in mobile phones. As such, we move on to the following items of discussion.

ASLR implementation status on Android

Early Android versions only had stack randomization due to lack of kernel support for ASLR on ARM. Address space layout randomization (ASLR) has been adopted in their design since 2015. Android version 4.1 introduced support for full ASLR by enabling heap randomization and Position Independent Executables (PIE). Yet we frequently hear that Android OS has encountered malware infection. What are the root causes?

1. Non-traditional spawning model

Android (from my personal viewpoint, a tailor-made Linux) has a different memory management design. Its spawning model relies on a process called Zygote.
However, the Zygote process has a design limitation that might make it possible for malware to infiltrate (see the post below for reference).

 

Mobile apps like your wife or girlfriend. They are tracing you!

2. Memory leak

The Android system needs to manage memory allocation resources. Garbage collection is initiated programmatically when memory runs short. Garbage collection is based on the following criteria.

a. All object references in memory are verified, and non-reachable objects go to garbage collection. Everything else is wiped out from memory to free up resources.

b. Everything serving the user should be kept in memory

Garbage collection design weakness Highlight

a. The drawback is that when code is written negligently, so that unused objects are still referenced from reachable objects, garbage collection marks the unused objects as useful. As a result they cannot be removed. This is called a memory leak. From a technical point of view, a memory leak ranges from a few kilobytes to megabytes.

However, mobile phone applications rely on the Java engine and JavaScript. Java, a dynamic language, uses garbage collection to manage memory. To enhance CPU performance, caching technology is used. A design weakness was found in that a component shares some of its cache with untrusted applications. A hacker could send malicious JavaScript that specifically targets this shared memory space. A known bug (see the CVE details below) confirms that a JavaScript attack breaks ASLR on CPU micro-architectures (vulnerable CPUs are listed below).

CVE – vulnerabilities on CPU

CVE-2017-5925 is assigned to track the developments for Intel processors
CVE-2017-5926 is assigned to track the developments for AMD processors
CVE-2017-5927 is assigned to track the developments for ARM processors
CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers

Vulnerable CPU (mobile phone devices)

Allwinner A64 ARM – Cortex A53 (2016)
Intel Xeon E3-1240 v5 – Skylake (2015)
Intel Core i7-6700K – Skylake (2015)
Intel Celeron N2840 – Silvermont (2014)
Samsung Exynos 5800 – ARM Cortex A15 (2014)
Samsung Exynos 5800 – ARM Cortex A7 (2014)
Nvidia Tegra K1 CD580M-A1 – ARM Cortex A15 (2014)
Nvidia Tegra K1 CD570M-A1 – ARM Cortex A15; LPAE (2014)

b. A side-channel attack is capable of bypassing ASLR and assists malware in implanting itself in the system. A modern CPU has to work with internal or external cache. Therefore this is another way that may potentially bypass ASLR memory protection.

i. Evict + time

The attacker measures the time it takes to execute a piece of victim code. Then the attacker flushes part of the cache, then executes and times the victim code again. The difference in timing tells something about whether the victim uses that part of the cache.

ii. Prime + probe

The attacker now accesses memory to fill part of the cache with his own memory and waits for the victim code to execute. (Prime) Then the attacker measures the time it takes to access the memory that he had carefully placed in the cache before. If it’s slow, it is because the victim needed the cache, and this gives us knowledge about what the victim did. (Probe)

iii. Flush + reload

The flush and reload attack utilizes the fact that processes often share memory. By flushing a shared address, then waiting for the victim, and finally measuring the time it takes to access the address, an attacker can tell whether the victim placed the address in question in the cache by accessing it.
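The prime + probe step described above, run against a simulated cache. This is an added example, not code from the original post or the cited research; the class names, the 4-set 2-way LRU cache and the two victim routines are assumptions made for illustration. It also shows the defensive counterpart: a victim whose accesses do not depend on the secret leaves the same miss pattern for every secret value.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;

/** Added example: prime + probe on a modelled cache (a simulation, no real timing). */
public class PrimeProbeModel {
    static final int SETS = 4, WAYS = 2;

    /** Set-associative cache with LRU replacement; a line maps to set (line % SETS). */
    static final class Cache {
        private final Deque<Integer>[] sets;
        @SuppressWarnings({"unchecked", "rawtypes"})
        Cache() {
            sets = new Deque[SETS];
            for (int i = 0; i < SETS; i++) sets[i] = new ArrayDeque<>();
        }
        /** Returns true on a hit (a "fast" access), false on a miss (a "slow" access). */
        boolean access(int line) {
            Deque<Integer> set = sets[line % SETS];
            boolean hit = set.remove(Integer.valueOf(line));
            if (!hit && set.size() == WAYS) set.removeFirst(); // evict least recently used
            set.addLast(line);                                 // line is now most recent
            return hit;
        }
    }

    /** Victim whose access depends on a secret in 0..SETS-1: it touches only that set. */
    static void leakyVictim(Cache c, int secret) { c.access(100 + secret); }

    /** Victim with a secret-independent pattern: it touches one line in every set. */
    static void uniformVictim(Cache c) {
        for (int s = 0; s < SETS; s++) c.access(100 + s);
    }

    /** Prime every set with observer lines, run the victim, then count misses per set. */
    static int[] primeAndProbe(boolean leaky, int secret) {
        Cache c = new Cache();
        for (int line = 0; line < SETS * WAYS; line++) c.access(line);  // prime
        if (leaky) leakyVictim(c, secret); else uniformVictim(c);
        int[] misses = new int[SETS];
        for (int line = 0; line < SETS * WAYS; line++) {                // probe
            if (!c.access(line)) misses[line % SETS]++;
        }
        return misses;
    }

    public static void main(String[] args) {
        System.out.println("secret-dependent victim: " + Arrays.toString(primeAndProbe(true, 2)));
        System.out.println("uniform victim:          " + Arrays.toString(primeAndProbe(false, 2)));
    }
}
```

With the secret-dependent victim, misses show up only in the set selected by the secret; with the uniform victim every set looks the same, so the probe carries no information about the secret.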

Summary:

It looks as though new technologies claim to avoid malware infection, for instance 64-bit OS and ASLR. As a matter of fact, these technologies are valid and required. However, we can’t say we are now secure! Referring to the above discussion, with any misuse or negligent programming technique, a hacker might find a vulnerability to compromise your mobile system even though ASLR is running on your mobile.

Tips to detect Android memory leak

LeakCanary is an Open Source Java library to detect memory leaks in your debug builds.

You create a RefWatcher instance and give it an object to watch:

// We expect javaIdSession to be gone soon (or not), let's watch it.
refWatcher.watch(javaIdSession);

When the leak is detected, you automatically get a nice leak trace:

* GC ROOT static ..............
* references .............
* leaks ....... instance
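The idea behind watching an object for a leak can be shown in plain Java with a weak reference and a reference queue, applied to the bug described earlier (an unused object still referenced from a reachable one). This is an added example, not LeakCanary's code or API; Session, CACHE, open and isLeaked are hypothetical names, and System.gc() is only a request that common JVMs honour.

```java
import java.lang.ref.Reference;
import java.lang.ref.ReferenceQueue;
import java.lang.ref.WeakReference;
import java.util.ArrayList;
import java.util.List;

/** Added example: detecting an object that survives garbage collection. */
public class LeakWatchDemo {
    /** Stand-in for an object that should be freed when its screen or session ends. */
    static final class Session {
        final byte[] payload = new byte[64 * 1024];
    }

    /** The bug: a static (always reachable) list keeps unused sessions alive. */
    static final List<Session> CACHE = new ArrayList<>();

    /** Creates a session and returns only a weak reference to it. */
    static WeakReference<Session> open(boolean buggy, ReferenceQueue<Session> queue) {
        Session s = new Session();
        if (buggy) CACHE.add(s);              // forgotten strong reference from a GC root
        return new WeakReference<>(s, queue); // the local strong reference ends here
    }

    /** Returns true if the watched object is still reachable after several GC requests. */
    static boolean isLeaked(WeakReference<Session> ref, ReferenceQueue<Session> queue)
            throws InterruptedException {
        for (int attempt = 0; attempt < 5; attempt++) {
            System.gc();                      // a request, not a guarantee
            // A weak reference is enqueued once its referent has been collected.
            Reference<? extends Session> cleared = queue.remove(200);
            if (cleared == ref) return false;
        }
        return ref.get() != null;             // never cleared: something still holds it
    }

    public static void main(String[] args) throws InterruptedException {
        ReferenceQueue<Session> queue = new ReferenceQueue<>();
        System.out.println("released session leaked: " + isLeaked(open(false, queue), queue));
        System.out.println("cached session leaked:   " + isLeaked(open(true, queue), queue));
    }
}
```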

Have a nice weekend!