This 4 day course is designed to provide students with both an overview of the Android attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, binary instrumentation, and advanced exploitation of widely deployed mobile platforms.
Taught by Senior members of the Exodus Intelligence Mobile Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.
Emphasis
Hands on with privilege escalation techniques within the Android Kernel, mitigations and execution migration issues with a focus on MediaTek chipsets.
Prerequisites
- Computer with the ability to run a VirtualBox image (x64, recommended 8GB+ memory)
- Some familiarity with: IDA Pro, Python, C/C++.
- ARM assembly fluency strongly recommended.
- Installed and usable copy of IDA Pro 6.1+, VirtualBox, Python.
Course Information
Attendance will be limited to 12 students per course.
Cost: $5000 USD per attendee
Dates: July 15 – 18, 2024
Location: Washington, D.C.
Syllabus
Android Kernel
- Process Management
- Important structures
- Memory Management
- Kernel Synchronization
- Memory Management
- Virtual memory
- Memory allocators
- Debugging Environment
- Build the kernel
- Boot and Root the kernel
- Kernel debugging
- Samsung Knox/RKP
- SELinux
- Type of kernel vulnerabilities
- Exploitation primitives
- Kernel vulnerabilities overview
- Heap overflows, use-after-free, info leakage
- Double-free vulnerability (radio)
- Exploitation – convert the double free into a use-after-free of a struct page
- Double-free vulnerability (untrusted_app)
- Vulnerability overview
- Technique 1: type confusion to obtain write access to globally shared memory
- Technique 2: UaF that can lead to arbitrary RW in kernel memory
Mediatek / Exynos baseband
- Introduction
- Exynos baseband overview
- Mediatek baseband overview
- Environment
- Previous research
- Analysis of the modem
- Emulation / Fuzzing
- Rogue base station
- Secure boot
- Mediatek boot rom vulnerability
- Vulnerability overview
- Exploitation
- Using brom exploit to patch the tee
- Baseband debugger
- Write the modem physical memory from EL1