cs3235 poster .pdf


Original filename: cs3235-poster.pdf
Title: PowerPoint Presentation
Author: Gan Gan

This PDF 1.5 document has been generated by Microsoft® PowerPoint® 2010, and has been sent on pdf-archive.com on 13/11/2015 at 10:29, from IP address 137.132.x.x. The current document download page has been viewed 467 times.
File size: 845 KB (1 page).
Privacy: public file




Stagefright

CS3235 - 18

CS3235 – COMPUTER SECURITY

Project Overview

In recent times, a number of software bugs have been found in mobile devices running the Android operating system. A particular group of vulnerabilities, named Stagefright, makes use of maliciously formed media files to exploit the underlying Android video processor, which may lead to potential attacks.

There have not been any known real exploits in the wild as of now, but we should take precautions against such overflow attacks, as they allow Remote Code Execution (RCE). This allows an attacker to execute malicious software that is potentially harmful and undesired.

We have created an application which detects and informs the user if a certain video file has a potential Stagefright exploit. This will enable users to verify if a file is safe for viewing.

What is Stagefright?

Stagefright is a group of Android vulnerabilities discovered in July 2015 by Joshua J. Drake from Zimperium Mobile Security.

Approximately 1 billion Android users are affected by this vulnerability and are still unsafe from exploits. This is due to Android using a flawed library, ‘libstagefright’, to process media files. The library mainly has integer overflow/underflow issues, which cause buffer overflows on the Android system.

By default, most messaging services currently auto-download an attached video file to the user’s phone without the user’s consent. This can be exploited by sending a malicious video file to an unsuspecting user, which can allow a hacker to execute malicious code without the user’s knowledge.

How Our App Works

Unknown Video File: User receives video file of unknown origin
App scans for vulnerability patterns at binary level
Our application detects if the file is malicious based on its signature
SAFE: Video is verified as safe
NOT SAFE: Potential malicious file, user will be warned

Mitigation Techniques

Phone manufacturers pushed various updates since August 2015
Disable auto-fetch MMS from Google Hangout/SMS application
Update to latest Android firmware, if possible

Conclusion

Our team has researched and analyzed the causes of various Stagefright vulnerabilities. We wrote a mobile application to detect malicious video files that would exploit them.

However, as new vulnerabilities, such as Stagefright 2.0, are found in libStageFright over time, more devices that depend on this library are affected by Stagefright.

Known Exploits

‘stts’ Integer Overflow (CVE-2015-1538): This vulnerability is caused by the integer overflowing the bounds of a 32-bit integer.
‘tx3g’ Integer Overflow (CVE-2015-3824): This vulnerability is caused by a combination of chunks overflowing the value SIZE_MAX (0xFFFFFFFF).
‘stsc’ Integer Overflow (CVE-2015-1538): This vulnerability is caused by a combination of chunks overflowing the value SIZE_MAX (0xFFFFFFFF).
‘3gpp’ Buffer Overread (CVE-2015-3826): This vulnerability is caused by not detecting a null-terminated string.
‘ctts’ Integer Overflow (CVE-2015-1538): This vulnerability is caused by an improper promotion of integer values.
‘3gpp’ Integer Underflow (CVE-2015-3828): This vulnerability is caused by a chunk data size falling below a certain value.
‘covr’ Integer Underflow (CVE-2015-3827): This vulnerability is caused by a chunk size falling below a certain value.
‘stss’ Integer Overflow (CVE-2015-1538): This vulnerability is caused by an improper promotion of integer values.
‘esds’ Integer Underflow (CVE-2015-1539): This vulnerability is caused by a combination of flag values falling below 0 unexpectedly.
‘covr’ Integer Overflow (CVE-2015-3829): This vulnerability is caused by a combination of chunks overflowing the value SIZE_MAX (0xFFFFFFFF).

Example

CVE-2015-1538: STTS Integer Overflow

| Field   | Type              | Value                |
|---------|-------------------|----------------------|
| Header  | BOXHEADER         | ‘stts’               |
| Version | Unsigned int(8)   | 0                    |
| Flags   | Unsigned int(24)  | 0                    |
| Count   | Unsigned int(32)  | Number of STTSRECORD |
| Entries | STTSRECORD[Count] | Array of STTSRECORD  |

‘stts’ box format

The Count value is checked and assigned to the mTimeToSampleCount variable. This variable is used to calculate allocSize, a 64-bit unsigned integer. In the code, it is calculated with:

mTimeToSampleCount * 2 * sizeof(uint32_t)

where 2 * sizeof(uint32_t) represents the size of an STTSRECORD entry. This may cause an overflow before the integer is promoted to 64-bit if the two 32-bit integers are big enough.

| Field       | Type             |
|-------------|------------------|
| SampleCount | Unsigned int(32) |
| SampleDelta | Unsigned int(32) |

STTSRECORD format
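
The ‘stts’ size calculation from the example above, shown as an added C sketch that is not the poster authors' application code. It compares the 32-bit product with the same product computed after widening to 64 bits, and uses the difference as a scanner check on an ‘stts’ box. The function names, return codes and sample bytes are hypothetical, and a 32-bit box size field is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a big-endian 32-bit field, the byte order MP4 boxes use. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Models the arithmetic on a 32-bit build: the product wraps modulo 2^32
   and only the wrapped result is widened to 64 bits. */
uint64_t alloc_size_wrapping(uint32_t count) {
    uint32_t product = count * 2u * (uint32_t)sizeof(uint32_t);
    return product;
}

/* Widen to 64 bits first, then multiply: the product cannot wrap. */
uint64_t alloc_size_checked(uint32_t count) {
    return (uint64_t)count * 2u * sizeof(uint32_t);
}

enum { STTS_OK = 0, STTS_NOT_STTS = 1, STTS_SUSPICIOUS = 2 };

/* Hypothetical scanner check. box points at the start of one box laid out
   as size(4) type(4) version(1) flags(3) count(4) entries(8 each). */
int scan_stts(const uint8_t *box, size_t len) {
    if (len < 16 || memcmp(box + 4, "stts", 4) != 0) return STTS_NOT_STTS;
    uint32_t box_size = be32(box);
    uint32_t count = be32(box + 12);
    uint64_t need = alloc_size_checked(count);
    if (need != alloc_size_wrapping(count)) return STTS_SUSPICIOUS; /* wraps */
    if (box_size < 16 || box_size > len) return STTS_SUSPICIOUS; /* bad size */
    if (need > box_size - 16u) return STTS_SUSPICIOUS; /* entries overrun box */
    return STTS_OK;
}

/* Constructed sample boxes, not taken from any real file. */
const uint8_t benign_stts[24] = {0, 0, 0, 24, 's', 't', 't', 's', 0, 0, 0, 0,
                                 0, 0, 0, 1,  0, 0, 0, 10, 0, 0, 4, 0};
const uint8_t wrapped_count_stts[16] = {0, 0, 0, 16, 's', 't', 't', 's',
                                        0, 0, 0, 0, 0x20, 0, 0, 1};
```

The third check in scan_stts also flags a Count that does not wrap but claims more STTSRECORD entries than the box can hold.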
