Posted by Xuan Xing, Eugene Rodionov, Jon Bottarini, Adam Bacchus – Android Crimson Group;
Amit Chaudhary, Lyndon Fawcett, Joseph Artgole – Arm Product Safety Group
Who cares about GPUs?
You, me, and the whole ecosystem! GPUs (graphics processing items) are essential in delivering wealthy visible experiences on cellular units. Nevertheless, the GPU software program and firmware stack has turn into a approach for attackers to realize permissions and entitlements (privilege escalation) to Android-based units. There are many points on this class that may have an effect on all main GPU manufacturers, for instance, CVE-2023-4295, CVE-2023-21106, CVE-2021-0884, and extra. Most exploitable GPU vulnerabilities are within the implementation of the GPU kernel mode modules. These modules are items of code that load/unload throughout runtime, extending performance with out the necessity to reboot the gadget.
Proactive testing is sweet hygiene as it could actually result in the detection and determination of recent vulnerabilities earlier than they’re exploited. It’s additionally one of the crucial advanced investigations to do as you don’t essentially know the place the vulnerability will seem (that’s the purpose!). By combining the experience of Google’s engineers with IP house owners and OEMs, we will make sure the Android ecosystem retains a robust measure of integrity.
Why examine GPUs?
When researching vulnerabilities, GPUs are a preferred goal as a consequence of:
Performance vs. Safety Tradeoffs
No one needs a gradual, unresponsive gadget; any hits to GPU efficiency might end in a noticeably degraded consumer expertise. As such, the GPU software program stack in Android depends on an in-process HAL mannequin the place the API & consumer house drivers speaking with the GPU kernel mode module are working immediately throughout the context of apps, thus avoiding IPC (interprocess communication). This opens the door for probably untrusted code from a 3rd social gathering app having the ability to immediately entry the interface uncovered by the GPU kernel module. If there are any vulnerabilities within the module, the third social gathering app has an avenue to use them. Consequently, a probably untrusted code working within the context of the third social gathering software is ready to immediately entry the interface uncovered by the GPU kernel module and exploit potential vulnerabilities within the kernel module.
Selection & Reminiscence Security
Moreover, the implementation of GPU subsystems (and kernel modules particularly) from main OEMs are more and more advanced. Kernel modules for many GPUs are sometimes written in reminiscence unsafe languages akin to C, that are prone to reminiscence corruption vulnerabilities like buffer overflow.
Can somebody do one thing about this?
Nice information, we have already got! Who’s we? The Android Crimson Group and Arm! We’ve labored collectively to run an engagement on the Mali GPU (extra on that under), however first, a quick introduction:
Android Crimson Group
The Android Crimson Group performs time-bound safety evaluation engagements on all facets of the Android open supply codebase and conducts common safety critiques and assessments of inner Android elements. All through these engagements, the Android Crimson Group recurrently collaborates with third social gathering software program and {hardware} suppliers to research and perceive proprietary and “closed supply” code repositories and related supply code which might be utilized by Android merchandise with the only goal to determine safety dangers and potential vulnerabilities earlier than they are often exploited by adversaries exterior of Android. This yr, the Android Crimson Group collaborated immediately with our trade associate, Arm, to conduct the Mali GPU engagement and additional safe hundreds of thousands of Android units.
Arm Product Safety and GPU Groups
Arm has a central product safety crew that units the coverage and follow throughout the corporate. In addition they have devoted product safety specialists embedded in engineering groups. Arm operates a scientific method which is designed to stop, uncover, and remove safety vulnerabilities. This features a Safety Improvement Lifecycle (SDL), a Monitoring functionality, and Incident Response. For this collaboration the Android Crimson Groups had been supported by the embedded safety specialists primarily based in Arm’s GPU engineering crew.
Working collectively to safe Android units
Google’s Android Safety groups and Arm have been working collectively for a very long time. Safety necessities are by no means static, and challenges exist with all GPU distributors. By steadily sharing experience, the Android Crimson Group and Arm had been capable of speed up detection and determination. Investigations of recognized vulnerabilities, potential remediation methods, and hardening measures drove detailed analyses and the implementation of fixes the place related.
Latest analysis targeted on the Mali GPU as a result of it’s the most well-liked GPU in right now’s Android units. Collaborating on GPU safety allowed us to:
Assess the influence on the broadest phase of the Android Ecosystem: The Arm Mali GPU is likely one of the most used GPUs by authentic gear producers (OEMs) and is discovered in lots of fashionable cellular units. By specializing in the Arm Mali GPU, the Android Crimson Group might assess the safety of a GPU implementation working on hundreds of thousands of Android units worldwide.
Consider the reference implementation and vendor-specific modifications: Telephone producers usually modify the upstream implementation of GPUs. This tailors the GPU to the producer’s particular gadget(s). These modifications and enhancements are all the time difficult to make, and may generally introduce safety vulnerabilities that aren’t current within the authentic model of the GPU upstream. On this particular occasion, the Google Pixel crew actively labored with the Android Crimson Group to higher perceive and safe the modifications they made for Pixel units.
Enhancements
Investigations have led to vital enhancements, leveling up the safety of the GPU software program/firmware stack throughout a large phase of the Android ecosystem.
Testing the kernel driver
One key element of the GPU subsystem is its kernel mode driver. Throughout this engagement, each the Android Crimson Group and Arm invested vital effort wanting on the Mali kbase kernel driver. Attributable to its complexity, fuzzing was chosen as the first testing method for this space. Fuzzing automates and scales vulnerability discovery in a approach not potential through handbook strategies. With assist from Arm, the Android Crimson Group added extra syzkaller fuzzing descriptions to match the newest Mali kbase driver implementation.
The crew constructed just a few customizations to allow fuzzing the Mali kbase driver within the cloud, with out bodily {hardware}. This offered an enormous enchancment to fuzzing efficiency and scalability. With the Pixel crew’s help, we additionally had been capable of arrange fuzzing on precise Pixel units. By the mixture of cloud-based fuzzing, Pixel-based fuzzing, and handbook evaluate, we had been capable of uncover two reminiscence points in Pixel’s customization of driver code (CVE-2023-48409 and CVE-2023-48421).
Each points occurred inside the gpu_pixel_handle_buffer_liveness_update_ioctl operate, which is carried out by the Pixel crew as a part of gadget particular customization. These are each reminiscence points brought on by integer overflow issues. If exploited fastidiously alongside different vulnerabilities, these points might result in kernel privilege escalation from consumer house. Each points had been mounted and the patch was launched to affected units in Pixel safety bulletin 2023-12-01.
Testing the firmware
Firmware is one other basic constructing block of the GPU subsystem. It’s the middleman working with kernel drivers and GPU {hardware}. In lots of instances, firmware performance is immediately/not directly accessible from the applying. So “software ⇒ kernel ⇒ firmware ⇒ kernel” is a identified assault circulation on this space. Additionally, typically, firmware runs on embedded microcontrollers with restricted sources. Generally used safety kernel mitigations (ASLR, stack safety, heap safety, sure sanitizers, and many others.) may not be relevant to firmware as a consequence of useful resource constraints and efficiency influence. This could make compromising firmware simpler, in some instances, than immediately compromising kernel drivers from consumer house. To check the integrity of present firmware, the Android Crimson Group and Arm labored collectively to carry out each fuzzing and formal verification together with handbook evaluation. This multi-pronged method led to the invention of CVE-2024-0153, which had a patch launched within the July 2024 Android Safety Bulletin.
CVE-2024-0153 occurs when GPU firmware handles sure directions. When dealing with such directions, the firmware copies register content material right into a buffer. There are dimension checks earlier than the copy operation. Nevertheless, below very particular circumstances, an out-of-bounds write occurs to the vacation spot buffer, resulting in a buffer overflow. When fastidiously manipulated, this overflow will overwrite another essential buildings following the buffer, inflicting code execution inside the GPU firmware.
The circumstances crucial to achieve and probably exploit this difficulty are very advanced because it requires a deep understanding of how directions are executed. With collective experience, the Android Crimson Group and Arm had been capable of confirm the exploitation path and leverage the problem to realize restricted management of GPU firmware. This finally circled again to the kernel to acquire privilege escalation. Arm did a superb job to reply rapidly and remediate the problem. Altogether, this highlights the power of collaboration between each groups to dive deeper.
Time to Patch
It’s identified that attackers exploit GPU vulnerabilities within the wild, and time to patch is essential to scale back threat of exploitation and shield customers. Because of this engagement, 9 new Safety Check suite (STS) exams had been constructed to assist companions mechanically verify their builds for lacking Mali kbase patches. (Safety Check Suite is software program offered by Google to assist companions automate the method of checking their builds for lacking safety patches.)
What’s Subsequent?
The Arm Product Safety Group is actively concerned in security-focused trade communities and collaborates carefully with its ecosystem companions. The engagement with the Android Crimson Group, as an example, supplies beneficial enablement that drives greatest practices and product excellence. Constructing on this collaborative method, Arm is complementing its product safety assurance capabilities with a bug bounty program. This funding will increase Arm’s efforts to determine potential vulnerabilities. For extra info on Arm’s product safety initiatives, please go to this product safety web page.
The Android Crimson Group and Arm proceed to work collectively to proactively elevate the bar on GPU safety. With thorough testing, fast fixing, and updates to the safety check suite, we’re enhancing the ecosystem for Android customers. The Android Crimson Group seems to be ahead to replicating this working relationship with different ecosystem companions to make units safer.