Android Userland & Kernel Fuzzing and Exploitation

Step into the realm of comprehensive Android security with our integrated “Android Userland and Kernel Fuzzing and Exploitation” course. Designed for both novices and seasoned professionals, this course offers an extensive curriculum that covers the spectrum of Android vulnerabilities and their exploitation.
Starting with the Userland component, learners will grasp how to detect bugs in Android Userland applications and exploit memory corruption vulnerabilities. The course provides a deep understanding of ARM assembly, reverse engineering, and the development of robust exploits, including bypasses for exploit mitigations such as NX and ASLR. With 43 labs across 9 modules, students will employ advanced fuzzing techniques to pinpoint exploitable vulnerabilities.
The journey continues as we pivot to the Android kernel on the second day, where the intricacies of kernel internals, such as memory allocators and driver programming, are unraveled. Students will learn to discover bugs using kernel fuzzing techniques, including the use of sanitizers and Syzkaller. The course will guide attendees through the construction of kernel exploits crucial for sandbox escape, examining real-world vulnerabilities and the art of kernel debugging.
In culmination, the course integrates the Userland and Kernel learnings to assemble a full-chain remote exploit against target devices. The hands-on approach is further enhanced by access to our state-of-the-art training platform, where course attendees can perform exercises and apply their knowledge in practical scenarios.
Part 1: Android Userland Fuzzing and Exploitation
Part 1: Module 1: Android Security Model
1 Introduction to Android Security
1.1 Android Architecture
1.2 Security Model
1.3 Android Sandbox
1.4 Permissions
1.4 Labs – Permissions
1.5 Binder IPC
1.6 SELinux
1.6 Labs SELinux
1.7 Disabling SELinux
1.7 Labs Disabling SELinux
1.8 Verified boot
1.9 OWASP Mobile Security Project
Part 1: Module 2: Fuzzing and Crash Analysis
2.1 Introduction to fuzzing
2.2 Dumb fuzzing vs Smart fuzzing
2.3 Building harnesses and fuzzing
2.4 Open source fuzzing with LLVM Libfuzzer
2.4 Libfuzzer exercise
2.4 Open source fuzzing with LLVM Libfuzzer – Libxml2 compilation
2.4 Open source fuzzing with LLVM Libfuzzer – Libxml2 execution
2.4 Libxml2 fuzzing exercise
2.4 Real World Examples – WhatsApp – Android-Gif-Drawable
2.4 Real World Examples – WhatsApp – compilation & exercise
2.4b WhatsApp fuzzing exercise
2.5 Structure Aware Fuzzing with Protobuf – Intro + Exercise 1
2.5 Structure Aware Fuzzing with Protobuf – Exercise 1
2.5 Real World Examples – Protobuf fuzzing rLottie Library
2.5b Structure Aware Fuzzing with Protobuf – rLottie Telegram exercise
2.6 Emulated Black Box Fuzzing with AFL++ & QEMU
2.6 AFL++ fuzzing exercise
2.7 Crash analysis
2.7 Crash analysis exercise
Part 1: Module 2: Exploiting Android Userland Heap Attacks
4.1 Introduction to jemalloc and Scudo
4.2 Basic heap overflow
4.3 Use-after-free exploitation
4.4 Heap grooming & Heap Spraying
4.4 Lab jemalloc heap grooming / heap feng-shui
4.5 Introduction to mprotect and bypassing non-executable memory
4.6 Stack Pivoting
Part 2 – Introduction to Kernel Fuzzing and Exploitation
Part 2: Module 1: Android Kernel
1.2 Android Kernel Emulation
1.3 Kernel Internals – Userspace and Kernelspace
1.4 Kernel Internals – Memory Management
1.5 Kernel Internals – Drivers
1.6 Kernel Driver Programming
1.6 Kernel Driver
1.7 Kernel Debugging
1.8 Kernel Internals – Memory Allocators
1.9 Kernel Internals – Page Allocator
1.9 Page Allocator
1.10 Kernel Internals – Slab Allocator
1.10 Slab Allocator
Part 2: Module 2: Kernel Fuzzing
2.2.1 Kernel Address Sanitizer (KASAN)
2.2.2 Other Sanitizers
2.2.3 Kernel Coverage (KCOV)
2.2.4 Kernel Fuzzing – Syzkaller
2.2.4 Syzkaller Installation
2.2.5 Kernel Fuzzing – Syzkaller Configuration
2.2.5 Syzkaller Configuration
2.2.6 Analyzing Syzkaller Crashes
2.2.7 Reproducing Syzkaller Crashes
Part 2: Module 3: Android Kernel Exploitation
3.1 Privilege Escalation
3.2 Exploitation Terms and Primitives
3.3 Kernel Exploit Mitigations
3.4 Exploitation Technique – Ret2usr
3.4 Ret2usr
3.5 Exploitation Technique – ROP Chain
3.5 ROP Chain
3.6 Exploitation Technique – Heap Feng Shui
3.6 Heap Feng Shui
3.7 Exploit Primitive – Out-Of-Bounds Read
3.7 Out-Of-Bounds Read – KASLR Bypass
3.8 Exploitation Technique – Reallocation
3.8 Heap Reallocation
3.9 Exploitation Technique – Cred Overwrite
3.9 Cred Overwrite
3.10 Exploit Primitive – Arbitrary Read and Write
3.11 Exploitation Technique – Disable SELinux
Real-World Exploit Case-Study