I added some very primitive kernel event logging running on my phone, dumped it to an Azure data store and piped it to Sentinel. For the first time I feel like I might actually have a chance to know if someone owned my phone.
Since I assume most phone attacks will involve memory corruption, you can grab a lot of logging data around allocation patterns from KASAN, Scudo, or the hardened allocator. Whether that's going to be useful for a given exploit is anyone's guess, but you can have it!
Is eBPF enabled on Graphene? A bunch of well-placed bpftrace scripts might be wonderful...
Android already uses it for various things itself as part of the built-in network functionality / firewall. You can see this in android.googlesource.com/platform/syste.
It's how the direct access portion of the INTERNET permission and therefore our Network toggle is implemented these days, etc.
Android used to require kernel patches adding support for controlling network access via socket access groups. It was similar to the grsecurity feature for this. It switched to BPF as part of avoiding Android having any hard dependencies on kernel patches to be fully functional.
See this sub-thread too:
Replying to @dwizzzleMSFT
Grep around for 0x534e4554 in the source code, particularly in frameworks/av.
That's the tag for security events logged on failed exploitation attempts for SafetyNet to consume as part of monitoring attempts to exploit vulnerabilities.
The sub-tag is set to the bug id number.