
I added some very primitive kernel event logging running on my phone and dumped it to an Azure data store and piped it to Sentinel. For the first time I feel like I might actually have a chance to know if someone owned my phone.
Since I assume most phone attacks will involve memory corruption, you can grab a lot of logging data around allocation patterns from KASAN, Scudo, or hardened allocator. Whether that's going to be useful for a given exploit is anyone's guess, but you can have it!
Replying to
Grep around for 0x534e4554 in the source code, particularly in frameworks/av. That's the tag for security events logged on failed exploitation attempts for SafetyNet to consume as part of monitoring attempts to exploit vulnerabilities. The sub-tag is set to the bug id number.
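A small inventory script for that grep, added here as an example rather than code from the thread or from AOSP: it decodes the tag to its ASCII name and maps each bug-id sub-tag to the source locations that emit it. It assumes the AOSP call names android_errorWriteLog, android_errorWriteWithInfoLog and EventLog.writeEvent, and runs over a constructed snippet standing in for frameworks/av.

```python
import re
from collections import defaultdict

# 0x534e4554 is the ASCII bytes of "SNET"; the events buffer reports it by its
# decimal value 1397638484 (assumed to be listed as snet_event_log in the tag table).
SNET_TAG = 0x534E4554

# Assumed AOSP logging entry points; the quoted string sub-tag is the bug id.
CALL_RE = re.compile(
    r'(?:android_errorWrite(?:WithInfo)?Log|EventLog\.writeEvent)\s*\(\s*'
    r'(?:0[xX]534[eE]4554|1397638484)\s*,\s*"([^"]*)"'
)


def tag_ascii(tag: int) -> str:
    """Decode the 32-bit event tag to its ASCII name, e.g. 0x534e4554 -> 'SNET'."""
    return tag.to_bytes(4, "big").decode("ascii")


def find_snet_events(source: str, path: str = "<mem>") -> dict:
    """Map each bug-id sub-tag to the path:line locations that emit it."""
    hits = defaultdict(list)
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            hits[m.group(1)].append(f"{path}:{lineno}")
    return dict(hits)


# Constructed sample resembling what a grep over frameworks/av turns up;
# the bug ids are placeholders, not real Android bug numbers.
SAMPLE_SOURCE = """\
    if (offset + size > bufferSize) {
        android_errorWriteLog(0x534e4554, "12345678");
        return ERROR_MALFORMED;
    }
    android_errorWriteWithInfoLog(0x534e4554, "12345678", uid, nullptr, 0);
    EventLog.writeEvent(0x534e4554, "87654321");
"""

if __name__ == "__main__":
    print(tag_ascii(SNET_TAG))
    for bug, where in sorted(find_snet_events(SAMPLE_SOURCE, "sample.cpp").items()):
        print(bug, where)
```

Run it over a real checkout by reading each file under frameworks/av and passing its text and path to find_snet_events; the result is the list of mitigations whose failed-exploitation events you can wire into your own monitoring.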
Replying to and
So if you wire up those events, you can have your own version of what SafetyNet provides to Google. These aren't reported to end users by SafetyNet but rather it detects failed attempts at exploitation across the ecosystem for Google to monitor.
Replying to and
There are also security events tagged in the logs. IIRC, those are available to a device manager. I don't think the SafetyNet events are available to one. We've been thinking about making monitoring this part of Auditor and attestation.app but we haven't started on it.
Replying to
Yep, I read about this in their security report a few years ago. I am more interested in logging invariants for generalized exploitation. There are a few kernel patches with log_level security that are reasonably helpful. Problem is this will quickly derive into log heuristics.