Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone

Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone

Though researchers have found lots of vulnerabilities in Stagefright framework for audio/video codecs on Android smartphones, all these vulnerabilities are in the software implementation of the AOSP. However, almost all smartphone chip manufacturers utilize the hardware implementation decoders to improve the performance and reduce battery consuming. For example, a complex video format, such as h264 or h265, will be given priority to decode by the hardware decoders.

Therefore, lots of questions about hardware decoder remain unanswered. How does it work? What's the security status and overall impact to the whole system? What about the attack surface and mitigation? Can we find any vulnerabilities and exploit it? Our research will answer these questions.

We focus on the hardware decoder named Venus on Qualcomm based smartphone. Venus is the dedicated video hardware decoder, which is a subsystem like Baseband, WLAN. This presentation will describe the architecture, the work principle, and the attack surface of Venus. Then we'll describe how to defeat the secure boot and setup the live debugger. Finally, we'll describe the vulnerabilities we found and how to exploit Venus remotely.

Nowadays, there are plenty of security features and mitigations on the application processor of Android. For a real attack from the browser, we should gain arbitrary code execution first, escape from the sandbox, then break down the userspace application isolation. Finally, if we are lucky enough, we could escalate privilege into a process that can touch something like the device node exposed by the Kernel. The whole process can be a long journey.

However, by attacking the hardware decoder, we can bypass all these defenses directly. In the hardware decoder, we have DMA, IO Port, shared memory with other processor, and messages with Kernel. There are plenty of attack surfaces into the Kernel and left behind security features like the Maginot Line.

Presented by